en - Re: [en@sympa] Issue with LDAP email lookup using generic_sso

  • From: Mark Cairney <address@concealed>
  • To: <address@concealed>
  • Subject: Re: [en@sympa] Issue with LDAP email lookup using generic_sso
  • Date: Thu, 11 May 2023 16:53:34 +0100

Hi,

Removing the force_email_verify line from our config seems to have sparked the LDAP lookup back into life. The mystery now is why it was working with these settings on our previous installation. We do have a couple of local patches on that so I'll review those and look for clues and get back to you if I'm still confused.


Many thanks!

Mark

On 11/05/2023 14:37, Olivier Salaün wrote:

I suggest you try disabling the "force_email_verify" auth.conf option,
cf <https://www.sympa.community/gpldoc/man/auth.conf.5.html>

The default value seems to be "force_email_verify=1" and it will
initiate an additional validation process for the email value.

On 11/05/2023 at 15:24, Mark Cairney wrote:
Hi,

Our previous version was ancient (6.1.17) and we're upgrading to 6.2.70.

I can confirm that I can hit the LDAP server from the sympa server:

# ldapsearch -LLL -x -H ldaps://authorise.is.ed.ac.uk:636 -b dc=authorise,dc=ed,dc=ac,dc=uk -s base
dn: dc=authorise,dc=ed,dc=ac,dc=uk
objectClass: dcObject
objectClass: organization
o: University of Edinburgh
dc: authorise

I've tried removing the 'internal_email_by_netid' variable and
restarting. The end result is the same but the debug log looks
slightly different. Still no sign of any ldap queries though:


May 11 14:21:26 mlist-dev wwsympa[16358]: debug main:: ORIG_PATH_INFO=
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main:: ORIG_SCRIPT_NAME=/lists
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main:: PATH_INFO=
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main:: QUERY_STRING=
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main:: REMOTE_ADDR=192.168.152.33
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main:: REMOTE_HOST=
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main:: REQUEST_METHOD=POST
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main:: SCRIPT_NAME=/lists
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main:: SERVER_NAME=mlist-dev.is.ed.ac.uk
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main:: SERVER_PORT=443
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main:: SYMPA_DOMAIN=mlist-dev.is.ed.ac.uk
May 11 14:21:26 mlist-dev wwsympa[16358]: debug Sympa::WWW::Session::new(mlist-dev.is.ed.ac.uk, 80482429300550, sso_login)
May 11 14:21:26 mlist-dev wwsympa[16358]: info main::do_sso_login(cosign) [robot mlist-dev.is.ed.ac.uk] [session 80482429300550] [client 192.168.152.33]
May 11 14:21:26 mlist-dev wwsympa[16358]: info main::do_sso_login() [robot mlist-dev.is.ed.ac.uk] [session 80482429300550] [client 192.168.152.33] POST request processing
May 11 14:21:26 mlist-dev wwsympa[16358]: info main::do_sso_login() [robot mlist-dev.is.ed.ac.uk] [session 80482429300550] [client 192.168.152.33] Redirect user to https://mlist-dev.is.ed.ac.uk/lists/sso_login/cosign/init
May 11 14:21:26 mlist-dev wwsympa[16358]: debug Sympa::WWW::Session::set_cookie(Sympa::WWW::Session, localhost, session, 1)
May 11 14:21:26 mlist-dev wwsympa[16358]: debug Sympa::WWW::Session::store()
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main:: ORIG_PATH_INFO=/sso_login/cosign/init
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main:: ORIG_SCRIPT_NAME=/lists
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main:: PATH_INFO=/sso_login/cosign/init
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main:: QUERY_STRING=
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main:: REMOTE_ADDR=192.168.152.33
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main:: REMOTE_HOST=
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main:: REQUEST_METHOD=GET
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main:: SCRIPT_NAME=/lists
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main:: SERVER_NAME=mlist-dev.is.ed.ac.uk
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main:: SERVER_PORT=443
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main:: SYMPA_DOMAIN=mlist-dev.is.ed.ac.uk
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main::_split_params() [robot mlist-dev.is.ed.ac.uk] [client 192.168.152.33] Incoming parameter: auth_service_name=cosign
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main::_split_params() [robot mlist-dev.is.ed.ac.uk] [client 192.168.152.33] Incoming parameter: subaction=init
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main::_split_params() [robot mlist-dev.is.ed.ac.uk] [client 192.168.152.33] Incoming parameter: email=
May 11 14:21:26 mlist-dev wwsympa[16358]: debug main::_split_params() [robot mlist-dev.is.ed.ac.uk] [client 192.168.152.33] Incoming parameter: ticket=
May 11 14:21:26 mlist-dev wwsympa[16358]: debug Sympa::WWW::Session::new(mlist-dev.is.ed.ac.uk, 80482429300550, sso_login)
May 11 14:21:26 mlist-dev wwsympa[16358]: info main::do_sso_login(cosign) [robot mlist-dev.is.ed.ac.uk] [session 80482429300550] [client 192.168.152.33]
May 11 14:21:26 mlist-dev wwsympa[16358]: info main::do_sso_login() [robot mlist-dev.is.ed.ac.uk] [session 80482429300550] [client 192.168.152.33] Return request email
May 11 14:21:26 mlist-dev wwsympa[16358]: debug Sympa::WWW::Session::store()
May 11 14:21:26 mlist-dev wwsympa[16358]: debug Sympa::WWW::Session::set_cookie(Sympa::WWW::Session, localhost, , 1)



On 11/05/2023 12:02, Olivier Salaün wrote:

Hi Mark,

You forgot to mention your previous and new Sympa versions.

Did you ensure the Sympa server can contact the LDAP server?

Try telnet authorise.is.ed.ac.uk 636

Looking at <https://www.sympa.community/gpldoc/man/auth.conf.5.html> and
<https://github.com/sympa-community/sympa/blob/2312ee726bd2af4e4ee15e4055ddd4eca25bae48/src/lib/Sympa/WWW/Auth.pm#L314>

it seems that the email retrieval from LDAP is not performed if the
internal_email_by_netid conf parameter is enabled. Try disabling
internal_email_by_netid.

On 11/05/2023 at 12:32, Mark Cairney wrote:
Hi,

We're in the process of building a new Sympa server to replace our
existing, old server however the user authentication doesn't appear to
be working as expected.

We've got Cosign authentication set up on the web root which uses the
REMOTE_USER environment variable. After login, if I then hit the 'Sympa
login' button I get the following error:

The Sympa Mailing list service has encountered a problem with your
login. Please contact address@concealed.

Our /etc/sympa/auth.conf is currently:

generic_sso
        service_name                    Random Crap Login
        service_id                      cosign
        http_header_list                REMOTE_USER
        netid_http_header               REMOTE_USER
        ldap_host authorise.is.ed.ac.uk:636
        ldap_suffix ou=people,ou=central,dc=authorise,dc=ed,dc=ac,dc=uk
        ldap_scope                      sub
        ldap_get_email_by_uid_filter    (uid=[REMOTE_USER])
        ldap_email_attribute            mail
        ldap_timeout                    20
        ldap_use_tls                    ldaps
        ldap_ssl_version                tlsv1_2
        ldap_ca_verify                  none
        internal_email_by_netid         1
        force_email_verify              1

user_table
        regexp                 .*

Based on our auth.conf config, which is largely identical to our previous
server, I'd expect Sympa to perform an LDAP query to retrieve the user's
email address, but I don't see any hits on our LDAP server.

Is there something obvious I'm missing? This is running on Rocky 8 using
sympa 6.2.70 from RPM.

Kind regards,

Mark

P.S. The debug log from Sympa is shown below:


May 11 11:20:37 mlist-dev wwsympa[2540]: debug3 Sympa::search_fullpath() Name: topics_visibility.noconceal; file /usr/share/sympa/default/scenari/topics_visibility.noconceal
May 11 11:20:37 mlist-dev wwsympa[2540]: debug2 Sympa::Scenario::authz(Sympa::Scenario <topics_visibility.noconceal;/usr/share/sympa/default/scenari/topics_visibility.noconceal>, md5, HASH, ...)
May 11 11:20:37 mlist-dev wwsympa[2540]: debug2 Sympa::Scenario::new(Sympa::Scenario, mlist-dev.is.ed.ac.uk, topics_visibility, ...)
May 11 11:20:37 mlist-dev wwsympa[2540]: debug3 Sympa::search_fullpath(mlist-dev.is.ed.ac.uk, topics_visibility.noconceal, subdir)
May 11 11:20:37 mlist-dev wwsympa[2540]: debug3 Sympa::get_search_path(mlist-dev.is.ed.ac.uk, subdir, scenari)
May 11 11:20:37 mlist-dev wwsympa[2540]: debug3 Sympa::search_fullpath() Name: topics_visibility.noconceal; file /usr/share/sympa/default/scenari/topics_visibility.noconceal
May 11 11:20:37 mlist-dev wwsympa[2540]: debug2 Sympa::Scenario::authz(Sympa::Scenario <topics_visibility.noconceal;/usr/share/sympa/default/scenari/topics_visibility.noconceal>, md5, HASH, ...)
May 11 11:20:37 mlist-dev wwsympa[2540]: info main::do_sso_login(cosign) [robot mlist-dev.is.ed.ac.uk] [session 27273199795695] [client 192.168.152.33]
May 11 11:20:37 mlist-dev wwsympa[2540]: debug main::do_sso_login() [robot mlist-dev.is.ed.ac.uk] [session 27273199795695] [client 192.168.152.33] Lookup email internal: cosign
May 11 11:20:37 mlist-dev wwsympa[2540]: debug Sympa::WWW::Auth::get_email_by_net_id(mlist-dev.is.ed.ac.uk, HASH, HASH)
May 11 11:20:37 mlist-dev wwsympa[2540]: debug Sympa::Robot::get_netidtoemail_db(mcairney, cosign)
May 11 11:20:37 mlist-dev wwsympa[2540]: debug3 Sympa::Database::do_prepared_query() Will perform query "SELECT email_netidmap FROM netidmap_table WHERE netid_netidmap = ? and serviceid_netidmap = ? and robot_netidmap = ?"
May 11 11:20:37 mlist-dev wwsympa[2540]: info main::do_sso_login() [robot mlist-dev.is.ed.ac.uk] [session 27273199795695] [client 192.168.152.33] Return request email
May 11 11:20:37 mlist-dev wwsympa[2540]: debug2 main::check_param_out() [robot mlist-dev.is.ed.ac.uk] [session 27273199795695] [client 192.168.152.33]
May 11 11:20:37 mlist-dev wwsympa[2540]: debug Sympa::WWW::Session::store()
May 11 11:20:37 mlist-dev wwsympa[2540]: debug3 Sympa::Database::do_prepared_query() Will perform query "SELECT id_session FROM session_table WHERE prev_id_session = ?"
May 11 11:20:37 mlist-dev wwsympa[2540]: debug3 Sympa::Database::do_prepared_query() Will perform query "UPDATE session_table SET date_session = ?, remote_addr_session = ?, robot_session = ?, email_session = ?, start_date_session = ?, hit_session = ?, data_session = ? WHERE id_session = ? AND prev_id_session IS NOT NULL OR prev_id_session = ?"
May 11 11:20:37 mlist-dev wwsympa[2540]: debug Sympa::WWW::Session::set_cookie(Sympa::WWW::Session, localhost, , 1)
May 11 11:20:37 mlist-dev wwsympa[2540]: debug3 Sympa::search_fullpath(mlist-dev.is.ed.ac.uk, css.tt2, subdir)
May 11 11:20:37 mlist-dev wwsympa[2540]: debug3 Sympa::get_search_path(mlist-dev.is.ed.ac.uk, subdir, web_tt2)
May 11 11:20:37 mlist-dev wwsympa[2540]: debug3 Sympa::search_fullpath() Name: css.tt2; file /usr/share/sympa/default/web_tt2/css.tt2
May 11 11:20:37 mlist-dev wwsympa[2540]: debug3 Sympa::search_fullpath(mlist-dev.is.ed.ac.uk, css.tt2, subdir)
May 11 11:20:37 mlist-dev wwsympa[2540]: debug3 Sympa::get_search_path(mlist-dev.is.ed.ac.uk, subdir, web_tt2)
May 11 11:20:37 mlist-dev wwsympa[2540]: debug3 Sympa::get_search_path(mlist-dev.is.ed.ac.uk, context, mlist-dev.is.ed.ac.uk)


--
Olivier Salaün
DSI / pôle SI / équipe SNUM
Tel : 02 23 23 74 54


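Added example, written for this archive page and not code from Sympa or from any poster in the thread: a small Python checker for the auth.conf generic_sso paragraph quoted above. It embeds a constructed, abbreviated copy of that paragraph, reports the two settings the thread ended up removing (internal_email_by_netid, which per Olivier's reading of Auth.pm bypasses the LDAP lookup, and force_email_verify), and also reports ldap_ca_verify none, which leaves the LDAPS server certificate unverified. The file layout it assumes (blank-line-separated paragraphs, an unindented type line, indented "key value" lines) is taken from the posted file.

```python
# Added example, not Sympa code. Assumed auth.conf layout (as posted):
# blank-line-separated paragraphs, unindented type line, indented "key value".

# Constructed, abbreviated copy of the generic_sso paragraph from the thread.
SAMPLE_AUTH_CONF = """\
generic_sso
        netid_http_header               REMOTE_USER
        ldap_host authorise.is.ed.ac.uk:636
        ldap_get_email_by_uid_filter    (uid=[REMOTE_USER])
        ldap_email_attribute            mail
        ldap_use_tls                    ldaps
        ldap_ca_verify                  none
        internal_email_by_netid         1
        force_email_verify              1

user_table
        regexp                 .*
"""


def parse_auth_conf(text):
    """Return [(paragraph_type, {key: value}), ...] in file order."""
    paragraphs, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        if not raw[0].isspace():          # unindented line opens a paragraph
            current = (raw.strip(), {})
            paragraphs.append(current)
        elif current is not None:         # "key   value" (value may hold spaces)
            key, _, value = raw.strip().partition(" ")
            current[1][key] = value.strip()
    return paragraphs


def check_generic_sso(params):
    """Findings for one generic_sso paragraph; empty list means nothing flagged."""
    findings = []
    if "ldap_host" in params and params.get("internal_email_by_netid") == "1":
        findings.append("internal_email_by_netid=1 skips the LDAP email lookup")
    if params.get("force_email_verify") == "1":
        findings.append("force_email_verify=1 adds an email validation step after SSO")
    if "ldap_host" in params and params.get("ldap_ca_verify") == "none":
        findings.append("ldap_ca_verify=none leaves the LDAP server certificate unverified")
    return findings


def audit(text):
    """All findings across every generic_sso paragraph in an auth.conf."""
    return [f for ptype, p in parse_auth_conf(text) if ptype == "generic_sso"
            for f in check_generic_sso(p)]
```

Running audit() over the real /etc/sympa/auth.conf after removing the two lines the thread dropped leaves only the ldap_ca_verify finding.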

