ahaenggli/AzureAD-LDAP-wrapper

Can't get authorized

pluckyhd opened this issue · 11 comments

Everything seems to be working except the ldap bind user I setup won't authorize.

When setting up I can't browse/set the DN; when trying to connect I get the error
{0} doesn't exist on the LDAP server. It may be removed by administrator. Please refresh the page and try again later

I think it pertains to this
"LDAP search on the NAS must be possible without any authentication in order to be able to select the domain/baseDN at all"

but I am not sure how to enable it without authentication. I am sure I am missing something simple.

If I manually type it in there it accepts, but then it fails to authorize using the bind user I set up.

What DSM version are you running? Which env vars did you use for the wrapper?
Are there any errors in your docker log?

Thanks for the quick reply.
DSM 7.1.1-42962 Update 4
Not sure which one you're asking about exactly. I have all of appid, tenantid, secret set accordingly; let's say my domain is user-fun.com
NODE_ENV = production
LDAP_DOMAIN = user-fun.com
LDAP_BASEDN = dc=user-fun,dc=com
LDAP_BINDUSER=ldapuser|Test123 -> This is what I enter in ldap setup of NAS
GRAPH_IGNORE_MFA_ERRORS = true
DSM7 = true
LDAP_PORT = 13389

if you need anything else let me know

The error comes when I go through the ldap wizard (looks a bit different than your screenshots).
I hit the ldap server fine, but once putting in my username and password I can't select the BaseDN. I have attached a screenshot; the red section is where the error occurs.
[screenshot: ldap_error]

Ok so I found this in the log upon starting:

ERROR: 2023-03-01T03:19:45.792Z: ldapwrapper.js ClientAuthError: network_error: Network request failed. Please check network trace to determine root cause. | Fetch client threw: Error: HTTP status code 401 | Attempted to reach: https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token stdout

I edited the log to hide the tenant id in the link.

"HTTP status code 401" means "Unauthorized". Are you using a proxy?
If not, please check the values of AZURE_APP_ID and AZURE_APP_SECRET. They do not match your AZURE_TENANTID. Maybe you copied too many spaces somewhere or something like that?

No proxy. Yeah, I have those correct, I double checked them. I don't need to set up any user permissions on the Azure side, right? Just the read/delegate permissions listed for the app. Also I don't need a valid user on the docker side, right? (Of Azure, that is; I'm assuming it logs in by the secret.)

To add to this: I didn't assign any app roles on the Azure side, is that maybe what I am missing? I have a feeling it is that, or I need a valid Azure username/password on the docker side instead of the ldapuser maybe.

Did you follow the required settings in Azure AD? Only those 3 permissions are needed...
Maybe the status for those permissions is "NOT granted" instead of "granted" in your portal?

I will add some more checks when starting the wrapper to easier isolate such problems in the future.

Yes, I have that and it's granted. I honestly have no idea. I deleted the entire container and tried setting up from scratch and still get the same authorization error. If I try to access the link in the log I get an error because it expects a POST. If you could tell me what you post I can verify that, as I am capable of making a POST request.

Could you temporarily use the docker "dev" image instead of "latest"? In the dev tag some settings are now checked at startup.
There should be some additional logs, which will maybe help us.

Ok so I ran dev:

```
INFO: 2023-03-05T22:32:07.699Z:  graph_azuread.js system.loggerOptions 3 [Sun, 05 Mar 2023 22:32:07 GMT] : [899a63fe-5d05-441d-b6b6-6be80ac6a7f0] : @azure/msal-node@1.15.0 : Verbose - Client credential client created | stdout
ERROR: 2023-03-05T22:32:07.978Z:  graph_azuread.js checkToken { | stdout
errorCode: 'invalid_client', | stdout
errorMessage: "7000215 - [2023-03-05 22:32:01Z]: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'appid'.\r\n" + | stdout
```

That is what I see; of course I blanked out the appid up there for security reasons.

This is great, thanks for trying! It looks like your value for AZURE_APP_SECRET is wrong (a common mistake would be to copy SecretId instead of the value) or the secret has expired. Can you create a new secret and use its value?
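As an added illustration of the startup checks mentioned earlier in this thread and of the mistake diagnosed here (the secret ID pasted instead of the secret value, or stray whitespace in the env vars), here is a small Node.js pre-flight validator. It is example code written for this page, not part of AzureAD-LDAP-wrapper; the function names are hypothetical, and the error shape it classifies is the `errorCode` / `errorMessage` pair seen in the dev-image log above.

```javascript
// Added example, not the wrapper's own code. Function names are hypothetical.
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Sanity-checks the three Azure env vars before any token request is made.
// Returns a list of readable problems; an empty list means "looks plausible".
function validateAzureEnv(env) {
  const problems = [];
  for (const name of ['AZURE_TENANTID', 'AZURE_APP_ID', 'AZURE_APP_SECRET']) {
    const raw = env[name];
    if (!raw || raw.trim() === '') {
      problems.push(`${name} is missing or empty`);
      continue;
    }
    if (raw !== raw.trim()) {
      problems.push(`${name} has leading/trailing whitespace (copy-paste artefact?)`);
    }
  }
  const tenant = (env.AZURE_TENANTID || '').trim();
  const appId = (env.AZURE_APP_ID || '').trim();
  const secret = (env.AZURE_APP_SECRET || '').trim();
  if (tenant && !GUID_RE.test(tenant)) problems.push('AZURE_TENANTID is not a GUID');
  if (appId && !GUID_RE.test(appId)) problems.push('AZURE_APP_ID is not a GUID');
  // The client secret *value* is an opaque string; the secret *ID* shown beside it
  // in the portal is a GUID. A GUID here is almost certainly the wrong column.
  if (secret && GUID_RE.test(secret)) {
    problems.push('AZURE_APP_SECRET looks like a secret ID (GUID), not the secret value');
  }
  return problems;
}

// Turns a token-endpoint error (as MSAL reports it) into a concrete hint.
function classifyTokenError(body) {
  const msg = String(body.errorMessage || body.error_description || '');
  const code = (msg.match(/AADSTS(\d+)/) || [])[1];
  if (body.errorCode === 'invalid_client' && code === '7000215') {
    return 'AZURE_APP_SECRET is not a valid secret value: create a new client secret ' +
      'and copy its Value, not its Secret ID (an expired secret fails the same way)';
  }
  if (body.errorCode === 'invalid_client') {
    return 'client credentials rejected: re-check AZURE_APP_ID and AZURE_APP_SECRET';
  }
  return `unhandled token error${code ? ' AADSTS' + code : ''}: ${msg}`;
}

module.exports = { validateAzureEnv, classifyTokenError };
```

Run `validateAzureEnv(process.env)` before constructing the MSAL client and log the returned list; it costs nothing and catches the portal copy-paste mistakes offline.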

Wow, thanks! Can't believe I missed that, but you were correct. As a fellow programmer I can't thank you enough for spending the time to add logging and resolve this!