v2 testing with ldap - default peers
pasztorl opened this issue · 3 comments
Hi,
I've continued testing the v2 version and I configured LDAP user sync.
I also configured it to create a default peer for new users.
I found out that if the user is not in the admin group, wg-portal can't create the default peer because of a permission problem.
Is this the expected behaviour? I hope not, because it would be great if I could sync new users from LDAP (without admin rights) and they could log in and download the pre-created client configuration.
On the second try I synced users from LDAP with the admin group. In this case I didn't get a permission problem, but the default peer config was not created.
Here is the log:
TRAC[0010] starting to synchronize users for idm
TRAC[0010] fetched 1 raw ldap users...
TRAC[0010] SELECT * FROM `users` WHERE `users`.`identifier` = 'lenard.pasztor@xxx.yy' ORDER BY `users`.`identifier` LIMIT 1 duration=1.270231ms rows=0 src="/home/circleci/repo/internal/adapters/database.go:662"
TRAC[0010] SELECT * FROM `users` WHERE `users`.`identifier` = 'lenard.pasztor@xxx.yy' ORDER BY `users`.`identifier` LIMIT 1 duration="705.113µs" rows=0 src="/home/circleci/repo/internal/adapters/database.go:756"
TRAC[0010] INSERT INTO `users` (`created_by`,`updated_by`,`created_at`,`updated_at`,`identifier`,`email`,`source`,`provider_name`,`is_admin`,`firstname`,`lastname`,`phone`,`department`,`notes`,`password`,`disabled`,`disabled_reason`,`locked`,`locked_reason`) VALUES ('_WG_SYS_UNKNOWN_','_WG_SYS_UNKNOWN_','2024-02-23 22:33:51.311','2024-02-23 22:33:51.311','lenard.pasztor@xxx.yy','','db','',false,'','','','','','',NULL,'',NULL,'') duration=1.123412ms rows=1 src="/home/circleci/repo/internal/adapters/database.go:756"
TRAC[0010] UPDATE `users` SET `created_by`='_WG_SYS_UNKNOWN_',`updated_by`='_WG_SYS_UNKNOWN_',`created_at`='2024-02-23 22:33:51.311',`updated_at`='2024-02-23 22:33:51.313',`email`='lenard.pasztor@xxx.yy',`source`='ldap',`provider_name`='',`is_admin`=true,`firstname`='Lenard',`lastname`='Pasztor',`phone`='',`department`='',`notes`='',`password`='',`disabled`=NULL,`disabled_reason`='',`locked`=NULL,`locked_reason`='' WHERE `identifier` = 'lenard.pasztor@xxx.yy' duration=7.244356ms rows=1 src="/home/circleci/repo/internal/adapters/database.go:768"
ERRO[0010] handling new user event for lenard.pasztor@xxx.yy
TRAC[0010] SELECT * FROM `users` duration="708.902µs" rows=2 src="/home/circleci/repo/internal/adapters/database.go:677"
TRAC[0010] SELECT * FROM `interface_addresses` WHERE `interface_addresses`.`interface_identifier` = 'wg0' duration="800.626µs" rows=1 src="/home/circleci/repo/internal/adapters/database.go:284"
TRAC[0010] SELECT * FROM `cidrs` WHERE `cidrs`.`cidr` = '10.15.17.254/24' duration="593.817µs" rows=1 src="/home/circleci/repo/internal/adapters/database.go:284"
TRAC[0010] SELECT * FROM `interfaces` duration=3.809194ms rows=1 src="/home/circleci/repo/internal/adapters/database.go:284"
INFO[0010] created 0 default peers for user lenard.pasztor@xxx.yy
Unfortunately there is no info about the error.
Update: when I set up the peer defaults on the interface before the LDAP sync starts, I get this:
TRAC[0010] UPDATE `users` SET `created_by`='_WG_SYS_UNKNOWN_',`updated_by`='_WG_SYS_UNKNOWN_',`created_at`='2024-02-23 23:04:44.718',`updated_at`='2024-02-23 23:04:44.722',`email`='lenard.pasztor@xxx.yy',`source`='ldap',`provider_name`='',`is_admin`=true,`firstname`='Lenard',`lastname`='Pasztor',`phone`='',`department`='',`notes`='',`password`='',`disabled`=NULL,`disabled_reason`='',`locked`=NULL,`locked_reason`='' WHERE `identifier` = 'lenard.pasztor@xxx.yy' duration=8.156765ms rows=1 src="/home/circleci/repo/internal/adapters/database.go:768"
...
ERRO[0010] failed to create default peer for lenard.pasztor@xxx.yy: failed to create default peer JvP7UY4bp2DZ5TQEUOy8oan1WkR3FMEeKAMHD8Nlxko= on interface wg0: creation not allowed: insufficient permissions
So in this case the new user is an admin, but it ends with the same permission problem.
@pasztorl please share your working config.yaml (without creds, of course) as an example. I can't configure it on V2 alpha testing. I get an error:
"msg": "failed to synchronize LDAP users for Ctrlops LDAP: failed to setup LDAP connection: failed to bind to LDAP: LDAP Result Code 34 "Invalid DN Syntax": invalid DN",
This issue cannot be reproduced - default peers are created for admin and non-admin users.
@Sarevok933219 a sample config could look like this:
core:
  admin_user: admin@wgportal.local
  admin_password: secret
  create_default_peer: true
advanced:
  log_level: debug
  log_pretty: true
  log_json: false
  config_storage_path: /etc/wireguard
  expiry_check_interval: 15m
statistics:
  collect_peer_data: false
  collect_audit_data: false
  collect_interface_data: false
database:
  debug: true
  type: sqlite
  dsn: data/sqlite.db
auth:
  callback_url_prefix: https://vpn.yourcompany.com/api/v0
  ldap:
    - id: ldap
      provider_name: Active Directory
      display_name: Login with</br>AD
      url: ldap://ad01.your-company.local:389
      bind_user: ldap_wireguard@your-company.local
      bind_pass: a-super-S3CRET-password
      base_dn: DC=YOURCOMPANY,DC=LOCAL
      login_filter: (&(objectClass=organizationalPerson)(mail={{login_identifier}})(!userAccountControl:1.2.840.113556.1.4.803:=2))
      admin_group: CN=WireGuardAdmins,OU=_O_ASampleGroup,DC=YOURCOMPANY,DC=LOCAL
      synchronize: true
      sync_filter: (&(objectClass=organizationalPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2)(mail=*))
      registration_enabled: true
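Two things in an ldap entry of this shape are worth checking before pointing wg-portal at a directory: whether base_dn, admin_group and bind_user are actually in DN syntax (the "Invalid DN Syntax" bind error quoted earlier in this thread is what a server returns when a bind credential is not a DN; Active Directory also accepts a UPN such as ldap_wireguard@your-company.local, but OpenLDAP and most other directories do not), and how the {{login_identifier}} placeholder in login_filter gets filled. The following is an added, stand-alone Python example written for this page; it is not wg-portal code and does not use its parser. The sample provider dict, the function names (looks_like_dn, escape_filter_value, render_login_filter, check_ldap_provider) and the rough DN regex are all assumptions made here. Whether wg-portal itself escapes the identifier before substituting it is not shown on this page; the example shows the RFC 4515 escaping a login lookup needs so that a user-supplied identifier cannot widen the filter.

```python
import re

# Constructed sample mirroring the shape of the ldap: entry above (not read from wg-portal).
SAMPLE_LDAP_PROVIDER = {
    "id": "ldap",
    "url": "ldap://ad01.your-company.local:389",
    "bind_user": "ldap_wireguard@your-company.local",   # UPN, not a DN
    "base_dn": "DC=YOURCOMPANY,DC=LOCAL",
    "login_filter": "(&(objectClass=organizationalPerson)(mail={{login_identifier}})"
                    "(!userAccountControl:1.2.840.113556.1.4.803:=2))",
    "admin_group": "CN=WireGuardAdmins,OU=_O_ASampleGroup,DC=YOURCOMPANY,DC=LOCAL",
}

# Rough RFC 4514 DN check: one or more attr=value RDNs separated by commas.
# Multi-valued RDNs (a+b) and OID-form attribute types are not handled; good enough for a sanity check.
_RDN = r'[A-Za-z][A-Za-z0-9-]*=(?:[^,\\]|\\.)+'
_DN_RE = re.compile(rf'^{_RDN}(?:\s*,\s*{_RDN})*$')


def looks_like_dn(value: str) -> bool:
    """True if the value has the attr=value,attr=value shape of a distinguished name."""
    return bool(_DN_RE.match(value))


# RFC 4515 escapes for characters that have meaning inside a search filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only ever match as a literal inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_login_filter(template: str, login_identifier: str) -> str:
    """Fill the {{login_identifier}} placeholder with an escaped value.

    Without escaping, a login name like '*)(mail=*' would turn the filter into
    one that matches every person in the directory.
    """
    return template.replace("{{login_identifier}}", escape_filter_value(login_identifier))


def check_ldap_provider(cfg: dict) -> list[str]:
    """Return human-readable findings for one ldap provider entry; [] means nothing flagged."""
    findings = []
    for key in ("base_dn", "admin_group"):
        if not looks_like_dn(cfg.get(key, "")):
            findings.append(f"{key} is not in DN syntax: {cfg.get(key)!r}")
    bind_user = cfg.get("bind_user", "")
    if not looks_like_dn(bind_user):
        findings.append(
            f"bind_user {bind_user!r} is not a DN; Active Directory accepts a UPN here, "
            "but directories such as OpenLDAP reject it with 'Invalid DN Syntax'"
        )
    if "{{login_identifier}}" not in cfg.get("login_filter", ""):
        findings.append("login_filter has no {{login_identifier}} placeholder")
    return findings


if __name__ == "__main__":
    for finding in check_ldap_provider(SAMPLE_LDAP_PROVIDER):
        print("finding:", finding)
    print(render_login_filter(SAMPLE_LDAP_PROVIDER["login_filter"], "*)(mail=*"))
```

Run against the sample, the checker flags only the UPN-style bind_user, which is a warning rather than an error when the target is Active Directory; swap in a DN such as CN=ldap_wireguard,CN=Users,DC=YOURCOMPANY,DC=LOCAL and it reports nothing. The rendered filter shows the injected `*)(mail=*` reduced to `\2a\29\28mail=\2a`, so it can only match a mail attribute containing those literal characters.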