The problem with LDAP group in homer-webapp docker container
perrfect opened this issue · 11 comments
Hello.
I have some problems with LDAP_USERGROUP in the homer-webapp docker container, in the /usr/local/homer/etc/webapp_config.json config.
When the container is restarted, the usergroup is changed from `"usergroup": "sec_homer_users"` to `"usergroup": "sec_roots"`.
Only removing the container helps.
I pass this group to the config via docker-compose as:
`"LDAP_USERGROUP=sec_homer_users"`
> When the container is restarted, the usergroup is changed from `"usergroup": "sec_homer_users"` to `"usergroup": "sec_roots"`.
This seems a permission escalation that depends on the container. The restart seems to invalidate the policy.
More information is needed in order to reproduce the issue.
If you find a solution, please share it for the community's benefit.
Thank you
P.S. Don't forget to STAR our project :)
Hello.
I've done additional tests and it looks like the problem is not in permissions.
If I set the env variable `"LDAP_USERGROUP=homer_user"` in the docker-compose.yml file and run it, everything is ok inside the homer-webapp container.
But when I stop the container and start it again, in the config /usr/local/homer/etc/webapp_config.json inside the container the parameter `"usergroup"` looks like `"usergroup": "root",`.
Maybe the problem is in this script docker-entrypoint.d/1
@adubovikov Could you please check?
What would the issue be? The relevant parts of the init script are simply replacing the ENV values in the template, so I see no reason why the json config results should differ between restarts. Are you mounting the config file using a volume on your filesystem?
No, I don't mount the config file and don't use a volume.
I'm using only this docker-compose file:

```yaml
homer-webapp:
  container_name: homer-webapp
  image: sipcapture/webapp
  environment:
    - "LOKI_HOST=loki"
    - "PROM_HOST=prometheus"
    - "DB_HOST=db"
    - "DB_USER=root"
    - "DB_PASS=homerSeven"
    - "AUTH_TYPE=ldap"
    - "LDAP_BASE=dc=ipa,dc=example,dc=com"
    - "LDAP_HOST=ipa.example.com"
    - "LDAP_PORT=636"
    - "LDAP_SSL=true"
    - "LDAP_SKIP_TLS=false"
    - "LDAP_SKIP_VERIFY=true"
    - "LDAP_ANONYMOUS=false"
    - "LDAP_BIND_DN=uid=homer,cn=users,cn=accounts,dc=ipa,dc=example,dc=com"
    - "LDAP_BIND_PASS=password"
    - "LDAP_USER_FILTER=(\\&(objectClass=person)(uid=%s))"
    - "LDAP_GROUP_FILTER=(member=%s)"
    - "LDAP_USER_DN=uid=%s,cn=users,cn=accounts,dc=ipa,dc=example,dc=com"
    - "LDAP_ADMINGROUP=homer_admins"
    - "LDAP_USERMODE=false"
    - "LDAP_ADMINMODE=false"
    - "LDAP_USERGROUP=homer_users"
    - "HOMER_LOGLEVEL=debug"
  restart: unless-stopped
  ports:
    - "9080:80"
  volumes:
    - ./bootstrap:/app/bootstrap
  depends_on:
    db:
      condition: service_healthy
    grafana:
      condition: service_healthy
```

You can try it and will get the same error.
The problem reproduces on the production server and on a new test server with default configs from github.
@lmangani
The problem is reproduced on Ubuntu and Rocky Linux.
Steps to reproduce:
- Add environment variables as in the comment above to `homer7-docker/heplify-server/hom7-prom-all/docker-compose.yml`
- Run docker compose: `sudo docker compose up -d`
- Go to the `homer-webapp` container and check the parameter `"usergroup"` in `/usr/local/homer/etc/webapp_config.json`. At this step everything is ok.
- Stop the `homer-webapp` container: `sudo docker compose stop homer-webapp`
- Start it again: `sudo docker compose start homer-webapp`
- Go to the `homer-webapp` container (`sudo docker exec -it homer-webapp /bin/bash`) and the parameter `"usergroup"` has the value `"usergroup": "roots"`
@perrfect no but perhaps @adubovikov or @hamidrhashmi can help with this
@adubovikov Can you help please and check?
@lmangani @adubovikov there is a search-and-replace for the `homer_user` string in entrypoint.sh; that's why @perrfect's group name (hepic_users) is being replaced with 'roots'.
https://github.com/sipcapture/homer-app/blob/master/docker/docker-entrypoint.d/1#L16C6-L16C6
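The mechanism the last comment points at, reproduced as an added stand-alone demo (this is constructed example code, not the homer-app entrypoint): a bare substring replace run in place on the live config is not idempotent, so the second start re-processes the already rendered `homer_users` value. The template text, the `__DB_USER__` / `__LDAP_USERGROUP__` placeholder names and the variable values are assumptions; the hardened variant renders from the pristine template with delimited placeholders on every start.

```shell
#!/bin/sh
# Constructed demo of the restart bug described in this thread. This is
# not the homer-app entrypoint; the template text, placeholder names and
# the values of DB_USER / LDAP_USERGROUP are assumptions.
set -eu
DB_USER="${DB_USER:-root}"
LDAP_USERGROUP="${LDAP_USERGROUP:-homer_users}"
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Template in the naive style: the DB user placeholder is a bare word that
# is also a prefix of a plausible LDAP group name.
printf '%s\n' '{ "database": { "user": "homer_user" },' \
  '  "ldap": { "usergroup": "__LDAP_USERGROUP__" } }' > "$WORK/naive.tmpl"
# Hardened template: every placeholder is delimited and unique.
printf '%s\n' '{ "database": { "user": "__DB_USER__" },' \
  '  "ldap": { "usergroup": "__LDAP_USERGROUP__" } }' > "$WORK/safe.tmpl"

usergroup_of() {  # extract the usergroup value from a rendered config
  sed -n 's/.*"usergroup": "\([^"]*\)".*/\1/p' "$1"
}

# Naive start: substitute into the live config on every container start.
# On the second start "homer_user" matches inside the already rendered
# "homer_users" and turns it into "roots", as reported above.
naive_start() {
  cfg="$WORK/naive.json"
  [ -f "$cfg" ] || cp "$WORK/naive.tmpl" "$cfg"
  sed -e "s/homer_user/$DB_USER/g" \
      -e "s/__LDAP_USERGROUP__/$LDAP_USERGROUP/g" "$cfg" > "$cfg.new"
  mv "$cfg.new" "$cfg"
}

# usergroup value after N naive starts of a freshly created container
naive_after_starts() {
  rm -f "$WORK/naive.json"
  i=0
  while [ "$i" -lt "$1" ]; do naive_start; i=$((i + 1)); done
  usergroup_of "$WORK/naive.json"
}

# Safe start: always render from the pristine template using delimited
# placeholders, so the result is the same no matter how often it runs.
safe_start() {
  sed -e "s/__DB_USER__/$DB_USER/g" \
      -e "s/__LDAP_USERGROUP__/$LDAP_USERGROUP/g" "$WORK/safe.tmpl" > "$WORK/safe.json"
  usergroup_of "$WORK/safe.json"
}

echo "naive after 1 start: $(naive_after_starts 1)"               # homer_users
echo "naive after 2 starts: $(naive_after_starts 2)"              # roots
echo "safe after 2 starts: $(safe_start >/dev/null; safe_start)"  # homer_users
```

Running it with `LDAP_USERGROUP=sec_homer_users` gives `sec_roots` after the second naive start, matching the first report in the thread.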