discourse-ldap-auth
ldap_user_create_mode 'auto' does work without groups
I ran into a serious problem with Discourse login using LDAP. When a new user tries to log in, he is redirected back to a login page without any message. Logs confirmed LDAP passed successfully, but the user wasn't created in Discourse. Existing users worked fine.
After debugging I discovered that the LDAP plugin doesn't create users if they have no groups provided by LDAP. I'm not quite sure what changed in our LDAP instance configuration, since it is not entirely under our control, but it may have led to different data returned by LDAP regarding user groups.
Anyway, I was able to work around it with this patch:
--- /var/www/discourse/plugins/discourse-ldap-auth/lib/ldap_user.rb.old 2023-03-10 18:01:14.596939164 +0100
+++ /var/www/discourse/plugins/discourse-ldap-auth/lib/ldap_user.rb 2023-03-10 18:07:20.957617316 +0100
@@ -31,10 +31,10 @@
private
def create_user_groups(user_groups)
- return if user_groups.nil?
#user account must exist in order to create user groups
@user = User.create!(name: self.name, email: self.email, username: self.username)
@user.activate
+ return if user_groups.nil?
user_groups.each do |group_name|
group = Group.find_by(name: group_name)
@user.groups << group unless group.nil?
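Review bot: with the `return if user_groups.nil?` guard moved below `User.create!`, every user who passes LDAP authentication now gets an account created and activated inside `create_user_groups`, whether or not LDAP returned any groups. If group membership was ever relied on to limit who gets provisioned, that gate is gone, so confirm this is the intended behaviour. The method also now does two jobs under a name that describes only one; I'd move the `User.create!` / `@user.activate` pair into its own method and keep the nil guard around the `user_groups.each` loop only. Note too that `User.create!` raises on a validation failure and nothing in the visible lines rescues it, so a failed create surfaces as an exception during login rather than as a message to the user.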
All in all, I find it weird that the user instance is created only if groups are present. I'd expect the user object to be created regardless.
Configuration:
- discourse 2.8.13
- discourse-ldap-auth 0.6.0
- ldap filter is not set
I would provide a patch, but I can't write in Ruby and this workaround is as far as I could get.
@ziima In the previous Discourse versions, Discourse would create the User account if an auth plugin returned a valid authentication result and the user account did not exist. It's weird that this stopped working... The only reason #create_user_groups is creating the user ahead of time is in order to be able to assign groups to the user record.
@davidtaylorhq Any ideas why user creation would fail after a successful auth here? Did anything change with Auth::Result?
I'm not aware of any recent changes to this area. I'd recommend checking:
- Discourse's auth_skip_create_confirm site setting - that controls whether an account is created immediately, or whether the user is given a chance to update their username etc.
- force_https setting (hidden). It's important that this is enabled so that the auth-related cookies are set in the correct http/https context
- Check the browser developer console for any Javascript errors
I got back to this, since my workaround was removed after an update.
- auth_skip_create_confirm was disabled.
- force_https was enabled.
Still no idea why it doesn't work.