
Mapping AD groups with Teampass roles

Open · Hubertvivien opened this issue 2 years ago · 37 comments

Page on which it happened

/index.php?page=roles (Mapping AD groups with Teampass roles)

Steps to reproduce

  1. Click the LDAP Synchronization button.
  2. To define a new mapping, click the role you want to define, select it in the list of Teampass roles, and click the Submit button.
  3. Repeat this operation several times with other roles and mappings.
  4. Leave the page.
  5. Return to this page and click the LDAP Synchronization button.

Expected behaviour

Defined mappings should be OK.

Actual behaviour

It seems all roles are mapped with the last one used (mapped).

Server configuration

Operating system: Linux 71ed582b5b71 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64

Web server: nginx/1.24.0

Database: 10.11.5-MariaDB

PHP version: 8.2.7

Teampass version: 3.0.10

Teampass configuration file:

'max_latest_items' => '10',
'enable_favourites' => '1',
'show_last_items' => '1',
'enable_pf_feature' => '0',
'log_connections' => '1',
'log_accessed' => '1',
'time_format' => 'H:i:s',
'date_format' => 'd/m/Y',
'duplicate_folder' => '0',
'item_duplicate_in_same_folder' => '0',
'duplicate_item' => '0',
'number_of_used_pw' => '3',
'manager_edit' => '1',
'cpassman_dir' => '/var/www/html',
'cpassman_url' => 'http://<anonym_url>',
'favicon' => 'http://<anonym_url>/favicon.ico',
'path_to_upload_folder' => '/var/www/html/upload',
'path_to_files_folder' => '/var/www/html/files',
'url_to_files_folder' => 'http://<anonym_url>/files',
'activate_expiration' => '0',
'pw_life_duration' => '0',
'maintenance_mode' => '0',
'enable_sts' => '0',
'encryptClientServer' => '1',
'teampass_version' => '3.0.10',
'ldap_mode' => '1',
'ldap_type' => 'ActiveDirectory',
'ldap_suffix' => '0',
'ldap_domain_dn' => '0',
'ldap_domain_controler' => '0',
'ldap_user_attribute' => 'samaccountname',
'ldap_ssl' => '0',
'ldap_tls' => '0',
'ldap_search_base' => '0',
'ldap_port' => '389',
'richtext' => '0',
'allow_print' => '0',
'roles_allowed_to_print' => '0',
'show_description' => '1',
'anyone_can_modify' => '0',
'anyone_can_modify_bydefault' => '0',
'nb_bad_authentication' => '0',
'utf8_enabled' => '1',
'restricted_to' => '0',
'restricted_to_roles' => '0',
'enable_send_email_on_user_login' => '0',
'enable_user_can_create_folders' => '0',
'insert_manual_entry_item_history' => '0',
'enable_kb' => '0',
'enable_email_notification_on_item_shown' => '0',
'enable_email_notification_on_user_pw_change' => '0',
'custom_logo' => '',
'custom_login_text' => '',
'default_language' => 'french',
'send_stats' => '0',
'send_statistics_items' => 'stat_country;stat_users;stat_items;stat_items_shared;stat_folders;stat_folders_shared;stat_admins;stat_managers;stat_ro;stat_mysqlversion;stat_phpversion;stat_teampassversion;stat_languages;stat_kb;stat_suggestion;stat_customfields;stat_api;stat_2fa;stat_agses;stat_duo;stat_ldap;stat_syslog;stat_stricthttps;stat_fav;stat_pf;',
'send_stats_time' => '1697642997',
'get_tp_info' => '1',
'send_mail_on_user_login' => '0',
'sending_emails' => '0',
'nb_items_by_query' => 'auto',
'enable_delete_after_consultation' => '0',
'enable_personal_saltkey_cookie' => '0',
'personal_saltkey_cookie_duration' => '31',
'email_smtp_server' => '<removed>',
'email_smtp_auth' => '1',
'email_auth_username' => '<removed>',
'email_auth_pwd' => '<removed>',
'email_port' => '587',
'email_security' => 'tls',
'email_server_url' => '',
'email_from' => '<removed>',
'pwd_maximum_length' => '40',
'google_authentication' => '0',
'delay_item_edition' => '0',
'allow_import' => '1',
'proxy_ip' => '<removed>',
'proxy_port' => '',
'upload_maxfilesize' => '10mb',
'upload_docext' => 'doc,docx,dotx,xls,xlsx,xltx,rtf,csv,txt,pdf,ppt,pptx,pot,dotx,xltx',
'upload_imagesext' => 'jpg,jpeg,gif,png',
'upload_pkgext' => '7z,rar,tar,zip',
'upload_otherext' => 'sql,xml',
'upload_imageresize_options' => '1',
'upload_imageresize_width' => '800',
'upload_imageresize_height' => '600',
'upload_imageresize_quality' => '90',
'use_md5_password_as_salt' => '0',
'ga_website_name' => 'TeamPass for ChangeMe',
'api' => '0',
'subfolder_rights_as_parent' => '0',
'show_only_accessible_folders' => '1',
'enable_suggestion' => '0',
'otv_expiration_period' => '7',
'default_session_expiration_time' => '60',
'duo' => '0',
'enable_server_password_change' => '0',
'ldap_object_class' => '0',
'bck_script_path' => '/var/www/html/backups',
'bck_script_filename' => 'bck_teampass',
'syslog_enable' => '0',
'syslog_host' => '<removed>',
'syslog_port' => '514',
'manager_move_item' => '0',
'create_item_without_password' => '0',
'otv_is_enabled' => '0',
'agses_authentication_enabled' => '0',
'item_extra_fields' => '0',
'saltkey_ante_2127' => 'none',
'migration_to_2127' => 'done',
'files_with_defuse' => 'done',
'timezone' => 'Europe/Paris',
'enable_attachment_encryption' => '1',
'personal_saltkey_security_level' => '50',
'ldap_new_user_is_administrated_by' => '0',
'disable_show_forgot_pwd_link' => '0',
'offline_key_level' => '0',
'enable_http_request_login' => '0',
'ldap_and_local_authentication' => '1',
'secure_display_image' => '1',
'upload_zero_byte_file' => '0',
'upload_all_extensions_file' => '0',
'bck_script_passkey' => '<removed>',
'admin_2fa_required' => '1',
'password_overview_delay' => '4',
'copy_to_clipboard_small_icons' => '1',
'duo_ikey' => '<removed>',
'duo_skey' => '<removed>',
'duo_host' => '<removed>',
'duo_failmode' => 'secure',
'roles_allowed_to_print_select' => '',
'clipboard_life_duration' => '30',
'mfa_for_roles' => '',
'tree_counters' => '0',
'settings_offline_mode' => '0',
'settings_tree_counters' => '0',
'enable_massive_move_delete' => '0',
'email_debug_level' => '0',
'ga_reset_by_user' => '',
'onthefly-backup-key' => '<removed>',
'onthefly-restore-key' => '<removed>',
'ldap_user_dn_attribute' => 'distinguishedname',
'ldap_dn_additional_user_dn' => '',
'ldap_user_object_filter' => '(&(objectCategory=Person)(sAMAccountName=*)(memberOf=CN=Division Approvisionnement,OU=Groupes Utilisateurs D3T,OU=D3T,DC=d3t,DC=lan)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
'ldap_bdn' => 'dc=d3t,dc=lan',
'ldap_hosts' => '<removed>',
'ldap_password' => '<removed>',
'ldap_username' => '[email protected]',
'api_token_duration' => '60',
'last_folder_change' => '',
'enable_tasks_manager' => '1',
'task_maximum_run_time' => '300',
'tasks_manager_refreshing_period' => '20',
'maximum_number_of_items_to_treat' => '100',
'ldap_tls_certifacte_check' => 'LDAP_OPT_X_TLS_NEVER',
'enable_tasks_log' => '0',
'upgrade_timestamp' => '1700234997',
'enable_ad_users_with_ad_groups' => '1',
'enable_ad_user_auto_creation' => '0',
'ldap_group_object_filter' => '(objectClass=group)',
'ldap_guid_attibute' => 'objectguid',
'sending_emails_job_frequency' => '2',
'user_keys_job_frequency' => '1',
'items_statistics_job_frequency' => '5',
'users_personal_folder_task' => '',
'clean_orphan_objects_task' => '',
'purge_temporary_files_task' => '',
'rebuild_config_file' => '',
'reload_cache_table_task' => '',
'maximum_session_expiration_time' => '60',
'items_ops_job_frequency' => '1',

Updated from an older Teampass or fresh install:

Client configuration

Browser: -

Operating system: -

Logs

Web server error log

Constant FILTER_SANITIZE_STRING is deprecated - /var/www/html/vendor/elegantweb/sanitizer/src/Filters/EscapeHTML.php (18)

Teampass 10 last system errors


Log from the web-browser developer console (CTRL + SHIFT + i)


Hubertvivien, Nov 24 '23 15:11

Hi. Perhaps you have a misunderstanding on groups and roles. The shortest answer to this is:

  1. Roles are sets of rights.
  2. Groups are sets of people. Roles have nothing to do with people defined in an LDAP or AD.

useronkel, Nov 26 '23 12:11

Hi @useronkel, thanks for your response. This is a feature added in https://github.com/nilsteampassnet/TeamPass/issues/3578

It seems to have a bug ;)

Hubertvivien, Nov 28 '23 10:11

@Hubertvivien I've tested in latest release and no issue. Please update and confirm.

nilsteampassnet, Dec 06 '23 14:12

Hi @nilsteampassnet, I updated Teampass. Now running 3.1.1.2. Still having the same issue. Here is a screenshot. [Screenshot: Capture d'écran 2023-12-13 135526] First I mapped AD groups with Teampass roles (for example grp1 with role1, grp2 with role2, ... grpx with rolex). Then I returned to the same page and saw all my AD groups mapped with the same role (the last one I mapped). Regards

Hubertvivien, Dec 13 '23 13:12

@Hubertvivien OK, I did a code review of this part of the code. It is indeed possible to happen. So I propose a change; can you test it?

Open file sources/roles.queries.php and find:

            $counter = DB::count();

            if ($counter === 0) {
                // Adding new folder is possible as it doesn't exist
                DB::insert(
                    prefixTable('ldap_groups_roles'),
                    array(
                        'role_id' => $post_role_id,
                        'ldap_group_id' => $post_adgroup_id,
                        'ldap_group_label' => $post_adgroup_label,
                    )
                );
                $new_id = DB::insertId();
            } else {
                if ((int) $post_role_id === -1) {
                    // delete
                    DB::delete(
                        prefixTable('ldap_groups_roles'),
                        'increment_id = %i',
                        $data['increment_id']
                    );
                    $new_id = -1;
                } else {
                    // update
                    DB::update(
                        prefixTable('ldap_groups_roles'),
                        array(
                            'role_id' => $post_role_id,
                        ),
                        'increment_id = %i',
                        $data['increment_id']
                    );
                    $new_id = '';
                }
            }

Replace by:

            if ($data) {
                // exists in Teampass
                // update or delete
                if ((int) $post_role_id === -1) {
                    // delete
                    DB::delete(
                        prefixTable('ldap_groups_roles'),
                        'increment_id = %i',
                        $data['increment_id']
                    );
                    $new_id = -1;
                } else {
                    if (isset($data['increment_id'])) {
                        // update
                        DB::update(
                            prefixTable('ldap_groups_roles'),
                            array(
                                'role_id' => $post_role_id,
                            ),
                            'increment_id = %i',
                            $data['increment_id']
                        );
                        $new_id = '';
                    }
                }
            } else {
                // Adding new folder is possible as it doesn't exist
                DB::insert(
                    prefixTable('ldap_groups_roles'),
                    array(
                        'role_id' => $post_role_id,
                        'ldap_group_id' => $post_adgroup_id,
                        'ldap_group_label' => $post_adgroup_label,
                    )
                );
                $new_id = DB::insertId();
            }

Give a try and come back please.

nilsteampassnet, Dec 14 '23 14:12

@nilsteampassnet Thanks for your help. I have made the changes. Unfortunately, same issue.

Hubertvivien, Dec 14 '23 15:12

@Hubertvivien Hum ... don't understand ... Can you provide the export of table 'ldap_groups_roles'?

nilsteampassnet, Dec 14 '23 15:12

@Hubertvivien Would you mind also doing this. In the same file, find

            if ($data) {

and replace by:

            error_log('SELECT query result: ' . print_r($data, true));
            if ($data) {

Perform the operation in the Roles page. Get the log from your Apache error log file and share it please.

nilsteampassnet, Dec 14 '23 15:12

@nilsteampassnet [Screenshot: table ldap_groups_roles]

I've noticed this:

  • When I map a role with an AD group, only the field 'role_id' is updated in the 'ldap_groups_roles' table. There is always only one record in this table; its field 'role_id' is updated and no record is added.

Hubertvivien, Dec 14 '23 16:12
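As an added illustration of the behaviour Hubertvivien reports above (a single row whose role_id keeps changing), the following PHP script is not TeamPass code: it replays the insert-or-update control flow of the roles.queries.php excerpt quoted earlier in this thread against an in-memory SQLite table. It assumes the pdo_sqlite extension is available; the column names follow the excerpt, while the group ids, labels, the sample GUID strings and the UNIQUE constraint on the "fixed" table are constructed for the example.

```php
<?php
// Added example (not TeamPass code): replay the mapping routine with every AD
// group id equal to 0, then with a real per-group key. Needs ext/pdo_sqlite.
declare(strict_types=1);

/** Create the mapping table; $keyedByGroup adds the UNIQUE constraint an upsert needs. */
function createTable(PDO $db, string $groupIdType, bool $keyedByGroup): void
{
    $unique = $keyedByGroup ? ', UNIQUE (ldap_group_id)' : '';
    $db->exec("CREATE TABLE ldap_groups_roles (
        increment_id INTEGER PRIMARY KEY AUTOINCREMENT,
        role_id INTEGER NOT NULL,
        ldap_group_id {$groupIdType} NOT NULL,
        ldap_group_label TEXT NOT NULL{$unique})");
}

/**
 * Same control flow as the roles.queries.php excerpt: look the group up by
 * ldap_group_id, then insert, update, or (role_id === -1) delete the row found.
 */
function mapGroupToRole(PDO $db, int|string $groupId, string $label, int $roleId): void
{
    $sel = $db->prepare('SELECT increment_id FROM ldap_groups_roles WHERE ldap_group_id = ?');
    $sel->execute([$groupId]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        $db->prepare('INSERT INTO ldap_groups_roles (role_id, ldap_group_id, ldap_group_label) VALUES (?, ?, ?)')
           ->execute([$roleId, $groupId, $label]);
    } elseif ($roleId === -1) {
        $db->prepare('DELETE FROM ldap_groups_roles WHERE increment_id = ?')
           ->execute([$row['increment_id']]);
    } else {
        // Every group that resolves to the same ldap_group_id lands here and
        // overwrites the single existing row.
        $db->prepare('UPDATE ldap_groups_roles SET role_id = ? WHERE increment_id = ?')
           ->execute([$roleId, $row['increment_id']]);
    }
}

/** Return the whole mapping table as rows, oldest first. */
function dumpTable(PDO $db): array
{
    return $db->query('SELECT ldap_group_id, ldap_group_label, role_id FROM ldap_groups_roles ORDER BY increment_id')
              ->fetchAll(PDO::FETCH_ASSOC);
}

// 1. Integer column, and every group arrives with ad_group_id 0 as in the console dump.
$broken = new PDO('sqlite::memory:');
$broken->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createTable($broken, 'INTEGER', false);
mapGroupToRole($broken, 0, 'grp1', 1);
mapGroupToRole($broken, 0, 'grp2', 2);
mapGroupToRole($broken, 0, 'grp3', 3);
echo "integer key, all ids 0:\n";
print_r(dumpTable($broken));

// 2. String column keyed by a per-group GUID (constructed values), plus UNIQUE.
$fixed = new PDO('sqlite::memory:');
$fixed->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createTable($fixed, 'VARCHAR(500)', true);
mapGroupToRole($fixed, '3f2504e0-4f89-11d3-9a0c-0305e82c3301', 'grp1', 1);
mapGroupToRole($fixed, '7d444840-9dc0-11d1-b245-5ffdce74fad2', 'grp2', 2);
mapGroupToRole($fixed, '3f2504e0-4f89-11d3-9a0c-0305e82c3301', 'grp1', 5); // re-map grp1 only
echo "string key per group:\n";
print_r(dumpTable($fixed));

// 3. The UNIQUE constraint turns an accidental second row for a group into a
//    hard error instead of a silent duplicate mapping.
try {
    $fixed->prepare('INSERT INTO ldap_groups_roles (role_id, ldap_group_id, ldap_group_label) VALUES (?, ?, ?)')
          ->execute([9, '3f2504e0-4f89-11d3-9a0c-0305e82c3301', 'grp1-dup']);
} catch (PDOException $e) {
    echo "duplicate rejected by UNIQUE(ldap_group_id): " . $e->getMessage() . "\n";
}
```

Run with `php mapping-replay.php`. The first dump contains one row, labelled grp1, carrying the role of the last call (3): exactly the single record with a moving role_id described above. The second dump contains two rows, grp1 with role 5 and grp2 still with role 2, and the final insert is refused by the constraint.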

@Hubertvivien Thanks. I believe an AD group ID with a 0 value is not good. I think the error comes more from the list of AD roles that is wrong. When refreshing the list of roles from AD, please open a console in the browser. You should see a log like this one. [image] Can you please get the data and share it with us?

nilsteampassnet, Dec 14 '23 16:12

@nilsteampassnet Error log file is empty...

Here is the console log (I have deleted many lines because it was unreadable):

{error: false, teampass_groups: Array(33), ldap_groups: Array(180)}
  error: false
  ldap_groups: Array(180)
    [0 … 99]
      0: {ad_group_id: 0, ad_group_title: 'Opérateurs de configuration réseau', role_id: 8, id: 1, role_title: 'Division BI'}
      1: {ad_group_id: 0, ad_group_title: 'Utilisateurs du journal de performances', role_id: 8, id: 1, role_title: 'Division BI'}
      2: {ad_group_id: 0, ad_group_title: 'Opérateurs de chiffrement', role_id: 8, id: 1, role_title: 'Division BI'}
      . . . lines 3 to 98 deleted for better reading . . .
      99: {ad_group_id: 0, ad_group_title: 'Partage_BI', role_id: 8, id: 1, role_title: 'Division BI'}
    [100 … 179]
      100: {ad_group_id: 0, ad_group_title: 'Division Arrivage', role_id: 8, id: 1, role_title: 'Division BI'}
      . . . lines 101 to 179 deleted for better reading . . .
      : {ad_group_id: 0, ad_group_title: 'Business_Pilote', role_id: 8, id: 1, role_title: 'Division BI'}
    length: 180
  teampass_groups: Array(33)
    0: {id: '1', title: 'Default'}
    1: {id: '2', title: 'AdminSys'}
    2: {id: '3', title: 'Service IT'}
    . . . lines 4 to 32 deleted for better reading . . .
    : {id: '33', title: 'Vivetic'}
    length: 33

Hubertvivien, Dec 14 '23 16:12

OK thanks. As I expected, all groups from AD have 0 as ID, which is not what we should have. I will have to investigate the query sent to the AD to get those groups.

nilsteampassnet, Dec 14 '23 17:12

What is the value of this setting? [image]

nilsteampassnet, Dec 14 '23 17:12

@nilsteampassnet GUID

Hubertvivien, Dec 14 '23 19:12

@Hubertvivien Can you try in lowercase? Have you checked this attribute directly in the AD?

nilsteampassnet, Dec 14 '23 19:12

@nilsteampassnet Hi, to be certain I have used 'objectGUID' instead of 'GUID'. Same issue... Here is the table 'ldap_groups_roles': [screenshot]

regards

Hubertvivien, Dec 15 '23 08:12

@Hubertvivien Please try in lowercase letters.

nilsteampassnet, Dec 15 '23 13:12

@nilsteampassnet I am really so sorry... same issue in lowercase.

Hubertvivien, Dec 15 '23 13:12

I have the same error. I performed the previous steps, and the same error reproduced itself.

asferreir, Dec 15 '23 13:12

@Hubertvivien OK that means that your AD server uses another attribute name. You need to check inside the AD what is the attribute for the ID of a group.

nilsteampassnet, Dec 15 '23 14:12

@Hubertvivien Did you try all the possibilities that I'm providing in the help text?

LDAP attribute to use to identify the GUID of an object. For example: objectGUID, objectSid, GUID, gidNumber, ...

Try each of them both as written and also full lowercase.

nilsteampassnet, Dec 15 '23 14:12

@nilsteampassnet Tested objectGUID, objectguid, objectSid, objectsid, GUID, guid, gidNumber, gidnumber. Same issue... :(

Hubertvivien, Dec 15 '23 16:12

@Hubertvivien Have you looked in your AD? Here you need to adapt the correct attribute.

nilsteampassnet, Dec 15 '23 16:12

@nilsteampassnet By the way, objectGUID and objectSid could be the attributes used.

Hubertvivien, Dec 15 '23 16:12

@Hubertvivien Very interesting. What I see is the GUID is not an INT. That's perhaps the issue. I need to fix using another type.

nilsteampassnet, Dec 15 '23 16:12

@Hubertvivien Can you do the following:

1- In the database, run the query:

ALTER TABLE `teampass_ldap_groups_roles` CHANGE `ldap_group_id` `ldap_group_id` VARCHAR(500) NOT NULL;

2- In file sources/roles.queries.php, find all occurrences of WHERE ldap_group_id = %i and replace them by WHERE ldap_group_id = %s

3- In the same file, find $post_adgroup_id = filter_var($dataReceived['adGroupId'], FILTER_SANITIZE_NUMBER_INT); and replace it by $post_adgroup_id = filter_var($dataReceived['adGroupId'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);

4- In file pages/roles.js.php, find var groupId = parseInt($(this).data('id')), and replace it by var groupId = $(this).data('id'),

Retry.

nilsteampassnet, Dec 15 '23 17:12

@nilsteampassnet Done all 4 modifications. Now AD groups mapped with nothing new.

Hubertvivien, Dec 15 '23 17:12

@Hubertvivien I'm a little blind here. In file sources/roles.queries.php, find

            $retGroups = $connection->query()->where($searchCriteria)->get();

replace by:

            $retGroups = $connection->query()->where($searchCriteria)->get();
            error_log("Contenu de l'array : " . print_r($retGroups, true));

Perform the groups refresh. Get your Apache log and share the content of the array. Thanks.

nilsteampassnet, Dec 15 '23 20:12

@nilsteampassnet I am running the 3.1.1.7 release. In file sources/roles.queries.php, I added error_log("Contenu de l'array : " . print_r($retGroups, true)); but it seems the process does not pass through this portion of code (no "Contenu de l'array" line in the log). I also added echo "test"; print_r($retGroups, true); die(); // yes it is violent but... still nothing. Otherwise, I have this in the log:

 [18-Dec-2023 10:51:00] WARNING: [pool www] child 51 said into stderr: "NOTICE: PHP message: PHP Warning:  Trying to access array offset on value of type null in /var/www/html/sources/roles.queries.php on line 791"
 [18-Dec-2023 10:51:00] WARNING: [pool www] child 51 said into stderr: "NOTICE: PHP message: PHP Stack trace:"
 [18-Dec-2023 10:51:00] WARNING: [pool www] child 51 said into stderr: "NOTICE: PHP message: PHP   1. {main}() /var/www/html/sources/roles.queries.php:0"
 [18-Dec-2023 10:51:00] WARNING: [pool www] child 51 said into stderr: "NOTICE: PHP message: PHP Warning:  Undefined array key "objectGUID" in /var/www/html/sources/roles.queries.php on line 778"
 [18-Dec-2023 10:51:00] WARNING: [pool www] child 51 said into stderr: "NOTICE: PHP message: PHP Stack trace:"
 [18-Dec-2023 10:51:00] WARNING: [pool www] child 51 said into stderr: "NOTICE: PHP message: PHP   1. {main}() /var/www/html/sources/roles.queries.php:0"
 [18-Dec-2023 10:51:00] WARNING: [pool www] child 51 said into stderr: "NOTICE: PHP message: PHP Warning:  Trying to access array offset on value of type null in /var/www/html/sources/roles.queries.php on line 778"
 [18-Dec-2023 10:51:00] WARNING: [pool www] child 51 said into stderr: "NOTICE: PHP message: PHP Stack trace:"
 [18-Dec-2023 10:51:00] WARNING: [pool www] child 51 said into stderr: "NOTICE: PHP message: PHP   1. {main}() /var/www/html/sources/roles.queries.php:0"
 [18-Dec-2023 10:51:00] WARNING: [pool www] child 51 said into stderr: "NOTICE: PHP message: PHP Warning:  Undefined array key "objectGUID" in /var/www/html/sources/roles.queries.php on line 791"
 [18-Dec-2023 10:51:00] WARNING: [pool www] child 51 said into stderr: "NOTICE: PHP message: PHP Stack trace:"
 [18-Dec-2023 10:51:00] WARNING: [pool www] child 51 said into stderr: "NOTICE: PHP message: PHP   1. {main}() /var/www/html/sources/roles.queries.php:0"
 [18-Dec-2023 10:51:00] WARNING: [pool www] child 51 said into stderr: "NOTICE: PHP message: PHP Warning:  Trying to access array offset on value of type null in /var/www/html/sources/roles.queries.php on line 791"
 [18-Dec-2023 10:51:00] WARNING: [pool www] child 51 said into stderr: "NOTICE: PHP message: PHP Stack trace:"
 [18-Dec-2023 10:51:00] WARNING: [pool www] child 51 said into stderr: "NOTICE: PHP message: PHP   1. {main}() /var/www/html/sources/roles.queries.php:0"
 192.168.22.91 - - [18/Dec/2023:10:51:00 +0000] "POST /sources/roles.queries.php HTTP/1.1" 200 35501 "http://teampass.xxxxxxxxxxx.com/index.php?page=roles" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
 2023-12-18 10:51:01,678 INFO reaped unknown pid 1276 (exit status 0)
 2023-12-18 10:51:01,678 INFO reaped unknown pid 1278 (exit status 0)
 2023-12-18 10:51:01,679 INFO reaped unknown pid 1280 (exit status 0)

Hubertvivien, Dec 18 '23 10:12

And line 791 is the line 'ad_group_id' => (int) $group[(isset($SETTINGS['ldap_guid_attibute']) === true && empty($SETTINGS['ldap_guid_attibute']) === false ? $SETTINGS['ldap_guid_attibute'] : 'gidnumber')][0], in this portion of code:

                array_push(
                    $retAD,
                    [
                        'ad_group_id' => (int) $group[(isset($SETTINGS['ldap_guid_attibute']) === true && empty($SETTINGS['ldap_guid_attibute']) === false ? $SETTINGS['ldap_guid_attibute'] : 'gidnumber')][0],
                        'ad_group_title' => $group['cn'][0],
                        'role_id' => $counter > 0 ? (int) $role_detail['role_id'] : -1,
                        'id' => $counter > 0 ? (int) $role_detail['increment_id'] : -1,
                        'role_title' => $counter > 0 ? $role_detail['title'] : '',
                    ]
                );

Hubertvivien, Dec 18 '23 10:12
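The four-step change proposed earlier in the thread (VARCHAR column, %s placeholder, FILTER_SANITIZE_FULL_SPECIAL_CHARS instead of FILTER_SANITIZE_NUMBER_INT, no parseInt) and the line-791 cast quoted just above turn on the same fact: an AD objectGUID is a 16-byte binary value, not an integer. The PHP script below is an added example and not TeamPass code. It shows what the (int) cast and the integer filter do to such a value and how to derive a stable string key from it instead. The shape of the LDAP result entry, the assumption that result keys are lowercase (consistent with the "Undefined array key "objectGUID"" warning in the log above), the helper names and the sample GUID bytes are all constructed for the example.

```php
<?php
// Added example (not TeamPass code): why every AD group ends up with
// ad_group_id 0, and how to turn a binary objectGUID into a string key.
declare(strict_types=1);

/**
 * Convert the 16 raw bytes of an objectGUID attribute into the canonical
 * "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" form. Windows stores the first three
 * fields little-endian and the last two as-is, so the byte order must be
 * swapped for fields 1 to 3 only.
 */
function ldapGuidToString(string $binaryGuid): string
{
    if (strlen($binaryGuid) !== 16) {
        throw new InvalidArgumentException('objectGUID must be exactly 16 bytes');
    }
    $hex   = bin2hex($binaryGuid);
    $swap  = static fn (string $h): string => implode('', array_reverse(str_split($h, 2)));
    $data1 = $swap(substr($hex, 0, 8));   // bytes 0-3
    $data2 = $swap(substr($hex, 8, 4));   // bytes 4-5
    $data3 = $swap(substr($hex, 12, 4));  // bytes 6-7
    $data4 = substr($hex, 16, 4);         // bytes 8-9, big-endian already
    $data5 = substr($hex, 20, 12);        // bytes 10-15, big-endian already
    return sprintf('%s-%s-%s-%s-%s', $data1, $data2, $data3, $data4, $data5);
}

/**
 * Pick the configured attribute out of one LDAP result entry the way the
 * line-791 expression does, but with the key lowercased first (assumption:
 * the library returns lowercase attribute names, as the warning suggests).
 */
function groupIdFromEntry(array $entry, string $attribute): mixed
{
    return $entry[strtolower($attribute)][0] ?? null;
}

// Constructed sample entry shaped like one element of $retGroups (assumption).
$sampleEntry = [
    'cn'         => ['Division BI'],
    'objectguid' => [hex2bin('e004253f894fd3119a0c0305e82c3301')],
];

// Case matters: with the mixed-case setting the key is simply not present,
// the result is null, and (int) null is 0 by PHP's casting rules.
$missing = $sampleEntry['objectGUID'][0] ?? null;

// With the lowercase setting the value is found, but it is a binary blob whose
// first byte is not a digit, so (int) still yields 0.
$raw   = groupIdFromEntry($sampleEntry, 'objectGUID');
$asInt = (int) $raw;

// A string key derived from the same bytes is stable across syncs.
$asGuid = ldapGuidToString($raw);

// FILTER_SANITIZE_NUMBER_INT keeps only digits and signs, so it would mangle
// the GUID on its way to the database; FILTER_SANITIZE_FULL_SPECIAL_CHARS
// leaves it intact, which is why step 3 of the fix swaps the filter.
$mangled = filter_var($asGuid, FILTER_SANITIZE_NUMBER_INT);
$kept    = filter_var($asGuid, FILTER_SANITIZE_FULL_SPECIAL_CHARS);

printf("mixed-case key present : %s\n", $missing === null ? 'no' : 'yes');
printf("raw value length       : %d bytes\n", strlen($raw));
printf("(int) cast of raw value: %d\n", $asInt);
printf("GUID string            : %s\n", $asGuid);
printf("after NUMBER_INT       : %s\n", $mangled);
printf("after FULL_SPECIAL_CHARS: %s\n", $kept);
```

Run with `php guid-key.php`. Whatever attribute name is configured, the integer cast produces 0 for every group, which is what the console dump above shows for all 180 entries; only a string key such as the converted GUID (or the objectSid string, also mentioned above) distinguishes one group from another, and the column, placeholder and filter have to accept a string for it to survive the round trip.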