
Basic LDAP support for domain authentication

Open Armored-Dragon opened this issue 1 year ago • 10 comments

This is an implementation for using LDAP services as an alternative authentication method to WordPress for domain servers.

Closes #905 as complete. Closes #906 as complete.

General TODO:

  • [x] Fix LoginDialog.qml style issues.
  • [x] LDAP server groups as roles.
  • [x] LDAPAccount.cpp (better) error handling.
  • [x] LDAPAccount.cpp expose setting server url.
  • [x] Fix: LDAP accounts with capital letters cannot sign in.
  • [x] Documentation.
  • [ ] Include LDAP library.

Out of scope TODO. (A follow-up pull request will be opened to address these issues)

  • Fix LoginDialog.qml not being updated on failed LDAP signin attempt
  • Find a better way to store sensitive account information
  • Automatically use the correct authentication protocol (LDAP vs WordPress(OAuth2)) without client interaction.
  • https://github.com/overte-org/overte/issues/208 (This might be addressable directly, otherwise it may be possible to sneak a fix in)
  • "No valid access token present" error.
  • https://github.com/overte-org/overte/pull/1060

Armored-Dragon avatar Oct 10 '24 23:10 Armored-Dragon

Documenting this here so I don't forget. Strange issue: I logged into the directory server and then attempted to connect to my localhost LDAP domain server. This caused some strange signature validation error which would be caught on line 788. I rebuilt a few times after some changes and a revert to the point when the issue started somehow fixed the signature validation? I suspect there may be issues I have not considered from converting the domainUsername value to be case sensitive. Case sensitivity was initially pushed on commit 9d9c34a and fully implemented on commit 4ad0d73. I will need to look into this later to make sure I didn't break anything.

Armored-Dragon avatar Oct 18 '24 09:10 Armored-Dragon
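The opening post lists "LDAP server groups as roles" and the capital-letter sign-in fix, and the comment above traces a signature problem back to making domainUsername case sensitive. The block below is an added example, not code from this PR or from LDAPAccount.cpp, showing the two checks a practitioner would want around the login name before it reaches the directory: RFC 4515 escaping of the value inside a search filter, and RFC 4514 escaping of the value inside a bind DN. The attribute names (uid, member, objectClass values), the base DN, and the assumption that the implementation looks the account up with a filter before binding are all assumptions made for the example; it builds stand-alone with no libldap dependency.

```cpp
// Added example (not Overte project code): escape the login name before it is
// spliced into an LDAP search filter (RFC 4515) or a bind DN (RFC 4514).
// Attribute names, object classes and the base DN are assumptions.
#include <cstdio>
#include <string>

// RFC 4515 section 3: any byte that could change the filter's structure
// becomes \XX, so a crafted name cannot widen or short-circuit the match.
std::string ldapFilterEscape(const std::string& value) {
    std::string out;
    out.reserve(value.size());
    for (unsigned char c : value) {
        switch (c) {
            case '*':  out += "\\2a"; break;
            case '(':  out += "\\28"; break;
            case ')':  out += "\\29"; break;
            case '\\': out += "\\5c"; break;
            case '\0': out += "\\00"; break;
            default:   out += static_cast<char>(c); break;
        }
    }
    return out;
}

// RFC 4514 section 2.4: backslash-escape '"', '+', ',', ';', '<', '>', '\',
// a leading space or '#', a trailing space, and encode NUL as \00.
std::string ldapDnEscape(const std::string& value) {
    std::string out;
    for (size_t i = 0; i < value.size(); ++i) {
        char c = value[i];
        if (c == '\0') { out += "\\00"; continue; }
        bool special = c == '"' || c == '+' || c == ',' || c == ';' ||
                       c == '<' || c == '>' || c == '\\';
        bool edgeSpace = (i == 0 && (c == ' ' || c == '#')) ||
                         (i + 1 == value.size() && c == ' ');
        if (special || edgeSpace) { out += '\\'; }
        out += c;
    }
    return out;
}

// Look the account up by login name. The standard uid attribute uses the
// caseIgnoreMatch rule (RFC 4519), so "Alice" and "alice" resolve to the same
// entry on the server side; any client-side comparison of the name must agree
// with that or logins with capitals fail while the directory finds the user.
std::string buildUserFilter(const std::string& username) {
    return "(&(objectClass=inetOrgPerson)(uid=" + ldapFilterEscape(username) + "))";
}

// "Groups as roles": which groups list this entry's DN as a member. The DN
// comes back from the directory, but it is escaped all the same.
std::string buildGroupFilter(const std::string& userDn) {
    return "(&(objectClass=groupOfNames)(member=" + ldapFilterEscape(userDn) + "))";
}

// Bind DN built from the login name, for directories that require an
// authenticated bind before any search (assumed layout: uid under baseDn).
std::string buildBindDn(const std::string& username, const std::string& baseDn) {
    return "uid=" + ldapDnEscape(username) + "," + baseDn;
}

int main() {
    // Constructed inputs: a plain name, a mixed-case name, an injection attempt.
    const char* names[] = { "alice", "Alice", "*)(uid=*" };
    for (const char* n : names) {
        std::printf("%-10s -> %s\n", n, buildUserFilter(n).c_str());
    }
    std::printf("groups     -> %s\n",
                buildGroupFilter("uid=alice,ou=people,dc=example,dc=org").c_str());
    std::printf("bind DN    -> %s\n",
                buildBindDn("o'neil, pat", "ou=people,dc=example,dc=org").c_str());
    return 0;
}
```

The injection input above becomes `(uid=\2a\29\28uid=\2a)`, which matches nothing rather than every entry, and the comma in the bind DN example is escaped so it cannot terminate the RDN. Whatever case policy the PR settles on for domainUsername, the comparison should be made against the value the directory returns for the matched entry rather than against the raw string the user typed.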

Help wanted as I have absolutely no idea how to get things to build with CMake.

Armored-Dragon avatar Oct 25 '24 12:10 Armored-Dragon

About OpenLDAP on Windows: While not open-source, the Windows version does have a fully free license, so we could use it. It's a bit annoying that it isn't open-source, but personally I would be fine with having this.

JulianGro avatar Nov 02 '24 20:11 JulianGro

> About OpenLDAP on Windows: While not open-source, the Windows version does have a fully free license, so we could use it. It's a bit annoying that it isn't open-source, but personally I would be fine with having this.

I would greatly prefer we try and stick to open source only, but if there is not an alternative I won't stand in the way of it. In the future we can probably try and work something out to replace it with an open-source version.

Armored-Dragon avatar Nov 02 '24 22:11 Armored-Dragon

@ksuprynowicz I'm requesting a review from you since you have experience with LDAP systems. Let me know if I've done something silly!

Armored-Dragon avatar Nov 02 '24 22:11 Armored-Dragon

I wonder how hard it would be to compile this on Windows anyway. My understanding is that we only use the client library, while OpenLDAP is a suite also containing servers and utilities. It looks like we are building pretty much all of that. make also seems available on Windows through VCPKG. It looks like the server can be disabled using --disable-slapd. https://bin.linux.pizza/?0798efe40ebcb0d3#3UBwrzp2HhwD9WQRgB2f6NSUChUxU4GyeS4orkm8FDm5

JulianGro avatar Nov 03 '24 13:11 JulianGro

@JulianGro There's an example of how to build it on Windows here: https://github.com/python-ldap/python-ldap It involves a pretty big patch file, but seems possible: https://github.com/cgohlke/python-ldap-build/blob/main/openldap.diff

ksuprynowicz avatar Nov 03 '24 14:11 ksuprynowicz

I was testing this PR this evening, and I cannot start the domain server. I get an OpenSSL-related crash:

getrn 0x000055555589dd7b
OPENSSL_LH_retrieve 0x000055555589d80d
<unknown> 0x00007fffe8547a6c
<unknown> 0x00007fffe85472d6
<unknown> 0x00007fffe84569cc
<unknown> 0x00007fffe8456a3c
__pthread_once_slow 0x00007ffff58a1087
___pthread_once 0x00007ffff58a10f9
CRYPTO_THREAD_run_once 0x00005555558b2ad3
<unknown> 0x00007fffe8456cef
<unknown> 0x00007fffe84571bd
<unknown> 0x00007fffe8459a48
CRYPTO_get_ex_new_index 0x00007fffe8459c51
<unknown> 0x00007ffff7f1a148
<unknown> 0x00007ffff7f1e2a5
<unknown> 0x00007ffff7efc0a2
QSslConfiguration::defaultConfiguration() 0x00007ffff7ef271f
QNetworkRequest::sslConfiguration() const 0x00007ffff7e3b637
<unknown> 0x00007ffff7e9c74d
QNetworkAccessManager::createRequest(QNetworkAccessManager::Operation, QNetworkRequest const&, QIODevice*) 0x00007ffff7e2bbda
QNetworkAccessManager::put(QNetworkRequest const&, QIODevice*) 0x00007ffff7e2888a
QNetworkAccessManager::put(QNetworkRequest const&, QByteArray const&) 0x00007ffff7e288f5
AccountManager::sendRequest AccountManager.cpp:325
DomainServer::sendHeartbeatToMetaverse DomainServer.cpp:1643
DomainServer::sendHeartbeatToMetaverse DomainServer.h:112
DomainServer::DomainServer DomainServer.cpp:323
main main.cpp:49
__libc_start_call_main 0x00007ffff5833d68
__libc_start_main_impl 0x00007ffff5833e25
_start 0x000055555568b811

ksuprynowicz avatar Feb 25 '25 22:02 ksuprynowicz

Can you rebase this PR on current master to see if that helps?

ksuprynowicz avatar Feb 25 '25 22:02 ksuprynowicz

Tested on Windows and it failed with message:

['C:\Users\olive/overte-files/vcpkg\1bcc44a8\vcpkg.exe', '--vcpkg-root', 'C:\Users\olive/overte-files/vcpkg\1bcc44a8', 'install', '--triplet', 'x64-windows', 'hifi-client-deps']
Computing installation plan...
openldap is only supported on '!windows, (mingw & !x86)', which does not match x64-windows. This usually means that there are known build failures, or runtime problems, when building other platforms. To ignore this and attempt to build openldap anyway, rerun vcpkg with --allow-unsupported.
Traceback (most recent call last):
  File "D:\Code\armored\overte\prebuild.py", line 218, in <module>
    main()
    ~~~~^^
  File "D:\Code\armored\overte\prebuild.py", line 184, in main
    pm.setupDependencies(qt=qtInstallPath)
    ~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "D:\Code\armored\overte\hifi_vcpkg.py", line 271, in setupDependencies
    self.run(['install', '--triplet', self.getTripletWithBuildType(self.triplet), 'hifi-client-deps'])
    ~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\Code\armored\overte\hifi_vcpkg.py", line 229, in run
    hifi_utils.executeSubprocess(actualCommands, folder=self.path, env=self.buildEnv)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\Code\armored\overte\hifi_utils.py", line 74, in executeSubprocess
    raise RuntimeError('Call to "{}" failed.\n\narguments:\n{}\n'.format(
    ...<2 lines>...
    ))
RuntimeError: Call to "C:\Users\olive/overte-files/vcpkg\1bcc44a8\vcpkg.exe" failed.

arguments:
--vcpkg-root C:\Users\olive/overte-files/vcpkg\1bcc44a8 install --triplet x64-windows hifi-client-deps

CMake Error at CMakeLists.txt:214 (message):
  prebuild.py failed with error 1

-- Configuring incomplete, errors occurred!

This is when trying to get cmake to gather packages.

OfficialR3ido101 avatar Apr 05 '25 12:04 OfficialR3ido101