LDAP - DOCKER
Hi,
When I configure authentication via LDAP, and independently test the connection with ldapsearch etc, it works. On the other hand, via Docker, I cannot identify myself and this does not generate any visible error in the Docker console.
Do you have an idea?
SEMAPHORE_LDAP_ACTIVATED: 'yes' # if you wish to use ldap, set to: 'yes'
SEMAPHORE_LDAP_HOST: dc.example.com
SEMAPHORE_LDAP_PORT: '389'
#SEMAPHORE_LDAP_PORT: '636'
SEMAPHORE_LDAP_NEEDTLS: 'no'
SEMAPHORE_LDAP_DN_BIND: 'CN=Administrator,OU=EXEAMPLE,OU=EXEAMPLE,OU=EXEAMPLE,DC=EXEAMPLE,DC=COM'
SEMAPHORE_LDAP_PASSWORD: 'ITSTHESECRETPWD'
SEMAPHORE_LDAP_DN_SEARCH: 'dc=EXEAMPLE,dc=COM'
SEMAPHORE_LDAP_SEARCH_FILTER: "(\u0026(uid=%s)(memberOf=CN=G_SEC_EXEAMPLE,OU=EXEAMPLE,OU=EXEAMPLE,OU=EXEAMPLE,OU=EXEAMPLE,DC=EXEAMPLE,DC=COM))"
In the AD, my
CN: NAME EXAMPLE (a space exists)
PWD with one special char
Thanks everyone ;)
I too cannot Auth via LDAP
I have tried a number of configurations with no joy. I would be grateful for any help as I am at a loss.
I used the ldapwhoami tool to check the binddn is good.
/home/semaphore # ldapwhoami -H ldaps://vadmz01.ipa.wandisco.com:636 -D "uid=ldap.binder,cn=users,cn=accounts,dc=ipa,dc=wandisco,dc=com" -x -W
Enter LDAP Password:
dn: uid=ldap.binder,cn=users,cn=accounts,dc=ipa,dc=wandisco,dc=com
CONFIG:
"ldap_enable": true,
"ldap_binddn": "uid=ldap.binder,cn=users,cn=accounts,dc=ipa,dc=wandisco,dc=com",
"ldap_bindpassword": "*******",
"ldap_server": "ldaps://vadmz01.ipa.wandisco.com:636",
"ldap_searchdn": "dc=ipa,dc=wandisco,dc=com",
"ldap_searchfilter": "(\u0026(uid=%s)(memberOf=cn=users,cn=groups,cn=accounts,dc=ipa,dc=wandisco,dc=com))",
"ldap_mappings": {
    "dn": "dn",
    "mail": "mail",
    "uid": "uid",
    "cn": "cn"
},
"ldap_needtls": false,
REQUEST:
curl 'http://localhost:3000/api/auth/login' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: application/json' \
  -H 'Cookie: gdpr_cookie_consent=eyJpdiI6InI3N01wdGtJTUNERjQxdTZGcGlma0E9PSIsInZhbHVlIjoid3lDNk9kRFlsTWhiZ2NBTk9SNkx3WEVkeFd6UzRoc3BEN0NWMUdTc2xTc1Q4czgzV0RrY0tUYnJHaFBIODJJTTM1blFkSk5raHdNdEFuTGNFZmN0ZFZMY0RxdkUxb3BsVml6WjJsVTlUVFNGQVIrajNZbDRRUE1LdWFwM3BjTW10bVBYXC9XMzJyZkZNVWRVNGR4ZDl6YXk3Z1paMWJXaUo0NUYrYWVBODJQWTJSWXZlQzRlK3kyRkIrN1hkV1FYWiIsIm1hYyI6ImUwMDJhNmI4NDBjZDE3Y2UxYzdhNGE1MTAzMzhiNmIzZWJhMzc2NmY4ZGNjNmM0ZTMzNGQ4NDkyYzczMTBkMWQifQ%3D%3D; _gd_visitor=4fcf4734-30a8-4b50-85bf-4206278e7ba3; _ga=GA1.1.144311392.1677580593; _mkto_trk=id:468-VEI-944&token:_mch-localhost-1677580593882-47862; _ga_M1X90MFVM4=GS1.1.1677596234.5.1.1677596235.0.0.0' \
  -H 'Origin: http://localhost:3000/' \
  -H 'Pragma: no-cache' \
  -H 'Referer: http://localhost:3000/auth/login' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Site: same-origin' \
  --data-raw '{"auth":"mark.coley","password":"Mrc09031974wandisco#"}' -v
* Trying 127.0.0.1:3000...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 3000 (#0)
> POST /api/auth/login HTTP/1.1
> Host: localhost:3000
> User-Agent: curl/7.68.0
> Accept: application/json, text/plain, */*
> Accept-Language: en-US,en;q=0.9
> Cache-Control: no-cache
> Connection: keep-alive
> Content-Type: application/json
> Cookie: gdpr_cookie_consent=eyJpdiI6InI3N01wdGtJTUNERjQxdTZGcGlma0E9PSIsInZhbHVlIjoid3lDNk9kRFlsTWhiZ2NBTk9SNkx3WEVkeFd6UzRoc3BEN0NWMUdTc2xTc1Q4czgzV0RrY0tUYnJHaFBIODJJTTM1blFkSk5raHdNdEFuTGNFZmN0ZFZMY0RxdkUxb3BsVml6WjJsVTlUVFNGQVIrajNZbDRRUE1LdWFwM3BjTW10bVBYXC9XMzJyZkZNVWRVNGR4ZDl6YXk3Z1paMWJXaUo0NUYrYWVBODJQWTJSWXZlQzRlK3kyRkIrN1hkV1FYWiIsIm1hYyI6ImUwMDJhNmI4NDBjZDE3Y2UxYzdhNGE1MTAzMzhiNmIzZWJhMzc2NmY4ZGNjNmM0ZTMzNGQ4NDkyYzczMTBkMWQifQ%3D%3D; _gd_visitor=4fcf4734-30a8-4b50-85bf-4206278e7ba3; _ga=GA1.1.144311392.1677580593; _mkto_trk=id:468-VEI-944&token:_mch-localhost-1677580593882-47862; _ga_M1X90MFVM4=GS1.1.1677596234.5.1.1677596235.0.0.0
> Origin: http://localhost:3000/
> Pragma: no-cache
> Referer: http://localhost:3000/auth/login
> Sec-Fetch-Dest: empty
> Sec-Fetch-Mode: cors
> Sec-Fetch-Site: same-origin
> Content-Length: 55
>
* upload completely sent off: 55 out of 55 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 500 Internal Server Error
< Content-Type: application/json
< Date: Thu, 04 Jan 2024 11:31:07 GMT
< Content-Length: 0
<
* Connection #0 to host localhost left intact
LOG: 2024-01-04 11:57:03 time="2024-01-04T11:57:03Z" level=warning msg="LDAP Result Code 200 "Network Error": dial tcp: address ldaps://vadmz01.ipa.wandisco.com:636: too many colons in address"
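As an added illustration (not part of the thread or of Semaphore's code), a small Go checker for the ldap_* keys of a config.json. It reproduces the "too many colons in address" warning above, because Go's net.SplitHostPort rejects a scheme-prefixed ldap_server such as ldaps://host:636, and it also flags a port-636/ldap_needtls mismatch and a malformed search filter. The struct field set and the checks are this example's own assumptions, not Semaphore's loader.

```go
package main

import (
	"encoding/json"
	"net"
	"strings"
)

// LDAPConfig holds the ldap_* keys of Semaphore's config.json that this thread discusses.
type LDAPConfig struct {
	Enable       bool   `json:"ldap_enable"`
	NeedTLS      bool   `json:"ldap_needtls"`
	Server       string `json:"ldap_server"`
	SearchFilter string `json:"ldap_searchfilter"`
}

// Validate lists settings that make the bind or search fail before any credential is checked.
func Validate(c LDAPConfig) []string {
	var problems []string
	if !c.Enable {
		return problems
	}
	// ldap_server is a bare host:port. A URL scheme leaves a second colon in the
	// host part and net.SplitHostPort reports exactly the error in the log above.
	_, port, err := net.SplitHostPort(c.Server)
	if err != nil {
		problems = append(problems, "ldap_server: "+err.Error())
	} else if port == "636" && !c.NeedTLS {
		problems = append(problems, "ldap_server uses LDAPS port 636 but ldap_needtls is false")
	}
	// A usable filter is a parenthesised RFC 4515 expression with one %s placeholder.
	f := c.SearchFilter
	if !strings.HasPrefix(f, "(") || strings.Count(f, "(") != strings.Count(f, ")") {
		problems = append(problems, "ldap_searchfilter: missing or unbalanced parentheses")
	}
	if strings.Count(f, "%s") != 1 {
		problems = append(problems, "ldap_searchfilter: expected exactly one %s placeholder")
	}
	return problems
}

// ValidateJSON decodes a config.json fragment (a JSON parser turns the docs' \u0026 escape
// back into a plain &) and validates it.
func ValidateJSON(raw string) ([]string, error) {
	var c LDAPConfig
	if err := json.Unmarshal([]byte(raw), &c); err != nil {
		return nil, err
	}
	return Validate(c), nil
}
```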
It looks like not every parameter from config.json is translated to a variable in the Docker version. In order to set up everything, I had to import a config.json into my semaphore container.
Here is the relevant part of my docker-compose:
semaphore:
  build:
    dockerfile: Dockerfile_semaphore
  restart: unless-stopped
  ports:
    - 4000:3000
  environment:
    SEMAPHORE_DB_USER: 'semaphore'
    SEMAPHORE_DB_PASS: '<secret>'
    SEMAPHORE_DB_HOST: 'mysql'
    SEMAPHORE_DB_PORT: 3306
    SEMAPHORE_DB_DIALECT: 'mysql'
    SEMAPHORE_DB: 'semaphore'
    SEMAPHORE_PLAYBOOK_PATH: '/tmp/semaphore/'
    SEMAPHORE_ADMIN_PASSWORD: '<secret>'
    SEMAPHORE_ADMIN_NAME: 'Administrateur'
    SEMAPHORE_ADMIN_EMAIL: '[email protected]'
    SEMAPHORE_ADMIN: 'admin'
    SEMAPHORE_ACCESS_KEY_ENCRYPTION: '<secret>'
  depends_on:
    - mysql
  volumes:
    - type: bind
      source: ./semaphore/config.json
      target: /etc/semaphore/config.json
      read_only: true
Then here are the additional LDAP settings, in config.json:
{
  "ldap_enable": true,
  "ldap_needtls": false,
  "ldap_binddn": "cn=ansible,ou=AccountService,ou=Parc,dc=test-ansible,dc=lan",
  "ldap_bindpassword": "<secret>",
  "ldap_server": "test-win-ad.test-ansible.lan:389",
  "ldap_searchdn": "ou=Utilisateurs,ou=Parc,dc=test-ansible,dc=lan",
  "ldap_searchfilter": "(&(cn=%s)(memberOf=cn=SemaphoreUsers,ou=Groupes,ou=Parc,dc=test-ansible,dc=lan))",
  "ldap_mappings": {
    "dn": "",
    "mail": "mail",
    "uid": "sAMAccountName",
    "cn": "cn"
  }
}
After that I was able to log in to the Semaphore UI with any domain user (I'm using Active Directory), using first_name last_name. For example:
john doe
docker logs helped me a bit to find out what was the problem.
I hope this helps.
If I remember correctly, a big part of the problem came from this \u0026 in the LDAP search filter, which appears to be the result of an encoding error on the Semaphore docs website.
Hi, it seems my config.json has all of the parameters from the UI.
I have noticed a related LDAP/Docker issue for Semaphore. Please let me know if this would be better as another issue.
Whenever you spin up a new container from scratch with docker compose, if you have just the local user name configured in your docker file, then it will create the user and an 'internal' config file on start. However, if you try to use the LDAP settings in the docker compose file, it requires you to have a config file mounted and it will also not create the local admin account listed in your docker compose file.
It also defaults the ldap users to non-admins, so creating a new docker container with ldap results in no admin access to semaphore via the webUI. Am I missing anything there?
Yes, I made some modifications to the docker-compose.yml I posted here a few months ago. I removed the parts related to user creation, so the new config looks like:
semaphore:
  build:
    dockerfile: ./semaphore/Dockerfile
  restart: unless-stopped
  environment:
    SEMAPHORE_DB_USER: 'semaphore'
    SEMAPHORE_DB_PASS: '<secret>'
    SEMAPHORE_DB_HOST: 'semaphore-mysql'
    SEMAPHORE_DB_PORT: 3306
    SEMAPHORE_DB_DIALECT: 'mysql'
    SEMAPHORE_DB: 'semaphore'
  depends_on:
    - semaphore-mysql
  volumes:
    - type: bind
      source: ./semaphore/config.json
      target: /etc/semaphore/config.json
      read_only: true
  expose:
    - 3000
I made this modification because I had the same problem you describe when I manually import the config.json.
So after I install a fresh new instance, I run the following command:
docker exec -ti root-semaphore-1 sh -c "semaphore user add --admin --login admin --name admin --email <admin_email> --password <admin_password> --config /etc/semaphore/config.json"
Has anyone got a fully working LDAP integration with LDAP users as admin?
@coleymr Not for me, the admin account is always a local one (created with the command in my previous message).
This does not work for me
@coleymr Could you explain what doesn't work? Is it the command in the container? What kind of error do you have?
@ramiuslr https://docs.semui.co/administration-guide/cli#how-to-add-admin-user