-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"Could not load roles" when authenticating against Authentik with read-only Active Directory #397
Comments
Yes. I'd like to know those details as well.
Not, really. But it looks a bit as if the
Note, that even if you manage to get by this specific problem, I think that with using |
Commit ID is 1a00bb6
Might be related to my configuration. Same as above, just using the commented parameters. As sAMAccountName gave me some easy progress, I ignored the GUID for now. |
I think I am able to reproduce the issue. It seems to be a bug in the As a workaround you could apply this patch to the helm chart for now, until have the fix in ocis
BTW, with the above workaround I also successfully tried:
|
running into this withk AD FS. Can confirm that changing USERS_LDAP_USER_SCHEMA_ID to OCIS_LDAP_USER_SCHEMA_ID allows building a user struct from the ldap response. But now I see {
"level": "debug",
"service": "proxy",
"claims": {
"appid": "https://cloud.example.com/",
"apptype": "Public",
"aud": "microsoft:identityserver:a-u-u-i-d",
"auth_time": "2023-09-21T09:51:48.619Z",
"authmethod": "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows",
"displayname": "John, Doe",
"exp": 1695298629,
"iat": 1695295029,
"iss": "http://cloud.example.com/adfs/services/trust",
"mail": "[email protected]",
"nbf": 1695295029,
"samaccountname": "JohnDoe",
"scp": "email profile openid",
"ver": "1.0"
},
"time": "2023-09-21T11:17:13.1156504Z",
"line": "github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/oidc_auth.go:123",
"message": "extracted claims"
}
{
"level": "debug",
"service": "proxy",
"authenticator": "oidc",
"path": "/api/v0/settings/values-list",
"time": "2023-09-21T11:17:13.1156602Z",
"line": "github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/oidc_auth.go:171",
"message": "successfully authenticated request"
}
{
"level": "error",
"service": "proxy",
"error": "{\"id\":\"go.micro.server\",\"code\":500,\"detail\":\"panic recovered: runtime error: invalid memory address or nil pointer dereference\",\"status\":\"Internal Server Error\"}",
"time": "2023-09-21T11:17:13.2519563Z",
"line": "github.com/owncloud/ocis/v2/services/proxy/pkg/userroles/defaultrole.go:38",
"message": "Could not load roles"
}
{
"level": "error",
"service": "proxy",
"error": "{\"id\":\"go.micro.server\",\"code\":500,\"detail\":\"panic recovered: runtime error: invalid memory address or nil pointer dereference\",\"status\":\"Internal Server Error\"}",
"time": "2023-09-21T11:17:13.2519742Z",
"line": "github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/account_resolver.go:154",
"message": "Could not get user roles"
}
{
"level": "info",
"service": "proxy",
"proto": "HTTP/1.1",
"request-id": "f9462791-4030-4fc1-99e5-f5fcbdfcb724",
"remote-addr": "10.68.204.59",
"method": "POST",
"status": 500,
"path": "/api/v0/settings/values-list",
"duration": 137.4538,
"bytes": 0,
"time": "2023-09-21T11:17:13.2519951Z",
"line": "github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:31",
"message": "access-log"
} What is annoying is the the users service never logs an error that it cannot map the id (because it is empty or malformed) ... it bubbles up the error but it is never logged ... and as a result at some point it is just swallowed leading to a 500 without any insights. Hard to debug. Another thing that is hard to debug is that go micro seems to swallow the stacktrace and just returns a |
@butonic Do you have the And yes. The error/debug logging has room for improvement. |
yes ... and login finally worked ... was fixed by restarting the services. seems to have been a connection issue. |
I can confirm the above patch is working. Also the objectGUID part is working now. Thanks for the solution, looking forward playing with oCIS. |
Hi Team,
not sure if this is related to my configuration, the chart or ocis in general.
I'm running a Samba-based DC for multiple years. In order to get ocis running on k8s and authenticate against the DC, I've deployed an Authentik instance.
Authentik is running on a k8s, trying to run ocis in minikube.
ocis-values.yaml:
For some reason using objectGUID wasn't working. Switched to something easier for now.
Authentication seems to work fine. LDAP Search seems to be successful as well. Role is getting extracted from the response, but then... Could not load roles
No upgrade or something like that happend. Tried to run from scratch already, completely destroying minikube installation.
I do find it a bit strange the userid is not filled on the last few log entries.
Regards,
Marc
The text was updated successfully, but these errors were encountered: