[FEATURE REQUEST] Add entrydn as an attribute for groups to permit Duo directory synchronisation about lldap HOT 10 CLOSED

Just an update, I did not manage to Duo's LDAP working with push notification. Tried several mods with no luck

from lldap.

Hi,

I've just tested the sync and it is not working. I am using LLDAP version 0.5.0.
The error I'm getting is as per below

Below is the log of the sync process.

2023-12-31T12:06:38.546615+0000 [duoauthproxy.lib.log#info] Summary: drpc_timing. Extra data: {'data_length': 617, 'parse_duration': 0, 'decompress_duration': None, 'call_id': '<REDACTED>'}
2023-12-31T12:06:38.547603+0000 [duoauthproxy.lib.log#info] Performing LDAP search for directory sync: call_id=<REDACTED> host=192.168.10.5 port=3890 base_dn=DC=EXAMPLE,DC=com auth_type=plain transport_type=clear ssl_verify_depth=9 ssl_verify_hostname=False ssl_ca_certs=False attributes=['entrydn', 'entryuuid', 'cn']
2023-12-31T12:06:38.547603+0000 [duoauthproxy.modules.drpc_plugins.ldap_directory_sync.LdapSyncClientFactory#info] Starting factory <duoauthproxy.modules.drpc_plugins.ldap_directory_sync.LdapSyncClientFactory object at 0x00000207E3DF3700>
2023-12-31T12:06:38.624619+0000 [Uninitialized] C->S LDAPMessage(id=9, value=LDAPBindRequest(version=3, dn='uid=ro_admin,ou=people,dc=EXAMPLE,dc=com', auth='****', sasl=False), controls=None)
2023-12-31T12:06:38.751650+0000 [LdapSyncClientProtocol, <REDACTED>,client] C<-S LDAPMessage(id=9, value=LDAPBindResponse(resultCode=0), controls=None)
2023-12-31T12:06:38.758650+0000 [LdapSyncClientProtocol, <REDACTED>,client] C->S LDAPMessage(id=10, value=LDAPSearchRequest(baseObject='DC=EXAMPLE,DC=com', scope=2, derefAliases=0, sizeLimit=0, timeLimit=0, typesOnly=0, filter=LDAPFilter_and(value=[LDAPFilter_equalityMatch(attributeDesc=LDAPAttributeDescription(value='objectclass'), assertionValue=LDAPAssertionValue(value='groupofnames')), LDAPFilter_or(value=[LDAPFilter_equalityMatch(attributeDesc=LDAPAttributeDescription(value='entryuuid'), assertionValue=LDAPAssertionValue(value='<REDACTED>'))])]), attributes=[b'entrydn', b'entryuuid', b'cn']), controls=[(b'1.2.840.113556.1.4.319', True, BERSequence(value=[BERInteger(value=5000), BEROctetString(value='')]))])
2023-12-31T12:06:38.849203+0000 [LdapSyncClientProtocol, <REDACTED>,client] C<-S LDAPMessage(id=10, value=LDAPSearchResultEntry(objectName=b'cn=jellyfin-users,ou=groups,dc=EXAMPLE,dc=com', attributes=[(b'entryuuid', [b'8e99cd33-3e4f-36e5-9067-e5c130c8b262']), (b'cn', [b'jellyfin-users'])]), controls=None)
2023-12-31T12:06:38.987234+0000 [LdapSyncClientProtocol, <REDACTED>,client] C<-S LDAPMessage(id=10, value=LDAPSearchResultDone(resultCode=0), controls=None)
2023-12-31T12:06:38.987234+0000 [duoauthproxy.lib.log#critical] Unexpected error handling message
	Traceback (most recent call last):
	  File "twisted\internet\tcp.pyc", line 248, in doRead
	    
	  File "twisted\internet\tcp.pyc", line 253, in _dataReceived
	    
	  File "ldaptor\protocols\ldap\ldapclient.pyc", line 67, in dataReceived
	    
	  File "ldaptor\protocols\ldap\ldapclient.pyc", line 217, in handle
	    
	--- <exception caught here> ---
	  File "duoauthproxy\modules\drpc_plugins\ldap_base.pyc", line 402, in handle_msg
	    
	  File "duoauthproxy\lib\util.pyc", line 708, in get_cookie
	    
	builtins.TypeError: 'NoneType' object is not iterable
	
2023-12-31T12:06:38.989233+0000 [duoauthproxy.lib.log#error] Paging cookie not found!
2023-12-31T12:06:38.989233+0000 [duoauthproxy.lib.log#info] Summary: drpc_jsonify_metrics. Extra data: {'json_parse_time': 0.0, 'length': 244}
2023-12-31T12:06:38.990234+0000 [duoauthproxy.lib.log#info] Summary: drpc_msg_metrics. Extra data: {'msg_time': 0.0010001659393310547, 'data_length': 245, 'msg_id': '2d6d77c0dda4314e7fbdf5a968ee928d'}
2023-12-31T12:06:38.990234+0000 [duoauthproxy.modules.drpc_plugins.ldap_directory_sync.LdapSyncClientFactory#info] Stopping factory <duoauthproxy.modules.drpc_plugins.ldap_directory_sync.LdapSyncClientFactory object at 0x00000207E3DF3700>

from lldap.

Did you make sure to pull the latest image? Given the request they sent, the response should contain the attribute. You need to be using a "latest" tag (latest-alpine, latest-debian, ...)
The v0.5 tag will not work (no new release containing the change)

from lldap.

Did you make sure to pull the latest image? Given the request they sent, the response should contain the attribute. You need to be using a "latest" tag (latest-alpine, latest-debian, ...) The v0.5 tag will not work (no new release containing the change)

Made a mistake, I using the the stable tag. The LDAP is now connected but I am now having another issue with syncing. I've attached a log to see if you may have an idea as to what is wrong

2023-12-31T20:11:42.978123+0000 [duoauthproxy.lib.log#info] Performing LDAP search for directory sync: call_id=8c19f4c38fc287dca937a6d4b4adf40c_54fd7c2c5b707ebd6882c4839d11c0a9 host=192.168.10.5 port=3890 base_dn=dc=EXAMPLE,dc=com auth_type=plain transport_type=clear ssl_verify_depth=9 ssl_verify_hostname=False ssl_ca_certs=False attributes=['entrydn', 'entryuuid', 'cn', 'objectclass', 'member']
2023-12-31T20:11:42.978123+0000 [duoauthproxy.modules.drpc_plugins.ldap_directory_sync.LdapSyncClientFactory#info] Starting factory <duoauthproxy.modules.drpc_plugins.ldap_directory_sync.LdapSyncClientFactory object at 0x00000207E3DF78B0>
2023-12-31T20:11:43.051409+0000 [Uninitialized] C->S LDAPMessage(id=263, value=LDAPBindRequest(version=3, dn='uid=ro_admin,ou=people,dc=EXAMPLE,dc=com', auth='****', sasl=False), controls=None)
2023-12-31T20:11:43.188168+0000 [LdapSyncClientProtocol,,client] C<-S LDAPMessage(id=263, value=LDAPBindResponse(resultCode=0), controls=None)
2023-12-31T20:11:43.192061+0000 [LdapSyncClientProtocol, ,client] C->S LDAPMessage(id=264, value=LDAPSearchRequest(baseObject='dc=EXAMPLE,dc=com', scope=2, derefAliases=0, sizeLimit=0, timeLimit=0, typesOnly=0, filter=LDAPFilter_and(value=[LDAPFilter_equalityMatch(attributeDesc=LDAPAttributeDescription(value='objectclass'), assertionValue=LDAPAssertionValue(value='groupofnames')), LDAPFilter_equalityMatch(attributeDesc=LDAPAttributeDescription(value='entryuuid'), assertionValue=LDAPAssertionValue(value='8e99cd33-3e4f-36e5-9067-e5c130c8b262'))]), attributes=[b'cn', b'member', b'objectclass', b'entryuuid', b'entrydn']), controls=[(b'1.2.840.113556.1.4.319', True, BERSequence(value=[BERInteger(value=5000), BEROctetString(value='')]))])
2023-12-31T20:11:43.290824+0000 [LdapSyncClientProtocol, ,client] C<-S LDAPMessage(id=264, value=LDAPSearchResultEntry(objectName=b'cn=jellyfin-users,ou=groups,dc=EXAMPLE,dc=com', attributes=[(b'cn', [b'jellyfin-users']), (b'member', [b'uid=duotest,ou=people,dc=EXAMPLE,dc=com', b'uid=duotest2,ou=people,dc=EXAMPLE,dc=com']), (b'objectclass', [b'groupOfUniqueNames']), (b'entryuuid', [b'8e99cd33-3e4f-36e5-9067-e5c130c8b262']), (b'entrydn', [b'uid=jellyfin-users,ou=groups,dc=EXAMPLE,dc=com'])]), controls=None)
2023-12-31T20:11:43.461483+0000 [LdapSyncClientProtocol, ,client] C<-S LDAPMessage(id=264, value=LDAPSearchResultDone(resultCode=0), controls=[(b'1.2.840.113556.1.4.319', None, b'0\x05\x02\x01\x01\x04\x00')])

from lldap.

What is not working? What error are you getting? I see only a correct search query with a correct response, so it's a bit hard to help :/

from lldap.

Sorry, i thought i posted the snippets

The admin page of duo is not helpful

from lldap.

Hmm, hard to say from the errors. Can you ask some Duo support for help with this? AFAICT, LLDAP is behaving well.

from lldap.

will do, hopefully they come back with something useful

from lldap.

I'd be curious to see if openLdap replies differently. I can try to match their response.

from lldap.

I'll try to make some time to find a simple openldap docker image to test

from lldap.