hubot wont authenticate agains ldap about hubot-rocketchat HOT 28 CLOSED

1. yes, hubot is a key part of our (scalable) integration and extension mechanism for the core 'chat' platform - as such, they typically do helpful work invisibly in the room where they service ; there is currently no need or use case for a 'bot disguised as regular user' scenario ; essentially, bot should always login as system user via controlled 'back-door' means

2. which instructions are you following to get the bot running? are you using docker? (I'm asking because most of our documented workflows would have excluded the HEROKU problem)

from hubot-rocketchat.

1. So I do NOT need to create a user? Given I needed to specify ROCKETCHAT_PASSWORD.
   Given that it did NOT connect, I created a user. Where do I set the user/pw on the rocketchat side?

2. Followed instructions from https://github.com/RocketChat/hubot-rocketchat section "New install". This is not a docker instance, but a CentOS box

from hubot-rocketchat.

@giray simplest way would be to create a local rocket.chat user instead of using a ldap user it will likely work.

from hubot-rocketchat.

@geekgonecrazy that doesn't quite work if you enable ldap authentication. I'm not sure on how to create a 'system users' as @Sing-Li has described.

from hubot-rocketchat.

@giray We need to allow for local user creation with ldap. I think the solution might be to disable ldap add the user then re-enable ldap.

I'll try and get one of the guys that worked on the ldap piece to take a look and see what we can do for bots.

from hubot-rocketchat.

@geekgonecrazy disabling ldap, creating local user and re-enable ldap seems to work

from hubot-rocketchat.

@giray I know that feels hacky. But glad you at least have it working.

from hubot-rocketchat.

+1 - I'm logging into the hubot/bot account with the browser/client - but when using hubot docker it just says:
ERROR Unable to Login: [object Object] Reason: User has no password set

from hubot-rocketchat.

@RocketChat/core

Right now we're using Asteroid Login Method:

login: (username, password) =>
        @logger.info "Logging In"
        # promise returned
        return @asteroid.loginWithPassword username, password

From: https://github.com/RocketChat/hubot-rocketchat/blob/master/src/rocketchat_driver.coffee#L41

It looks like that method is calling the meteor method login with a payload like:

{
  password: 'password',
  user: {
    username: 'username',
    email: undefined
  }
}

Call found here: https://github.com/mondora/asteroid/blob/master/src/core/login.js#L123

Do we know what the payload should look like for ldap authentication? Or is there another meteor method that needs called instead if its an ldap authentication?

from hubot-rocketchat.

I think to login with LDAP you should call Meteor.loginWithLDAP function.. look here

from hubot-rocketchat.

@sampaiodiego ah! So what kind of options would need passed as the 3rd parameter?

@teon / @giray: So provided we can make this work. Would you be ok with having to set an environment variable like: LDAP=true to login with ldap?

But the case still needs to be made....

Should hubot really login with ldap? Or should hubot only ever really log in as a user created specifically for the bot in rocket.chat? We can improve that process to make it easier and we plan to.

Can either of you make a case as to why use ldap vs rocket.chat specific user?

from hubot-rocketchat.

@geekgonecrazy - problem with LDAP auth provider is that when you are trying to change password for a selected user - it tries to edit it in LDAP and not Rocket.Chat as you would expect/or are suggesting. Thus there is no possibility to have local and LDAP accounts in parallel...

from hubot-rocketchat.

@geekgonecrazy our problem was that once you switch over to ldap, you are not able to get back to the local accounts. I'm fine with not being able to change passwords. LDAP=true as env var would be great.

from hubot-rocketchat.

@geekgonecrazy - exactly as @giray wrote ;-) you need to know we have LDAP enabled ;-)

from hubot-rocketchat.

@teon / @giray

So you would rather have the bot as a user on your ldap server instead of maybe being able to create a local user in like a bot section of the Rocket.Chat config?

Maybe a as easy as clicking Create Bot and specifying a name, and it spitting out a username and password?

I just want to make sure LDAP is for sure something that is practical for the bot to be able to do. If it would be better in the long run to go the other route, then we can put more effort there.

from hubot-rocketchat.

@geekgonecrazy it would be much better if Rocket.Chat would enable LDAP + local accounts - I could have accounts for bots or other people that are not (and will not be) in our company LDAP..

from hubot-rocketchat.

@teon this is kind of what I suspected. I used to do some sys admin stuff and I don't think I would have ever wanted to create an ldap user for a bot.

Unless.... the bot needed to login to other systems on the network? Is this even feasible? Or would you expect to have to pass the credentials in another way to the bot to connect to that other system?

from hubot-rocketchat.

@geekgonecrazy you want to have central control of all accounts, that does not mean that you bot "service" accounts is able to log in anywhere else. If you allow local accounts you may loose control / overview of accounts on large sites.

from hubot-rocketchat.

Guys, please vote for this PR mondora/asteroid#87

from hubot-rocketchat.

Can you guys try the [email protected]

Now you can set the environment variable ROCKETCHAT_AUTH=ldap

from hubot-rocketchat.

Only works with the branch develop of Rocket.Chat and will be merged on the 0.15.0

from hubot-rocketchat.

@engelgabriel works! thanks! will hubot-gitsy also work?

from hubot-rocketchat.

Yes. hubot-gitsy is independent of the adapter (hubot-rocketchat). Closing, verified by @teon.

from hubot-rocketchat.

I need this fix, but I'm waiting for the release. What do I need to get it working? (please, update the docs)

• Rocket.Chat 0.15.0 (not released yet)
• hubot-rocketchat 0.0.26
• Set ROCKETCHAT_AUTH=ldap

Am I missing something?

from hubot-rocketchat.

Rocket.Chat 0.15.0 is released.

https://github.com/RocketChat/Rocket.Chat/releases/tag/0.15.0

from hubot-rocketchat.

I get the following error

hubot@13457f30d4c6:~$ bin/hubot -a rocketchat
[Wed Jan 27 2016 14:09:02 GMT+0000 (UTC)] INFO Starting Rocketchat adapter...
[Wed Jan 27 2016 14:09:02 GMT+0000 (UTC)] INFO Once connected to rooms I will respond to the name: rocketbot
[Wed Jan 27 2016 14:09:02 GMT+0000 (UTC)] INFO Connecting To: <removed-ip>
[Wed Jan 27 2016 14:09:03 GMT+0000 (UTC)] ERROR Error: listen EADDRINUSE
  at exports._errnoException (util.js:746:11)
  at Server._listen2 (net.js:1156:14)
  at listen (net.js:1182:10)
  at net.js:1280:9
  at dns.js:85:18
  at process._tickCallback (node.js:355:11)

[Wed Jan 27 2016 14:09:03 GMT+0000 (UTC)] INFO Successfully connected!
[Wed Jan 27 2016 14:09:03 GMT+0000 (UTC)] INFO general
[Wed Jan 27 2016 14:09:03 GMT+0000 (UTC)] INFO Logging In
[Wed Jan 27 2016 14:09:03 GMT+0000 (UTC)] ERROR Unable to Login: {"error":400,"reason":"Unrecognized options for login request","message":"Unrecognized options for login request [400]","errorType":"Meteor.Error"} Reason: Unrecognized options for login request
[Wed Jan 27 2016 14:09:03 GMT+0000 (UTC)] ERROR If joining GENERAL please make sure its using all caps.
[Wed Jan 27 2016 14:09:03 GMT+0000 (UTC)] ERROR If using LDAP, turn off LDAP, and turn on general user registration with email                                  verification off.
[Wed Jan 27 2016 14:09:03 GMT+0000 (UTC)] ERROR {"error":400,"reason":"Unrecognized options for login request","message":"Unrecognized options for login request [400]","errorType":"Meteor.Error"}
[Wed Jan 27 2016 14:09:03 GMT+0000 (UTC)] ERROR Unable to complete setup. See https://github.com/RocketChat/hubot-rocketchat for more info.

LDAP is on and email verification is off. I tried running bin/hubot -a rocketchat with LDAP off and email verification off, but I get the same error. All enviroment variables are set:

hubot@13457f30d4c6:~$ echo $ROCKETCHAT_ROOM
GENERAL
hubot@13457f30d4c6:~$ echo $ROCKETCHAT_USER
bot
hubot@13457f30d4c6:~$ echo $ROCKETCHAT_PASSWORD
bot
hubot@13457f30d4c6:~$ echo $ROCKETCHAT_AUTH
ldap

The bot was created on LDAP and was able to authenticate.

from hubot-rocketchat.

EADDRINUSE means that the port number which listen() tries to bind the server to is already in use.
So, in your case, there must be a server already running on the port you are trying to use for inbound connections to your hubbot.

But thats unrelated to the "Unrecognized options for login request". You must be running an old version or Rocket.Chat.

Check on your version of https://demo.rocket.chat/api/info to se the version.

from hubot-rocketchat.

@engelgabriel Ok, thank you. It's working!

from hubot-rocketchat.