Graylog2-server: Error during LDAP user account sync; IllegalArgumentException in users.UserImpl.setRoleIds

Created on 30 Jan 2019 · 2Comments · Source: Graylog2/graylog2-server

Login fails with LDAP authentication configured, even though the "Login test" shows success.
No group mapping configured, and no groups in the ldap - the user accounts in the ldap are all both posixAccounts and inetOrgPersons. User search pattern set to (&(objectClass=inetOrgPerson)(uid={0})) (and again, the "Login test" works, so that seems to be fine).

Expected Behavior

Current Behavior

Logging in with an LDAP user produces the following stacktrace:

2019-01-30 17:09:26,962 INFO : org.graylog2.security.ldap.LdapConnector - LDAP group search base, id attribute or object class missing, not iterating over LDAP groups.
2019-01-30 17:09:26,964 ERROR: org.graylog2.security.realm.LdapUserAuthenticator - Error during LDAP user account sync. Cannot log in user FOOBAR
java.lang.IllegalArgumentException: null
    at org.bson.types.ObjectId.isValid(ObjectId.java:91) ~[graylog.jar:?]
    at org.bson.types.ObjectId.parseHexString(ObjectId.java:548) ~[graylog.jar:?]
    at org.bson.types.ObjectId.<init>(ObjectId.java:239) ~[graylog.jar:?]
    at org.graylog2.database.StringObjectIdFunction.apply(StringObjectIdFunction.java:28) ~[graylog.jar:?]
    at org.graylog2.database.StringObjectIdFunction.apply(StringObjectIdFunction.java:24) ~[graylog.jar:?]
    at com.google.common.collect.Iterators$6.transform(Iterators.java:788) ~[graylog.jar:?]
    at com.google.common.collect.TransformedIterator.next(TransformedIterator.java:47) ~[graylog.jar:?]
    at java.util.AbstractCollection.toArray(AbstractCollection.java:141) ~[?:1.8.0_181]
    at java.util.ArrayList.<init>(ArrayList.java:178) ~[?:1.8.0_181]
    at org.graylog2.users.UserImpl.setRoleIds(UserImpl.java:314) ~[graylog.jar:?]
    at org.graylog2.security.realm.LdapUserAuthenticator.updateFromLdap(LdapUserAuthenticator.java:306) ~[graylog.jar:?]
    at org.graylog2.security.realm.LdapUserAuthenticator.syncFromLdapEntry(LdapUserAuthenticator.java:233) ~[graylog.jar:?]
    at org.graylog2.security.realm.LdapUserAuthenticator.doGetAuthenticationInfo(LdapUserAuthenticator.java:125) [graylog.jar:?]
    at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:571) [graylog.jar:?]
    at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doMultiRealmAuthentication(ModularRealmAuthenticator.java:219) [graylog.jar:?]
    at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:269) [graylog.jar:?]
    at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198) [graylog.jar:?]
    at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106) [graylog.jar:?]
    at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:274) [graylog.jar:?]
    at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:260) [graylog.jar:?]
    at org.graylog2.rest.resources.system.SessionsResource.newSession(SessionsResource.java:134) [graylog.jar:?]
    at sun.reflect.GeneratedMethodAccessor174.invoke(Unknown Source) ~[?:?]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_181]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_181]
    at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81) [graylog.jar:?]
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:144) [graylog.jar:?]
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:161) [graylog.jar:?]
    at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:205) [graylog.jar:?]
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:99) [graylog.jar:?]
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:389) [graylog.jar:?]
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:347) [graylog.jar:?]
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:102) [graylog.jar:?]
    at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:326) [graylog.jar:?]
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) [graylog.jar:?]
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) [graylog.jar:?]
    at org.glassfish.jersey.internal.Errors.process(Errors.java:315) [graylog.jar:?]
    at org.glassfish.jersey.internal.Errors.process(Errors.java:297) [graylog.jar:?]
    at org.glassfish.jersey.internal.Errors.process(Errors.java:267) [graylog.jar:?]
    at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) [graylog.jar:?]
    at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) [graylog.jar:?]
    at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) [graylog.jar:?]
    at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:384) [graylog.jar:?]
    at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:224) [graylog.jar:?]
    at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) [graylog.jar:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_181]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_181]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]
2019-01-30 17:09:26,966 INFO : org.graylog2.rest.resources.system.SessionsResource - Invalid username or password for user "FOOBAR"

Steps to Reproduce (for bugs)

I'm not sure what specifically triggers this, but basically it's obviously:

configure ldap authentication without any group mapping
add an ldap user
try to login

Your Environment

I'm running graylog as a docker swarm stack.

Graylog Version: 2.5.1+34194da, docker image graylog/graylog:2.5
Elasticsearch Version: 6.5.1, docker image docker.elastic.co/elasticsearch/elasticsearch:6.5.1
MongoDB Version: v3.6.10, docker image mongo:3
Operating System: CentOS Linux release 7.6.1810 (Core)
Browser version: (probably irrelevant) Firefox 66.0b1 on Mac OS X

Let me know if you need anything else!

#S bug triaged

Source

rwos

👍1

Most helpful comment

Found out more, this was actually due to a bug in my setup. To reproduce:

set up graylog in some form
PUT a valid LDAP configuration to /api/system/ldap/settings, but containing under additional_default_groups a group that doesn't exist in graylog
try to login as an LDAP user

So I suppose this is just missing validation in the /api/system/ldap/settings endpoint, or missing error handling in syncFromLdapEntry or thereabouts.

rwos on 4 Feb 2019

👍2

All 2 comments

Found out more, this was actually due to a bug in my setup. To reproduce:

set up graylog in some form
PUT a valid LDAP configuration to /api/system/ldap/settings, but containing under additional_default_groups a group that doesn't exist in graylog
try to login as an LDAP user

So I suppose this is just missing validation in the /api/system/ldap/settings endpoint, or missing error handling in syncFromLdapEntry or thereabouts.

rwos on 4 Feb 2019

👍2

The LDAP backend has been refactored in the upcoming Graylog 4.0 version and this shouldn't be an issue anymore.