LDAP login was possible up until 0.59.0-rc.12, now it is not possible anymore (see logfiles below). My field mapping is like this: {"cn":"name", "mail":"email"}. I have set no default domain (and do not want to).
I suspect https://github.com/RocketChat/Rocket.Chat/pull/8457 to be the cause of this issue.
Login should be successful
Login is not successful
Oct 11 14:25:20 dev-chat RocketChat[72835]: {"name":"ldapjs","component":"client","hostname":"dev-chat","pid":72835,"clazz":"Client","ldap_id":"10__ldaps://my.ldap.host:636","level":20,"msg":"connected after 1 attempt(s)","time":"2017-10-11T12:25:20.462Z","v":0}
Oct 11 14:25:20 dev-chat RocketChat[72835]: rocketchat_logger rocketchat_logger.js:375 LDAPSync ➔ error { [Error: LDAP Authentication succeded, there is no email to create an account. Have you tried setting your Default Domain in LDAP Settings? [LDAP-login-error]]
Oct 11 14:25:20 dev-chat RocketChat[72835]: isClientSafe: true,
Oct 11 14:25:20 dev-chat RocketChat[72835]: error: 'LDAP-login-error',
Oct 11 14:25:20 dev-chat RocketChat[72835]: reason: 'LDAP Authentication succeded, there is no email to create an account. Have you tried setting your Default Domain in LDAP Settings?',
Oct 11 14:25:20 dev-chat RocketChat[72835]: details: undefined,
Oct 11 14:25:20 dev-chat RocketChat[72835]: message: 'LDAP Authentication succeded, there is no email to create an account. Have you tried setting your Default Domain in LDAP Settings? [LDAP-login-error]',
Oct 11 14:25:20 dev-chat RocketChat[72835]: errorType: 'Meteor.Error' }
I think this issue is caused by an empty email field for that user. You can either add an email to their email field or add a default domain under LDAP settings.
Oh, I'm sorry, I should've mentioned this in the initial post: The user I am logging in with has an email set in LDAP (attribute is called "mail") and I have set both sAMAccountName as well as mail as the fields that get queried when logging in. The login fails with both.
Cheers
Thomas
I can confirm I have been having this issue.
Same problem here, but it seems that the relevant part of the logs is before:
Oct 12 16:57:14 rc03 nodejs-rocketchat0[31351]: rocketchat_logger rocketchat_logger.js:375 #033[34mLDAPHandler ➔ debug#033[39m userQuery { username: '' }
Oct 12 16:57:14 rc03 nodejs-rocketchat0[31351]: rocketchat_logger rocketchat_logger.js:375 #033[34mLDAPHandler ➔ info#033[39m User does not exist, creating
Oct 12 16:57:14 rc03 nodejs-rocketchat0[31351]: rocketchat_logger rocketchat_logger.js:375 #033[34mTemplateVarHandler ➔ debug#033[39m user does not have attribute: cn
Oct 12 16:57:14 rc03 nodejs-rocketchat0[31351]: rocketchat_logger rocketchat_logger.js:375 #033[34mLDAPSync ➔ debug#033[39m user does not have attribute: mail
Oct 12 16:57:14 rc03 nodejs-rocketchat0[31351]: rocketchat_logger rocketchat_logger.js:375 #033[31mLDAPSync ➔ error#033[39m { [Error: LDAP Authentication succeded, there is no email to create an account. Have you tried setting your Default Domain in LDAP Settings? [LDAP-login-error]]
Oct 12 16:57:14 rc03 nodejs-rocketchat0[31351]: isClientSafe: true,
Oct 12 16:57:14 rc03 nodejs-rocketchat0[31351]: error: 'LDAP-login-error',
Oct 12 16:57:14 rc03 nodejs-rocketchat0[31351]: reason: 'LDAP Authentication succeded, there is no email to create an account. Have you tried setting your Default Domain in LDAP Settings?',
For sure my user has cn and mail attributes set.
Cheers
+1
None of the usermappings come over, it isn't just email. If you setup a default domain it will then fail to find the givenName attribute (or whatever is set).
@magicbelette nope, not in my case. I have just verified, that the log parts I get in debug mode are the ones I posted above.
But seriously though: from 0.59-rc.12 to 0.59-rc.13 there was only one commit that comes with changes to LDAP thingies that could be the culprit, I guess...
Cheers
Thomas
ldapUser.object[ldapField] will work better than ldapUser[ldapField]...
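The difference between the two lookups named in the comment above, as an added example that is not part of the thread or of Rocket.Chat's code. The entry shape, the function names and the sample values are constructed for illustration; only the field mapping and the error code come from the report.

```javascript
'use strict';
// Added example; names are hypothetical, not Rocket.Chat's sync.js.

// Field mapping from the report: LDAP attribute -> user field.
const FIELD_MAP = { cn: 'name', mail: 'email' };

// Constructed stand-in for a search result: attribute values sit under
// `.object`; the wrapper itself has no `cn` or `mail` property.
function makeEntry(attrs) {
  return { attributes: [], object: Object.assign({}, attrs) };
}

// Lookup as in the regression: reads ldapUser[ldapField].
function mapFromWrapper(ldapUser, fieldMap) {
  const user = {};
  for (const [ldapField, userField] of Object.entries(fieldMap)) {
    const value = ldapUser[ldapField];
    if (value !== undefined) user[userField] = value;
  }
  return user;
}

// Lookup as suggested in the thread: reads ldapUser.object[ldapField].
function mapFromObject(ldapUser, fieldMap) {
  const source = (ldapUser && ldapUser.object) || {};
  const user = {};
  for (const [ldapField, userField] of Object.entries(fieldMap)) {
    const value = source[ldapField];
    if (typeof value === 'string' && value !== '') user[userField] = value;
  }
  return user;
}

// Provisioning gate: the bind already succeeded, but an account is only
// created when the mapped data carries an email.
function provision(ldapUser, mapper, fieldMap = FIELD_MAP) {
  const user = mapper(ldapUser, fieldMap);
  if (!user.email) return { ok: false, error: 'LDAP-login-error', user };
  return { ok: true, user };
}

// Constructed directory entry for the smoke test.
const SAMPLE = makeEntry({
  dn: 'cn=Jane Doe,ou=people,dc=example,dc=org',
  cn: 'Jane Doe',
  mail: 'jane.doe@example.org',
  sAMAccountName: 'jdoe',
});

console.log(provision(SAMPLE, mapFromWrapper)); // fails: no email mapped
console.log(provision(SAMPLE, mapFromObject));  // succeeds with name and email
```

A check of this kind, run against a fixture entry on every commit, catches the case where authentication succeeds but no mapped attribute reaches account creation.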
Yep here the same currently I switch to RC12
Could you maybe push a new update fixing this issue to the snap beta channel? Unfortunately I have updated without a backup and am now stuck at RC13, being unable to revert to RC12 (not in snap repositories anymore) or to stable (database level incompatible).
Could you maybe push a new update fixing this issue to the snap beta channel?
There is none, yet.
Unfortunately I have updated without a backup and am now stuck at RC13, being unable to revert to RC12 (not in snap repositories anymore) or to stable (database level incompatible).
This is your fault.
Cheers
Thomas
Hopefully this will get fixed before the final release, LDAP integration is the sole reason we chose Rocket.Chat over other solutions.
(It is strange how after 14 "release candidates" core code is getting modified with what seems like no smoke testing.)
@itskenny0 .. I have the same situation here.. as a temporary fix I took this file: https://raw.githubusercontent.com/RocketChat/Rocket.Chat/bd16fa49d9f1ad4761fe078f41d915ad1e41949d/packages/rocketchat-ldap/server/sync.js
.. and rebuild the app
As @magicbelette said, it's something about ldapUser.Object
@alenkovich Did you rebuild the snap package? If so, any possibility you could share this package with me? Unfortunately, I'm unable to successfully build it. Building it will always fail with one of the npm dependencies.
no, I'm not using the snap pkgs. :/
@itskenny0 are you following https://github.com/RocketChat/Rocket.Chat/blob/0.59.0-rc.15/example-build-run.sh ?
Would you please clear that up somewhere else (for example here: https://open.rocket.chat/channel/support) instead of cluttering this issue with build instructions? Thank you :)
Cheers
Thomas
@TomaszDom it was a small code change that looked good. They find bugs on RC and develop channel. Although most are found before RC that doesn't mean you should consider it as stable. If you're worried you should stay on official version.
Well you would expect some kind of testing suite to kick in even with release candidates (if not even every commit). And at least LDAP isn't covered by them as it seems. Actually I don't know if there are any tests.
But yeah. What to do with this bug at hand now? Would love to hear @rodrigok's opinion as I assume his commit (see above) to be the cause for this regression.
Cheers
Thomas
This bug is still active with 0.59.0 release version.
34mI20171019-08:53:04.420(3) Exception while invoking method 'login' TypeError: Cannot read property 'value' of undefined
    at addLdapUser (/opt/rocket.chat/programs/server/packages/rocketchat_ldap.js:1270:43)
    at [object Object]. (/opt/rocket.chat/programs/server/packages/rocketchat_ldap.js:773:9)
    at /opt/rocket.chat/programs/server/packages/accounts-base.js:925:30
    at tryLoginMethod (/opt/rocket.chat/programs/server/packages/accounts-base.js:753:14)
    at AccountsServer.Ap._runLoginHandlers (/opt/rocket.chat/programs/server/packages/accounts-base.js:924:18)
    at AccountsServer.Accounts._runLoginHandlers (/opt/rocket.chat/programs/server/packages/rocketchat_lib.js:1951:33)
    at [object Object].methods.login (/opt/rocket.chat/programs/server/packages/accounts-base.js:982:27)
    at [object Object].methodMap.(anonymous function) (packages/rocketchat_monitoring.js:2731:30)
    at maybeAuditArgumentChecks (/opt/rocket.chat/programs/server/packages/ddp-server.js:1857:12)
    at /opt/rocket.chat/programs/server/packages/ddp-server.js:903:20
    at [object Object].EVp.withValue (packages/meteor.js:1134:15)
    at /opt/rocket.chat/programs/server/packages/ddp-server.js:902:47
    at [object Object].EVp.withValue (packages/meteor.js:1134:15)
    at /opt/rocket.chat/programs/server/packages/ddp-server.js:901:46
    at [object Object]._.extend.protocol_handlers.method (/opt/rocket.chat/programs/server/packages/ddp-server.js:874:21)
    at /opt/rocket.chat/programs/server/packages/ddp-server.js:753:85
This update may ruin the day of many poor admins. At least put a big red notification on the Downloads page to warn people.
Folks!!! This is a fucking release candidate. If you run it in production, you made the error, not Rocket.Chat. And then you're a dumb admin, not a poor one. Gosh... can't even...
As written above, they just released 0.59 final which still contains the bug...
Edit: @TwizzyDizzy I also recommend you changing your tone. These statements are not appropriate - especially if you are the one who's misinformed.
+1
@johnyb0y well... sorry. That's embarrassing. Didn't see that yet. But then again, LDAP auth (with avatar sync) is broken since 0.57.0, so no big difference. Really disappointing though, that they didn't bother to fix this :-S
Edit: yes, you're right. I was misinformed as I last checked 10 hours ago, whether there is a new release. Would this not have been the case, I wouldn't take it back. I'm growingly irritated by parts of this community.
@TwizzyDizzy Seriously, calm the hell down. Your hostility is absolutely not welcome here.
If you feel so passionate about the issue, then submit a PR fixing it instead of just sitting there thinking you're King s**t and mouthing off like a little child.
Yeah well... I will indeed calm the hell down. Go down with all your issues as nobody cares to stick to the topic or posting information nobody needs ("+1", "me too", "let's exchange build instructions in this issue while this isn't the topic" or people not even caring to follow the issue template).
But yeah. I will calm the hell down...
Version of Rocket.Chat Server: 0.59.0
Well, as said earlier, by changing ldapUser with ldapUser.object new ldap users can now authenticate \o/
But existing users can't, because they're not found in the backend: userQuery { username: '' }. They're then considered new users, but when RocketChat tries to add them we get an error: Error: Email already exists. True
Sorry if I don't come with a PR to solve the problem but I am just a "dumb admin", not a developer (just kidding :stuck_out_tongue_closed_eyes: ). We'll figure it out but any help would be very appreciated.
Oct 19 10:08:16 rc03 nodejs-rocketchat0[31174]: rocketchat_logger rocketchat_logger.js:375 #033[34mLDAPHandler ➔ debug#033[39m userQuery { username: '' }
Oct 19 10:08:16 rc03 nodejs-rocketchat0[31174]: rocketchat_logger rocketchat_logger.js:375 #033[34mLDAPHandler ➔ info#033[39m User does not exist, creating
Oct 19 10:08:16 rc03 nodejs-rocketchat0[31174]: rocketchat_logger rocketchat_logger.js:375 #033[34mLDAPSync ➔ debug#033[39m user.name changed to: MAGIC Belette
Oct 19 10:08:16 rc03 nodejs-rocketchat0[31174]: rocketchat_logger rocketchat_logger.js:375 #033[34mLDAPSync ➔ debug#033[39m New user data { email: '[email protected]' }
Oct 19 10:08:16 rc03 nodejs-rocketchat0[31174]: rocketchat_logger rocketchat_logger.js:375 #033[31mLDAPSync ➔ error#033[39m Error creating user { [Error: Email already exists. [403]]
We have the same issue and the "quickfix" is that the users should not login with their uid but with their full email. Then the login with LDAP works again, at least for us.
FYI: the above automatically mentioned commit is not the fix nor is it tested. I was just trying to get a hotfix working. But as we figured out login with the email address works, we abandoned the idea to create a hotfix as this "solution" works for us.
Hi @tobru
We have the same issue and the "quickfix" is that the users should not login with their uid but with their full email. Then the login with LDAP works again, at least for us.
Unfortunately, I cannot confirm this on my side - auth itself, yes, successful, but obviously the mail is not obtained from the Active Directory/LDAP correctly - which is either a field mapping error or something else:
Oct 19 12:06:59 dev-chat RocketChat[72835]: {"name":"ldapjs","component":"client","hostname":"dev-chat","pid":72835,"clazz":"Client","ldap_id":"17__ldaps://my-active-directory.net:636","level":20,"msg":"connected after 1 attempt(s)","time":"2017-10-19T10:06:59.274Z","v":0}
Oct 19 12:06:59 dev-chat RocketChat[72835]: rocketchat_logger rocketchat_logger.js:375 LDAPSync ➔ error { [Error: LDAP Authentication succeded, there is no email to create an account. Have you tried setting your Default Domain in LDAP Settings? [LDAP-login-error]]
Oct 19 12:06:59 dev-chat RocketChat[72835]: isClientSafe: true,
Oct 19 12:06:59 dev-chat RocketChat[72835]: error: 'LDAP-login-error',
Oct 19 12:06:59 dev-chat RocketChat[72835]: reason: 'LDAP Authentication succeded, there is no email to create an account. Have you tried setting your Default Domain in LDAP Settings?',
Oct 19 12:06:59 dev-chat RocketChat[72835]: details: undefined,
Oct 19 12:06:59 dev-chat RocketChat[72835]: message: 'LDAP Authentication succeded, there is no email to create an account. Have you tried setting your Default Domain in LDAP Settings? [LDAP-login-error]',
Oct 19 12:06:59 dev-chat RocketChat[72835]: errorType: 'Meteor.Error' }
So,
the breaking bug made it to the release itself. Shit happens (quite a lot here, but it's free software), this shit hit the fan, but pointing that out does not help.
Is there any advice on how to go back to 0.58.4? Rolling back to the backup is not the best way, because we will lose a lot of data.
Same problem here :(
Are the rocket.chat guys crazy? You release a stable version with a 100% defect ldap module?
Here my hotfix without any warranty.
https://gist.github.com/traxanos/e4134f46dc6c525e3b102dcfcaf62813
Sorry about that guys, I tested it locally and worked, but I see the error and will fix ASAP.
Thanks to whoever sent me an email alerting me; I'm mentioned here so many times that I can't keep track.
Since we are a small team and we have a lot of things to do (things you, the community, request) there is no time to create tests for everything; all your help with that is very welcome.
I'll let you know here when the fix is available. Thanks for your patience.
+1!
@rodrigok That was me :) Thanks a lot for the quick response!
Here is the PR to fix the issue https://github.com/RocketChat/Rocket.Chat/pull/8541
Version 0.59.1 https://github.com/RocketChat/Rocket.Chat/releases/tag/0.59.1 is building and will be available in a few minutes with fixes for LDAP and Color issues
Can confirm this fixes the issue. Thanks a lot!
Works for us too. Also parenthesis in LDAP filter works now, so one can do complex filters. :)
Working here, too.
Still not solved for me. I refreshed the snap to 0.59.1, but I'm getting this error when trying to log in:
Oct 20 13:41:18 CLECPD1336 rocketchat-server.rocketchat-server[1086]: rocketchat_logger rocketchat_logger.js:375 #033[31mLDAP ➔ Search.error#033[39m { [NoSuchObjectError: 0000208D: NameErr: DSID-031001EE, problem 2001 (NO_OBJECT), data 0, best match of:
Oct 20 13:41:18 CLECPD1336 rocketchat-server.rocketchat-server[1086]: #011''
Oct 20 13:41:18 CLECPD1336 rocketchat-server.rocketchat-server[1086]: lde_message: '0000208D: NameErr: DSID-031001EE, problem 2001 (NO_OBJECT), data 0, best match of:\n\t\'\'\n\u0000',
Oct 20 13:41:18 CLECPD1336 rocketchat-server.rocketchat-server[1086]: lde_dn: null }
Oct 20 13:41:18 CLECPD1336 rocketchat-server.rocketchat-server[1086]: rocketchat_logger rocketchat_logger.js:375 #033[31mLDAPHandler ➔ error#033[39m { [NoSuchObjectError: 0000208D: NameErr: DSID-031001EE, problem 2001 (NO_OBJECT), data 0, best match of:
Oct 20 13:41:18 CLECPD1336 rocketchat-server.rocketchat-server[1086]: #011''
Oct 20 13:41:18 CLECPD1336 rocketchat-server.rocketchat-server[1086]: lde_message: '0000208D: NameErr: DSID-031001EE, problem 2001 (NO_OBJECT), data 0, best match of:\n\t\'\'\n\u0000',
Oct 20 13:41:18 CLECPD1336 rocketchat-server.rocketchat-server[1086]: lde_dn: null }
Any ideas?
EDIT: I was able to create a local user, grant it user and admin roles through mongodb directly and access RocketChat. The problem I've found is that there are more fields in the LDAP config and my previous filter setting has been removed. This should be totally avoided as it totally breaks any working installation. Now, I haven't been able to make it work again and the docs (as far as I've seen) haven't been updated with info on the new LDAP setting fields.
Could anyone paste a screenshot of a working setup? @TwizzyDizzy @Gummikavalier @itskenny0 ?
EDIT 2: Finally got it working, stupid error on filter fields.