[stork-users] Stork Server LDAP hook loading but not functioning

Donald Birtch donald.birtch at sickkids.ca
Mon Oct 28 17:16:02 UTC 2024 

Hi Slawek,

  The LDAP option is selectable from the authentication dropdown on the login page but the logs show it is authenticating against "internal" regardless of the selected option.  I recall changing permissions on the www directory to allow stork-server to write an ldap.png file.   I did run into the Start TLS issue under version 1.18.0, which is why I tried upgrading to 1.19.0.  I am monitoring for traffic on port 389 or 636, depending on whether I am using ldap:// or ldaps://, but there are zero packets transferred between the Stork Server and the LDAP Server, which is why I suspected it was a configuration issue on my part.

Cheers,
Don

-----Original Message-----
From: Stork-users <stork-users-bounces at lists.isc.org> On Behalf Of Slawek Figiel
Sent: Monday, October 28, 2024 1:03 PM
To: stork-users at lists.isc.org
Subject: Re: [stork-users] Stork Server LDAP hook loading but not functioning

[You don't often get email from slawek at isc.org. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]

Hello Donald!

Could you describe what means the LDAP hook doesn't work for you? Do you see the LDAP authentication method on the Stork login page?

I see your LDAP server is served over TLS. Another user reported a problem with this kind of configuration:
https://gitlab.isc.org/isc-projects/stork/-/issues/1488 . Could you check if you can use LDAP if it is served without TLS? We are analyzing this problem, so any additional feedback would be appreciated.

If you run the Stork server as a systemD service, you can check the detailed logs by calling `journalctl -u isc-stork-server` command.

Regards,
Slawek Figiel

On 28/10/2024 17:54, Donald Birtch wrote:
> Hi All,
>
>    I have been stumped with getting the Stork Server LDAP hook working.
> Maybe someone can see a glaring issue with my configuration or have
> some additional things to troubleshoot the issue.  I see no logs
> relating to LDAP.  Here are the installed packages:
>
> hi  isc-stork-server
> 1.19.0.240927162608                     amd64        ISC Stork Server
>
> hi  isc-stork-server-hook-ldap
> 1.19.0.240927162031                     amd64        ISC Stork server
> ldap hook
>
> The LDAP hook appears to be loaded:
>
> # lsof -p $(pgrep stork-server) | grep stork-server-ldap.so
>
> stork-ser 409743 stork-server  mem       REG              253,0 12268368
> 16789136 /usr/lib/stork-server/hooks/stork-server-ldap.so
>
> Here are the server.env entries that I added based on the
> "stork-server -help" output:
>
> STORK_SERVER_HOOK_LDAP_URL=ldaps://ldap-server
>
> STORK_SERVER_HOOK_LDAP_SKIP_SERVER_TLS_VERIFICATION=true
>
> STORK_SERVER_HOOK_LDAP_BIND_USERDN=uid=username,ou=users,dc=server,dc=
> local
>
> STORK_SERVER_HOOK_LDAP_BIND_PASSWORD=password123
>
> STORK_SERVER_HOOK_LDAP_ROOT=dc=server,dc=local
>
> STORK_SERVER_HOOK_LDAP_DEBUG=true
>
> STORK_SERVER_HOOK_LDAP_MAP_GROUPS=true
>
> STORK_SERVER_HOOK_LDAP_GROUP_ALLOW=admins
>
> STORK_SERVER_HOOK_LDAP_GROUP_ADMIN=admins
>
> STORK_SERVER_HOOK_LDAP_GROUP_SUPER_ADMIN=admins
>
> STORK_SERVER_HOOK_LDAP_OBJECT_CLASS_USER=inetOrgPerson
>
> STORK_SERVER_HOOK_LDAP_OBJECT_CLASS_USER_ID=uid
>
> STORK_SERVER_HOOK_LDAP_OBJECT_CLASS_USER_EMAIL=mail
>
> STORK_SERVER_HOOK_LDAP_OBJECT_CLASS_USER_LAST_NAME=sn
>
> STORK_SERVER_HOOK_LDAP_OBJECT_CLASS_USER_FIRST_NAME=displayName
>
> STORK_SERVER_HOOK_LDAP_OBJECT_CLASS_GROUP=posixGroup
>
> STORK_SERVER_HOOK_LDAP_OBJECT_CLASS_GROUP_COMMON_NAME=cn
>
> STORK_SERVER_HOOK_LDAP_OBJECT_CLASS_GROUP_MEMBER=memberUid
>
> Any help is appreciated.
>
> Cheers,
>
> Don
>
>
> ----------------------------------------------------------------------
> --
>
> This e-mail may contain confidential, personal and/or health
> information(information which may be subject to legal restrictions on
> use, retention and/or disclosure) for the sole use of the intended
> recipient. Any review or distribution by anyone other than the person
> for whom it was originally intended is strictly prohibited. If you
> have received this e-mail in error, please contact the sender and
> delete all copies.
>

--
Stork-users mailing list
Stork-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/stork-users

________________________________

This e-mail may contain confidential, personal and/or health information(information which may be subject to legal restrictions on use, retention and/or disclosure) for the sole use of the intended recipient. Any review or distribution by anyone other than the person for whom it was originally intended is strictly prohibited. If you have received this e-mail in error, please contact the sender and delete all copies.

More information about the Stork-users mailing list