LDAP login failed

I configured OpenLDAP in my HedgeDoc. It works fine in my local environment, but not once I add TLS, a domain name, Cloudflare and an nginx reverse proxy.

I use docker-compose to deploy my HedgeDoc; the docker-compose file looks like this:

---
version: "2.1"
services:
  hedgedoc:
    image: linuxserver/hedgedoc:1.9.7
    container_name: hedgedoc
    network_mode: bridge
    links:
      - db
    environment:
      - DEBUG=true
      - CMD_LDAP_URL=ldap://<my ldap address>
      - CMD_LDAP_BINDDN=cn=admin,dc=kkatex,dc=com
      - CMD_LDAP_BINDCREDENTIALS=<my password>
      - CMD_LDAP_SEARCHBASE=cn=nas,dc=kkatex,dc=com
      - CMD_LDAP_SEARCHFILTER=(&(sn={{username}})(objectClass=*))
      - CMD_LDAP_USERIDFIELD=cn
      - CMD_LDAP_USERNAMEFIELD=cn
      - CMD_LDAP_PROVIDERNAME=LDAP
      - PUID=1001
      - PGID=1001
      - TZ=Asia/Shanghai
      - DB_HOST=db
      - DB_PORT=3306
      - DB_USER=hedgedoc
      - DB_PASS=hedgedoc
      - DB_NAME=hedgedoc
      # it works fine when I set CMD_DOMAIN=<my local ip:port> and CMD_PROTOCOL_USESSL=false
      # it does not work when I use my domain name and CMD_PROTOCOL_USESSL=true, like this
      - CMD_DOMAIN=hedgedoc.kkatex.com
      - CMD_PROTOCOL_USESSL=true
      - CMD_PORT=4000 #optional
      - CMD_ALLOW_ORIGIN=['*'] #optional
      - CMD_URL_ADDPORT=false
    volumes:
      - /data/docker/hedgedoc/app:/config
    ports:
      - 4000:4000
    restart: unless-stopped
  db:
    image: mariadb:10.5
    restart: always
    user: "1001:1001"
    network_mode: bridge
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    volumes:
      - /data/docker/hedgedoc/db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=hedgedoc
      - MYSQL_PASSWORD=hedgedoc
      - MYSQL_DATABASE=hedgedoc
      - MYSQL_USER=hedgedoc

My version of HedgeDoc is: 1.7.0

What I expected to happen:

OpenLDAP account login succeeds.

What actually happened:

Login does not succeed; it redirects to the home page.

Here is some info about my environment:

I have an nginx reverse proxy container and an nginx ingress in Oracle Cloud, with TLS and the domain name configured in the nginx ingress, and nginx_proxy in my nginx reverse proxy container pointed to my HedgeDoc container. I also added the websocket config in nginx.conf.

I also added Cloudflare in front of my nginx ingress; as the manual says, the minify features are disabled.

HedgeDoc, OpenLDAP, nginx and the nginx ingress show no error logs.
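The setup described above terminates TLS in front of HedgeDoc while HedgeDoc itself is configured with CMD_PROTOCOL_USESSL=true. As far as I can tell from HedgeDoc 1.x's session setup (an assumption, not something stated in this thread), that flag marks the session cookie Secure, and express-session only sets a Secure cookie on a request it considers HTTPS, so the proxy has to tell HedgeDoc that the client hop was HTTPS via X-Forwarded-Proto. The server block below is an added example written for this thread, not configuration from the poster or from the HedgeDoc project; the certificate paths are placeholders, and the upstream name and port come from the compose file above.

```nginx
# Added example: TLS-terminating nginx in front of the HedgeDoc container from the
# compose file above. Certificate paths are placeholders.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name hedgedoc.kkatex.com;                      # CMD_DOMAIN from the compose file

    ssl_certificate     /etc/nginx/certs/hedgedoc.crt;    # placeholder
    ssl_certificate_key /etc/nginx/certs/hedgedoc.key;    # placeholder

    location / {
        proxy_pass http://hedgedoc:4000;                  # container name and CMD_PORT from the compose file
        proxy_http_version 1.1;                           # nginx talks HTTP/1.0 upstream by default; 1.1 is needed for Upgrade
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;       # "https" here: lets HedgeDoc treat the request as secure
        proxy_set_header Upgrade           $http_upgrade; # socket.io WebSocket upgrade used by the editor
        proxy_set_header Connection        $connection_upgrade;
    }
}
```

With several hops (Cloudflare, an ingress, then an inner proxy container, as in this thread) only the hop that terminates TLS should use `$scheme`; an inner hop that receives plain HTTP from the hop before it must pass the header through with `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;`, otherwise it rewrites the value to `http` and the Secure cookie is refused again at the last hop.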

Hey @cyboca

welcome to the community forum.

Do you see the login attempt in the log of your LDAP server? Or could it be that communication between those two components is blocked?

Greetings
DerMolly

Yes.
The OpenLDAP container's log shows all good with no error.
And I can log in successfully using the host IP and the HedgeDoc container's exposed port. Login fails behind the nginx reverse proxy, nginx ingress and Cloudflare.

Okay, so just so that I get this right:

You are able to log in if you use the HedgeDoc container without any reverse proxy, i.e. if you expose HedgeDoc directly to the internet and access it via the IP of the system.

And according to the LDAP server it is also successful when you try to log in with the reverse proxy in place, but something in your hosting stack is broken and so the success is never received by the HedgeDoc server?

Yes, here is my situation:

There is no error in the OpenLDAP or HedgeDoc container with either login method, so I'm confused why login does not succeed after the reverse proxy is added.

When logging in using the domain, the HedgeDoc log looks like this; is that a success?

2023-04-17T02:17:43.413Z info: 	Executing (690f7407-f206-4aa4-bdcd-938404a16e1c): START TRANSACTION;
2023-04-17T02:17:43.414Z info: 	Executing (690f7407-f206-4aa4-bdcd-938404a16e1c): SELECT `id`, `profileid`, `profile`, `history`, `accessToken`, `refreshToken`, `deleteToken`, `email`, `password`, `createdAt`, `updatedAt` FROM `Users` AS `User` WHERE `User`.`profileid` = 'LDAP-casper_chen';
2023-04-17T02:17:43.416Z info: 	Executing (690f7407-f206-4aa4-bdcd-938404a16e1c): COMMIT;
2023-04-17T02:17:43.417Z info: 	Executing (default): SELECT `sid`, `expires`, `data`, `createdAt`, `updatedAt` FROM `Sessions` AS `Session` WHERE `Session`.`sid` = 'Tav-fs5ZsQj0aNv9VMjfRcgqDSyzcQDr';
2023-04-17T02:17:43.418Z info: 	serializeUser: a678a290-7530-4d7d-9206-04e21bb6883f
2023-04-17T02:17:43.418Z info: 	Executing (default): SELECT `sid`, `expires`, `data`, `createdAt`, `updatedAt` FROM `Sessions` AS `Session` WHERE `Session`.`sid` = 'oujmA9KMMilVYnjc0h28ZGXqzhQs0UVP';
2023-04-17T02:17:43.420Z info: 	Executing (default): INSERT INTO `Sessions` (`sid`,`expires`,`data`,`createdAt`,`updatedAt`) VALUES (?,?,?,?,?);
2023-04-17T02:17:43.494Z info: 	Executing (default): SELECT `sid`, `expires`, `data`, `createdAt`, `updatedAt` FROM `Sessions` AS `Session` WHERE `Session`.`sid` = 'oujmA9KMMilVYnjc0h28ZGXqzhQs0UVP';
2023-04-17T02:17:43.496Z info: 	Executing (default): UPDATE `Sessions` SET `expires`=?,`data`=?,`updatedAt`=? WHERE `sid` = ?
2023-04-17T02:17:43.513Z info: 	10.42.0.30 - - [17/Apr/2023:02:17:43 +0000] "POST /auth/ldap HTTP/1.0" 302 100 "https://hedgedoc.kkatex.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0"
2023-04-17T02:17:45.119Z info: 	Executing (default): SELECT `sid`, `expires`, `data`, `createdAt`, `updatedAt` FROM `Sessions` AS `Session` WHERE `Session`.`sid` = 'gVzWSEH4WIrUcZtWR7rp_zuNDf4KIJjT';
2023-04-17T02:17:45.120Z info: 	Executing (default): INSERT INTO `Sessions` (`sid`,`expires`,`data`,`createdAt`,`updatedAt`) VALUES (?,?,?,?,?);
2023-04-17T02:17:45.169Z info: 	10.42.0.30 - - [17/Apr/2023:02:17:45 +0000] "GET / HTTP/1.0" 200 - "https://hedgedoc.kkatex.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0"
2023-04-17T02:17:45.899Z info: 	Executing (default): SELECT `sid`, `expires`, `data`, `createdAt`, `updatedAt` FROM `Sessions` AS `Session` WHERE `Session`.`sid` = 'MZ2gsNLTJDhAUeamSAbs35kl79yI2bPy';
2023-04-17T02:17:45.900Z info: 	Executing (default): INSERT INTO `Sessions` (`sid`,`expires`,`data`,`createdAt`,`updatedAt`) VALUES (?,?,?,?,?);
2023-04-17T02:17:45.915Z info: 	10.42.0.30 - - [17/Apr/2023:02:17:45 +0000] "GET /config HTTP/1.0" 200 290 "https://hedgedoc.kkatex.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0"
2023-04-17T02:17:46.594Z info: 	Executing (default): SELECT `sid`, `expires`, `data`, `createdAt`, `updatedAt` FROM `Sessions` AS `Session` WHERE `Session`.`sid` = 'tLOXyo_9Gpruvb_MZfObVtnkHKPqp8-P';
2023-04-17T02:17:46.601Z info: 	Executing (default): INSERT INTO `Sessions` (`sid`,`expires`,`data`,`createdAt`,`updatedAt`) VALUES (?,?,?,?,?);
2023-04-17T02:17:46.619Z info: 	10.42.0.30 - - [17/Apr/2023:02:17:46 +0000] "GET /me HTTP/1.0" 200 22 "https://hedgedoc.kkatex.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0"
2023-04-17T02:17:47.271Z info: 	10.42.0.30 - - [17/Apr/2023:02:17:47 +0000] "GET /icons/apple-touch-icon.png HTTP/1.0" 200 2126 "https://hedgedoc.kkatex.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0"
2023-04-17T02:17:48.269Z info: 	10.42.0.30 - - [17/Apr/2023:02:17:48 +0000] "GET /icons/favicon-32x32.png HTTP/1.0" 200 605 "https://hedgedoc.kkatex.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0"

OpenLDAP log:

643cac47 conn=1451 fd=12 ACCEPT from IP=172.17.0.1:51660 (IP=0.0.0.0:389)
643cac47 conn=1451 op=0 BIND dn="cn=admin,dc=kkatex,dc=com" method=128
643cac47 conn=1451 op=0 BIND dn="cn=admin,dc=kkatex,dc=com" mech=SIMPLE ssf=0
643cac47 conn=1451 op=0 RESULT tag=97 err=0 text=
643cac47 conn=1452 fd=13 ACCEPT from IP=172.17.0.1:51672 (IP=0.0.0.0:389)
643cac47 conn=1451 op=1 SRCH base="cn=nas,dc=kkatex,dc=com" scope=2 deref=0 filter="(&(sn=casper_chen)(objectClass=*))"
643cac47 <= mdb_equality_candidates: (sn) not indexed
643cac47 conn=1451 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
643cac47 conn=1452 op=0 BIND dn="cn=casper_chen,cn=nas,dc=kkatex,dc=com" method=128
643cac47 conn=1452 op=0 BIND dn="cn=casper_chen,cn=nas,dc=kkatex,dc=com" mech=SIMPLE ssf=0
643cac47 conn=1452 op=0 RESULT tag=97 err=0 text=
643cac47 conn=1451 op=2 UNBIND
643cac47 conn=1451 fd=12 closed
643cac47 conn=1452 op=1 UNBIND
643cac47 conn=1452 fd=13 closed
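Two things are visible in the logs posted above. In the HedgeDoc log, the session store saves session oujmA9KMMilVYnjc0h28ZGXqzhQs0UVP while answering POST /auth/ldap (the LDAP verification itself succeeded: serializeUser ran), but each following request (GET /, GET /config, GET /me) looks up a session id that has never been seen before and inserts a new row, so the browser never presented the cookie that the login response should have set. All requests also arrive as HTTP/1.0, which is what nginx sends upstream unless proxy_http_version 1.1 is configured. In the OpenLDAP log, both binds are mech=SIMPLE ssf=0, i.e. the bind DN password and the user's password crossed the Docker bridge unencrypted over ldap://. The script below is an added example written for this thread (not code from the poster, from HedgeDoc or from OpenLDAP) that runs both checks over the posted lines; the sample lines are copied from the logs above with the SELECT column lists, the INSERT/UPDATE statements and the user agents trimmed.

```python
"""Session-continuity and plaintext-bind checks over the logs in this thread.
Added example; the sample lines are trimmed copies of the posted HedgeDoc and
OpenLDAP log output."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Session id the sequelize session store touched while HedgeDoc handled a request.
SID_RE = re.compile(r"`Session`\.`sid` = '([^']+)'")
# HedgeDoc's access-log line; only the fields the check needs are captured.
ACCESS_RE = re.compile(
    r'^\S+ info:\s+(?P<ip>\S+) - - \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" (?P<status>\d{3})'
)
# slapd "stats" BIND line carrying the mechanism and the security strength factor.
BIND_RE = re.compile(
    r'conn=(?P<conn>\d+) op=\d+ BIND dn="(?P<dn>[^"]+)" mech=(?P<mech>\S+) ssf=(?P<ssf>\d+)'
)


@dataclass
class Request:
    method: str
    path: str
    proto: str
    status: int
    sid: Optional[str]  # last session id the store touched before the access line


def parse_requests(lines: List[str]) -> List[Request]:
    """Pair each access-log line with the session id written just before it."""
    requests, last_sid = [], None
    for line in lines:
        m = SID_RE.search(line)
        if m:
            last_sid = m.group(1)
            continue
        m = ACCESS_RE.match(line)
        if m:
            requests.append(Request(m['method'], m['path'], m['proto'], int(m['status']), last_sid))
            last_sid = None
    return requests


def check_session_continuity(lines: List[str], login_path: str = '/auth/ldap') -> List[str]:
    """A healthy login leaves the session saved by the login response in use afterwards.
    A fresh session on every later request means the cookie never reached the browser."""
    findings = []
    reqs = parse_requests(lines)
    login = next((r for r in reqs if r.method == 'POST' and r.path == login_path), None)
    if login is None:
        return ['no login request found']
    later = [r for r in reqs[reqs.index(login) + 1:] if r.sid is not None]
    if later and all(r.sid != login.sid for r in later):
        findings.append(f'session {login.sid} saved by POST {login_path} ({login.status}) was never '
                        f'presented again: {len(later)} later requests each created a new session')
    if any(r.proto == 'HTTP/1.0' for r in reqs):
        findings.append('requests reach HedgeDoc as HTTP/1.0: the proxy lacks proxy_http_version 1.1, '
                        'which the socket.io WebSocket upgrade needs')
    return findings


def plaintext_binds(lines: List[str]) -> List[Tuple[str, str]]:
    """(conn, dn) of every simple bind with ssf=0, i.e. a password sent unencrypted."""
    return [(m['conn'], m['dn']) for m in map(BIND_RE.search, lines)
            if m and m['mech'] == 'SIMPLE' and m['ssf'] == '0']


HEDGEDOC_LOG = [  # copied from the HedgeDoc log in the post above, trimmed as described
    "2023-04-17T02:17:43.417Z info: Executing (default): SELECT `sid` FROM `Sessions` AS `Session` WHERE `Session`.`sid` = 'Tav-fs5ZsQj0aNv9VMjfRcgqDSyzcQDr';",
    "2023-04-17T02:17:43.418Z info: serializeUser: a678a290-7530-4d7d-9206-04e21bb6883f",
    "2023-04-17T02:17:43.418Z info: Executing (default): SELECT `sid` FROM `Sessions` AS `Session` WHERE `Session`.`sid` = 'oujmA9KMMilVYnjc0h28ZGXqzhQs0UVP';",
    "2023-04-17T02:17:43.494Z info: Executing (default): SELECT `sid` FROM `Sessions` AS `Session` WHERE `Session`.`sid` = 'oujmA9KMMilVYnjc0h28ZGXqzhQs0UVP';",
    '2023-04-17T02:17:43.513Z info: 10.42.0.30 - - [17/Apr/2023:02:17:43 +0000] "POST /auth/ldap HTTP/1.0" 302 100 "https://hedgedoc.kkatex.com/" "Mozilla/5.0"',
    "2023-04-17T02:17:45.119Z info: Executing (default): SELECT `sid` FROM `Sessions` AS `Session` WHERE `Session`.`sid` = 'gVzWSEH4WIrUcZtWR7rp_zuNDf4KIJjT';",
    '2023-04-17T02:17:45.169Z info: 10.42.0.30 - - [17/Apr/2023:02:17:45 +0000] "GET / HTTP/1.0" 200 - "https://hedgedoc.kkatex.com/" "Mozilla/5.0"',
    "2023-04-17T02:17:45.899Z info: Executing (default): SELECT `sid` FROM `Sessions` AS `Session` WHERE `Session`.`sid` = 'MZ2gsNLTJDhAUeamSAbs35kl79yI2bPy';",
    '2023-04-17T02:17:45.915Z info: 10.42.0.30 - - [17/Apr/2023:02:17:45 +0000] "GET /config HTTP/1.0" 200 290 "https://hedgedoc.kkatex.com/" "Mozilla/5.0"',
    "2023-04-17T02:17:46.594Z info: Executing (default): SELECT `sid` FROM `Sessions` AS `Session` WHERE `Session`.`sid` = 'tLOXyo_9Gpruvb_MZfObVtnkHKPqp8-P';",
    '2023-04-17T02:17:46.619Z info: 10.42.0.30 - - [17/Apr/2023:02:17:46 +0000] "GET /me HTTP/1.0" 200 22 "https://hedgedoc.kkatex.com/" "Mozilla/5.0"',
]

OPENLDAP_LOG = [  # copied from the OpenLDAP log in the post above
    '643cac47 conn=1451 op=0 BIND dn="cn=admin,dc=kkatex,dc=com" method=128',
    '643cac47 conn=1451 op=0 BIND dn="cn=admin,dc=kkatex,dc=com" mech=SIMPLE ssf=0',
    '643cac47 conn=1451 op=0 RESULT tag=97 err=0 text=',
    '643cac47 conn=1451 op=1 SRCH base="cn=nas,dc=kkatex,dc=com" scope=2 deref=0 filter="(&(sn=casper_chen)(objectClass=*))"',
    '643cac47 conn=1452 op=0 BIND dn="cn=casper_chen,cn=nas,dc=kkatex,dc=com" mech=SIMPLE ssf=0',
    '643cac47 conn=1452 op=0 RESULT tag=97 err=0 text=',
]

if __name__ == '__main__':
    for finding in check_session_continuity(HEDGEDOC_LOG):
        print('hedgedoc:', finding)
    for conn, dn in plaintext_binds(OPENLDAP_LOG):
        print(f'openldap: conn={conn} bound {dn} with ssf=0')
```

The first finding points at the proxy chain rather than at LDAP: the login is accepted, the session is written, and only the cookie fails to come back, which is the symptom of a Secure cookie being refused because the request did not look like HTTPS to HedgeDoc. The ssf=0 binds are a separate observation: HedgeDoc is configured with ldap://, so switching CMD_LDAP_URL to ldaps:// (with the CA supplied through CMD_LDAP_TLS_CA if the certificate is private) would make slapd log a non-zero ssf for these binds.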