ldap_user_create_mode 'auto' does work without groups #74

Open
ziima opened this issue Mar 10, 2023 · 4 comments

ziima commented Mar 10, 2023

I ran into a serious problem with Discourse login using LDAP. When a new user tries to log in, he is redirected back to a login page without any message. Logs confirmed LDAP passed successfully, but the user wasn't created in Discourse. Existing users worked fine.

After debugging I discovered that the LDAP plugin doesn't create users if they have no groups provided by LDAP. I'm not quite sure what changed in our LDAP instance configuration, since it is not entirely under our control, but it may have led to different data being returned by LDAP regarding user groups.

Anyway, I was able to work around it with this patch:

--- /var/www/discourse/plugins/discourse-ldap-auth/lib/ldap_user.rb.old	2023-03-10 18:01:14.596939164 +0100
+++ /var/www/discourse/plugins/discourse-ldap-auth/lib/ldap_user.rb	2023-03-10 18:07:20.957617316 +0100
@@ -31,10 +31,10 @@
 
   private
   def create_user_groups(user_groups)
-    return if user_groups.nil?
     #user account must exist in order to create user groups
     @user = User.create!(name: self.name, email: self.email, username: self.username)
     @user.activate
+    return if user_groups.nil?
     user_groups.each do |group_name|
       group = Group.find_by(name: group_name)
       @user.groups << group unless group.nil?
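
Review bot: with the nil guard moved below User.create! in create_user_groups, this private method now creates and activates an account for every caller, including when no group data is passed, so it does two jobs under a name that describes only one. Consider moving the User.create! / @user.activate pair into its own method and leaving the group loop, with its guard, here. The original guard fired only on nil, so an empty list already created the user; if the caller can normalise nil to an empty list, the guard could be dropped entirely. User.create! raises on a validation failure and nothing in the visible lines rescues it, so an invalid or duplicate name, email or username coming from LDAP would surface as an exception rather than a login message. If a missing group list was ever relied on to keep accounts from being auto-created, this change removes that gate, which is worth confirming as intended for 'auto' mode.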

All in all, I find it weird that the user instance is created only if groups are present. I'd expect the user object to be created regardless.

Configuration:

  • discourse 2.8.13
  • discourse-ldap-auth 0.6.0
  • ldap filter is not set

I would provide a patch, but I can't write in Ruby and this workaround is as far as I could get.

Owner

jonmbake commented Mar 12, 2023

@ziima In previous Discourse versions, Discourse would create the User account if an auth plugin returned a valid authentication result and the user account did not exist. It's weird that this stopped working... The only reason #create_user_groups is creating the user ahead of time is in order to be able to assign groups to the user record.

@jonmbake
Owner

@davidtaylorhq Any ideas why user creation would fail after a successful auth here? Did anything change with Auth::Result?

@davidtaylorhq
Contributor

I'm not aware of any recent changes to this area. I'd recommend checking:

  • Discourse's auth_skip_create_confirm site setting - that controls whether an account is created immediately, or whether the user is given a chance to update their username etc.

  • force_https setting (hidden). It's important that this is enabled so that the auth-related cookies are set in the correct http/https context

  • Check the browser developer console for any JavaScript errors

Author

ziima commented Oct 6, 2023

I got back to this, since my workaround was removed after an update.

  • auth_skip_create_confirm was disabled.
  • force_https was enabled.

Still no idea why it doesn't work.
