On Mon, Aug 17, 2020 at 6:02 AM Hendrik Hansmeier <hendrik.hansme...@hh-it.co> wrote:

> I re-checked the permissions and found that the permissions issue was only
> with my certs. Since I stored them in the app root of the .deb installation,
> chown-ing the whole folder helped as well.
>
> So nothing needs to be fixed. Thanks for your help.

Good to know that you figured it out :)

> Kind regards
>
> Hendrik Hansmeier
>
> Hendrik Hansmeier IT-Consulting ::: Bunsenstraße 5 ::: 51647 Gummersbach
> FON +49 2261 814 174 ::: MOB +49 151 235 866 02 ::: E-MAIL hendrik.hansme...@hh-it.co :::
> WEB https://www.hh-it.co :::
> USt-IdNr.: DE311717013 ::: Finanzamt Gummersbach
>
> -------- Original message --------
> From: Hendrik Hansmeier <hendrik.hansme...@hh-it.co>
> Date: 17.08.20 01:49 (GMT+01:00)
> To: khushboo.va...@enterprisedb.com
> Cc: pgadmin-support@lists.postgresql.org, heiko.onnebr...@metronom.com
> Subject: Re: [EXT] Re: pgadmin4 container deployment with ldap-authentication
>
> So after installing pgadmin4 from the .deb file and trying out several
> configurations, I found a working one, but with a file-permission issue.
> Because I didn't try out which specific file made the problems, I chown-ed
> all pgadmin4/web/* files to www-data:www-data, since pgadmin4 from the .deb
> file is hosted by apache2. So finally I got it working.
>
> After that I adapted my docker parameters to
>
> docker run -p 8280:80 \
>   -e "PGADMIN_DEFAULT_EMAIL=<emailAddress>" \
>   -e "PGADMIN_DEFAULT_PASSWORD=<password>" \
>   -e "PGADMIN_CONFIG_AUTHENTICATION_SOURCES=['ldap']" \
>   -e "PGADMIN_CONFIG_LDAP_AUTO_CREATE_USER=True" \
>   -e "PGADMIN_CONFIG_LDAP_SERVER_URI='ldaps://dc.mydomain.local:636'" \
>   -e "PGADMIN_CONFIG_LDAP_BASE_DN='cn=Users,dc=mydomain,dc=local'" \
>   -e "PGADMIN_CONFIG_LDAP_USE_STARTTLS=True" \
>   -e "PGADMIN_CONFIG_LDAP_BIND_USER='cn=user,cn=Users,dc=mydomain,dc=local'" \
>   -e "PGADMIN_CONFIG_LDAP_BIND_PASSWORD='<bind-password>'" \
>   -e "PGADMIN_CONFIG_LDAP_CA_CERT_FILE='/certs/ca.crt'" \
>   -e "PGADMIN_CONFIG_LDAP_CERT_FILE='/certs/client.crt'" \
>   -e "PGADMIN_CONFIG_LDAP_KEY_FILE='/private/client.key'" \
>   -e "PGADMIN_CONFIG_LDAP_USERNAME_ATTRIBUTE='sAMAccountName'" \
>   -e "PGADMIN_CONFIG_LDAP_SEARCH_BASE_DN='cn=Users,dc=mydomain,dc=local'" \
>   -v '/local/path/to/ca.crt:/certs/ca.crt' \
>   -v '/local/path/to/client.crt:/certs/client.crt' \
>   -v '/local/path/to/client.key:/private/client.key' \
>   -d <my docker-image>
>
> As expected, I got the same file-permission issue. So I interactively
> entered the docker session with
>
> docker exec -it -u 0 <container id> /bin/sh
>
> and did
>
> chown -R pgadmin:pgadmin /pgadmin4/*
>
> since the process is running under user pgadmin, and
>
> chmod 644 /private/*
> chmod 644 /certs/*
>
> as a quickfix. So I finally got it working, so that I can log in with a
> valid sAMAccountName and password. It would be great if you would fix these
> file-permission issues in the image as well as in the .deb file.
>
> Due to the issue, I got
>
> LDAPSocketOpenError socket ssl wrapping error: [Errno 13] Permission denied
>
> before.
>
> Best regards,
>
> Hendrik Hansmeier
>
> Hendrik Hansmeier IT-Consulting ::: Bunsenstraße 5 ::: 51647 Gummersbach
> FON +49 (0) 2261 814 174 ::: MOB +49 (0) 151 235 866 02 ::: E-MAIL hendrik.hansme...@hh-it.co
> USt-IdNr.: DE311717013 ::: Finanzamt Gummersbach
>
> On 11.08.20 at 15:09, Khushboo Vashi wrote:
>
> On Tue, Aug 11, 2020 at 6:26 PM <heiko.onnebr...@metronom.com> wrote:
>
>> Can you confirm that the parameters that I pass to docker are
>> (syntactically) correct to properly filter for the requested user record.
>
> They are correct except PGADMIN_CONFIG_LDAP_USERNAME_ATTRIBUTE should be "cn".
>
>> As we should not timeout once we properly filter by userPrincipalName I
>> want to be sure that filtering is properly passed to the LDAP query.
>
> If you want to filter by userPrincipalName then use the LDAP_SEARCH_FILTER
> option.
> PGADMIN_CONFIG_LDAP_SEARCH_FILTER="xxxxx"
>
>> From: Khushboo Vashi <khushboo.va...@enterprisedb.com>
>> Date: Tuesday, 11. August 2020 at 14:36
>> To: "Onnebrink, Heiko" <heiko.onnebr...@metronom.com>
>> Cc: "pgadmin-support lists.postgresql.org" <pgadmin-support@lists.postgresql.org>, Hendrik Hansmeier <hendrik.hansme...@hh-it.co>
>> Subject: Re: [EXT] Re: pgadmin4 container deployment with ldap-authentication
>>
>> Hi,
>>
>> On Tue, Aug 11, 2020 at 4:29 PM <heiko.onnebr...@metronom.com> wrote:
>>
>> Hi,
>> I am just back from holiday and wanted to test the same (as I authored
>> this LDAP change request I think it's overdue to test it)
>>
>> To ensure the env is fine I executed ldapsearch on the docker host to
>> have some check first:
>>
>> ldapsearch -LLL -x -h ldap.mgi.de:389 -D "cn=SVCLDAP,cn=Users,dc=asf,dc=madm,dc=net" -w xxxxxx -b "dc=madm,dc=net" userPrincipalName=heiko.onnebr...@metronom.com
>>
>> I got some fine output back within some ms:
>>
>> dn: CN=Onnebrink Heiko,OU=HQ01-DUS,OU=Users,OU=DE,OU=MSYS,DC=r2,DC=madm,DC=net
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: Onnebrink Heiko
>> sn: Onnebrink
>> c: DE
>> l: Duesseldorf
>> title: Mr
>> description: XPC User (migriert) - managed by identityDirectory
>> postalCode: 40235
>> physicalDeliveryOfficeName: 09.02.207
>> etc (truncated)
>>
>> Next I transferred the args from the test and passed them to the pgBadger docker
>> container
>>
>> docker run -p 443:443 \
>>   -e PGADMIN_DEFAULT_EMAIL=ad...@metronom.com \
>>   -e PGADMIN_DEFAULT_PASSWORD=admin \
>>   -e 'PGADMIN_CONFIG_AUTHENTICATION_SOURCES=["ldap"]' \
>>   -e 'PGADMIN_CONFIG_LDAP_SERVER_URI="ldap://ldap.mgi.de:389"' \
>>   -e 'PGADMIN_CONFIG_LDAP_USERNAME_ATTRIBUTE="userPrincipalName"' \
>>   -e 'PGADMIN_CONFIG_LDAP_BIND_USER="cn=SVCLDAP,cn=Users,dc=asf,dc=madm,dc=net"' \
>>   -e 'PGADMIN_CONFIG_LDAP_BIND_PASSWORD="xxxxxx"' \
>>   -e 'PGADMIN_CONFIG_LDAP_SEARCH_BASE_DN="dc=madm,dc=net"' \
>>   -e PGADMIN_CONFIG_LDAP_AUTO_CREATE_USER=True \
>>   -e PGADMIN_ENABLE_TLS=TRUE \
>>   -v '/dockerdata/pgadmin/servers.json:/servers.json' \
>>   -v '/dockerdata/pgadmin/server.cert:/certs/server.cert' \
>>   -v '/dockerdata/pgadmin/server.key:/certs/server.key' \
>>   --name pgadminssl registry.metroscales.io/rdb-dev/pgadmin:latest
>>
>> NOTE: Configuring authentication for SERVER mode.
>> sudo: setrlimit(RLIMIT_CORE): Operation not permitted
>> [2020-08-11 10:45:49 +0000] [1] [INFO] Starting gunicorn 19.9.0
>> [2020-08-11 10:45:49 +0000] [1] [INFO] Listening at: http://[::]:443 (1)
>> [2020-08-11 10:45:49 +0000] [1] [INFO] Using worker: threads
>> /usr/local/lib/python3.8/os.py:1023: RuntimeWarning: line buffering (buffering=1) isn't supported in binary mode, the default buffer size will be used
>>   return io.open(fd, *args, **kwargs)
>> [2020-08-11 10:45:49 +0000] [97] [INFO] Booting worker with pid: 97
>>
>> I started up pgAdmin web and entered heiko.onnebr...@metronom.com with
>> pwd as credentials.
>>
>> After logon a new window pops up with this JSON result
>>
>> {
>>   success: 0,
>>   result: null,
>>   info: "",
>>   data: null,
>>   errormsg: "error receiving data: timed out"
>> }
>>
>> Here the error stack from the pgAdmin container:
>>
>> ::ffff:10.97.177.148 - - [11/Aug/2020:10:49:02 +0000] "GET / HTTP/1.1" 302 237 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15"
>> ::ffff:10.97.177.148 - - [11/Aug/2020:10:49:02 +0000] "GET /login?next=%2F HTTP/1.1" 200 1698 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15"
>> 2020-08-11 10:49:27,835: ERROR flask.app: error receiving data: timed out
>> Traceback (most recent call last):
>>   File "/usr/local/lib/python3.8/site-packages/ldap3/strategy/sync.py", line 82, in receiving
>>     data = self.connection.socket.recv(self.socket_size)
>> socket.timeout: timed out
>>
>> During handling of the above exception, another exception occurred:
>>
>> Traceback (most recent call last):
>>   File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1813, in full_dispatch_request
>>     rv = self.dispatch_request()
>>   File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1799, in dispatch_request
>>     return self.view_functions[rule.endpoint](**req.view_args)
>>   File "/pgadmin4/pgadmin/authenticate/__init__.py", line 55, in login
>>     status, msg = auth_obj.authenticate()
>>   File "/pgadmin4/pgadmin/authenticate/__init__.py", line 118, in authenticate
>>     status, msg = source.authenticate(self.form)
>>   File "/pgadmin4/pgadmin/authenticate/ldap.py", line 73, in authenticate
>>     status, ldap_user = self.search_ldap_user()
>>   File "/pgadmin4/pgadmin/authenticate/ldap.py", line 228, in search_ldap_user
>>     self.conn.search(search_base=search_base_dn,
>>   File "/usr/local/lib/python3.8/site-packages/ldap3/core/connection.py", line 819, in search
>>     response = self.post_send_search(self.send('searchRequest', request, controls))
>>   File "/usr/local/lib/python3.8/site-packages/ldap3/strategy/sync.py", line 139, in post_send_search
>>     responses, result = self.get_response(message_id)
>>   File "/usr/local/lib/python3.8/site-packages/ldap3/strategy/base.py", line 353, in get_response
>>     responses = self._get_response(message_id, timeout)
>>   File "/usr/local/lib/python3.8/site-packages/ldap3/strategy/sync.py", line 157, in _get_response
>>     responses = self.receiving()
>>   File "/usr/local/lib/python3.8/site-packages/ldap3/strategy/sync.py", line 92, in receiving
>>     raise communication_exception_factory(LDAPSocketReceiveError, type(e)(str(e)))(self.connection.last_error)
>> ldap3.core.exceptions.LDAPSocketReceiveError: error receiving data: timed out
>> ::ffff:10.97.177.148 - - [11/Aug/2020:10:49:27 +0000] "POST /authenticate/login HTTP/1.1" 500 94 "https://10.96.48.68/login?next=%2F" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15"
>>
>> Looking at the error (receiving data timed out), I think we need to
>> provide the configuration option to set the "Receive Timeout" parameter.
>>
>> Can you please log this issue @ https://redmine.postgresql.org/projects/pgadmin4 ,
>> so we can fix and track it?
>>
>> Thanks for the testing.
>>
>> Thanks,
>> Khushboo
>>
>> Thanks for any advice
>> cheers
>> Heiko
>>
>> From: Khushboo Vashi <khushboo.va...@enterprisedb.com>
>> Date: Tuesday, 11. August 2020 at 06:09
>> To: Hendrik Hansmeier <hendrik.hansme...@hh-it.co>
>> Cc: "pgadmin-support lists.postgresql.org" <pgadmin-support@lists.postgresql.org>
>> Subject: [EXT] Re: pgadmin4 container deployment with ldap-authentication
>>
>> Hi,
>>
>> On Tue, Aug 11, 2020 at 4:35 AM Hendrik Hansmeier <hendrik.hansme...@hh-it.co> wrote:
>>
>> Hi,
>> I am trying to get pgadmin4 running in server mode as a docker container.
>> So I pulled the image and after I tried out the image a little bit, I tried
>> to use LDAP authentication.
>> Unfortunately, I didn't get it running as expected. I am not able to
>> authenticate against my Samba 4 domain. This is how I tried to launch the
>> container:
>>
>> docker run -p 8280:80 \
>>   -e "PGADMIN_DEFAULT_EMAIL=<emailAddress>" \
>>   -e "PGADMIN_DEFAULT_PASSWORD=<password>" \
>>   -e "AUTHENTICATION_SOURCES=['ldap']" \
>>   -e "LDAP_AUTO_CREATE_USER=True" \
>>   -e "LDAP_SERVER_URI='ldaps://<domaincontroller>:636'" \
>>   -e "LDAP_BASE_DN='cn=Users,dc=mydomain,dc=local'" \
>>   -e "LDAP_BIND_USER='cn=User1,cn=Users,dc=mydomain,dc=local'" \
>>   -e "LDAP_BIND_PASSWORD=<BindDNPassword>" \
>>   -e "LDAP_CA_CERT_FILE='/etc/ssl/certs/myca.pem'" \
>>   -e "LDAP_CERT_FILE='/etc/ssl/certs/my.cert.pem'" \
>>   -e "LDAP_KEY_FILE='/etc/ssl/private/my.key.pem'" \
>>   -d dpage/pgadmin4
>>
>> I am using the container behind a reverse proxy on nginx (Debian buster),
>> for the first try via http. The authentication with the given user
>> PGADMIN_DEFAULT_EMAIL works as expected but LDAP authentication results in
>> an error message "Specified user does not exist".
>> Am I using the environment parameters for LDAP authentication correctly?
>> May a reverse proxy over https help to get ldaps working?
>>
>> The variable prefix "PGADMIN_CONFIG_" should be used to override any of
>> the configuration options in pgAdmin's config.py file. So add this prefix
>> to all the config params you have used (e.g. AUTHENTICATION_SOURCES,
>> LDAP_SERVER_URI etc.).
>>
>> Ex: AUTHENTICATION_SOURCES should be PGADMIN_CONFIG_AUTHENTICATION_SOURCES
>>
>> Please refer to
>> https://www.pgadmin.org/docs/pgadmin4/4.24/container_deployment.html#environment-variables
>> for more information.
>>
>> Also, set the LDAP_SEARCH_BASE_DN param, which is required to configure LDAP
>> authentication in Dedicated User mode (which you have configured).
>> Please refer to
>> https://www.pgadmin.org/docs/pgadmin4/4.24/enabling_ldap_authentication.html
>>
>> Thanks,
>> Khushboo
>>
>> --
>> Best regards,
>>
>> Hendrik Hansmeier
>>
>> Hendrik Hansmeier IT-Consulting ::: Bunsenstraße 5 ::: 51647 Gummersbach
>> FON +49 (0) 2261 814 174 ::: MOB +49 (0) 151 235 866 02 ::: E-MAIL hendrik.hansme...@hh-it.co
>> USt-IdNr.: DE311717013 ::: Finanzamt Gummersbach
>>
>> Geschäftsanschrift/Business address: METRO-NOM GmbH, Metro-Straße 12, 40235 Duesseldorf, Germany
>> Aufsichtsrat/Supervisory Board: Olaf Koch (Vorsitzender/Chairman)
>> Geschäftsführung/Management Board: Timo Salzsieder (Vorsitzender/CEO), Felix Lindemann (COO), Frank Hammerle (CFO)
>> Sitz Düsseldorf, Amtsgericht Düsseldorf, HRB 18232/Registered Office Düsseldorf, Commercial Register of the Düsseldorf Local Court, HRB 18232
>>
>> Regarding mails from *@metronom.com
>> The messages and attachments contained in this e-mail are intended
>> exclusively for the named addressee. They may contain legally protected,
>> confidential information. If you are not the named recipient or are not
>> authorised to receive this e-mail, the use, reproduction or forwarding of
>> the messages and attachments is prohibited. If you have received this
>> e-mail in error, please notify the sender immediately and destroy the e-mail.
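The "[Errno 13] Permission denied" in Hendrik's message above came from the bind-mounted certificate and key files not being readable by the container's pgadmin user, and the quickfix was chmod 644 on everything under /private and /certs, which also makes the private key readable by every uid inside the container. The preflight script below is an added example, not code from this thread or from the pgAdmin project: it checks each file to be mounted as the container user would see it and flags a key that is group- or world-readable. It assumes the pgadmin user has uid/gid 5050 (overridable via PGADMIN_UID/PGADMIN_GID) and that GNU coreutils stat is available on the host.

```shell
# Preflight check for files bind-mounted into the pgAdmin container (added example).
# The container process runs as user pgadmin; uid/gid 5050 is an assumption here.
# Instead of "chmod 644" on the key, verify that the target uid can read each file
# and that key files are not readable by group or others. Needs GNU stat (Linux).
PGADMIN_UID="${PGADMIN_UID:-5050}"
PGADMIN_GID="${PGADMIN_GID:-5050}"

# perm_bits FILE -> the last three octal mode digits, zero-padded (e.g. "644", "000")
perm_bits() {
    m=$(stat -c '%a' "$1") || return 1
    while [ ${#m} -lt 3 ]; do m=0$m; done
    printf '%s\n' "${m#${m%???}}"
}

# can_read FILE UID GID -> "ok" when the triad that applies to UID has the read bit
can_read() {
    f=$1; want_uid=$2; want_gid=$3
    [ -f "$f" ] || { echo "missing"; return 1; }
    set -- $(stat -c '%u %g' "$f") $(perm_bits "$f")   # owner uid, owner gid, perms
    own_uid=$1; own_gid=$2; p=$3
    u=${p%??}; rest=${p#?}; g=${rest%?}; o=${rest#?}   # user / group / other digits
    if [ "$own_uid" = "$want_uid" ]; then bit=$u
    elif [ "$own_gid" = "$want_gid" ]; then bit=$g
    else bit=$o; fi
    [ $((bit & 4)) -ne 0 ] || { echo "not readable by uid $want_uid (owner $own_uid:$own_gid mode $p)"; return 1; }
    echo ok
}

# key_is_private FILE -> "ok" unless group or others can read the key material
key_is_private() {
    p=$(perm_bits "$1") || return 1
    rest=${p#?}; g=${rest%?}; o=${rest#?}
    if [ $((g & 4)) -ne 0 ] || [ $((o & 4)) -ne 0 ]; then
        echo "readable by group/others (mode $p); use chown $PGADMIN_UID:$PGADMIN_GID and chmod 0400"
        return 1
    fi
    echo ok
}

# check_mounts FILE... -> exit 0 when every file is usable as-is, 1 otherwise
check_mounts() {
    rc=0
    for f in "$@"; do
        msg=$(can_read "$f" "$PGADMIN_UID" "$PGADMIN_GID") || { echo "$f: $msg"; rc=1; continue; }
        case $f in *.key|*.key.pem) msg=$(key_is_private "$f") || { echo "$f: $msg"; rc=1; };; esac
    done
    return $rc
}
```

Run it on the host against the files named in the -v mounts before docker run; a key owned by uid 5050 with mode 0400 passes, while the chmod 644 quickfix on the key is reported.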