[SOLVED] LDAP/AD Users

    • [SOLVED] LDAP/AD Users

      I've spent countless hours trying to get LDAP/AD integration working. I got really close, with being able to get the Groups in AD to list in the OMV WebGUI, but the User would throw a communication error. A common/known issue. I've learned that we need to see

      Source Code

      /usr/sbin/omv-rpc "UserMgmt" "getUserList" '{"start":0,"limit":null,"sortfield":null,"sortdir":null}'
      to work. I was having an issue with that command timing out. This thread was helpful, but somewhere along the way, now the omv-rpc command just returns "nobody" on both User and Group pages. However, all these commands return AD information without issue:

      Source Code

      wbinfo -u
      wbinfo -i {someuser}
      wbinfo -g
      getent passwd
      getent group


      so it seems my LDAP/AD integration is healthy, but just not the omv-rpc command to return that information for the WebGUI. I'm *so* close! Please help!

      [IMG:https://dl.dropboxusercontent.com/u/13871375/OMV/Users01.jpg]

      [IMG:https://dl.dropboxusercontent.com/u/13871375/OMV/Groups01.jpg]


    • It would seem the magic bullet is going to be in /var/www/openmediavault/js/omv/data/proxy/Rpc.js somewhere. Futzing with it will either generate the none/nobody as above, or, a timeout with this output:

      Source Code

      root@omv-pd:~# /usr/sbin/omv-rpc "UserMgmt" "getUserList" '{"start":0,"limit":null,"sortfield":null,"sortdir":null}'
      {"response":null,"error":{"code":7003,"message":"Failed to read from socket: Resource temporarily unavailable","trace":"exception 'OMVException' with message 'Failed to read from socket: Resource temporarily unavailable' in \/usr\/share\/php\/openmediavault\/rpc.inc:168\nStack trace:\n#0 \/usr\/sbin\/omv-rpc(107): OMVRpc::exec('UserMgmt', 'getUserList', Array, Array, 2)\n#1 {main}"}}


      This thread and this entry led me to the Rpc.js file. This is the current contents:

      Source Code

      /**
       * This file is part of OpenMediaVault.
       *
       * @license http://www.gnu.org/licenses/gpl.html GPL Version 3
       * @author Volker Theile <volker.theile@openmediavault.org>
       * @copyright Copyright (c) 2009-2016 Volker Theile
       *
       * OpenMediaVault is free software: you can redistribute it and/or modify
       * it under the terms of the GNU General Public License as published by
       * the Free Software Foundation, either version 3 of the License, or
       * any later version.
       *
       * OpenMediaVault is distributed in the hope that it will be useful,
       * but WITHOUT ANY WARRANTY; without even the implied warranty of
       * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
       * GNU General Public License for more details.
       *
       * You should have received a copy of the GNU General Public License
       * along with OpenMediaVault. If not, see <http://www.gnu.org/licenses/>.
       */
      // require("js/omv/Rpc.js")
      // require("js/omv/data/reader/RpcJson.js")
      // require("js/omv/window/MessageBox.js")
      /**
       * @ingroup webgui
       * @class OMV.data.proxy.Rpc
       * @derived Ext.data.proxy.Ajax
       * This proxy uses AJAX requests to load data from the server delivered via
       * the OMV RPC engine.
       * @param config An array containing the following fields:
       * \li rpcData The RPC parameters. \see OMV.Rpc.request
       * for more details.
       * \li extraParams An object of additional method parameters.
       * \li appendSortParams Set to FALSE to do not append the sort parameters
       * 'start', 'limit', 'sortfield' and 'sortdir'. Defaults to TRUE.
       */
      Ext.define("OMV.data.proxy.Rpc", {
          extend: "Ext.data.proxy.Ajax",
          alias: "proxy.rpc",
          requires: [
              "OMV.Rpc",
              "OMV.data.reader.RpcJson",
              "OMV.window.MessageBox"
          ],
          uses: [ "Ext.data.Request" ],
          config: {
              reader: "rpcjson",
              simpleSortMode: true,
              idParam: "uuid",
              sortParam: "sortfield",
              directionParam: "sortdir",
              appendSortParams: true,
              timeout: 60000
          },
          constructor: function() {
              var me = this;
              Ext.apply(me, {
                  timeout: 60000
              });
              me.callParent(arguments);
              me.on("exception", function(proxy, response, operation) {
                  OMV.MessageBox.error(null, response);
              });
          },
          doRequest: function(operation, callback, scope) {
              var me = this;
              var request = me.buildRequest(operation);
              Ext.apply(request, {
                  timeout: me.timeout,
                  scope: me,
                  callback: me.createRequestCallback(request, operation,
                      callback, scope),
                  method: me.getMethod(request),
                  disableCaching: false
              });
              OMV.Rpc.request(request);
              return request;
          },
          createRequestCallback: function(request, operation, callback, scope) {
              var me = this;
              return function(id, success, response) {
                  me.processResponse(success, operation, request, response,
                      callback, scope);
              };
          },
          buildRequest: function(operation) {
              var me = this, request = null, rpcData = me.rpcData;
              rpcData.params = Ext.applyIf(rpcData.params || {},
                  me.extraParams || {});
              if (me.getAppendSortParams()) {
                  rpcData.params = Ext.apply(rpcData.params,
                      me.getParams(operation));
              }
              request = Ext.create("Ext.data.Request", {
                  action: operation.getAction(),
                  operation: operation,
                  proxy: me,
                  rpcData: rpcData,
                  relayErrors: true
              });
              operation.request = request;
              return request;
          },
          getParams: function(operation) {
              var me = this,
                  params = {},
                  start = operation.getStart(),
                  limit = operation.getLimit(),
                  sorters = operation.getSorters(),
                  startParam = me.getStartParam(),
                  limitParam = me.getLimitParam(),
                  sortParam = me.getSortParam(),
                  simpleSortMode = me.getSimpleSortMode(),
                  directionParam = me.getDirectionParam();
              if (startParam && Ext.isDefined(start))
                  params[startParam] = start;
              if (limitParam && Ext.isDefined(limit))
                  params[limitParam] = limit;
              if (sortParam && sorters && (sorters.length > 0)) {
                  if (simpleSortMode) {
                      params[sortParam] = sorters[0].getProperty();
                      params[directionParam] = sorters[0].getDirection();
                  } else {
                      params[sortParam] = me.encodeSorters(sorters);
                  }
              } else {
                  params[sortParam] = null;
                  params[directionParam] = null;
              }
              return params;
          }
      });


      Note the hard-coded entry of 60000 instead of the OMV.HTTPREQUEST_TIMEOUT variable
    • Digging a bit deeper, I found somewhere about running:

      Source Code

      omv-engined -d -f


      so that I can see request output. Having done that, and selecting the Group item, which returns a list, I see this output:

      Source Code

      Executing RPC (service=UserMgmt, method=getGroupList, params={"start":0,"limit":25,"sortfield":"name","sortdir":"ASC"}, context={"username":"admin","role":1}) ...
      RPC response (service=UserMgmt, method=getGroupList): {"response":{"total":324,"data":[{"name":"-acad","gid":16777455,"members":["mgrabowski","scvetan"],"system":false},...
      SIGCHLD received ...
      Child (pid=7237) terminated with exit code 0


      But when I click on the User item, I see this output:

      Source Code

      Executing RPC (service=ShareMgmt, method=enumerateSharedFolders, params={"start":0,"limit":25,"sortfield":null,"sortdir":null}, context={"username":"admin","role":1}) ...
      RPC response (service=ShareMgmt, method=enumerateSharedFolders): {"response":[],"error":null}
      SIGCHLD received ...
      Child (pid=9371) terminated with exit code 0


      Which to my untrained eye, doesn't look like it's running the command I've been using to test:

      Source Code

      /usr/sbin/omv-rpc "UserMgmt" "getUserList" '{"start":0,"limit":null,"sortfield":null,"sortdir":null}'


      This command returns the error output shown above in the first post.
    • Now I'm wondering if the issue is tied to this somehow:
      /usr/share/openmediavault/engined/rpc/usermgmt.inc

      Source Code

      function getUserList($params, $context) {
          global $xmlConfig;
          // Validate the RPC caller context.
          $this->validateMethodContext($context, array(
              "role" => OMV_ROLE_ADMINISTRATOR
          ));
          // Validate the parameters of the RPC service method.
          $this->validateMethodParams($params, '{
              "type":"object",
              "properties":{
                  "start":{"type":"integer"},
                  "limit":{'.$GLOBALS['OMV_JSONSCHEMA_COUNTFIELD'].'},
                  "sortfield":{'.$GLOBALS['OMV_JSONSCHEMA_SORTFIELD'].'},
                  "sortdir":{'.$GLOBALS['OMV_JSONSCHEMA_SORTDIR'].'}
              }
          }');
          // Get the list of non-system user.
          $users = $this->enumerateUsersByType("normal");
          // Process users and append additional information stored in
          // the database.
          foreach ($users as $userk => &$userv) {
              // Get additional information stored in database.
              $xpath = sprintf("//system/usermanagement/users/user[name='%s']",
                  $userv['name']);
              $object = $xmlConfig->get($xpath);
              if (!is_null($object)) {
                  $userv['email'] = $object['email'];
                  $userv['disallowusermod'] = boolvalEx(
                      $object['disallowusermod']);
                  $userv['sshpubkeys'] = empty($object['sshpubkeys']) ?
                      array() : $object['sshpubkeys']['sshpubkey'];
              }
          }
          // Filter result.
          return $this->applyFilter($users, $params['start'],
              $params['limit'], $params['sortfield'], $params['sortdir']);
      }


      Since the getGroupList function is returning correctly, I compared it to the getUserList function. It looks very similar, just curious why getting the groups list from AD works but not the users list.

      Source Code

      /**
       * Get list of groups (except system groups).
       * @param params An array containing the following fields:
       * \em start The index where to start.
       * \em limit The number of objects to process.
       * \em sortfield The name of the column used to sort.
       * \em sortdir The sort direction, ASC or DESC.
       * @param context The context of the caller.
       * @return An array containing the requested objects. The field \em total
       * contains the total number of objects, \em data contains the object
       * array. An exception will be thrown in case of an error.
       */
      function getGroupList($params, $context) {
          global $xmlConfig;
          // Validate the RPC caller context.
          $this->validateMethodContext($context, array(
              "role" => OMV_ROLE_ADMINISTRATOR
          ));
          // Validate the parameters of the RPC service method.
          $this->validateMethodParams($params, '{
              "type":"object",
              "properties":{
                  "start":{"type":"integer"},
                  "limit":{'.$GLOBALS['OMV_JSONSCHEMA_COUNTFIELD'].'},
                  "sortfield":{'.$GLOBALS['OMV_JSONSCHEMA_SORTFIELD'].'},
                  "sortdir":{'.$GLOBALS['OMV_JSONSCHEMA_SORTDIR'].'}
              }
          }');
          // Get the list of non-system groups.
          $groups = $this->enumerateGroupsByType("normal");
          foreach($groups as $groupk => &$groupv) {
              // Get additional information stored in database.
              $xpath = sprintf("//system/usermanagement/groups/group[name='%s']",
                  $groupv['name']);
              $object = $xmlConfig->get($xpath);
              if(!is_null($object)) {
                  $groupv['comment'] = $object['comment'];
              }
          }
          // Filter result.
          return $this->applyFilter($groups, $params['start'],
              $params['limit'], $params['sortfield'], $params['sortdir']);
      }
    • Seems you have read this http://bugtracker.openmediavault.org/view.php?id=707

      Did you do this?

      Source Code

      nano /etc/login.defs
      UID_MIN 1000
      UID_MAX 33554431
      # System accounts
      #SYS_UID_MIN 100
      #SYS_UID_MAX 999
      #
      # Min/max values for automatic gid selection in groupadd
      #
      GID_MIN 1000
      GID_MAX 33554431


      Not sure it matters. Davidh2k did a nice tutorial at one time, did you see that?

      I have given up on the plugin as I don't have time to learn how to program it. Maybe after I retire. For now I just add things to a stock image and get it working that way. Seems to get less broken by updates. I do have it running on omv3 that way. I think I may have posted the steps in here somewhere.

      I only have a 2008sbs server to test against. What is your server? And version of OMV.
      If you make it idiot proof, somebody will build a better idiot.
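
Added example (not part of any post in this thread, and not OpenMediaVault code): a shell check of how many `getent`-style entries sit above the `UID_MAX` limit in a login.defs file, before and after the edit quoted above. It assumes that OMV's "normal" account listing is bounded by that limit; the sample files are constructed, with IDs in the same range as the gid shown in the debug output earlier.

```shell
#!/bin/sh
# Added example. Assumption: a getent entry whose ID is above UID_MAX/GID_MAX
# in login.defs is not listed as a "normal" account.

# login_def KEY FILE: print the value of the last uncommented "KEY value" line.
login_def() {
    awk -v key="$1" '$1 == key { val = $2 } END { if (val != "") print val }' "$2"
}

# above_max MAX FILE: print "name id" for getent-style lines (name:x:id:...)
# whose numeric ID exceeds MAX.
above_max() {
    awk -F: -v max="$1" '$3 ~ /^[0-9]+$/ && $3 + 0 > max + 0 { print $1, $3 }' "$2"
}

# hidden_count DEFS KEY FILE: number of entries in FILE above the KEY limit.
hidden_count() {
    max=$(login_def "$2" "$1")
    [ -n "$max" ] || { echo "no $2 in $1" >&2; return 2; }
    above_max "$max" "$3" | wc -l | tr -d ' '
}

# Constructed sample data (not taken from a real system).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/defs.stock" <<'EOF'
UID_MIN 1000
UID_MAX 60000
#SYS_UID_MAX 999
EOF
cat > "$tmp/defs.edited" <<'EOF'
UID_MIN 1000
UID_MAX 33554431
EOF
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
localuser:x:1000:100::/home/localuser:/bin/sh
aduser1:*:16777216:16777220:AD User One:/home/aduser1:/bin/sh
aduser2:*:16777455:16777220:AD User Two:/home/aduser2:/bin/sh
EOF

echo "stock login.defs:  $(hidden_count "$tmp/defs.stock" UID_MAX "$tmp/passwd") entries above UID_MAX"
echo "edited login.defs: $(hidden_count "$tmp/defs.edited" UID_MAX "$tmp/passwd") entries above UID_MAX"
above_max "$(login_def UID_MAX "$tmp/defs.stock")" "$tmp/passwd"
```

On a live system, save `getent passwd` output to a file and pass it together with the real /etc/login.defs.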
    • bkeadle wrote:

      but I have seen references to v3. Is that something I can do an in-place upgrade to?

      No. OMV 3.x is not ready yet.
    • Quick question: when trying changes to /usr/share/openmediavault/engined/rpc for troubleshooting, do I need to restart anything to effect the change? Or is it effective immediately?

      Also, is there some sort of an array limit that's making the function fail? I have 410 users that come back in 'wbinfo -u'
    • Source Code

      /usr/sbin/omv-rpc "UserMgmt" "getGroupList" '{"start":0,"limit":25,"sortfield":"name","sortdir":"ASC"}'

      returns a list

      Source Code

      /usr/sbin/omv-rpc "UserMgmt" "getUserList" '{"start":0,"limit":25,"sortfield":"name","sortdir":"ASC"}'

      times out with the error. Seems like this is a major clue, pointing to either UserMgmt.inc or whatever it's calling.
    • bkeadle wrote:

      /usr/share/openmediavault/engined/rpc for troubleshooting, do I need to restart anything to effect the change? Or is it effective immediately?


      You need to restart the engined service. BTW, any changes to rpc will get overwritten by a package upgrade.

      bkeadle wrote:

      Also, is there some sort of an array limit that's making the function fail? I have 410 users that come back in 'wbinfo -u'


      A few months ago there was a thread where a user had problems retrieving a big list, around 3000 thousand. I think he solved the issue by increasing the HTTP timeout.

      Connection Failure when listing AD Users
    • Thanks. Yeah, I saw that about the 3,000 users, and I made those timeout changes. Still, I have much fewer objects (410). It's just so puzzling that all the *other* commands work correctly (wbinfo -u/-g, getent passwd/group, omv-rpc "UserMgmt" "getGroupList"), only omv-rpc "UserMgmt" "getUserList" fails. :/
    • As for the timeouts, wouldn't that be ignored by specifying a smaller limit using:

      Source Code

      /usr/sbin/omv-rpc "UserMgmt" "getUserList" '{"start":0,"limit":25,"sortfield":"name","sortdir":"ASC"}'


      The other commands to return the user list (410 total) come back almost immediately, so it would seem that latency isn't the issue. Since the getGroupList returns almost instantly, I'm wondering if the getUserList isn't returning the correct information for users, and so it times out looking for some specific attribute that isn't getting returned? Any idea how to test that? What does a getUserList look like?
    • Well LA DEE DAH! Resolved! How any of it worked and just not the getUserList I don't get.

      Having started the omv-engined in debug mode:

      Source Code

      monit stop omv-engined
      omv-engined -df


      And then referencing this guide (for the umpteenth time), when I restarted the winbind service

      Source Code

      service winbind restart

      , I saw a bunch of LDAP errors scroll by in the omv-engined debug screen, referencing being unable to talk to my AD server via LDAPS. I then edited the associated files and restarted winbind again:

      Source Code

      vi /etc/libnss-ldap.conf
      cat /etc/pam_ldap.conf
      vi /etc/pam_ldap.conf
      service winbind restart

      And voila - no errors, and the getUserList returned my AD users! Woo hoo! :thumbsup:

      One minor(?) observation, however: in my user list, the email addresses for all my users are blank - though I know my users have email addresses associated (especially because we are using Office365 for our email with AD integration). Is that something I will need to concern myself with?
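
Added example (not from the thread or from OpenMediaVault): the last post does not say which settings were changed, so this shell check only shows one way to inspect the two files it names for LDAPS settings that disagree with each other or do not explicitly require certificate verification. The directive names are the standard nss_ldap/pam_ldap ones; the sample files and host name are constructed.

```shell
#!/bin/sh
# Added example; sample files are constructed. Directive names (uri, ssl,
# tls_checkpeer, tls_cacertfile) are the nss_ldap/pam_ldap ones.

# conf_get KEY FILE: value of the last uncommented "KEY value" line.
conf_get() {
    awk -v key="$1" 'tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
                     END { print val }' "$2"
}

# check_tls FILE: one finding per line; no output means nothing was flagged.
check_tls() {
    uri=$(conf_get uri "$1"); ssl=$(conf_get ssl "$1")
    case "$uri" in
        ldaps://*) if [ "$ssl" = "start_tls" ]; then echo "$1: ldaps:// uri with ssl start_tls"; fi ;;
        ldap://*)  if [ "$ssl" != "start_tls" ]; then echo "$1: ldap:// uri without ssl start_tls"; fi ;;
        *)         echo "$1: no ldap:// or ldaps:// uri" ;;
    esac
    if [ "$(conf_get tls_checkpeer "$1")" != "yes" ]; then echo "$1: tls_checkpeer not explicitly yes"; fi
    if [ -z "$(conf_get tls_cacertfile "$1")" ]; then echo "$1: tls_cacertfile not set"; fi
}

# compare_conf A B: report connection settings that differ between the two files.
compare_conf() {
    for key in uri base ssl; do
        a=$(conf_get "$key" "$1"); b=$(conf_get "$key" "$2")
        if [ "$a" != "$b" ]; then echo "$key differs: '$a' vs '$b'"; fi
    done
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/libnss-ldap.conf" <<'EOF'
# constructed sample
base dc=example,dc=test
uri ldaps://dc1.example.test/
ssl start_tls
EOF
cat > "$tmp/pam_ldap.conf" <<'EOF'
base dc=example,dc=test
uri ldaps://dc1.example.test/
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
EOF

check_tls "$tmp/libnss-ldap.conf"
check_tls "$tmp/pam_ldap.conf"
compare_conf "$tmp/libnss-ldap.conf" "$tmp/pam_ldap.conf"
```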