[SOLVED] LDAP/AD Users

bkeadle · 7. April 2016

I've spent countless hours trying to get LDAP/AD integration working. I got really close, with being able to get the Groups in AD to list in the OMV WebGUI, but the User would throw a communication error. A common/known issue. I've learned that we need to see

Code

/usr/sbin/omv-rpc "UserMgmt" "getUserList" '{"start":0,"limit":null,"sortfield":null,"sortdir":null}'

to work. I was having an issue with that command timing out. This thread was helpful, but somewhere along the way, now the omv-rpc command just returns "nobody" on both User and Group pages. However, all these commands return AD information without issue:

Code

wbinfo -u
wbinfo -i {someuser}
wbinfo -g
getent passwd
getent group

so it seems my LDAP/AD integration is healthy, but just not the omv-rpc command to return that information for the WebGUI. I'm *so* close! Please help!

bkeadle · 8. April 2016

It would seem the magic bullet is going to be in /var/www/openmediavault/js/omv/data/proxy/Rpc.js somewhere. Futzing with it will either generate the none/nobody as above, or, a timeout with this output:

Code

oot@omv-pd:~# /usr/sbin/omv-rpc "UserMgmt" "getUserList" '{"start":0,"limit":null,"sortfield":null,"sortdir":null}'
{"response":null,"error":{"code":7003,"message":"Failed to read from socket: Resource temporarily unavailable","trace":"exception 'OMVException' with message 'Failed to read from socket: Resource temporarily unavailable' in \/usr\/share\/php\/openmediavault\/rpc.inc:168\nStack trace:\n#0 \/usr\/sbin\/omv-rpc(107): OMVRpc::exec('UserMgmt', 'getUserList', Array, Array, 2)\n#1 {main}"}}

This thread and this entry lead me to Rpc.js file. This is the current contents:

Code

/**
 * This file is part of OpenMediaVault.
 *
 * @license   http://www.gnu.org/licenses/gpl.html GPL Version 3
 * @author    Volker Theile <volker.theile@openmediavault.org>
 * @copyright Copyright (c) 2009-2016 Volker Theile
 *
 * OpenMediaVault is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * any later version.
 *
 * OpenMediaVault is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with OpenMediaVault. If not, see <http://www.gnu.org/licenses/>.
 */
// require("js/omv/Rpc.js")
// require("js/omv/data/reader/RpcJson.js")
// require("js/omv/window/MessageBox.js")


/**
 * @ingroup webgui
 * @class OMV.data.proxy.Rpc
 * @derived Ext.data.proxy.Ajax
 * This proxy uses AJAX requests to load data from the server delivered via
 * the OMV RPC engine.
 * @param config An array containing the following fields:
 *   \li rpcData The RPC parameters. \see OMV.Rpc.request
 *     for more details.
 *   \li extraParams An object of additional method parameters.
 *   \li appendSortParams Set to FALSE to do not append the sort parameters
 *     'start', 'limit', 'sortfield' and 'sortdir'. Defaults to TRUE.
 */
Ext.define("OMV.data.proxy.Rpc", {
        extend: "Ext.data.proxy.Ajax",
        alias: "proxy.rpc",
        requires: [
                "OMV.Rpc",
                "OMV.data.reader.RpcJson",
                "OMV.window.MessageBox"
        ],
        uses: [ "Ext.data.Request" ],


        config: {
                reader: "rpcjson",
                simpleSortMode: true,
                idParam: "uuid",
                sortParam: "sortfield",
                directionParam: "sortdir",
                appendSortParams: true,
                timeout: 60000
        },


        constructor: function() {
                var me = this;
                Ext.apply(me, {
                        timeout: 60000
                });
                me.callParent(arguments);
                me.on("exception", function(proxy, response, operation) {
                        OMV.MessageBox.error(null, response);
                });
        },


        doRequest: function(operation, callback, scope) {
                var me = this;
                var request = me.buildRequest(operation);
                Ext.apply(request, {
                        timeout: me.timeout,
                        scope: me,
                        callback: me.createRequestCallback(request, operation,
                          callback, scope),
                        method: me.getMethod(request),
                        disableCaching: false
                });
                OMV.Rpc.request(request);
                return request;
        },


        createRequestCallback: function(request, operation, callback, scope) {
                var me = this;
                return function(id, success, response) {
                        me.processResponse(success, operation, request, response,
                          callback, scope);
                };
        },


        buildRequest: function(operation) {
                var me = this, request = null, rpcData = me.rpcData;
                rpcData.params = Ext.applyIf(rpcData.params || {},
                  me.extraParams || {});
                if (me.getAppendSortParams()) {
                        rpcData.params = Ext.apply(rpcData.params,
                          me.getParams(operation));
                }
                request = Ext.create("Ext.data.Request", {
                        action: operation.getAction(),
                        operation: operation,
                        proxy: me,
                        rpcData: rpcData,
                        relayErrors: true
                });
                operation.request = request;
                return request;
        },


        getParams: function(operation) {
                var me = this,
                  params = {},
                  start = operation.getStart(),
                  limit = operation.getLimit(),
                  sorters = operation.getSorters(),
                  startParam = me.getStartParam(),
          limitParam = me.getLimitParam(),
                  sortParam = me.getSortParam(),
                  simpleSortMode = me.getSimpleSortMode(),
                  directionParam = me.getDirectionParam();
                if (startParam && Ext.isDefined(start))
                        params[startParam] = start;
                if (limitParam && Ext.isDefined(limit))
                        params[limitParam] = limit;
                if (sortParam && sorters && (sorters.length > 0)) {
                        if (simpleSortMode) {
                                params[sortParam] = sorters[0].getProperty();
                                params[directionParam] = sorters[0].getDirection();
                        } else {
                                params[sortParam] = me.encodeSorters(sorters);
                        }
                } else {
                        params[sortParam] = null;
                        params[directionParam] = null;
                }
                return params;
        }
});

Alles anzeigen

Note the hard-coded entry of 60000 instead of the OMV.HTTPREQUEST_TIMEOUT variable

bkeadle · 8. April 2016

Digging a bit deeper, I found somewhere about running:

Code

omv-engined -d -f

so that I can see request output. Having done that, and selecting the Group item, which returns a list, I see this output:

Code

Executing RPC (service=UserMgmt, method=getGroupList, params={"start":0,"limit":25,"sortfield":"name","sortdir":"ASC"}, context={"username":"admin","role":1}) ...
RPC response (service=UserMgmt, method=getGroupList): {"response":{"total":324,"data":[{"name":"-acad","gid":16777455,"members":["mgrabowski","scvetan"],"system":false},...
SIGCHLD received ...
Child (pid=7237) terminated with exit code 0

But when I click on the User item, I see this output:

Code

Executing RPC (service=ShareMgmt, method=enumerateSharedFolders, params={"start":0,"limit":25,"sortfield":null,"sortdir":null}, context={"username":"admin","role":1}) ...
RPC response (service=ShareMgmt, method=enumerateSharedFolders): {"response":[],"error":null}
SIGCHLD received ...
Child (pid=9371) terminated with exit code 0

Which to my untrained eye, doesn't look like it's running the command I've been using to test:

Code

/usr/sbin/omv-rpc "UserMgmt" "getUserList" '{"start":0,"limit":null,"sortfield":null,"sortdir":null}'

Which this command returns the error output shown above in the first post.

bkeadle · 8. April 2016

Now I'm wondering if the issue is tied to this some how:
/usr/share/openmediavault/engined/rpc/usermgmt.inc

Code

function getUserList($params, $context) {
        global $xmlConfig;
        // Validate the RPC caller context.
        $this->validateMethodContext($context, array(
              "role" => OMV_ROLE_ADMINISTRATOR
          ));
        // Validate the parameters of the RPC service method.
        $this->validateMethodParams($params, '{
              "type":"object",
              "properties":{
                  "start":{"type":"integer"},
                  "limit":{'.$GLOBALS['OMV_JSONSCHEMA_COUNTFIELD'].'},
                  "sortfield":{'.$GLOBALS['OMV_JSONSCHEMA_SORTFIELD'].'},
                  "sortdir":{'.$GLOBALS['OMV_JSONSCHEMA_SORTDIR'].'}
              }
          }');
        // Get the list of non-system user.
        $users = $this->enumerateUsersByType("normal");
        // Process users and append additional information stored in
        // the database.
        foreach ($users as $userk => &$userv) {
            // Get additional information stored in database.
            $xpath = sprintf("//system/usermanagement/users/user[name='%s']",
              $userv['name']);
            $object = $xmlConfig->get($xpath);
            if (!is_null($object)) {
                $userv['email'] = $object['email'];
                $userv['disallowusermod'] = boolvalEx(
                  $object['disallowusermod']);
                $userv['sshpubkeys'] = empty($object['sshpubkeys']) ?
                  array() : $object['sshpubkeys']['sshpubkey'];
            }
        }
        // Filter result.
        return $this->applyFilter($users, $params['start'],
          $params['limit'], $params['sortfield'], $params['sortdir']);
    }

Alles anzeigen

since the getGroupList function is returning correctly, I compared it to the getUserList function. It looks very similar, just curious why getting groups list from AD works but not users list.

Code

/**
     * Get list of groups (except system groups).
     * @param params An array containing the following fields:
     *   \em start The index where to start.
     *   \em limit The number of objects to process.
     *   \em sortfield The name of the column used to sort.
     *   \em sortdir The sort direction, ASC or DESC.
     * @param context The context of the caller.
     * @return An array containing the requested objects. The field \em total
     *   contains the total number of objects, \em data contains the object
     *   array. An exception will be thrown in case of an error.
     */
    function getGroupList($params, $context) {
        global $xmlConfig;
        // Validate the RPC caller context.
        $this->validateMethodContext($context, array(
              "role" => OMV_ROLE_ADMINISTRATOR
          ));
        // Validate the parameters of the RPC service method.
        $this->validateMethodParams($params, '{
              "type":"object",
              "properties":{
                  "start":{"type":"integer"},
                  "limit":{'.$GLOBALS['OMV_JSONSCHEMA_COUNTFIELD'].'},
                  "sortfield":{'.$GLOBALS['OMV_JSONSCHEMA_SORTFIELD'].'},
                  "sortdir":{'.$GLOBALS['OMV_JSONSCHEMA_SORTDIR'].'}
              }
          }');
        // Get the list of non-system groups.
        $groups = $this->enumerateGroupsByType("normal");
        foreach($groups as $groupk => &$groupv) {
            // Get additional information stored in database.
            $xpath = sprintf("//system/usermanagement/groups/group[name='%s']",
              $groupv['name']);
            $object = $xmlConfig->get($xpath);
            if(!is_null($object)) {
                $groupv['comment'] = $object['comment'];
            }
        }
        // Filter result.
        return $this->applyFilter($groups, $params['start'],
          $params['limit'], $params['sortfield'], $params['sortdir']);
    }

Alles anzeigen

donh · 8. April 2016

Seems you have read this http://bugtracker.openmediavault.org/view.php?id=707

Did you do this?

Code

[/url]nano /etc/login.defs     UID_MIN 1000     UID_MAX 33554431     # System accounts     #SYS_UID_MIN 100     #SYS_UID_MAX 999     #     # Min/max values for automatic gid selection in groupadd     #     GID_MIN 1000     GID_MAX 33554431[url='http://bugtracker.openmediavault.org/view.php?id=707']

[/url]

Not sure it matters. Davidh2k did a nice tutorial at one time, did you see that?

I have given up on the plugin as I don't have time to learn how to program it. Maybe after I retire. For now I just add things to a stock image and get it working that way. Seems to get less broken by updates. I do have it running on omv3 that way. I think I may have posted the steps in here somewhere.

I only have a 2008sbs server to test against. What is your server? And version of OMV.

bkeadle · 8. April 2016

Yes, I've seen those posts and done those settings.

I'm running againsts Windows Server 2012, and OMV v2.2 That was the "latest", but I have seen references to v3. Is that something I can do an in-place upgrade to? I've got quite a bit of effort invested in this 2.2 installation.

ryecoaaron · 8. April 2016

Zitat von bkeadle

but I have seen references to v3. Is that something I can do an in-place upgrade to?

No. OMV 3.x is not ready yet.

bkeadle · 8. April 2016

Ah. good(?) I *thought* I was installing "current".

Any thoughts/suggestions about the /usr/sbin/omv-rpc command not returning a UserList?

bkeadle · 8. April 2016

Quick question: when trying changes to /usr/share/openmediavault/engined/rpc for troubleshooting, do I need to restart anything to effect the change? Or is it effectively immediately?

Also, is there some sort of an array limit that's making the function fail? I have 410 users that come back in 'wbinfo -u'

bkeadle · 9. April 2016

Code

/usr/sbin/omv-rpc "UserMgmt" "getGroupList" '{"start":0,"limit":25,"sortfield":"name","sortdir":"ASC"}'

returns a list

Code

/usr/sbin/omv-rpc "UserMgmt" "getUserList" '{"start":0,"limit":25,"sortfield":"name","sortdir":"ASC"}'

times out with the error. Seems like this is a major clue, pointing to either UserMgmt.inc or whatever it's calling.

subzero79 · 9. April 2016

Zitat von bkeadle

/usr/share/openmediavault/engined/rpc for troubleshooting, do I need to restart anything to effect the change? Or is it effectively immediately?

YOu need to restart engined service, BTW any changes to rpc will get overwritten by package upgrade

Zitat von bkeadle

Also, is there some sort of an array limit that's making the function fail? I have 410 users that come back in 'wbinfo -u'

few months ago there was a thread where a user had problems retrieving a big list around 3000 thousand. I think he solved the issue by increasing http timeout.

Connection Failure when listing AD Users

bkeadle · 9. April 2016

Thanks. Yeah, I saw that about the 3,000 users, and I made those timeout changes. Still, I have much fewer objects (410). It's just so puzzling that all the *other* commands work correctly (wbinfo -u/-g, getent passwd/group, omv-rpc "UserMgmt" "getGroupList"), only omv-rpc "UserMgmt" "getUserList" fails.

bkeadle · 12. April 2016

As for the timeouts, wouldn't that be ignored by specifying a smaller limit using:

Code

/usr/sbin/omv-rpc "UserMgmt" "getUserList" '{"start":0,"limit":25,"sortfield":"name","sortdir":"ASC"}'

the other commands to return the user list (410 total) comes back almost immediately, so it would seem that latency isn't the issue. Since the getGroupList returns almost instantly, I'm wondering if the getUserList isn't returning the correct information for users, and so it timesout looking for some specific attribute that isn't getting returned? Any idea how to test that? What does a getUserList look like?

bkeadle · 12. April 2016

Well LA DEE DAH! Resolved! How any of it worked and just not the geUserList I don't get.

Having started the omv-engined in debug mode:

Code

monit stop omv-engined
omv-engined -df

And then referencing this guide (for the umpteenth time), when I restarted the winbind service

Code

service winbindrestart

, a saw a bunch of LDAP errors scroll by in the omv-engined debug screen, referencing unable to talk to my AD server via LDAPS. I then edited the associated files and restarted winbind again:

Code

vi /etc/libnss-ldap.conf
  cat /etc/pam_ldap.conf
  vi /etc/pam_ldap.conf
  service winbind restart

And voila - no errors, and the getUserList returned my AD users! Woo hoo!

One minor(?) observation, however: in my user list, the email address for all my users are blank - though I know my users have email addresses associated (especially because we are using Office365 for our email with AD integration). Is that something I will need to concern myself?

Jetzt mitmachen!