starred/pocket-id
1
0
Fork 0
mirror of https://github.com/pocket-id/pocket-id.git synced 2025-12-11 09:13:15 +03:00
Code Issues 121 Packages Projects Releases 16 Wiki Activity

🐛 Bug Report: LDAP: With wrong unique attribute for groups ldap sync creates _local_ groups. #281

New Issue
Closed
opened 2025-10-07 00:08:44 +03:00 by OVERLORD · 8 comments
OVERLORD commented 2025-10-07 00:08:44 +03:00
Owner
Copy Link

Originally created by @jose-d on GitHub.

Originally assigned to: @kmendell on GitHub.

Reproduction steps

I installed pocket-id using docker image and connected it to instance of freeIPA.

Image

Expected behavior

Imported groups are shown with source LDAP.

Actual Behavior

Groups imported from LDAP are shown as local

Image

Version and Environment

0.42.1 in Docker behind haproxy

Log Output

Originally created by @jose-d on GitHub. Originally assigned to: @kmendell on GitHub. ### Reproduction steps I installed pocket-id using docker image and connected it to instance of freeIPA. ![Image](https://github.com/user-attachments/assets/537c8d4f-2845-4dde-86b9-e8e8951f7266) ### Expected behavior Imported groups are shown with source `LDAP`. ### Actual Behavior Groups imported from LDAP are shown as `local` ![Image](https://github.com/user-attachments/assets/3d80f387-4f13-4e37-9aa5-a0e6f80683ae) ### Version and Environment 0.42.1 in Docker behind haproxy ### Log Output -
OVERLORD added the bug label 2025-10-07 00:08:44 +03:00
OVERLORD commented 2025-10-07 00:08:47 +03:00
Author
Owner
Copy Link

@kmendell commented on GitHub:

Does the value uuid exsist on the group in freeipa? Some stuff does it differently uuid was lldap , but most ldpa solutions have a unique value for each entry thats what you should use.

@kmendell commented on GitHub: Does the value uuid exsist on the group in freeipa? Some stuff does it differently uuid was lldap , but most ldpa solutions have a unique value for each entry thats what you should use.
OVERLORD commented 2025-10-07 00:08:47 +03:00
Author
Owner
Copy Link

@kmendell commented on GitHub:

If its uses the same Logic as LDAP it should work.

My guess is something is not setting the ldapId value on the groups. If you try to edit a group thats from ldap (dont save it), does it let you or are the values and options greyed out?

Same thing for users?

@kmendell commented on GitHub: If its uses the same Logic as LDAP it should work. My guess is something is not setting the ldapId value on the groups. If you try to edit a group thats from ldap (dont save it), does it let you or are the values and options greyed out? Same thing for users?
OVERLORD commented 2025-10-07 00:08:47 +03:00
Author
Owner
Copy Link

@kmendell commented on GitHub:

I have never used FreeIPA , Does it differ from LDAP in any way when it comes do search queries?

Also do you get any error logs load this page?

@kmendell commented on GitHub: I have never used FreeIPA , Does it differ from LDAP in any way when it comes do search queries? Also do you get any error logs load this page?
OVERLORD commented 2025-10-07 00:08:47 +03:00
Author
Owner
Copy Link

@jose-d commented on GitHub:

Does it differ from LDAP in any way when it comes do search queries?

it is solution around LDAP so should be not different.
I can provide output of any ldapsearch if needed to verify it.

On every LDAP sync I see this kind of error for all LDAP groups: ( c4 is ldap group and I never created it manually for sure )

...
2025/03/20 13:00:00 /app/backend/internal/service/user_group_service.go:74 duplicated key not allowed
[0.090ms] [rows:0] INSERT INTO `user_groups` (`id`,`created_at`,`friendly_name`,`name`,`ldap_id`) VALUES (?,?,?,?,?)
2025/03/20 13:00:00 Error syncing group c4: name is already in use
...

so cannot be that the groups were somehow created as local during initial sync?

Also do you get any error logs load this page?

no. When I refresh group page with F5 in browser, in docker logs I see:

[GIN] 2025/03/20 - 13:17:15 | 200 |     554.267µs |             ::1 | GET      "/api/users/me"
[GIN] 2025/03/20 - 13:17:15 | 200 |     604.529µs |             ::1 | GET      "/api/users/me"
[GIN] 2025/03/20 - 13:17:15 | 200 |     238.296µs |             ::1 | GET      "/api/application-configuration"
[GIN] 2025/03/20 - 13:17:15 | 200 |     252.194µs |             ::1 | GET      "/api/application-configuration"
[GIN] 2025/03/20 - 13:17:15 | 200 |    9.294761ms |             ::1 | GET      "/api/user-groups?sort[column]=friendlyName&sort[direction]=asc"
[GIN] 2025/03/20 - 13:17:15 | 200 |    9.322034ms |             ::1 | GET      "/api/user-groups?sort[column]=friendlyName&sort[direction]=asc"
@jose-d commented on GitHub: > Does it differ from LDAP in any way when it comes do search queries? it is solution around LDAP so should be not different. I can provide output of any `ldapsearch` if needed to verify it. On every LDAP sync I see this kind of error for all LDAP groups: ( `c4` is ldap group and I never created it manually for sure ) ``` ... 2025/03/20 13:00:00 /app/backend/internal/service/user_group_service.go:74 duplicated key not allowed [0.090ms] [rows:0] INSERT INTO `user_groups` (`id`,`created_at`,`friendly_name`,`name`,`ldap_id`) VALUES (?,?,?,?,?) 2025/03/20 13:00:00 Error syncing group c4: name is already in use ... ``` so cannot be that the groups were somehow created as `local` during initial sync? > Also do you get any error logs load this page? no. When I refresh group page with F5 in browser, in `docker logs` I see: ``` [GIN] 2025/03/20 - 13:17:15 | 200 | 554.267µs | ::1 | GET "/api/users/me" [GIN] 2025/03/20 - 13:17:15 | 200 | 604.529µs | ::1 | GET "/api/users/me" [GIN] 2025/03/20 - 13:17:15 | 200 | 238.296µs | ::1 | GET "/api/application-configuration" [GIN] 2025/03/20 - 13:17:15 | 200 | 252.194µs | ::1 | GET "/api/application-configuration" [GIN] 2025/03/20 - 13:17:15 | 200 | 9.294761ms | ::1 | GET "/api/user-groups?sort[column]=friendlyName&sort[direction]=asc" [GIN] 2025/03/20 - 13:17:15 | 200 | 9.322034ms | ::1 | GET "/api/user-groups?sort[column]=friendlyName&sort[direction]=asc" ```
OVERLORD commented 2025-10-07 00:08:48 +03:00
Author
Owner
Copy Link

@jose-d commented on GitHub:

If you try to edit a group thats from ldap (dont save it), does it let you or are the values and options greyed out?

yes, I am able to check/uncheck the check-boxes with (possible) members in group and type into textbox with groupname

Same thing for users?

no, when I open particular user in /settings/admin/users , then I can not edit name, it's grayed out.

when I check the user_groups sqlite table, it looks like this (i redacted some more sensitive groupnames)

sqlite> .schema user_groups
CREATE TABLE user_groups
(
    id           TEXT NOT NULL PRIMARY KEY,
    created_at   DATETIME,
    friendly_name TEXT NOT NULL,
    name        TEXT NOT NULL UNIQUE
, ldap_id TEXT);
CREATE UNIQUE INDEX user_groups_ldap_id ON user_groups (ldap_id);
sqlite> select * from user_groups;
....
ef0e9a53-df69-416b-ba83-27d953b1912f|1742471798|collab001|collab001|
....
67184a00-bcf4-4e06-96e7-e8beb6a37cb4|1742471798|c4|c4|
652344bf-56c9-4176-8130-b2124d694966|1742471798|p001|p001|
97a47b43-1e5b-4c7d-a7ba-a9fb4aabba5b|1742471798|p002|p002|
f18a87fa-f60e-4a81-9b5e-81163ffd4e4c|1742471798|p003|p003|
sqlite>
@jose-d commented on GitHub: > If you try to edit a group thats from ldap (dont save it), does it let you or are the values and options greyed out? yes, I am able to check/uncheck the check-boxes with (possible) members in group and type into textbox with groupname > Same thing for users? no, when I open particular user in /settings/admin/users , then I can not edit name, it's grayed out. when I check the `user_groups` sqlite table, it looks like this (i redacted some more sensitive groupnames) ``` sqlite> .schema user_groups CREATE TABLE user_groups ( id TEXT NOT NULL PRIMARY KEY, created_at DATETIME, friendly_name TEXT NOT NULL, name TEXT NOT NULL UNIQUE , ldap_id TEXT); CREATE UNIQUE INDEX user_groups_ldap_id ON user_groups (ldap_id); sqlite> select * from user_groups; .... ef0e9a53-df69-416b-ba83-27d953b1912f|1742471798|collab001|collab001| .... 67184a00-bcf4-4e06-96e7-e8beb6a37cb4|1742471798|c4|c4| 652344bf-56c9-4176-8130-b2124d694966|1742471798|p001|p001| 97a47b43-1e5b-4c7d-a7ba-a9fb4aabba5b|1742471798|p002|p002| f18a87fa-f60e-4a81-9b5e-81163ffd4e4c|1742471798|p003|p003| sqlite> ```
OVERLORD commented 2025-10-07 00:08:48 +03:00
Author
Owner
Copy Link

@kmendell commented on GitHub:

@jose-d No worries, I actually just implemented a quick fix to skip over groups or user without a valid ldap id.

@kmendell commented on GitHub: @jose-d No worries, I actually just implemented a quick fix to skip over groups or user without a valid ldap id.
OVERLORD commented 2025-10-07 00:08:49 +03:00
Author
Owner
Copy Link

@jose-d commented on GitHub:

thanks, this was helpful.
ipaUniqueID was the right one, the local groups indeed need to be deleted, and then the import works fine.

Next week I'll take look at the code if we could somehow detect similar scenario and avoid creating such false local groups.

@jose-d commented on GitHub: thanks, this was helpful. `ipaUniqueID` was the right one, the local groups indeed need to be deleted, and then the import works fine. Next week I'll take look at the code if we could somehow detect similar scenario and avoid creating such _false local_ groups.
OVERLORD commented 2025-10-07 00:08:49 +03:00
Author
Owner
Copy Link

@kmendell commented on GitHub:

It looks like the unqiue attribute fpr groups in free ipa is: ipaUniqueID or you can try gidNumber as well

@kmendell commented on GitHub: It looks like the unqiue attribute fpr groups in free ipa is: `ipaUniqueID` or you can try `gidNumber` as well
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
breaking
bug
documentation
feature
needs more upvotes
open to pull requests
pull-request
Mirrored from GitHub Pull Request
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/pocket-id#281
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?