Alex Bogdanovski
@albogdano
@jtlamb also make sure you click the "Add to Slack" button on the Administration page in Scoold
Jacob Lambert
@jtlamb

Yeah, I have done both of those things. Does this configuration look right?

para_sl_app_id: ""
para_sl_secret: ""
para_slack_app_id: ""
para_slack_signing_secret: ""
para_slack_map_workspaces_to_spaces: false
para_slack_map_channels_to_spaces: false
para_slack_post_to_space: "default"
para_slack_notify_on_new_question: true
para_slack_notify_on_new_answer: true

with para_sl_app_id, para_sl_secret, etc. being set to what is in Slack. These are set as environment variables.

Alex Bogdanovski
@albogdano
para_slack_signing_secret must not be empty
same for para_slack_app_id
Jacob Lambert
@jtlamb
Yeah, they are all set, I just didn't want to put them in the channel.
Alex Bogdanovski
@albogdano
ok, then it's fine
perhaps Slack cannot connect to your local instance of Scoold
and since localhost is a private address, we use ngrok
Jacob Lambert
@jtlamb
Our Scoold instance is also hosted privately. Do you think that is where the issue lies? Maybe our instance can send out info but not receive it?
Alex Bogdanovski
@albogdano
yes, that's exactly the problem. Communication between Slack and Scoold goes both ways.
Executing a /scoold ... command on Slack sends a signed request to Scoold directly.
Scoold verifies the request using the signing secret, proceeds to execute the command, then posts the result to the channel.
Jacob Lambert
@jtlamb
do you know if there is any way around that?
Alex Bogdanovski
@albogdano
there's no way around that unless you host your own private Slack server
this is how Slack works
Jacob Lambert
@jtlamb
Makes sense. Thank you so much!
pikrakpzu
@pikrakpzu
Hi,

I have only one AD server, but it handles multiple domains.
For config:

para.security.ldap.server_url = "ldap://ldap.org.com:389"
para.security.ldap.base_dn = "CN=Users,O=ORG"
para.security.ldap.user_search_filter="(&(objectCategory=person)(objectClass=user)(uid={1})(memberOf=CN=USER_SCOOLD,CN=SCOOLD,CN=Groups,O=ORG))"
para.security.ldap.active_directory_domain = "org.com"

The Para LDAP bind always uses login@org.com; it doesn't matter whether I log in to Scoold as user, user@cmp.com or user@org.com (checked with Wireshark).
Is that correct?

pikrakpzu
@pikrakpzu

I consulted our AD admin, and he said that AD LDS should be treated as usual LDAP not as AD.
So my config is:

para.security.ldap.server_url = "ldap://ldap.org.com:389"
para.security.ldap.base_dn = "CN=Users,O=ORG"
para.security.ldap.user_dn_pattern = "uid={0}"

para.security.ldap.user_search_base=""
para.security.ldap.user_search_filter="(&(objectCategory=person)(objectClass=user)(uid={1})(memberOf=CN=USER_SCOOLD,CN=SCOOLD,CN=Groups,O=ORG))"

But user_search_filter is ignored and in my case memberOf verification is mandatory.
How can I force Scoold/Para to filter results instead of just checking if the user is active?

Btw.
As described in the Spring javadoc of ActiveDirectoryLdapAuthenticationProvider, the domain may be null or empty.
I think that would solve sending the active_directory_domain value every time in the bind request.
But in Para it's not possible to use ActiveDirectoryLdapAuthenticationProvider while active_directory_domain has no value.

Alex Bogdanovski
@albogdano

Hi,

I have only one AD server, but it handles multiple domains.
For config:

para.security.ldap.server_url = "ldap://ldap.org.com:389"
para.security.ldap.base_dn = "CN=Users,O=ORG"
para.security.ldap.user_search_filter="(&(objectCategory=person)(objectClass=user)(uid={1})(memberOf=CN=USER_SCOOLD,CN=SCOOLD,CN=Groups,O=ORG))"
para.security.ldap.active_directory_domain = "org.com"

The Para LDAP bind always uses login@org.com; it doesn't matter whether I log in to Scoold as user, user@cmp.com or user@org.com (checked with Wireshark).
Is that correct?

Yes. As you can see the domain part is actually ignored because it is irrelevant. You cannot bind an AD user with their email. You can bind them based on their username a.k.a. sAMAccountName. If the user has an email address where the alias is the same as the sAMAccountName but the domain is different, then the login will succeed. If the user above has an email joe.smith@gmail.com then the login with that email will fail because a bind is not possible, and the LDAP search request will return no results.

@pikrakpzu have a look at my comment on the topic here: https://github.com/Erudika/scoold/issues/67#issuecomment-593520117
@pikrakpzu I don't think that you can use user_search_filter without also specifying user_search_base
Para will try to bind a user directly first, using user_dn_pattern+base_dn which forms the full DN. If, and only if that fails, Para will try to execute a search operation. Then the search filter is applied.
Alex Bogdanovski
@albogdano
@pikrakpzu you can't use the ActiveDirectoryLdapAuthenticationProvider without setting active_directory_domain.
I'm not sure about memberOf and whether or not it's supported
If AD LDS is just like LDAP then you should not set active_directory_domain
pikrakpzu
@pikrakpzu

@albogdano Thanks for reply.

There is no sAMAccountName property on my LDAP user object.
The uid and name are set to the login, and userPrincipalName is set to login@domain.
As I can see in the traced network packets sent from Para, when active_directory_domain is set, the bindRequest is always sent with login@active_directory_domain.

Just to find out if it makes any sense: https://docs.spring.io/spring-security/site/docs/4.2.17.BUILD-SNAPSHOT/apidocs/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProvider.html#ActiveDirectoryLdapAuthenticationProvider-java.lang.String-java.lang.String-
I'll try to check how ActiveDirectoryLdapAuthenticationProvider behaves with a null domain (when some spare time is granted by my employer).

But it doesn't matter; as I said, the AD integration should not be used in my case, even if it seems to work.
That's illegal use of our company AD LDS.

Let's stick to LDAP config.
I've made a change in the Scoold config to fail on user_dn_pattern + base_dn (Usersx in base_dn).
I can't find any example of what should be set in user_search_base, but neither "CN=Usersx,O=ORG" nor "uid={0}" has any effect on the traced packets compared to "".

para.security.ldap.server_url = "ldap://ldap.org.com:389"
para.security.ldap.base_dn = "CN=Usersx,O=ORG"
para.security.ldap.user_dn_pattern = "uid={0}"

para.security.ldap.user_search_base="CN=Users,O=ORG"
para.security.ldap.user_search_filter="(&(objectCategory=person)(objectClass=user)(uid={1})(memberOf=CN=USER_SCOOLD,CN=SCOOLD,CN=Groups,O=ORG))"

Only one LDAP bindRequest is sent, and it fails because of the (on purpose) invalid base_dn.
I can't see anything else in traced packets that would confirm that another search with use of user_search_filter was attempted.

memberOf is a field like all the others and it may be used in an LDAP query, as we do in many other apps using the same AD LDS instance.
Over 20k users in almost 50 apps (many of them use Spring Security for LDAP integration) can't be wrong ;)

So even at the network level I can't confirm that Para makes any use of user_search_filter to authenticate a user with LDAP.
Maybe I'm missing something; could you verify that user_search_filter is used and how to force it?

Alex Bogdanovski
@albogdano
@pikrakpzu you're right about the search filter and I will do some digging these days to see what's wrong. If you notice something else, leave a comment here. The value of user_search_base can be the same as base_dn, or something else if you want to find users in another part of the LDAP tree.
Kkoonnrraadd
@Kkoonnrraadd
Hello, I am trying to deploy a Scoold prototype using an apache2 reverse proxy and I am having an issue with css/js: most requests respond with 404. I think that the issue is connected to headers, but I am not able to fix it. Does anyone know a potential solution?
iks82
@iks82
Hi everybody,
It seems that tags are visible to anyone, even if the user is not logged in.
This way, any anonymous user can see every question.
Is this a side effect of the feature is_default_space_public: true?
Alex Bogdanovski
@albogdano
@Kkoonnrraadd try setting para.host_url and para.context_path if you are hosting Scoold under a context path other than the root
@iks82 you can't see the tags if you set para.is_default_space_public = false
Alex Bogdanovski
@albogdano
@pikrakpzu Unfortunately I couldn't find any issues with the LDAP code and the search filter is actually executed in cases where the direct bind operation fails
iks82
@iks82
@albogdano Thanks, but I want para.is_default_space_public = true so unregistered users can see the questions in the default room, but no other questions or tags.
Alex Bogdanovski
@albogdano
@iks82 ok, so only the tags will be visible but not the questions in other spaces
if you click on a tag from another space you won't see any results
iks82
@iks82
@albogdano But when the public user clicks on a tag, he will see all questions with this tag, even though the questions are from another space.
Alex Bogdanovski
@albogdano
that should not happen
iks82
@iks82
But it does :-(
I'm on Scoold version: 1.39.4, so it's the latest one.
Alex Bogdanovski
@albogdano
yes, you're right! thanks for reporting this :thumbsup:
will be fixed asap
iks82
@iks82
Thank you!
Julianne Lee
@juliannehalversen
Hello, I just cloned the Scoold repo and am trying to deploy it locally on my machine. I created my Para account, created an application.conf in the root directory and filled out my information. I then tried running java -jar -Dconfig.file=./application.conf scoold-.jar and am getting the error Error: Unable to access jarfile scoold-.jar. I'm completely new to this, so thanks in advance for any help!
Alex Bogdanovski
@albogdano
@juliannehalversen try running java -jar -Dconfig.file=./application.conf scoold-*.jar
or type in the full name of the scoold jar file
Julianne Lee
@juliannehalversen
Still getting the same error. Am I supposed to create a jar file or is it already in the project, and if so what is the path?
Alex Bogdanovski
@albogdano
@juliannehalversen you download the jar file from here
if you want to build the project and generate a new JAR file, run mvn install
the JAR file will be inside scoold/target/scoold-1.39.4.jar