[Lizmap] R: More verbose logging for LDAP
Fabio.Pifferini at masotti.ch
Fri Dec 13 08:23:05 PST 2019
As I see, you already enabled the debugging mode suggested in the Lizmap documentation.
Is the LDAP server an Active Directory or other?
Maybe it is possible to verify whether there are some error logs on the server side... but I have never done it before.
Usually I overcome LDAP issues after some tests of the settings and queries using an LDAP tool.
I imagine that "auth.log" is the file name of the log file you have entered in the LDAP settings.
The error "auth.log doesn't complain" seems to point to this file, as if the system is not able to write it (file permission). Try to check it; maybe you need to give permission to user www-data instead of root.
From: Paolo Cavallini <cavallini at faunalia.it>
Sent: Friday, 13 December 2019 17:04
To: Fabio Pifferini <Fabio.Pifferini at masotti.ch>; lizmap at lists.osgeo.org
Subject: Re: [Lizmap] More verbose logging for LDAP
Thanks Fabio, all.
The problem, however, seems to reside somewhere within Lizmap, because the LDAP server responds, auth.log doesn't complain, indirectly confirming that the user is authenticated, but some of the users are not listed, or have wrong groups (being "without a group" and at the same time belonging to the default group is weird), and return errors (Invalid user) when the admin tries to see their details.
The basic point is that without full logging we are moving around in darkness.
So my original question: is there a way to enable more extensive logging?
On 13/12/19 16:51, Fabio Pifferini wrote:
> ...additionally to my previous mail, you can eventually use a tool like LDAPbrowser (https://www.ldapadministrator.com/softerra-ldap-browser.htm) to verify the LDAP settings used in Lizmap.
> -----Original message-----
> From: Lizmap <lizmap-bounces at lists.osgeo.org> On behalf of Paolo
> Sent: Friday, 13 December 2019 16:18
> To: lizmap at lists.osgeo.org
> Subject: Re: [Lizmap] More verbose logging for LDAP
> Hi Laurent
> On 13/12/19 14:34, Laurent Jouanneau wrote:
>> On 13/12/2019 at 14:00, Paolo Cavallini wrote:
>>> Hi all,
>>> some LDAP users cannot authenticate on our system.
>> What does it do exactly? Is there a message? Something else?
> the usual
> "Utente sconosciuto o password errata"
> unknown user or wrong password
>>> Apparently everything
>>> is fine, as LDAP server records the access and returns the
>>> authentication, therefore auth.log does not report an error (it does
>>> when a user inserts wrong credentials).
>>> We cannot find a reason for this: would it be possible to enable
>>> fully verbose auth logging, to search for the issue? Any other suggestion?
>>> Thanks a lot.
>> You can enable logs. see :
> of course, this is active. as mentioned, it logs correctly when a
> user enters wrong credentials
>> See also your file var/log/errors.log
> also checked, nothing relevant to auth here
>> If you synchronize lizmap user groups with groups given by your ldap,
>> be sure corresponding lizmap groups exist.
>> Be sure the account of users who cannot authenticate, have the status
> this is interesting: one of the "wrong" users was not validated. others were missing, and a good set was listed as both "without a group" and belonging to a specific group. if I click on View for those users I get an `Invalid user` message.
> so, apparently something went wrong during user configuration, but it is not clear to me where.
> as I understand it, users are not created through Lizmap, so it is not clear to me how these errors arise, and how to fix them.
> Thanks a lot!
> Paolo Cavallini - www.faunalia.eu
> QGIS.ORG Chair:
Paolo Cavallini - www.faunalia.eu