LDAP mapping leads to Admin API ERROR

Hello,

we use the ORG LDAP configuration and I'm trying to define a custom LDAP attribute mapping.

If I want to map "o" or "organizationName" to "companyname", the ORG settings in the admin interface aren't working anymore.

uwsgi throws this error:

Mar 17 14:59:47 groupware uwsgi[243367]: [ERROR] (grommunio Admin API) Traceback (most recent call last):
Mar 17 14:59:47 groupware uwsgi[243367]:   File "/usr/lib/python3/dist-packages/flask/app.py", line 1820, in full_dispatch_request
Mar 17 14:59:47 groupware uwsgi[243367]:     rv = self.dispatch_request()
Mar 17 14:59:47 groupware uwsgi[243367]:          ^^^^^^^^^^^^^^^^^^^^^^^
Mar 17 14:59:47 groupware uwsgi[243367]:   File "/usr/lib/python3/dist-packages/flask/app.py", line 1796, in dispatch_request
Mar 17 14:59:47 groupware uwsgi[243367]:     return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
Mar 17 14:59:47 groupware uwsgi[243367]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Mar 17 14:59:47 groupware uwsgi[243367]:   File "/usr/share/grommunio-admin-api/api/core.py", line 204, in wrapper
Mar 17 14:59:47 groupware uwsgi[243367]:     return call()
Mar 17 14:59:47 groupware uwsgi[243367]:            ^^^^^^
Mar 17 14:59:47 groupware uwsgi[243367]:   File "/usr/share/grommunio-admin-api/api/core.py", line 169, in call
Mar 17 14:59:47 groupware uwsgi[243367]:     ret = func(*args, **kwargs)
Mar 17 14:59:47 groupware uwsgi[243367]:           ^^^^^^^^^^^^^^^^^^^^^
Mar 17 14:59:47 groupware uwsgi[243367]:   File "/usr/share/grommunio-admin-api/endpoints/system/domains.py", line 55, in getOrgLdapConfig
Mar 17 14:59:47 groupware uwsgi[243367]:     config = OrgParam.loadLdap(ID) or {}
Mar 17 14:59:47 groupware uwsgi[243367]:              ^^^^^^^^^^^^^^^^^^^^^
Mar 17 14:59:47 groupware uwsgi[243367]:   File "/usr/share/grommunio-admin-api/orm/domains.py", line 104, in loadLdap
Mar 17 14:59:47 groupware uwsgi[243367]:     for entry in plain.getall("ldap_user_attributes") if " " in entry}
Mar 17 14:59:47 groupware uwsgi[243367]:                  ^^^^^^^^^^^^
Mar 17 14:59:47 groupware uwsgi[243367]: AttributeError: 'dict' object has no attribute 'getall'
Mar 17 14:59:47 groupware uwsgi[243367]: [WARNING] (grommunio Admin API) GET /api/v1/system/orgs/2/ldap? from 192.168.11.57 -> 500 '{"message":"The server encountered an error while processing the request."}\n'

The database shows:

MariaDB [grommunio]> select * from orgparam;
+--------+------------------------+-------------------------------------------------------------+
| org_id | key                    | value                                                       |
+--------+------------------------+-------------------------------------------------------------+
|      2 | ldap_basedn            | dc=example,dc=com                                                |
|      2 | ldap_binddn            | cn=grommunio,ou=services,dc=example,dc=com                       |
|      2 | ldap_bindpw            | password                            |
|      2 | ldap_contact_filter    | (objectclass=grommunioContact)                              |
|      2 | ldap_disabled          | False                                                       |
|      2 | ldap_group_addr        | grommunioMailAddress                                        |
|      2 | ldap_group_filter      | (&(objectClass=grommunioGroup)(grommunioActive=TRUE))       |
|      2 | ldap_group_memberof    | memberOf                                                    |
|      2 | ldap_group_name        | cn                                                          |
|      2 | ldap_mail_attr         | grommunioMailAddress                                        |
|      2 | ldap_object_id         | entryUUID                                                   |
|      2 | ldap_start_tls         | False                                                       |
|      2 | ldap_uri               | ldaps://ldaptest.example.com                             |
|      2 | ldap_user_aliases      | grommunioMailAlias                                          |
|      2 | ldap_user_attributes   | organizationName companyname                                |
|      2 | ldap_user_displayname  | displayName                                                 |
|      2 | ldap_user_filter       | (&(objectClass=grommunioMailAccount)(grommunioActive=TRUE)) |
|      2 | ldap_user_search_attrs | mail,givenName,cn,sn,displayName,gecos                      |
|      2 | ldap_user_templates    | common,OpenLDAP                                             |
+--------+------------------------+-------------------------------------------------------------+
19 rows in set (0.001 sec)

Am I doing something wrong with custom attribute mapping?

We're running grommunio on Debian 12 with the following versions:

ii  grommunio-admin-api              1.17.0.39d84a8-1+2.1           all          Backend for grommunio management
ii  grommunio-admin-common           42.e17ec55-1+30.1              amd64        Common files for grommunio management
ii  grommunio-admin-web              4.0.0.0.5e1e4b3-1+123.2        all          Frontend for grommunio management
ii  grommunio-common                 27.db4a83f-1+49.1              amd64        Common configuration package for grommunio
ii  grommunio-dav                    1.4.7.ee40553-1                all          grommunio-dav is CalDAV and CardDAV implementation for grommunio.
ii  grommunio-dbconf                 1.1.1.da20a46-1+6.1            amd64        grommunio-dbconf
ii  grommunio-error-pages            1.0.10.bb2df37-1+14.2          all          Grommunio-branded error pages for webservers
ii  grommunio-index                  1.3.0.g2bd8a8c-1+3.2           amd64        Generator for grommunio-web search indexes
ii  grommunio-sync                   2.1.6.22f2119-0                all          an implementation of the ActiveSync protocol which is
ii  grommunio-web                    3.10.52.ga0ab1670-1+224.1      all          Web access for grommunio
ii  mapi-header-php                  1.6.0.8f4757d-1+5.1            amd64        Common PHP MAPI header files for grommunio
ii  system-user-grommunio            9-1                            all          General grommunio system user identities

EDIT by @crpb - examples on how to format

7 days later

Hmm.. might be because of the template

do other mappings work? if so then i would recommend removing the template common from your configuration and basically create an individual mapping like it which fits your needs.

hhmmm..

@jschroeder 👋

@kokel fyi, i get some odd errors here too so that above will hopefully get her to look into that.

and just to be thorough, with /etc/gromox/ldap_adaptor.cfg the problem doesn't occur. i can overwrite e.g.

not with the mysql entries tho as they seem to be another datatype but i'm too lazy to look closer..

@crpb @jschroeder
I can confirm that this issue doesn't occur if we use the "global" LDAP-Configuration via Admin-UI -> Configuration -> LDAP Directory / "/etc/gromox/ldap_adaptor.cfg" with the same attribute mapping.

/etc/gromox/ldap_adaptor.cfg

...
ldap_user_attributes=organizationName companyname
...

The error occurs only when using Organization specific LDAP-Configuration. So I assume this is a bug in the Org-specific LDAP-Implementation.

Hello there, this might be a frontend bug, because i recall adapting some templates or default values or similar (not quite sure) and i might have forgotten to adapt the org settings (because i kinda forgot they exist, ups xD).

Did you use any specific template?

Edit: HA! @crpb changed some stuff in there, but did not adapt the org config file 😛


    Steakie Edit: HA! @crpb changed some stuff in there, but did not adapt the org config file 😛

    I don't recall but as long as you found the problem 👍

      Steakie

      uhm.. the admin-api/res/ldapTemplates.yaml just has values and doesn't care about "filters" or which file are you referring to?

      From what i could make out yesterday i believe those datatypes differ and that ".getALL()" isn't working for it

      cb@obelix ~crpb/grommunio-admin-api (git)-[master] % grep -r ldap_user_attributes
      orm/domains.py:        if "ldap_user_attributes" in plain:
      orm/domains.py:                                             for entry in plain.getall("ldap_user_attributes") if " " in entry}
      orm/domains.py:                flat["ldap_user_attributes"] = ["{} {}".format(key, value)
      tools/mconf.py:    if "ldap_user_attributes" in conf:
      tools/mconf.py:                                       for entry in conf.getall("ldap_user_attributes") if " " in entry}
      tools/mconf.py:            LDAP["ldap_user_attributes"] = ["{} {}".format(key, value) for key, value in conf["users"]["attributes"].items()]

      One as MultiDict and the other not or something..

      in mconf it's "conf" and in domains it's the "plain" thingy
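The container mismatch described in the comment above (one code path handing over an object with `getall()`, the other a plain `dict` built from the `orgparam` rows), as an added example that is not part of the thread and not grommunio-admin-api code. `MultiValueConfig`, `get_all`, `parse_user_attributes` and `reproduce_error` are hypothetical names, and the sample rows are constructed from the table in the first post.

```python
# Added example; hypothetical helper names, not the project's implementation.

class MultiValueConfig(dict):
    """Constructed stand-in for a config mapping that offers getall()."""
    def getall(self, key):
        value = self.get(key, [])
        return list(value) if isinstance(value, (list, tuple)) else [value]


def get_all(conf, key):
    """Return all values stored under key as a list, for either container type."""
    if hasattr(conf, "getall"):
        return list(conf.getall(key))
    value = conf.get(key)
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def parse_user_attributes(conf):
    """Turn 'ldapAttr propName' entries into {ldapAttr: propName}.

    Entries without a space are skipped, matching the `if " " in entry`
    filter visible in the traceback.
    """
    mapping = {}
    for entry in get_all(conf, "ldap_user_attributes"):
        if " " not in entry:
            continue
        ldap_attr, prop = entry.split(" ", 1)
        mapping[ldap_attr] = prop.strip()
    return mapping


def reproduce_error(conf):
    """Call getall() directly, as the traceback does; return the error text or None."""
    try:
        conf.getall("ldap_user_attributes")
    except AttributeError as err:
        return str(err)
    return None


# Constructed sample: two rows shaped like the orgparam table (org_id, key, value).
ORG_ROWS = [(2, "ldap_mail_attr", "grommunioMailAddress"),
            (2, "ldap_user_attributes", "organizationName companyname")]
plain_from_db = {key: value for _, key, value in ORG_ROWS}
```
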

        crpb nono, sorry. I was talking about the frontend file containers/LdapConfig.js which you correctly fixed in the linked commit. (Thanks again 😃) But the same patch should be applied to containers/OrgDetails.js, shouldn't it?


          Steakie

          Ahhh, didn't even know about that. javashwcript...

          Yes, i believe those () should be in there as well for ALL filters