Log in Developer Portal error with LDAP

First, the TIB log:

```text
DEBU[0111] [AUTH HANDLERS] --> Looking up profile ID:7
DEBU[0111] [AD AUTH] Connect: starting...
DEBU[0111] [AD AUTH] --> To: localhost:389
DEBU[0111] [AD AUTH] Connect: finished...
DEBU[0111] DN: cn=test,ou=people,dc=appliedinnovation-cn,dc=com
INFO[0111] [AD AUTH] User bind successful: test
INFO[0111] [AD AUTH] Search: starting...
INFO[0111] [AD AUTH] LDAPFilter is blank, skipping
INFO[0111] [AD AUTH] User Data:{map[] ADProvider test@ADProvider test 0001-01-01 00:00:00 +0000 UTC}
DEBU[0111] [AD AUTH] Constraints for AD must be set in DN
INFO[0111] [TYK ID HANDLER] Creating nonce
INFO[0111] [TYK ID HANDLER] Creating identity for: {map[] ADProvider test@ADProvider test 0001-01-01 00:00:00 +0000 UTC}
2017/11/23 18:19:10 http: panic serving 117.22.255.130:61498: interface conversion: interface {} is nil, not map[string]interface {}
goroutine 67 [running]:
net/http.(*conn).serve.func1(0xc420133900)
	/usr/local/go/src/net/http/server.go:1697 +0xd0
panic(0x786c60, 0xc420110c40)
	/usr/local/go/src/runtime/panic.go:491 +0x283
github.com/TykTechnologies/tyk-identity-broker/tap/identity-handlers.(*TykIdentityHandler).CreateIdentity(0xc42012f080, 0x7e6ac0, 0xc42016e780, 0x1, 0xf, 0xc420129e20, 0x1f)
	/Users/buger/Documents/work/go/src/github.com/TykTechnologies/tyk-identity-broker/tap/identity-handlers/tyk_handler.go:136 +0x5b8
github.com/TykTechnologies/tyk-identity-broker/tap/identity-handlers.(*TykIdentityHandler).CompleteIdentityActionForPortal(0xc42012f080, 0x9b9180, 0xc4201641c0, 0xc420190d00, 0x7e6ac0, 0xc42016e780, 0xc42019a828, 0x1, 0xc420129b40, 0x18, ...)
	/Users/buger/Documents/work/go/src/github.com/TykTechnologies/tyk-identity-broker/tap/identity-handlers/tyk_handler.go:172 +0x12f
github.com/TykTechnologies/tyk-identity-broker/tap/identity-handlers.(*TykIdentityHandler).CompleteIdentityAction(0xc42012f080, 0x9b9180, 0xc4201641c0, 0xc420190d00, 0x7e6ac0, 0xc42016e780, 0xc42019a828, 0x1, 0xc420129b40, 0x18, ...)
	/Users/buger/Documents/work/go/src/github.com/TykTechnologies/tyk-identity-broker/tap/identity-handlers/tyk_handler.go:391 +0x2cd
github.com/TykTechnologies/tyk-identity-broker/providers.(*ADProvider).Handle(0xc420167b00, 0x9b9180, 0xc4201641c0, 0xc420190d00)
	/Users/buger/Documents/work/go/src/github.com/TykTechnologies/tyk-identity-broker/providers/active_directory.go:264 +0xdca
main.HandleAuth(0x9b9180, 0xc4201641c0, 0xc420190d00)
	/Users/buger/Documents/work/go/src/github.com/TykTechnologies/tyk-identity-broker/http_handlers.go:138 +0x89
net/http.HandlerFunc.ServeHTTP(0x80fb20, 0x9b9180, 0xc4201641c0, 0xc420190d00)
	/usr/local/go/src/net/http/server.go:1918 +0x44
github.com/gorilla/mux.(*Router).ServeHTTP(0xc420118a50, 0x9b9180, 0xc4201641c0, 0xc420190d00)
	/Users/buger/Documents/work/go/src/github.com/gorilla/mux/mux.go:114 +0xdc
net/http.serverHandler.ServeHTTP(0xc42011e8f0, 0x9b9180, 0xc4201641c0, 0xc420190b00)
	/usr/local/go/src/net/http/server.go:2619 +0xb4
net/http.(*conn).serve(0xc420133900, 0x9b9840, 0xc4201109c0)
	/usr/local/go/src/net/http/server.go:1801 +0x71d
created by net/http.(*Server).Serve
	/usr/local/go/src/net/http/server.go:2720 +0x288
```

The profile.json:
```json
{
    "ActionType": "GenerateOrLoginDeveloperProfile",
    "ID": "7",
    "IdentityHandlerConfig": {
        "DashboardCredential": "822f2b1c75dc4a4a522944caa757976a"
    },
    "OrgID": "53ac07777cbb8c2d53000002",
    "ProviderConfig": {
        "FailureRedirect": "http://openapi.appliedinnovation-cn.com:3000/portal/login/",
        "LDAPAttributes": [],
        "LDAPPort": "389",
        "LDAPServer": "localhost",
        "LDAPUserDN": "cn=USERNAME,ou=people,dc=appliedinnovation-cn,dc=com"
    },
    "ProviderConstraints": {
        "Domain": "ADProvider",
        "Group": ""
    },
    "ProviderName": "ADProvider",
    "ReturnURL": "http://openapi.appliedinnovation-cn.com:3000/portal/sso/",
    "Type": "passthrough"
}
```

The tib.conf:
```json
{
    "Secret": "test-secret",
    "HttpServerOptions": {
        "UseSSL": false,
        "CertFile": "./certs/server.pem",
        "KeyFile": "./certs/server.key"
    },
    "BackEnd": {
        "Name": "in_memory",
        "ProfileBackendSettings": {},
        "IdentityBackendSettings": {
            "Hosts": {
                "localhost": "6379"
            },
            "Password": "",
            "Database": 0,
            "EnableCluster": false,
            "MaxIdle": 1000,
            "MaxActive": 2000
        }
    },
    "TykAPISettings": {
        "GatewayConfig": {
            "Endpoint": "http://localhost",
            "Port": "8080",
            "AdminSecret": "352d20ee67be67f6340b4c0605b044b7"
        },
        "DashboardConfig": {
            "Endpoint": "http://localhost",
            "Port": "3000",
            "AdminSecret": "352d20ee67be67f6340b4c0605b044b7"
        }
    }
}
```

The LDAP data:
```text
dn: cn=test,ou=people,dc=appliedinnovation-cn,dc=com
cn: test
```

Now the user bind succeeds, but there is a panic error. I have no idea about this error; is there anything I can do about it?

PS: The TIB version is v0.2.1.

Apologies for late reply.

The error message itself is terrible, but it indicates that there is an error when it tries to communicate with the dashboard API. Either it is not available due to networking issues, a TLS error, or similar.

Error handling was improved in the latest master.

Hi Leon.

Thanks for your response. The panic error was caused by the SSL config: I enabled SSL for tyk-dashboard, tyk-gateway and TIB with a CA cert file, and it's fine now.

And there’s another error below.

```text
DEBU[0005] [AUTH HANDLERS] --> Looking up profile ID:7
DEBU[0005] [AD AUTH] Connect: starting...
DEBU[0005] [AD AUTH] --> To: localhost:389
DEBU[0005] [AD AUTH] Connect: finished...
DEBU[0005] DN: uid=test,ou=people,dc=ip029,dc=cn
INFO[0005] [AD AUTH] User bind successful: test
INFO[0005] [AD AUTH] Search: starting...
INFO[0005] [AD AUTH] LDAPFilter is blank, skipping
INFO[0005] [AD AUTH] User Data:{map[] ADProvider test@ADProvider test 0001-01-01 00:00:00 +0000 UTC}
DEBU[0005] [AD AUTH] Constraints for AD must be set in DN
INFO[0005] [TYK ID HANDLER] Creating nonce
INFO[0005] [TYK ID HANDLER] Creating identity for: {map[] ADProvider test@ADProvider test 0001-01-01 00:00:00 +0000 UTC}
WARN[0005] Response code was: 404
WARN[0005] GOT:{"Status":"Error","Message":"Could not retrieve portal object","Meta":null}

WARN[0005] [TYK ID HANDLER] Returned: {ObjectIdHex("") 0001-01-01 00:00:00 +0000 UTC false map[] map[] map[] }
WARN[0005] [TYK ID HANDLER] API Error:
INFO[0005] [TYK ID HANDLER] User not found, creating new record
INFO[0005] [TYK ID HANDLER] Creating user
WARN[0005] Response code was: 400
WARN[0005] GOT:{"Status":"Error","Message":"Developer object validation failed.","Meta":null,"Errors":["email: Does not match format 'email'","password: String length must be greater than or equal to 6"]}

ERRO[0005] [TYK ID HANDLER] failed to create user! Response code was not 200!
DEBU[0005] [AD AUTH] Closing connection
```

Looks like it generates the wrong temp account to access the TYK portal. The same error occurred when using a GitHub account to log in.

I found this function "CompleteIdentityActionForPortal" in file "\tyk-identity-broker-master\tap\identity-handlers\tyk_handler.go" of TIB.

```go
func (t *TykIdentityHandler) CompleteIdentityActionForPortal(w http.ResponseWriter, r *http.Request, i interface{}, profile tap.Profile) {
	// Create a nonce
	log.Info(TykAPILogTag + " Creating nonce")
	nonce, nErr := t.CreateIdentity(i)

	if nErr != nil {
		log.Error(TykAPILogTag+" Nonce creation failed: ", nErr)
		fmt.Fprintf(w, "Login failed")
		return
	}

	// Check if user exists
	sso_key := tap.GenerateSSOKey(i.(goth.User))
	thisUser, retErr := t.API.GetDeveloperBySSOKey(t.dashboardUserAPICred, sso_key)
	log.Warning(TykAPILogTag+" Returned: ", thisUser)

	createUser := false
	if retErr != nil {
		// The original passes nErr here, which is nil by this point; that is why
		// the "API Error:" line in the log above is empty. retErr is the lookup error.
		log.Warning(TykAPILogTag+" API Error: ", retErr)
		log.Info(TykAPILogTag + " User not found, creating new record")
		createUser = true
	}

	// If not, create user
	if createUser {
		// The SSO key doubles as the email address and the password is left
		// empty; the dashboard's developer schema rejects both (see the 400 above).
		if thisUser.Email == "" {
			thisUser.Email = sso_key
		}

		log.Info(TykAPILogTag + " Creating user")
		newUser := tyk.PortalDeveloper{
			Email:         thisUser.Email,
			Password:      "",
			DateCreated:   time.Now(),
			OrgId:         t.profile.OrgID,
			ApiKeys:       map[string]string{},
			Subscriptions: map[string]string{},
			Fields:        map[string]string{},
			Nonce:         nonce,
			SSOKey:        sso_key,
		}
		createErr := t.API.CreateDeveloper(t.dashboardUserAPICred, newUser)
		if createErr != nil {
			log.Error(TykAPILogTag+" failed to create user! ", createErr)
			fmt.Fprintf(w, "Login failed")
			return
		}
	} else {
		// Set nonce value in user profile
		thisUser.Nonce = nonce
		updateErr := t.API.UpdateDeveloper(t.dashboardUserAPICred, thisUser)
		if updateErr != nil {
			log.Error("Failed to update user! ", updateErr)
			fmt.Fprintf(w, "Login failed")
			return
		}
	}

	// After login, we need to redirect this user
	log.Info(TykAPILogTag + " --> Running redirect...")
	if profile.ReturnURL != "" {
		newURL := profile.ReturnURL + "?nonce=" + nonce
		log.Info(TykAPILogTag+" --> URL With NONCE is: ", newURL)
		http.Redirect(w, r, newURL, 301)
		return
	}

	log.Warning(TykAPILogTag + "No return URL found, redirect failed.")
	fmt.Fprintf(w, "Success! (Have you set a return URL?)")
}
```

I see!

This indeed looks like an issue in TIB.

To mitigate it you can change the tyk dashboard developer object validation rules by going to the folder with tyk-analytics and modifying the ./schemas/developer.json file to something like this:

```json
{
    "title": "Developer Schema",
    "type": "object",
    "properties": {
        "email": {
            "type": "string"
        },
        "password": { "type": "string" }
    },
    "required": [
        "email"
    ]
}
```

This will turn off email validation and password security rules. In the meantime I'll try to fix the issue on the TIB side.

Thank you!
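The 400 in the log comes from the posted handler filling Email with the SSO key and leaving Password empty, and the workaround above relaxes the dashboard schema to accept that. The broker can instead produce a developer object that already satisfies the two rules the dashboard quoted, so the validation stays in place. The following is an added example, not TIB's or Tyk's code; it assumes a local stand-in for tyk.PortalDeveloper, a regex that approximates the schema's email format check, and a placeholder address under the reserved .invalid TLD for providers that return no usable email.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"regexp"
	"strings"
)

// PortalDeveloper is a local stand-in for the fields of tyk.PortalDeveloper
// used here (assumption: not the real tyk package).
type PortalDeveloper struct{ Email, Password, OrgId, Nonce, SSOKey string }

// emailRe approximates JSON Schema's "email" format check (assumption).
var emailRe = regexp.MustCompile(`^[^@\s]+@[^@\s]+\.[^@\s]+$`)

// ValidateDeveloper applies the two rules quoted in the dashboard's 400 response.
func ValidateDeveloper(d PortalDeveloper) []string {
	var errs []string
	if !emailRe.MatchString(d.Email) {
		errs = append(errs, "email: Does not match format 'email'")
	}
	if len(d.Password) < 6 {
		errs = append(errs, "password: String length must be greater than or equal to 6")
	}
	return errs
}

// NaiveDeveloper mirrors the posted handler: the SSO key doubles as the
// email and the password stays empty, which is what the dashboard rejects.
func NaiveDeveloper(ssoKey, orgID, nonce string) PortalDeveloper {
	return PortalDeveloper{Email: ssoKey, OrgId: orgID, Nonce: nonce, SSOKey: ssoKey}
}

// HardenedDeveloper keeps the dashboard's rules intact: it uses a well-formed
// provider email, or else a placeholder under the reserved .invalid TLD, and
// sets a random password nobody knows (SSO users never log in with it).
func HardenedDeveloper(ssoKey, providerEmail, orgID, nonce string) (PortalDeveloper, error) {
	email := providerEmail
	if !emailRe.MatchString(email) {
		email = strings.NewReplacer("@", "_", " ", "_").Replace(ssoKey) + "@sso.invalid"
	}
	buf := make([]byte, 24)
	if _, err := rand.Read(buf); err != nil {
		return PortalDeveloper{}, err
	}
	d := PortalDeveloper{Email: email, Password: base64.RawURLEncoding.EncodeToString(buf),
		OrgId: orgID, Nonce: nonce, SSOKey: ssoKey}
	return d, nil
}
```

Run ValidateDeveloper over both objects: the naive one reproduces the two errors from the log, the hardened one passes without touching developer.json.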