can not create group

[IamTaoChen]

Describe the bug

when I create a new group nothing happens..

Screenshots

Server Software (please complete the following information):

• OS: debian
• Virtualization: docker
• Network: reverse proxy
• Version: 1.1.22
• Node: [e.g. 18.4.0]

[si458]

U didn't follow the bug template.
What is ur config.json ?

[IamTaoChen]

I use OIDC and the /admins group is set as siteAdmin

{
    "$schema": "https://raw.githubusercontent.com/Ylianst/MeshCentral/master/meshcentral-config-schema.json",
    "settings": {
        "plugins": {
            "enabled": false
        },
        "mongoDb": "mongodb://XXXX:XXXX@mongo:27017/meshcentral",
        "mongoDbName": "",
        "cert": "rd.demo8.org",
        "_WANonly": true,
        "_LANonly": true,
        "sessionKey": "XXXXXX",
        "port": 4430,
        "aliasPort": 443,
        "redirPort": 80,
        "_redirAliasPort": 80,
        "AgentPong": 300,
        "TLSOffload": "127.0.0.1",
        "SelfUpdate": false,
        "AllowFraming": true,
        "AllowLoginToken": true,
        "WebRTC": false,
        "wsCompression": true
    },
    "domains": {
        "": {
            "title": "XXXXX",
            "title2": "RD",
            "minify": true,
            "ssh": true,
            "newAccountsUserGroups":["users"],
            "NewAccounts": true,
            "localSessionRecording": false,
            "userNameIsEmail": false,
            "certUrl": "https://example.org:",
            "showPasswordLogin": false,
            "auth": "ldap",
            "ldapOptions": {
                "url": "ldaps://XXXXXX:636/",
                "tlsOptions": {
                    "rejectUnauthorized": false
                },
                "bindDN": "XXXXX",
                "bindCredentials": "XXXX",
                "searchBase": "XXXXX",
                "searchFilter": "(sAMAccountName={{username}})",
                "reconnect": true
            },
            "LDAPUserKey": "sAMAccountName",
            "ldapUserName": "displayName",
            "LDAPUserGroups": "memberOf",
            "LDAPSyncWithUserGroups": true,
            "authStrategies": {
                "oidc": {
                    "_authorizationURL": "https://XXXXXX.com/protocol/openid-connect/auth",
                    "callbackURL": "https://rd.example.com/oidc-callback",
                    "clientid": "XXXXX",
                    "clientsecret": "XXXXXX",
                    "issuer": "https://XXXXXX.com",
                    "_tokenURL": "https://XXXXXX.com/protocol/openid-connect/token",
                    "_userInfoURL": "https://XXXXXX.com/protocol/openid-connect/userinfo",
                    "_logouturl": "https://XXXXXX.com/protocol/openid-connect/logout",
                    "newAccounts": true,
                    "logouturl" : "https:/XXXXXX.com/protocol/openid-connect/logout",
                    "scope": [
                        "openid",
                        "profile",
                        "email",
                        "groups"
                    ],
                    "groups": {
                        "required": [
                            "/admins",
                            "/members"
                        ],
                        "siteadmin": [
                            "/admins"
                        ],
                        "sync": {
                            "enabled": true
                        },
                        "claim": "groups"
                    }
                }
            }
        }
    },
    "_letsencrypt": {
        "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before>",
        "_email": "myemail@mydomain.com",
        "_names": "myserver.mydomain.com",
        "production": false
    },
    "_smtp": {
        "host": "xxxxx",
        "port": 25,
        "from": "xxxx",
        "tls": false,
        "user": "xxxxx",
        "pass": "xxxxx"
    }
}

[si458]

You are mixing 2 authentication methods in ur config.json
You have auth: "ldap" set AND authStrategies set
You should only have one or the other!
So comment one to remove it _auth or _authStrategies
Then restart meshcentral and try again

[IamTaoChen]

You are mixing 2 authentication methods in ur config.json You have auth: "ldap" set AND authStrategies set You should only have one or the other! So comment one to remove it _auth or _authStrategies Then restart meshcentral and try again

it still doesn't work

[si458]

@IamTaoChen well which one did you comment out?
whats ur config.json look like now?
you wont be able to create groups with ldap because you have set LDAPSyncWithUserGroups

[IamTaoChen]

@IamTaoChen well which one did you comment out? whats ur config.json look like now? you wont be able to create groups with ldap because you have set LDAPSyncWithUserGroups

I only change the auth

"_auth": "ldap",

But I just tried to use 1.1.20 and it works.

[si458]

the was changes in 1.1.21 and 1.1.22 with the OIDC (a community member changed code for things)
so it might be something there is broken as the was a few other OIDC things that where broken and ive fixed recently.

so u use OIDC for the authentication and not LDAP?

whos the OIDC provider? (i use authentik for my testing)
just want to clarify so i can try replicate it tomorrow for you

[si458]

@IamTaoChen after a quick look at the new docs written by the community member
the sync: true feature will copy the oidc groups over, which might be why you cant create any groups manually
https://ylianst.github.io/MeshCentral/meshcentral/openidConnectStrategy/#groups-options

[IamTaoChen]

@IamTaoChen after a quick look at the new docs written by the community member the sync: true feature will copy the oidc groups over, which might be why you cant create any groups manually https://ylianst.github.io/MeshCentral/meshcentral/openidConnectStrategy/#groups-options

The reason I want to try to create a group manually is the groups didn't sync from OIDC groups, even I can see the group information was extracted by the MeshCentral.

[IamTaoChen]

the was changes in 1.1.21 and 1.1.22 with the OIDC (a community member changed code for things) so it might be something there is broken as the was a few other OIDC things that where broken and ive fixed recently.

so u use OIDC for the authentication and not LDAP?

whos the OIDC provider? (i use authentik for my testing) just want to clarify so i can try replicate it tomorrow for you

Yes, I use OIDC for authentication.

I use keycloak. MeshCentral can get the group infoemation

[si458]

The reason I want to try to create a group manually is the groups didn't sync from OIDC groups, even I can see the group information was extracted by the MeshCentral.

Ah right so it's not syncing the groups for starters but then u can't create groups either! I will have a look when I get chance for u

[si458]

ok ive just fixed a bug where using the oidc sync feature,
it wasnt syncing the groups correctly if you didnt specify any
5c13f17
but i dont think that fixes ur issue, im still looking into it for you 👍

[si458]

@IamTaoChen ok ive looked at this, because you have sync: true basically you arent allowed to create groups,
this is because they need to stay in sync with your oidc provider,
and this happens everytime a user logs in
so the way to create a user group, is create a group in your backend oidc provider,
then add your users you want into them again in using your backend provider
then when a user of that group logs in,
it will download its groups, see the new group, then create the group in meshcentral and add all the others users in it

// Check if we are in a mode that does not allow manual user group creation
if (
  (typeof domain.authstrategies == 'object') &&
  (typeof domain.authstrategies['oidc'] == 'object') &&
  (typeof domain.authstrategies['oidc'].groups == 'object') &&
  ((domain.authstrategies['oidc'].groups.sync == true) || ((typeof domain.authstrategies['oidc'].groups.sync == 'object') && (domain.authstrategies['oidc'].groups.sync.enabled == true)))
) {
  err = "Not allowed in OIDC mode with user group sync.";
}

but the is a bug where you dont get notified in the web ui, so ill fix that for you.

[IamTaoChen]

@IamTaoChen ok ive looked at this, because you have sync: true basically you arent allowed to create groups, this is because they need to stay in sync with your oidc provider, and this happens everytime a user logs in so the way to create a user group, is create a group in your backend oidc provider, then add your users you want into them again in using your backend provider then when a user of that group logs in, it will download its groups, see the new group, then create the group in meshcentral and add all the others users in it

// Check if we are in a mode that does not allow manual user group creation
if (
  (typeof domain.authstrategies == 'object') &&
  (typeof domain.authstrategies['oidc'] == 'object') &&
  (typeof domain.authstrategies['oidc'].groups == 'object') &&
  ((domain.authstrategies['oidc'].groups.sync == true) || ((typeof domain.authstrategies['oidc'].groups.sync == 'object') && (domain.authstrategies['oidc'].groups.sync.enabled == true)))
) {
  err = "Not allowed in OIDC mode with user group sync.";
}

but the is a bug where you dont get notified in the web ui, so ill fix that for you.

thanks, I'll test it

[si458]

@IamTaoChen you might need to use the newest master docker image again (built about 5mins ago)

[IamTaoChen]

the problem still exists.

The demo user is in two groups /members and /staff. The /members was synced by the 1.1.20vesion and the /staff is a new group I created at IdP.

And The demo user is in the /members, but /staff was not created.(also, I cannot create a group manually)

[si458]

ive just tested it here with my authentik, and it seemed to work?
created new group and new user, added new user to new group, logged into mc with new user, new group shows up?
even then i logged new user out, added new user into my ADMIN group for authentik,
relogged user back in, ADMIN group now shows 2 users on mc
(i had previosuly logged in the admin user to get this group created)

is ur config.json the same as above still? #6104 (comment)
try the latest master docker image from 2 mins ago
https://github.com/Ylianst/MeshCentral/pkgs/container/meshcentral/219060780?tag=master

[IamTaoChen]

It still doesn't work.
this is my image.

   docker image ls | grep meshcentral                                     
ghcr.io/ylianst/meshcentral                                         master            2fe1c56bb34f   16 minutes ago      910MB
ghcr.io/ylianst/meshcentral                                         <none>            7df036099ce2   About an hour ago   910MB
ghcr.io/ylianst/meshcentral                                         <none>            cd77d6ba8458   2 days ago          910MB
ghcr.io/ylianst/meshcentral                                         latest            7dab3f2d7509   8 weeks ago         905MB
ghcr.io/ylianst/meshcentral                                         1.1.20            da14354298e0   3 months ago        896MB
 docker pull ghcr.io/ylianst/meshcentral:master
master: Pulling from ylianst/meshcentral
Digest: sha256:1e8e0d7a97c6f0a30e0b9223322bc6ecdd09def4de3d0bee48fd52344513106e
Status: Image is up to date for ghcr.io/ylianst/meshcentral:master
ghcr.io/ylianst/meshcentral:master

Yes, I didn't change the config.json which can work with 1.1.20. The user can be added into the existing group, but Meshcentral doesn't create now group

[IamTaoChen]

how cloud I log more information?

[si458]

node node_modules/meshcentral --debug web,authlog
and with docker you set

environment:
  - ARGS=--debug web,authlog

[IamTaoChen]

✔ Container meshcentral  Started                                                                                                                    10.9s 
meshcentral  | Missing Modules: passport, openid-client, connect-flash
meshcentral  | Installing modules [ 'passport', 'openid-client', 'connect-flash' ]
meshcentral  | NPM Command Line: /usr/bin/node /usr/bin/npm install --save-exact --no-audit --omit=optional --no-fund passport openid-client connect-flash
meshcentral  | MeshCentral HTTP redirection server running on port 80.
meshcentral  | AUTHLOG: Server listening on 0.0.0.0 port 80.
meshcentral  | MeshCentral v1.1.22, Hybrid (LAN + WAN) mode, Production mode.
meshcentral  | MeshCentral Intel(R) AMT server running on example.com:4433.
meshcentral  | AUTHLOG: Server listening on 0.0.0.0 port 4433.
meshcentral  | AUTHLOG: OIDC: Setting up strategy for domain: 
meshcentral  | AUTHLOG: OIDC: OLD CONFIG: Moving old config to new location. strategy.clientid => strategy.client.client_id
meshcentral  | AUTHLOG: OIDC: OLD CONFIG: Moving old config to new location. strategy.clientsecret => strategy.client.client_secret
meshcentral  | AUTHLOG: OIDC: OLD CONFIG: Moving old config to new location. strategy.callbackurl => strategy.client.redirect_uri
meshcentral  | AUTHLOG: OIDC: Discovering Issuer Endpoints: https://auth.demo8.org/realms/iobs
meshcentral  | Loaded web certificate from "https://example.com:", host: "example.com"
meshcentral  |   SHA384 cert hash: 960e0e2645760b375cfca551691d822c022b8d5c8a7679fa7b6fa709d5ebad250408a5aa8b0c1f73cfb6f6e94efa17a2
meshcentral  | AUTHLOG: OIDC: Setup Complete
meshcentral  | AUTHLOG: Setting up authentication strategies login and callback URLs for root domain.
meshcentral  | AUTHLOG: OIDC: Authorization URL: /auth-oidc
meshcentral  | AUTHLOG: OIDC: Callback URL: /oidc-callback
meshcentral  | MeshCentral HTTP server running on port 4430, alias port 443.
meshcentral  | WEB: handleRootRequestEx: success.
meshcentral  | WEB: handleRootRequestEx: success.
meshcentral  | WEB: handleRootRequestEx: success.
meshcentral  | WEB: handleRootRequestEx: success.
meshcentral  | WEB: handleRootRequestLogin()
meshcentral  | WEB: 404 Error /loading=lazy
meshcentral  | AUTHLOG: User Authorized: {"strategy":"oidc","sid":"~oidc:0c1415dd-3480-4a91-b4ab-3c925af23c21","name":"示 演","email":"demo@ds.iobs","emailVerified":true,"groups":["/staff","/members"],"preset":null}
meshcentral  | AUTHLOG: OIDC: GROUPS: USER: "~oidc:0c1415dd-3480-4a91-b4ab-3c925af23c21" Found 2 memberships: ["/staff", "/members"]
meshcentral  | AUTHLOG: OIDC: GROUPS: USER: "~oidc:0c1415dd-3480-4a91-b4ab-3c925af23c21" Membership to required group found: "/members"
meshcentral  | AUTHLOG: OIDC: LOGIN SUCCESS: USER: "~oidc:0c1415dd-3480-4a91-b4ab-3c925af23c21"
meshcentral  | AUTHLOG: OIDC: User Authenticated: {"_id":"user//~oidc:0c1415dd-3480-4a91-b4ab-3c925af23c21","type":"user","name":"示 演","email":"demo@ds.iobs","creation":1716144528,"login":1716144528,"access":1716311879,"domain":"","emailVerified":true,"links":{"ugrp//VC70XOLJi$$RyDMIcO3czsYnChE2ZVixNeh2ySS4UHh4S0GACzBIr7ADq0TLwL0A":{"rights":1}},"subscriptions":["user//~oidc:0c1415dd-3480-4a91-b4ab-3c925af23c21","server-allusers","ugrp//VC70XOLJi$$RyDMIcO3czsYnChE2ZVixNeh2ySS4UHh4S0GACzBIr7ADq0TLwL0A"]}
meshcentral  | WEB: handleRootRequestEx: success.
meshcentral  | WEB: handleRootRequestEx: success.

[si458]

@IamTaoChen your config.json is incorrect! doh! just spotted!, the sync section should look like this

"groups": {
  "sync": true
}

https://ylianst.github.io/MeshCentral/meshcentral/openidConnectStrategy/#groups-options

so in your case

"groups": {
  "required": [
    "/admins",
    "/members"
  ],
  "siteadmin": [
    "/admins"
  ],
  "sync": true,
  "claim": "groups"
}

[IamTaoChen]

@IamTaoChen your config.json is incorrect! doh! just spotted!, the sync section should look like this

"groups": {
  "sync": true
}

https://ylianst.github.io/MeshCentral/meshcentral/openidConnectStrategy/#groups-options

so in your case

"groups": {
  "required": [
    "/admins",
    "/members"
  ],
  "siteadmin": [
    "/admins"
  ],
  "sync": true,
  "claim": "groups"
}

It works.

Sorry, I misunderstood this part. But it's wired that it works at before version.

[si458]

@IamTaoChen yes thats because the person who wrote the new oidc code, the code was years behind.
so when it was merged by @Ylianst things goofed up.
also the is a migrate script in to convert old oidc config to new one, but im guessing the sync: { enabled:true} isnt included!
i will sort that out now!

[si458]

ok done migrate groups.sync.enabled (spelt the commit message wrong like but hey ho) bc6451f

[si458]

are you ok to close this issue now?
as the original issue has been resolved
you cant create groups when using oidc and sync

[ainuoyan]

@IamTaoChen 老哥，请问在新版本 1.1.27 版本上有测试过 oidc 对接是好使的吗？我目前遇到个问题是单点认证通过后卡在下面背景页然后就没动静了，也不知道咋回事