AMP LDAP integration non functional - Linux

OS Name/Version: Debian 11

Product Name/Version: AMP Release “Decadeus” v2.4.4, built 17/05/2023

Problem Description: I’ve been trying to configure my freshly installed Debian 11 Linux server to run AMP with LDAP authentication.

I was able to locate an existing bug that was logged on GitHub late last year which appears to match the errors in my logs.
https://github.com/CubeCoders/AMP/issues/745
My logs have been added to that discussion for review. At the time they were generated on version 2.4.3.6, but I can confirm the problem remains for the latest version (2.4.4.0).

I’d like to know if this bug is going to be addressed in the near future. LDAP support in AMP was one of the main reasons I’d purchased a network license (having owned a pro license beforehand). I aim to build a new server fleet with AMP (leveraging LDAP) as a management platform. I don’t wish to be using local accounts.

I’m willing to assist in any troubleshooting efforts to get this bug resolved.

Steps to reproduce:

  • Create new VM - Same OS and patching level.
  • Join Debian server to domain, able to query users/groups and login to ssh with LDAP creds.
  • Install and register AMP - Network edition, patch to latest.
  • Configure AMPConfig for LDAP

Actions taken to resolve so far: Examined plugin directory that is being presented in log files. Confirmed missing - Path: /home/amp/.ampdata/instances/ADS01/Plugins/Novell.Directory.Ldap.resources/

Created new VM, repeated installation process:

  • Installed Debian 11 (netinst)
  • Updated all packages
  • Joined server to domain, can make use of accounts and query LDAP users
  • Installed AMP
  • Followed instructions to configure ADS for LDAP

Unfortunately, had the same failure to authenticate and the same output in log messages.

I have other servers joined to the domain, a mixture of Windows and Linux systems. DNS is resolving correctly and I have the appropriate SOA records and _ldap service records (I saw this being asked about in a different thread). The Linux server itself has no issue using LDAP for other purposes.


Potemkin feature, not convinced that it exists. Have not spoken to one person other than Mike who claims it works.

The problem is more that I think it works in a much narrower set of circumstances than people expect. The code is very simple:

using System.DirectoryServices;

// Bind to the configured domain with the credentials the user typed in.
using var de = new DirectoryEntry("LDAP://" + domain, username, password, AuthenticationTypes.Encryption);
using var directorySearcher = new DirectorySearcher(de);

// Look the user up by sAMAccountName and pull back their group membership.
directorySearcher.Filter = $"(&(objectClass=user)(sAMAccountName={username}))";
directorySearcher.PropertiesToLoad.Add("SAMAccountName");
directorySearcher.PropertiesToLoad.Add("memberOf");
SearchResult searchResult = directorySearcher.FindOne();

I suspect what’s missing is that people need the ability to specify O and OU. In which case you might find that just doing myldapserver/OU=people,O=myorg as the LDAPDomain actually works.

Hi Mike,

I agree that having a bit more control over how we filter would be nice.

Just in relation to the issue at hand, it seems to me that AMP is expecting a missing plugin (Novell Directory).

The logs state that the following file is missing: /home/amp/.ampdata/instances/ADS01/Plugins/Novell.Directory.Ldap.resources/Novell.Directory.Ldap.resources.dll

It also seems the log message was common between Sauramel and me.

Why would AMP be looking for such a module?

I did a bit of digging around on it and found where you used to be able to get the dll. Novell Documentation

I’m just puzzled as to why this message is coming up.

Aside from the above, what user account is used to query LDAP? I don’t recall being able to provide any service account or credentials for AMP to run the lookups.

Is AMP passing the supplied credentials directly back to LDAP to run the query on the user’s group memberships?

You can ignore that, it’s looking for a resources file that it doesn’t actually need. The actual important bit is included in AMPs main executable.

The user account that is used to query the LDAP is the one you’re logging in as. It’s expected to be able to query itself to discover its own group membership.

Thanks for clarifying that for me.

I’ll provide a bit more information on some of the fiddling around I’ve done.

Within the AMPConfig.conf file, under the Login section:

I’ve left my Group prefix as AMP_ and I’ve made a number of groups for the various AMP roles. Each group has the prefix.

As for the Login.LDAPAuthDomain= parameter, I’ve tried using:

  • domain.tld
  • the FQDN of a DC (DChostname.domain.tld)
  • the short domain name: DOMAIN

Whilst logging in I’ve tried the following username formats:

  • username@domain.tld
  • username
  • domain\username
  • DOMAIN\username
  • domain.tld\username

It wasn’t too clear to me what format would be required by AMP so I’ve been testing all of these combinations out.

My user sits in an OU of my creation at the root of the directory. My AMP_ security groups are a few OUs deep in a role-based access layout that I’ve been using for other systems.

In your original reply you said:

In which case you might find actually that just doing myldapserver/OU=people,O=myorg as the LDAPDomain works.

Could you please clarify if this was something you’d like me to try out and where I could make the change? Did you mean for me to try this on the Login.LDAPAuthDomain= parameter?

Should I try moving my users and or groups to the default locations?

I’m more than happy to chip away at this with you if you’d like me to test things. My environment isn’t running anything yet so I have zero risk of damaging a working installation (Plus VM snapshots are magic).

Yes, you could set the LDAPAuthDomain parameter to include the OU,O as part of the path. It literally just shoves that value in verbatim.

I’ve given it a shot. I altered the config file and restarted AMP.

Login screen gives me the same experience (spinning/loading wheel) and progresses no further.

The full log output from this attempt is shown below (I’ve just changed my domain details).

[13:48:35] [Logger Info] : Starting AMP version 2.4.4.0 (Decadeus), built 17/05/2023 17:54
[13:48:35] [Logger Info] : Stream: Mainline (Release) - built by CUBECODERS/buildbot on CCL-DEV
[13:48:35] [Logger Info] : Running in a VMware environment.
[13:48:35] [Logger Info] : Deleting 1 old log files…
[13:48:35] [Logger Warning] : Current time zone is set to AWST - It is recommended you switch to UTC+0 to avoid time-zone related issues
[13:48:35] [Logger Info] : OS: Linux / x86_64
[13:48:35] [Logger Info] : CPU: Intel(R) Xeon(R) CPU E5-2620 v2 @ 2.10GHz (1C/1T)
[13:48:35] [Logger Info] : RAM: 1983MB
[13:48:35] [Logger Info] : AMP Instance ID: 8eb02934-5d23-4a8b-9001-ef1b12d3078f
[13:48:36] [Logger Info] : LDAP authentication enabled for domain domain.tld/OU=Game_Admins,DC=domain,DC=tld
[13:48:36] [Logger Info] : Loaded ADSModule version 1.0.0.0 by CubeCoders Limited
[13:48:36] [Logger Info] : Loaded FileManagerPlugin by CubeCoders Limited
[13:48:36] [Logger Info] : Loaded EmailSenderPlugin by CubeCoders Limited
[13:48:36] [Logger Info] : Loaded WebRequestPlugin by CubeCoders Limited
[13:48:36] [Logger Info] : Loaded LocalFileBackupPlugin by CubeCoders Limited
[13:48:36] [Logger Info] : Loaded CommonCorePlugin by CubeCoders Limited
[13:48:36] [Logger Info] : ADSModule requests dependency InstanceManagerPlugin…
[13:48:36] [Logger Info] : Loaded InstanceManagerPlugin by CubeCoders Limited
[13:48:36] [Logger Info] : ADSModule requests dependency SystemUserManagerPlugin…
[13:48:36] [Logger Info] : Loaded SystemUserManagerPlugin by CubeCoders Limited
[13:48:37] [Logger Info] : Licence Present: AMP Network Standard Edition
[13:48:37] [Logger Info] : Loaded steamcmdplugin by CubeCoders Limited
[13:48:37] [Logger Info] : Metrics server started OK on port 12820
[13:48:37] [Logger Info] : ADS startup complete in 130ms
[13:48:37] [Logger Info] : Updating remote source CubeCoders/AMPTemplates
[13:48:37] [Logger Info] : Updating existing remote source GitHub - CubeCoders/AMPTemplates: For the AMP community to share Generic Module templates.
hint: Pulling without specifying how to reconcile divergent branches is
hint: discouraged. You can squelch this message by running one of the following
hint: commands sometime before your next pull:
hint:
hint: git config pull.rebase false # merge (the default strategy)
hint: git config pull.rebase true # rebase
hint: git config pull.ff only # fast-forward only
hint:
hint: You can replace “git config” with “git config --global” to set a default
hint: preference for all repositories. You can also pass --rebase, --no-rebase,
hint: or --ff-only on the command line to override the configured default per
hint: invocation.
[13:48:38] [Logger Notice] : Using keypair with fingerprint qALd5UgZj6HfEukYrVSQyJCkdcramG6dVXCHuL+xVww=
Already up to date.
[13:48:38] [Logger Info] : SFTP Server started on 0.0.0.0:2223
[13:48:38] [Webserver Info] : Websockets are enabled.
[13:48:38] [Logger Info] : RouterTimer@10Hz with 2 jobs started
[13:48:38] [Logger Info] : Webserver started on http://0.0.0.0:8080
[13:48:38] [Core Info] : Checking for AMP updates…
[13:48:38] [Logger Info] : Startup mode is StartApplication.
[13:48:39] [Core Info] : AMP is up-to-date.
[13:49:15] [Logger Error] : Missing plugin/assembly: Novell.Directory.Ldap.resources (/home/amp/.ampdata/instances/ADS01/Plugins/Novell.Directory.Ldap.resources/Novell.Directory.Ldap.resources.dll) for
[13:49:15] [Logger Error] : Missing plugin/assembly: Novell.Directory.Ldap.resources (/home/amp/.ampdata/instances/ADS01/Plugins/Novell.Directory.Ldap.resources/Novell.Directory.Ldap.resources.dll) for
[13:49:15] [Logger Warning] : LDAP authentication failure: Invalid Credentials
[13:49:15] [Core Error] : LdapException
[13:49:15] [Logger Error] : [0] (LdapException) : Invalid Credentials
[13:49:15] [Core Error] : at Novell.Directory.Ldap.LdapResponse.chkResultCode ()
at Novell.Directory.Ldap.LdapConnection.chkResultCode (Novell.Directory.Ldap.LdapMessageQueue queue, Novell.Directory.Ldap.LdapConstraints cons, Novell.Directory.Ldap.LdapResponse response)
at Novell.Directory.Ldap.LdapConnection.Bind (Int32 version, String dn, SByte passwd, Novell.Directory.Ldap.LdapConstraints cons)
at Novell.Directory.Ldap.LdapConnection.Bind (Int32 version, String dn, String passwd, Novell.Directory.Ldap.LdapConstraints cons)
at Novell.Directory.Ldap.LdapConnection.Bind (String dn, String passwd, Novell.Directory.Ldap.AuthenticationTypes authenticationTypes)
at DirectoryServices.DirectorySearcher.InitBlock ()
at DirectoryServices.DirectorySearcher.DoSearch ()
at DirectoryServices.DirectorySearcher.get_SrchColl ()
at DirectoryServices.DirectorySearcher.FindOne ()
at (wrapper remoting-invoke-with-check) DirectoryServices.DirectorySearcher.FindOne()
at GSMyAdmin.Authentication.LDAPAuth.Authenticate (String username, String password)
[13:49:28] [Logger Warning] : LDAP authentication failure: Filter Error
[13:49:28] [Core Error] : LdapLocalException
[13:49:28] [Logger Error] : [0] (LdapLocalException) : Filter Error
[13:49:28] [Core Error] : at Novell.Directory.Ldap.Rfc2251.RfcFilter.unescapeString (String string_Renamed)
at Novell.Directory.Ldap.Rfc2251.RfcFilter.parseFilterComp ()
at Novell.Directory.Ldap.Rfc2251.RfcFilter.parseFilter ()
at Novell.Directory.Ldap.Rfc2251.RfcFilter.parseFilterList ()
at Novell.Directory.Ldap.Rfc2251.RfcFilter.parseFilterComp ()
at Novell.Directory.Ldap.Rfc2251.RfcFilter.parseFilter ()
at Novell.Directory.Ldap.Rfc2251.RfcFilter.parse (String filterExpr)
at Novell.Directory.Ldap.Rfc2251.RfcFilter..ctor (String filter)
at Novell.Directory.Ldap.LdapSearchRequest..ctor (String base_Renamed, Int32 scope, String filter, String attrs, Int32 dereference, Int32 maxResults, Int32 serverTimeLimit, Boolean typesOnly, Novell.Directory.Ldap.LdapControl cont)
at Novell.Directory.Ldap.LdapConnection.Search (String base_Renamed, Int32 scope, String filter, String attrs, Boolean typesOnly, Novell.Directory.Ldap.LdapSearchQueue queue, Novell.Directory.Ldap.LdapSearchConstraints cons)
at Novell.Directory.Ldap.LdapConnection.Search (String base_Renamed, Int32 scope, String filter, String attrs, Boolean typesOnly, Novell.Directory.Ldap.LdapSearchConstraints cons)
at DirectoryServices.DirectorySearcher.DoSearch ()
at DirectoryServices.DirectorySearcher.get_SrchColl ()
at DirectoryServices.DirectorySearcher.FindOne ()
at (wrapper remoting-invoke-with-check) DirectoryServices.DirectorySearcher.FindOne()
at GSMyAdmin.Authentication.LDAPAuth.Authenticate (String username, String password)

Could you please confirm for me which of the username login formats that AMP is expecting to see when LDAP auth is working correctly?

I’m assuming just the sAMAccountName (username) on its own, correct? I noticed that AMP no longer allows the local users to log in whilst LDAP auth is True, so I’d assume we don’t need to specify the domain at all in the username field.
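The "Filter Error" raised from RfcFilter.unescapeString in the log above, read together with the filter Mike quoted earlier, points at how the username is spliced into the search filter: the snippet interpolates it raw, and RFC 4515 treats a backslash (as in the domain\username forms tried above) as the start of a \XX hex escape, so such a value cannot parse, while an unescaped * ( or ) would change what the filter matches. This added Python example (not AMP's code; filter_parse_error is a hypothetical subset of the real library's checks) shows the escaping that keeps any username a literal match value:

```python
# Added example, not AMP's code: RFC 4515 escaping for the
# (&(objectClass=user)(sAMAccountName={username})) filter, plus a small
# check that mimics why an unescaped backslash fails to parse.
import re

# RFC 4515 section 3: these characters must appear as \XX inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP search-filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str) -> str:
    """Same filter shape as the AMP snippet, but with the username escaped."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


# A backslash inside a filter is only valid when followed by two hex digits.
_ESCAPED_PAIR = re.compile(r"\\[0-9a-fA-F]{2}")


def filter_parse_error(filt: str):
    """Return None if the filter passes the checks, else a short reason.

    Hypothetical subset of an RFC 4515 parser: balanced parentheses and
    every backslash forming a \\XX escape. A raw 'DOMAIN\\user' fails here
    for the same reason a real parser rejects it."""
    depth = 0
    i = 0
    while i < len(filt):
        ch = filt[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return "unbalanced ')'"
        elif ch == "\\":
            if not _ESCAPED_PAIR.match(filt, i):
                return f"bad escape at offset {i}: {filt[i:i + 3]!r}"
            i += 2  # skip the two hex digits of a valid escape
        i += 1
    return None if depth == 0 else "unclosed '('"


if __name__ == "__main__":
    for name in ("fred", "DOMAIN\\fred", "fr*d"):  # constructed sample inputs
        print(name, "->", build_user_filter(name), filter_parse_error(build_user_filter(name)))
```

Binding with DOMAIN\fred and then searching for sAMAccountName=DOMAIN\fred will still match nothing; the escaping only guarantees the filter is well-formed and that the typed value is matched literally rather than interpreted.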

It’s just expecting the username as-is, no need to specify the domain. What LDAP server are you using?

Sorry for the delay in reply, I’ve been a bit sick.

Thanks for the clarification on the login format.

I’m using Zentyal 7.0 as my DC. It is a Linux project that aims to deliver an alternative to a Windows DC. It uses an Active Directory schema in LDAP and can work with other Windows DCs. I even administer it with the AD Users and Computers snap-in.

Zentyal Server Features: Unleash Power and Versatility. Check it out if you haven’t already, it’s great.

Edit:
Just to add some additional information to this, I’ve been able to query the “memberof” attribute via an ldapsearch string as a standard domain user, which returned a list of the groups (with their distinguished names) that a test user is a member of.

Here’s the output of the query (and the syntax I used to generate it). I hope this is helpful.

iahmel@domain.tld@amp-01:~$ ldapsearch -x -LLL -H ldap://dc.domain.tld -D "CN=fred,OU=Admins,DC=domain,DC=tld" -w somefunkylongpassword -b "CN=Iahmel,OU=Admins,DC=domain,DC=tld" "(objectClass=*)" memberof

dn: CN=Iahmel,OU=Admins,DC=domain,DC=tld
memberOf: CN=Domain Admins,CN=Users,DC=domain,DC=tld
memberOf: CN=WIKI-01_SSH,OU=WIKI-01,OU=Permissions,OU=Groups,DC=domain,DC=tld
memberOf: CN=Portal_Users,OU=WEB-01,OU=Permissions,OU=Groups,DC=domain,DC=tld
memberOf: CN=AMP_Global_Admin,OU=AMP-01,OU=Permissions,OU=Groups,DC=domain,DC=tld

My test user “fred” is merely a domain user, thus has no special rights.


Really hanging on for this feature to be refactored.

Hello,

I’d really appreciate some help with this. It has been 14 days since I’ve heard anything back. The issue is delaying my deployment of my AMP powered game server fleet.

There are a few of us that are looking for a resolution on this issue. If there’s anything I can do to assist with getting to the bottom of this, please let me know, as I’d be glad to help.

If this does require some code change to resolve, please advise us. It’s not nice to be left wondering what’s going on. I recognise that you’re likely flat out but it’d be reassuring to know you haven’t forgotten about us with a quick update.

We’ve been looking into the issue.

Basically - the user you’re logging in as has to have permission to make LDAP queries themselves in order to resolve their own group information. There doesn’t appear to be any way around this; LDAP doesn’t seem to have a way to let you verify a user’s password without binding as that user to perform a lookup.

That’s why you’re getting permission errors, because the user you’re authenticating doesn’t have permission to query themselves.

They only need sufficient rights to query themselves though rather than the entire directory.

Hi Mike,

Thanks for the update, we appreciate you! :slight_smile:

In my case, I’ve demonstrated a test user (a basic LDAP user) can query LDAP and in fact even was able to look up another user in the same OU.

This test was run on the shell of the server running my AMP installation. “Iahmel” most definitely does have access to query LDAP as does my “fred” test user as shown with ldapsearch. It provided a list of users that “Iahmel” was a member of. “fred” can also look himself up with the same results.

I have since used these LDAP users in other systems/projects with no problem.

I feel like I might need to run a Wireshark capture and see what’s being passed between the servers. Hopefully it might turn up something helpful.

Does the LDAP server you’re using support encrypted connections? This is separate from supporting TLS/SSL.
