Cannot fill the LDAP parameters (binary and docker)

[fsainovich]

I got a problem to inform the LDAP parameters, even using the binary (semaphore setup) and docker image (using ENV):

I tried:

CN=svc.semaphore,OU=XXXX,DC=XXXX,DC=XXX,DC=XX -> raw
(CN=svc.semaphore,OU=XXXX,DC=XXXX,DC=XXX,DC=XX) -> With ( )
'CN=svc.semaphore,OU=XXXX,DC=XXXX,DC=XXX,DC=XX' -> With ' '
"CN=svc.semaphore,OU=XXXX,DC=XXXX,DC=XXX,DC=XX" -> With " "

I got always the same error:

An input error occurred: expected newline

LDAP DN for bind (default cn=user,ou=users,dc=example): CN=svc.semaphore,OU=XXXX,DC=XXXX,DC=XXX,DC=XX
WARN[0015] An input error occurred: expected newline
Password for LDAP bind user (default pa55w0rd): WARN[0015] An input error occurred: expected newline

LDAP DN for bind (default cn=user,ou=users,dc=example): (CN=svc.semaphore,OU=XXXX,DC=XXXX,DC=XXX,DC=XX)
WARN[0025] An input error occurred: expected newline
Password for LDAP bind user (default pa55w0rd): WARN[0025] An input error occurred: expected newline

LDAP DN for bind (default cn=user,ou=users,dc=example): 'CN=svc.semaphore,OU=XXXX,DC=XXXX,DC=XXX,DC=XX'
WARN[0021] An input error occurred: expected newline
Password for LDAP bind user (default pa55w0rd): WARN[0021] An input error occurred: expected newline

LDAP DN for bind (default cn=user,ou=users,dc=example): "CN=svc.semaphore,OU=XXXX,DC=XXXX,DC=XXX,DC=XX"
WARN[0019] An input error occurred: expected newline
Password for LDAP bind user (default pa55w0rd): WARN[0019] An input error occurred: expected newline

In docker image I got only:

An input error occurred: expected newline (but i think that is the same problem as the binary).

[lafayetteduarte]

does your LDAP string have spaces in it?
if it does this could be the cause.
i had one case last week an i was able to bypass the error by providing a config file in a volume bind of my docker-file.
see #419 for details.

[fsainovich]

Hi Lafayette.

Yes, I have spaces in LDAP string. Was your solution building a new image with the configs in the dockerfile or a volume bind in docker-compose.yaml ?

[lafayetteduarte]

So, what i did to circunvent this issue was:

1. created a config dir alongside the docker-compose folder and within i created the config.json file
2. the config.json file holds the ldap settings and expressions something like:

{
    "bolt":{
      "host": "semaphore.bolt"
    },
    "dialect":"bolt",
    "tmp_path": "/tmp/semaphore",
    "access_key_encryption": "ENCRYPTION_KEY",
    "ldap_enable": true,
    "ldap_needtls": false,
    "ldap_binddn": "CN=semaphore,OU=Administrative Accounts,OU=Users,DC=example,DC=com",
    "ldap_bindpassword": "ACCOUNT_PASSWORD",
    "ldap_server": "dc1.example.com:389",
    "ldap_searchdn": "OU=Users,DC=example,DC=com",
    "ldap_searchfilter": "(&(sAMAccountName=%s)(memberOf=CN=Domain Admins,CN=Users,DC=example,DC=com))",
    "ldap_mappings": {
      "dn": "dn",
      "mail": "mail",
      "uid": "sAMAccountName",
      "cn": "cn"
    },
    "email_sender": "[email protected]",
    "email_host": "mail.example.com",
    "email_port": "25",
    "email_alert": true
}

PS; Im using Active directory to authenticate users. note the spaces in the CN in ldap_binddn, and ldap_searchfilter
but as far as i could gather, this issue would present itself if you have spaces in any env variables

3. In my docker-compose file i have the following:

services:
  semaphore:
    restart: unless-stopped
    ports:
      - 3000:3000
    network_mode: "host"
    build:
      context: .
      dockerfile: Dockerfile
    privileged: true
    environment:
      SEMAPHORE_BOLT_HOST: "semaphore.bolt"
      SEMAPHORE_DB_DIALECT: bolt
      SEMAPHORE_DB: semaphore
      SEMAPHORE_PLAYBOOK_PATH: "/tmp/semaphore/"
      SEMAPHORE_ADMIN_PASSWORD: P@ssw0rd
      SEMAPHORE_ADMIN_NAME: admin
      SEMAPHORE_ADMIN_EMAIL: admin@localhost
      SEMAPHORE_ADMIN: admin
      ANSIBLE_HOST_KEY_CHECKING: "false"
 #   depends_on:
      #- mysql # for postgres, change to: postgres
    volumes:
      - type: bind
        source: ./semaphore/config.json
        target: /etc/semaphore/config.json
      - boltdata:/home/semaphore:rw

the important bit here is the bind volume.
i mapped the external config.json file to the /etc/semaphore/config.json inside the container.

nevermind the host networking, privileged bits . and the custom dockerfile referenced in build.
I need this because i need specific pip dependencies installed in order to connect to vmware and windows hosts
the privileged one is required , in my case in order to enable my playbooks to mount a network path on a windows host to deploy TLS certificates on our windows VMS.

After confirming it works you will probably ask yourself why the heck is this working?
After spending some time reading the code, i realized that, when you specify an existing config file, the code bit that reads a temp file in order to generate the config will be skipped.

the code bit that seems to cause this issue is discussed in #419
to be more specific, on this reply:
#419 (comment)

it seems that, when using the fmt.Sscanln function, the presence of a space is a boundary char that makes the reading stop.
this is used in the process of generating the config file from env variables.

since the space in the OU breaks the reading done by fmt.Sscanln, the config file generation process generates the input file with the wrong number of lines, resulting in a wrong config.json file.

I am part of a group o people that helps each other on devops stuff on discord. we scheduled a meeting today to try to debug this issue and make a PR with a fix if all goes well.

Hope this helps you figure it out.
Fell free to reach out if you need more help on this