Unexpected Exception occurred at X: 'group_base'

[paulmenzel]

One user is now actively using our Indico installation based on

$ git log --no-decorate --oneline -1
c6b5a3042a Fix showing nonbookable period outside admin UI

Just now, the logger sent the log below:

Unexpected Exception occurred at platsch.molgen.mpg.de: 'group_base'

2022-06-30 18:10:35,693  cddddabd26354a15  2       indico.flask - ERROR errors.py:110 -- 'group_base'

Traceback (most recent call last):
  File "/project/indico/home/.local/lib/python3.9/site-packages/flask/app.py", line 1523, in full_dispatch_request
    rv = self.dispatch_request()
  File "/project/indico/home/.local/lib/python3.9/site-packages/flask/app.py", line 1509, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
  File "/project/indico/home/.local/lib/python3.9/site-packages/indico/web/flask/util.py", line 79, in wrapper
    return obj().process()
  File "/project/indico/home/.local/lib/python3.9/site-packages/indico/web/rh.py", line 281, in process
    res = self._do_process()
  File "/project/indico/home/.local/lib/python3.9/site-packages/indico/web/rh.py", line 252, in _do_process
    rv = self._process()
  File "/project/indico/home/.local/lib/python3.9/site-packages/webargs/core.py", line 452, in wrapper
    return func(*args, **kwargs)
  File "/project/indico/home/.local/lib/python3.9/site-packages/indico/modules/groups/controllers.py", line 158, in _process
    groups = GroupProxy.search(name, exact=exact)
  File "/project/indico/home/.local/lib/python3.9/site-packages/indico/modules/groups/core.py", line 115, in search
    result |= {GroupProxy(g.name, g.provider.name, _group=g)
  File "/project/indico/home/.local/lib/python3.9/site-packages/indico/modules/groups/core.py", line 115, in <setcomp>
    result |= {GroupProxy(g.name, g.provider.name, _group=g)
  File "/project/indico/home/.local/lib/python3.9/site-packages/flask_multipass/core.py", line 437, in search_groups
    yield from provider.search_groups(name, exact=exact)
  File "/project/indico/home/.local/lib/python3.9/site-packages/flask_multipass/providers/ldap/providers.py", line 232, in search_groups
    for group_dn, group_data in self._search_groups(search_filter):
  File "/project/indico/home/.local/lib/python3.9/site-packages/flask_multipass/providers/ldap/providers.py", line 182, in _search_groups
    return search(self.ldap_settings['group_base'], search_filter, attributes=[self.ldap_settings['gid']])
KeyError: 'group_base'

{'data': {'get': {'name': 'Organisators'},
          'headers': {'Accept': 'application/json, text/plain, */*',
                      'Accept-Encoding': 'gzip, deflate, br',
                      'Accept-Language': 'fr-FR,fr;q=0.9',
                      'Cookie': 'XXX',
                      'Host': 'events.molgen.mpg.de',
                      'Referer': 'https://events.molgen.mpg.de/event/1/manage/protection',
                      'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X '
                                    '10_15_7) AppleWebKit/605.1.15 (KHTML, '
                                    'like Gecko) Version/15.5 Safari/605.1.15',
                      'X-Csrf-Token': '93165c3d-f87f-4e44-8215-66dfab63006e',
                      'X-Requested-With': 'XMLHttpRequest'},
          'json': None,
          'post': {},
          'url': {}},
 'endpoint': 'groups.group_search',
 'id': 'cddddabd26354a15',
 'ip': 'XXX'
 'method': 'GET',
 'referrer': 'https://events.molgen.mpg.de/event/1/manage/protection',
 'rh': 'RHGroupSearch',
 'time': '2022-06-30T18:10:35.819807',
 'url': 'https://events.molgen.mpg.de/groups/api/search?name=Organisators',
 'user': {'email': '[[email protected]](mailto:[email protected])',
          'id': 2,
          'name': 'XXX'},
 'user_agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) '
               'AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5 '
               'Safari/605.1.15'}

We do not maintain a group field in LDAP, and configured it like below:

LOCAL_IDENTITIES = False

_ldap_config = {
    'uri': 'ldaps://ldap.molgen.mpg.de',
    'bind_dn': 'cn=indico,dc=ldap,dc=apps,dc=molgen,dc=mpg,dc=DE',
    'bind_password': 'X',
    'timeout': 30,
    'verify_cert': True,
    'page_size': 1500,

    'uid': 'uid',
    'user_base': 'dc=user,dc=apps,dc=molgen,dc=mpg,dc=de',
    'user_filter': '(objectClass=molgenUser)',
}

AUTH_PROVIDERS = {
    'ldap': {
        'type': 'ldap',
        'title': 'LDAP',
        'ldap': _ldap_config,
        'default': True
    }
}

IDENTITY_PROVIDERS = {
    'ldap': {
        'type': 'ldap',
        'title': 'LDAP',
        'ldap': _ldap_config,
        'mapping': {
            'first_name': 'givenName',
            'last_name': 'sn',
            'email': 'mail',
        },
        'trusted_email': True,
        'synced_fields': {'first_name', 'last_name'}
    }
}

[ThiefMaster]

Try setting that key to something that will never match anything. Adding an option to use this without groups would be useful nonetheless though.

[paulmenzel]

Please excuse my ignorance. What key do you mean? (I do not know, what the user did, and just got the trace via email.)

[ThiefMaster]

ah sorry, the error happens when the ldap config dict in indico.conf doesn't have a group_base key.

The user went to an event's protection page and searched for a group to add to the ACL.

PS: You always need to remove indico_session when posting a full error report. Otherwise someone can take over that user's Indico account! I also removed the full name of your user from the error report (since you already censored the email address but not the name)