Logged in Active Directory user is getting too many permissions

We faced another problem… Every user who logs in from AD is getting too many permissions, which the user does not have in AD. A normal user is getting full admin permissions.

After configuring Active Directory in Fess on the General page, we can successfully log in from other machines.

For example, we can log in as heinz.miller from the same domain.

But the normal user heinz.miller, for example, is getting too many permissions that he should never get from Active Directory! heinz.miller, for example, is not an Admin or an “Administrator”; he is also not in the group “FessVerwaltung”.

Output of audit.log:

action:LOGIN	user:heinz.miller	permissions:2Domänen-Admins|2Schema-Admins|2Gäste|2Finanzen|2System Managed Accounts Group|2Abgelehnte RODC-Kennwortreplikationsgruppe|RFessVerwaltung|2Organisations-Admins|1heinz.miller|2FessVerwaltung|2Administratoren|2Richtlinien-Ersteller-Besitzer|1heinz.miller	ip:192.168.110.101	time:2021-06-23T14:55:32.650865Z
action:UPDATE_PERMISSION	user:heinz.miller	permissions:2Domänen-Admins|2Schreibgeschützte Domänencontroller der Organisation|2Zertifikatherausgeber|RFessVerwaltung|2Domänencontroller|2FessVerwaltung|2DnsUpdateProxy|2Zulässige RODC-Kennwortreplikationsgruppe|2Schema-Admins|2DHCP-Administratoren|2Domänen-Benutzer|2Organisations-Admins|2Klonbare Domänencontroller|2Unternehmenssschlüsseladministratoren|2RAS- und IAS-Server|2Schlüsseladministratoren|2Domänencomputer|2Richtlinien-Ersteller-Besitzer|2Finanzen|2System Managed Accounts Group|2DnsAdmins|2Domänen-Gäste|2Protected Users|2DHCP-Benutzer|2Administratoren|2Gäste|2Abgelehnte RODC-Kennwortreplikationsgruppe|1heinz.miller|2Schreibgeschützte Domänencontroller	ip:-	time:2021-06-23T14:55:33.278742Z

He is just a normal user who is not in these groups… The only group he belongs to is Users:

You can also see all the global group memberships of heinz.miller in PowerShell (he is just in the group “Domain Users”):
(screenshot)

The global group memberships of a full admin look like:
(screenshot)

You can check it in fess.log with debug level logging.

It is very dangerous. Fess is assigning full admin permissions and other permissions from AD to just normal users!

[request] userRoles=[2Domänen-Admins, 2Schema-Admins, 2Gäste, 2Finanzen, 2System Managed Accounts Group, 2Abgelehnte RODC-Kennwortreplikationsgruppe, RFessVerwaltung, 2Organisations-Admins, 1heinz.miller, 2FessVerwaltung, 2Administratoren, 2Richtlinien-Ersteller-Besitzer]
  [request] username=heinz.miller
  [session] lastaflute.action.USER_BEAN.FessUserBean={userId=heinz.miller, sync=2021/06/24 06:54:35}@3d740e60

This user, for example, does not have the permissions above! He is just in the group Users.

Every normal user from Active Directory who logs in to Fess is getting full admin permissions. This is very dangerous.

Full output of fess.log when the normal user heinz.miller, who belongs just to the group Users, is logged in:

2021-06-24 06:54:30,357 [pool-6-thread-1] DEBUG Updating scheduled jobs. time:1624517640301
2021-06-24 06:54:35,229 [http-nio-8080-exec-6] DEBUG HTTP Request: POST
2021-06-24 06:54:35,267 [http-nio-8080-exec-6] DEBUG allowOrigin: *
2021-06-24 06:54:35,269 [http-nio-8080-exec-6] DEBUG * * * * * * * * * * {BEGIN}: /login/
  requestClass=org.apache.catalina.connector.RequestFacade ; sessionId=D7B5F8E776CAE761EBBDA72A64D2806C
  ; url=http://centos8:8080/login/
  ; method=POST ; protocol=HTTP/1.1 ; scheme=http ; secure=false ; remoteAddr=192.168.110.101 ; remoteHost=192.168.110.101
  ; characterEncoding=UTF-8 ; contentLength=128 ; contentType=application/x-www-form-urlencoded ; locale=de ; locales=de,en_US,en
  [header] accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  [header] accept-encoding=gzip, deflate
  [header] accept-language=de,en-US;q=0.7,en;q=0.3
  [header] connection=keep-alive
  [header] content-length=128
  [header] content-type=application/x-www-form-urlencoded
  [header] cookie=JSESSIONID=D7B5F8E776CAE761EBBDA72A64D2806C
  [header] host=centos8:8080
  [header] origin=http://centos8:8080
  [header] referer=http://centos8:8080/login/
  [header] upgrade-insecure-requests=1
  [header] user-agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
  [param] lastaflute.action.TRANSACTION_TOKEN=5f5b55736479ee71d59384bef5952ff4
  [param] login=Anmelden
  [param] password=Windversteck7
  [param] username=heinz.miller
  [cookie] JSESSIONID=D7B5F8E776CAE761EBBDA72A64D2806C
  [session] lastaflute.action.TRANSACTION_TOKEN={class org.codelibs.fess.app.web.login.LoginAction=5f5b55736479ee71d59384bef5952ff4}
  [session] lastaflute.action.USER_LOCALE=de
2021-06-24 06:54:35,271 [http-nio-8080-exec-6] DEBUG ...Routing to action: name=login_loginAction params=null
2021-06-24 06:54:35,272 [http-nio-8080-exec-6] DEBUG ...Saving user locale to session: de
2021-06-24 06:54:35,274 [http-nio-8080-exec-6] DEBUG #flow ...Calling back #before for LoginAction
2021-06-24 06:54:35,276 [http-nio-8080-exec-6] DEBUG roleSet: [1guest, Rguest]
2021-06-24 06:54:35,278 [http-nio-8080-exec-6] DEBUG Begin transaction: [FormatId=4360, GlobalId=1624517003313/30, BranchId=]
2021-06-24 06:54:35,279 [http-nio-8080-exec-6] DEBUG #flow ...Beginning #action LoginAction@login()
2021-06-24 06:54:35,281 [http-nio-8080-exec-6] DEBUG ...Removing double-submit token: group=LoginAction, token=5f5b55736479ee71d59384bef5952ff4
2021-06-24 06:54:35,289 [http-nio-8080-exec-6] DEBUG Logged in.
2021-06-24 06:54:35,291 [http-nio-8080-exec-6] DEBUG ...Regenerating session ID for security
2021-06-24 06:54:35,293 [http-nio-8080-exec-6] DEBUG ...Saving login info to session
2021-06-24 06:54:35,295 [http-nio-8080-exec-6] DEBUG Search Role: 1:heinz.miller=1heinz.miller
2021-06-24 06:54:35,298 [http-nio-8080-exec-6] DEBUG Account Filter: (&(objectCategory=person)(objectClass=user))
2021-06-24 06:54:35,301 [pool-3-thread-3] DEBUG #flow #async ...Running asynchronous call as secondary@37468045
2021-06-24 06:54:35,309 [pool-3-thread-3] DEBUG #flow #async ...Finishing asynchronous call as secondary@37468045:
[Asynchronous Result]
 performanceView: 00m00s000ms
2021-06-24 06:54:35,323 [http-nio-8080-exec-6] DEBUG LDAP search[4ms]: cn=Users,dc=em,dc=pri - (&(objectCategory=person)(objectClass=user))
2021-06-24 06:54:35,325 [http-nio-8080-exec-6] DEBUG entryDn: CN=Richtlinien-Ersteller-Besitzer,CN=Users,DC=em,DC=pri
2021-06-24 06:54:35,327 [http-nio-8080-exec-6] DEBUG Search Role: 2:Richtlinien-Ersteller-Besitzer=2Richtlinien-Ersteller-Besitzer
2021-06-24 06:54:35,328 [http-nio-8080-exec-6] DEBUG entryDn: CN=Domänen-Admins,CN=Users,DC=em,DC=pri
2021-06-24 06:54:35,331 [http-nio-8080-exec-6] DEBUG Search Role: 2:Domänen-Admins=2Domänen-Admins
2021-06-24 06:54:35,333 [http-nio-8080-exec-6] DEBUG entryDn: CN=Organisations-Admins,CN=Users,DC=em,DC=pri
2021-06-24 06:54:35,336 [http-nio-8080-exec-6] DEBUG Search Role: 2:Organisations-Admins=2Organisations-Admins
2021-06-24 06:54:35,340 [http-nio-8080-exec-6] DEBUG entryDn: CN=Schema-Admins,CN=Users,DC=em,DC=pri
2021-06-24 06:54:35,341 [http-nio-8080-exec-6] DEBUG Search Role: 2:Schema-Admins=2Schema-Admins
2021-06-24 06:54:35,343 [http-nio-8080-exec-6] DEBUG entryDn: CN=Administratoren,CN=Builtin,DC=em,DC=pri
2021-06-24 06:54:35,349 [http-nio-8080-exec-6] DEBUG Search Role: 2:Administratoren=2Administratoren
2021-06-24 06:54:35,350 [http-nio-8080-exec-6] DEBUG entryDn: CN=Gäste,CN=Builtin,DC=em,DC=pri
2021-06-24 06:54:35,352 [http-nio-8080-exec-6] DEBUG Search Role: 2:Gäste=2Gäste
2021-06-24 06:54:35,353 [http-nio-8080-exec-6] DEBUG entryDn: CN=System Managed Accounts Group,CN=Builtin,DC=em,DC=pri
2021-06-24 06:54:35,354 [http-nio-8080-exec-6] DEBUG Search Role: 2:System Managed Accounts Group=2System Managed Accounts Group
2021-06-24 06:54:35,356 [http-nio-8080-exec-6] DEBUG entryDn: CN=Abgelehnte RODC-Kennwortreplikationsgruppe,CN=Users,DC=em,DC=pri
2021-06-24 06:54:35,357 [http-nio-8080-exec-6] DEBUG Search Role: 2:Abgelehnte RODC-Kennwortreplikationsgruppe=2Abgelehnte RODC-Kennwortreplikationsgruppe
2021-06-24 06:54:35,358 [http-nio-8080-exec-6] DEBUG entryDn: CN=Finanzen,DC=em,DC=pri
2021-06-24 06:54:35,360 [http-nio-8080-exec-6] DEBUG Search Role: 2:Finanzen=2Finanzen
2021-06-24 06:54:35,365 [http-nio-8080-exec-6] DEBUG entryDn: CN=Administratoren,CN=Builtin,DC=em,DC=pri
2021-06-24 06:54:35,366 [http-nio-8080-exec-6] DEBUG Search Role: 2:Administratoren=2Administratoren
2021-06-24 06:54:35,368 [http-nio-8080-exec-6] DEBUG entryDn: CN=FessVerwaltung,OU=Role,DC=em,DC=pri
2021-06-24 06:54:35,369 [http-nio-8080-exec-6] DEBUG Search Role: R:FessVerwaltung=RFessVerwaltung
2021-06-24 06:54:35,371 [http-nio-8080-exec-6] DEBUG entryDn: CN=FessVerwaltung,OU=Group,DC=em,DC=pri
2021-06-24 06:54:35,372 [http-nio-8080-exec-6] DEBUG Search Role: 2:FessVerwaltung=2FessVerwaltung
2021-06-24 06:54:35,374 [http-nio-8080-exec-6] DEBUG entryDn: CN=Finanzen,DC=em,DC=pri
2021-06-24 06:54:35,375 [http-nio-8080-exec-6] DEBUG Search Role: 2:Finanzen=2Finanzen
2021-06-24 06:54:35,376 [http-nio-8080-exec-6] DEBUG entryDn: CN=Richtlinien-Ersteller-Besitzer,CN=Users,DC=em,DC=pri
2021-06-24 06:54:35,378 [http-nio-8080-exec-6] DEBUG Search Role: 2:Richtlinien-Ersteller-Besitzer=2Richtlinien-Ersteller-Besitzer
2021-06-24 06:54:35,379 [http-nio-8080-exec-6] DEBUG entryDn: CN=Domänen-Admins,CN=Users,DC=em,DC=pri
2021-06-24 06:54:35,380 [http-nio-8080-exec-6] DEBUG Search Role: 2:Domänen-Admins=2Domänen-Admins
2021-06-24 06:54:35,381 [http-nio-8080-exec-6] DEBUG entryDn: CN=Organisations-Admins,CN=Users,DC=em,DC=pri
2021-06-24 06:54:35,384 [http-nio-8080-exec-6] DEBUG Search Role: 2:Organisations-Admins=2Organisations-Admins
2021-06-24 06:54:35,386 [http-nio-8080-exec-6] DEBUG entryDn: CN=Schema-Admins,CN=Users,DC=em,DC=pri
2021-06-24 06:54:35,387 [http-nio-8080-exec-6] DEBUG Search Role: 2:Schema-Admins=2Schema-Admins
2021-06-24 06:54:35,389 [http-nio-8080-exec-6] DEBUG entryDn: CN=Administratoren,CN=Builtin,DC=em,DC=pri
2021-06-24 06:54:35,391 [http-nio-8080-exec-6] DEBUG Search Role: 2:Administratoren=2Administratoren
2021-06-24 06:54:35,393 [http-nio-8080-exec-6] DEBUG role: [2Domänen-Admins, 2Schema-Admins, 2Gäste, 2Finanzen, 2System Managed Accounts Group, 2Abgelehnte RODC-Kennwortreplikationsgruppe, RFessVerwaltung, 2Organisations-Admins, 1heinz.miller, 2FessVerwaltung, 2Administratoren, 2Richtlinien-Ersteller-Besitzer]
2021-06-24 06:54:35,399 [http-nio-8080-exec-6] DEBUG Commit transaction: [FormatId=4360, GlobalId=1624517003313/30, BranchId=]
2021-06-24 06:54:35,400 [http-nio-8080-exec-6] DEBUG #flow ...Calling back #finally for LoginAction
2021-06-24 06:54:35,402 [http-nio-8080-exec-6] DEBUG #flow ...Redirecting to /
2021-06-24 06:54:35,403 [http-nio-8080-exec-6] DEBUG 
  responseClass=org.apache.catalina.connector.ResponseFacade ; committed=true
  ; httpStatus=302 ; contentType=null ; locale=en_US
  [header] Access-Control-Allow-Credentials=true
  [header] Access-Control-Allow-Headers=Origin, Content-Type, Accept, Authorization, X-Requested-With
  [header] Access-Control-Allow-Methods=GET, POST, OPTIONS, DELETE, PUT
  [header] Access-Control-Allow-Origin=*
  [header] Access-Control-Max-Age=3600
  [header] Location=/
  [header] Set-Cookie=JSESSIONID=CA2BDAA92F90C2F73AAD1D810A66B750; Path=/; HttpOnly
  [request] VirtualHostValue=
  [request] lastaflute.action.ACTION_RUMTIME=runtime:{/login/, public HtmlResponse LoginAction@login(LoginForm), pathParam:{{}}, HtmlResponse:{redirect:{/, INNER}}, display=[searchLogSupport, favoriteSupport, thumbnailSupport, popularWords]}
  [request] lastaflute.action.FIRST_SUBMITTED_MARK=java.lang.Object@71b083aa
  [request] lastaflute.action.USER_LOCALE=de
  [request] lastaflute.config.ACTION_EXECUTE=execute:{public HtmlResponse LoginAction@login(LoginForm), urlPattern:{login, ^login$}}@1b6ab40c
  [request] lastaflute.dbflute.SQL_COUNT={total=0}
  [request] login_loginAction=org.codelibs.fess.app.web.login.LoginAction@2649e128
  [request] login_loginAction_login_Form=VirtualForm:{formMeta:{login_loginAction_login_Form, org.codelibs.fess.app.web.login.LoginForm, props=3}, realForm=org.codelibs.fess.app.web.login.LoginForm@1303e2e6}@3213cb1e
  [request] userRoles=[1guest, Rguest]
  [session] lastaflute.action.USER_BEAN.FessUserBean={userId=heinz.miller, sync=2021/06/24 06:54:35}@3d740e60
  [session] lastaflute.action.USER_LOCALE=de
* * * * * * * * * * {END}: /login/ [00m00s134ms]


2021-06-24 06:54:35,415 [http-nio-8080-exec-7] DEBUG * * * * * * * * * * {BEGIN}: /
  requestClass=org.apache.catalina.connector.RequestFacade ; sessionId=CA2BDAA92F90C2F73AAD1D810A66B750
  ; url=http://centos8:8080/
  ; method=GET ; protocol=HTTP/1.1 ; scheme=http ; secure=false ; remoteAddr=192.168.110.101 ; remoteHost=192.168.110.101
  ; characterEncoding=UTF-8 ; contentLength=-1 ; contentType=null ; locale=de ; locales=de,en_US,en
  [header] accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  [header] accept-encoding=gzip, deflate
  [header] accept-language=de,en-US;q=0.7,en;q=0.3
  [header] connection=keep-alive
  [header] cookie=JSESSIONID=CA2BDAA92F90C2F73AAD1D810A66B750
  [header] host=centos8:8080
  [header] referer=http://centos8:8080/login/
  [header] upgrade-insecure-requests=1
  [header] user-agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
  [cookie] JSESSIONID=CA2BDAA92F90C2F73AAD1D810A66B750
  [session] lastaflute.action.USER_BEAN.FessUserBean={userId=heinz.miller, sync=2021/06/24 06:54:35}@3d740e60
  [session] lastaflute.action.USER_LOCALE=de
2021-06-24 06:54:35,417 [http-nio-8080-exec-7] DEBUG ...Routing to action: name=rootAction params=null
2021-06-24 06:54:35,419 [http-nio-8080-exec-7] DEBUG ...Saving user locale to session: de
2021-06-24 06:54:35,421 [http-nio-8080-exec-7] DEBUG #flow ...Calling back #before for RootAction
2021-06-24 06:54:35,422 [http-nio-8080-exec-7] DEBUG refresh user info: false
2021-06-24 06:54:35,424 [http-nio-8080-exec-7] DEBUG roleSet: [2Domänen-Admins, 2Schema-Admins, 2Gäste, 2Finanzen, 2System Managed Accounts Group, 2Abgelehnte RODC-Kennwortreplikationsgruppe, RFessVerwaltung, 2Organisations-Admins, 1heinz.miller, 2FessVerwaltung, 2Administratoren, 2Richtlinien-Ersteller-Besitzer]
2021-06-24 06:54:35,434 [http-nio-8080-exec-7] DEBUG Begin transaction: [FormatId=4360, GlobalId=1624517003313/31, BranchId=]
2021-06-24 06:54:35,436 [http-nio-8080-exec-7] DEBUG #flow ...Beginning #action RootAction@index()
2021-06-24 06:54:35,437 [http-nio-8080-exec-7] DEBUG Commit transaction: [FormatId=4360, GlobalId=1624517003313/31, BranchId=]
2021-06-24 06:54:35,439 [http-nio-8080-exec-7] DEBUG #flow ...Calling back #finally for RootAction
2021-06-24 06:54:35,443 [http-nio-8080-exec-7] DEBUG #flow ...Forwarding to #jsp /index.jsp
2021-06-24 06:54:35,459 [http-nio-8080-exec-7] DEBUG 
  responseClass=org.apache.catalina.connector.ResponseFacade ; committed=true
  ; httpStatus=200 ; contentType=text/html;charset=UTF-8 ; locale=en_US
  [header] Cache-Control=no-cache, no-store
  [header] Connection=keep-alive
  [header] Content-Type=text/html;charset=UTF-8
  [header] Date=Thu, 24 Jun 2021 06:54:35 GMT
  [header] Expires=Thu, 01 Dec 1994 16:00:00 GMT
  [header] Keep-Alive=timeout=60
  [header] Pragma=no-cache
  [header] Transfer-Encoding=chunked
  [request] VirtualHostValue=
  [request] adminUser=false
  [request] as={}
  [request] conditions={}
  [request] developmentMode=false
  [request] displayLabelTypeItems=false
  [request] editableUser=false
  [request] eoled=false
  [request] extraQueries=[]
  [request] facetInfo=FacetInfo [field=[label], query=[timestamp:[now/d-1d TO *], timestamp:[now/d-7d TO *], timestamp:[now/d-1M TO *], timestamp:[now/d-1y TO *], content_length:[0 TO 9999], content_length:[10000 TO 99999], content_length:[100000 TO 499999], content_length:[500000 TO 999999], content_length:[1000000 TO *], filetype:html, filetype:word, filetype:excel, filetype:powerpoint, filetype:odt, filetype:ods, filetype:odp, filetype:pdf, filetype:txt, filetype:fb2, filetype:epub, filetype:ibooks, filetype:rtf, ...
  [request] favoriteSupport=false
  [request] fess.FacetForm=
  [request] fess.GeoForm=
  [request] fess.LabelValueMap={}
  [request] fields={}
  [request] geoInfo=org.codelibs.fess.entity.GeoInfo@74f0b78a
  [request] highlightInfo=org.codelibs.fess.entity.HighlightInfo@22d66d48
  [request] installationLink=https://fess.codelibs.org/13.13/install/install.html
  [request] labelTypeItems=[]
  [request] langItems=[{value=all, label=Alle Sprachen}, {value=ar, label=Arabisch}, {value=bg, label=Bulgarisch}, {value=bn, label=Bengalisch}, {value=ca, label=Katalanisch}, {value=ckb_IQ, label=Zentralkurdisch (Irak)}, {value=cs, label=Tschechisch}, {value=da, label=Dänisch}, {value=de, label=Deutsch}, {value=el, label=Griechisch}, {value=en_IE, label=Englisch (Irland)}, {value=en, label=Englisch}, {value=es, label=Spanisch}, {value=et, label=Estnisch}, {value=eu, label=Baskisch}, {value=fa, label=Persisch}, {valu...
  [request] languages=[]
  [request] lastaflute.action.ACTION_RUMTIME=runtime:{/, public HtmlResponse RootAction@index(), pathParam:{{}}, HtmlResponse:{forward:{/index.jsp}}, display=[searchLogSupport, favoriteSupport, thumbnailSupport, popularWords, notification, developmentMode, installationLink, eoled, osddLink, labelTypeItems, displayLabelTypeItems, langItems, username, editableUser, adminUser, pageLoginLink]}
  [request] lastaflute.action.PUSHED_ACTION_FORM=VirtualForm:{formMeta:{rootAction_index_Form, org.codelibs.fess.app.web.base.SearchForm, props=24}, realForm=org.codelibs.fess.app.web.base.SearchForm@57a73dd9}@77f4677f
  [request] lastaflute.action.USER_LOCALE=de
  [request] lastaflute.config.ACTION_EXECUTE=execute:{public HtmlResponse RootAction@index(), urlPattern:{, ^$}}@6babbc5f
  [request] lastaflute.dbflute.SQL_COUNT={total=0}
  [request] locale=de
  [request] notification=
  [request] osddLink=true
  [request] pageLoginLink=true
  [request] pageSize=10
  [request] popularWords=[]
  [request] rootAction=org.codelibs.fess.app.web.RootAction@269a9c40
  [request] rootAction_index_Form=VirtualForm:{formMeta:{rootAction_index_Form, org.codelibs.fess.app.web.base.SearchForm, props=24}, realForm=org.codelibs.fess.app.web.base.SearchForm@57a73dd9}@77f4677f
  [request] searchLogSupport=true
  [request] startPosition=0
  [request] thumbnailSupport=false
  [request] type=SEARCH
  [request] userRoles=[2Domänen-Admins, 2Schema-Admins, 2Gäste, 2Finanzen, 2System Managed Accounts Group, 2Abgelehnte RODC-Kennwortreplikationsgruppe, RFessVerwaltung, 2Organisations-Admins, 1heinz.miller, 2FessVerwaltung, 2Administratoren, 2Richtlinien-Ersteller-Besitzer]
  [request] username=heinz.miller
  [session] lastaflute.action.USER_BEAN.FessUserBean={userId=heinz.miller, sync=2021/06/24 06:54:35}@3d740e60
  [session] lastaflute.action.USER_LOCALE=de
* * * * * * * * * * {END}: / [00m00s044ms]


2021-06-24 06:54:36,364 [pool-6-thread-1] DEBUG Group Filter: (|(objectCategory=group)(objectCategory=group)(objectCategory=group)(objectCategory=group)(objectCategory=group)(objectCategory=group)(objectCategory=group)(objectCategory=group)(objectCategory=group)(objectCategory=group)(objectCategory=group))
2021-06-24 06:54:36,401 [pool-6-thread-1] DEBUG LDAP search[25ms]: cn=Users,dc=em,dc=pri - (|(objectCategory=group)(objectCategory=group)(objectCategory=group)(objectCategory=group)(objectCategory=group)(objectCategory=group)(objectCategory=group)(objectCategory=group)(objectCategory=group)(objectCategory=group)(objectCategory=group))
2021-06-24 06:54:36,402 [pool-6-thread-1] DEBUG groupDn: CN=Domänencomputer,CN=Users,DC=em,DC=pri
2021-06-24 06:54:36,403 [pool-6-thread-1] DEBUG Search Role: 2:Domänencomputer=2Domänencomputer
2021-06-24 06:54:36,404 [pool-6-thread-1] DEBUG groupDn: CN=Domänencontroller,CN=Users,DC=em,DC=pri
2021-06-24 06:54:36,406 [pool-6-thread-1] DEBUG Search Role: 2:Domänencontroller=2Domänencontroller
2021-06-24 06:54:36,407 [pool-6-thread-1] DEBUG groupDn: CN=Schema-Admins,CN=Users,DC=em,DC=pri
2021-06-24 06:54:36,421 [pool-6-thread-1] DEBUG Search Role: 2:Schema-Admins=2Schema-Admins
2021-06-24 06:54:36,423 [pool-6-thread-1] DEBUG groupDn: CN=Organisations-Admins,CN=Users,DC=em,DC=pri
2021-06-24 06:54:36,424 [pool-6-thread-1] DEBUG Search Role: 2:Organisations-Admins=2Organisations-Admins
2021-06-24 06:54:36,425 [pool-6-thread-1] DEBUG groupDn: CN=Zertifikatherausgeber,CN=Users,DC=em,DC=pri
2021-06-24 06:54:36,426 [pool-6-thread-1] DEBUG Search Role: 2:Zertifikatherausgeber=2Zertifikatherausgeber
2021-06-24 06:54:36,427 [pool-6-thread-1] DEBUG groupDn: CN=Domänen-Admins,CN=Users,DC=em,DC=pri
2021-06-24 06:54:36,428 [pool-6-thread-1] DEBUG Search Role: 2:Domänen-Admins=2Domänen-Admins
2021-06-24 06:54:36,429 [pool-6-thread-1] DEBUG groupDn: CN=Domänen-Benutzer,CN=Users,DC=em,DC=pri
2021-06-24 06:54:36,430 [pool-6-thread-1] DEBUG Search Role: 2:Domänen-Benutzer=2Domänen-Benutzer
2021-06-24 06:54:36,431 [pool-6-thread-1] DEBUG groupDn: CN=Domänen-Gäste,CN=Users,DC=em,DC=pri
2021-06-24 06:54:36,432 [pool-6-thread-1] DEBUG Search Role: 2:Domänen-Gäste=2Domänen-Gäste
2021-06-24 06:54:36,433 [pool-6-thread-1] DEBUG groupDn: CN=Richtlinien-Ersteller-Besitzer,CN=Users,DC=em,DC=pri
2021-06-24 06:54:36,434 [pool-6-thread-1] DEBUG Search Role: 2:Richtlinien-Ersteller-Besitzer=2Richtlinien-Ersteller-Besitzer
2021-06-24 06:54:36,435 [pool-6-thread-1] DEBUG groupDn: CN=RAS- und IAS-Server,CN=Users,DC=em,DC=pri
2021-06-24 06:54:36,435 [pool-6-thread-1] DEBUG Search Role: 2:RAS- und IAS-Server=2RAS- und IAS-Server
2021-06-24 06:54:36,436 [pool-6-thread-1] DEBUG groupDn: CN=Zulässige RODC-Kennwortreplikationsgruppe,CN=Users,DC=em,DC=pri
2021-06-24 06:54:36,437 [pool-6-thread-1] DEBUG Search Role: 2:Zulässige RODC-Kennwortreplikationsgruppe=2Zulässige RODC-Kennwortreplikationsgruppe
2021-06-24 06:54:36,439 [pool-6-thread-1] DEBUG groupDn: CN=Abgelehnte RODC-Kennwortreplikationsgruppe,CN=Users,DC=em,DC=pri
2021-06-24 06:54:36,440 [pool-6-thread-1] DEBUG Search Role: 2:Abgelehnte RODC-Kennwortreplikationsgruppe=2Abgelehnte RODC-Kennwortreplikationsgruppe
2021-06-24 06:54:36,441 [pool-6-thread-1] DEBUG groupDn: CN=Schreibgeschützte Domänencontroller,CN=Users,DC=em,DC=pri
2021-06-24 06:54:36,442 [pool-6-thread-1] DEBUG Search Role: 2:Schreibgeschützte Domänencontroller=2Schreibgeschützte Domänencontroller
2021-06-24 06:54:36,443 [pool-6-thread-1] DEBUG groupDn: CN=Schreibgeschützte Domänencontroller der Organisation,CN=Users,DC=em,DC=pri
2021-06-24 06:54:36,444 [pool-6-thread-1] DEBUG Search Role: 2:Schreibgeschützte Domänencontroller der Organisation=2Schreibgeschützte Domänencontroller der Organisation
2021-06-24 06:54:36,445 [pool-6-thread-1] DEBUG groupDn: CN=Klonbare Domänencontroller,CN=Users,DC=em,DC=pri
2021-06-24 06:54:36,446 [pool-6-thread-1] DEBUG Search Role: 2:Klonbare Domänencontroller=2Klonbare Domänencontroller
2021-06-24 06:54:36,447 [pool-6-thread-1] DEBUG groupDn: CN=Protected Users,CN=Users,DC=em,DC=pri
2021-06-24 06:54:36,448 [pool-6-thread-1] DEBUG Search Role: 2:Protected Users=2Protected Users
2021-06-24 06:54:36,449 [pool-6-thread-1] DEBUG groupDn: CN=Schlüsseladministratoren,CN=Users,DC=em,DC=pri
2021-06-24 06:54:36,450 [pool-6-thread-1] DEBUG Search Role: 2:Schlüsseladministratoren=2Schlüsseladministratoren
2021-06-24 06:54:36,450 [pool-6-thread-1] DEBUG groupDn: CN=Unternehmenssschlüsseladministratoren,CN=Users,DC=em,DC=pri
2021-06-24 06:54:36,451 [pool-6-thread-1] DEBUG Search Role: 2:Unternehmenssschlüsseladministratoren=2Unternehmenssschlüsseladministratoren
2021-06-24 06:54:36,453 [pool-6-thread-1] DEBUG groupDn: CN=DnsAdmins,CN=Users,DC=em,DC=pri
2021-06-24 06:54:36,454 [pool-6-thread-1] DEBUG Search Role: 2:DnsAdmins=2DnsAdmins
2021-06-24 06:54:36,455 [pool-6-thread-1] DEBUG groupDn: CN=DnsUpdateProxy,CN=Users,DC=em,DC=pri
2021-06-24 06:54:36,456 [pool-6-thread-1] DEBUG Search Role: 2:DnsUpdateProxy=2DnsUpdateProxy
2021-06-24 06:54:36,457 [pool-6-thread-1] DEBUG groupDn: CN=DHCP-Benutzer,CN=Users,DC=em,DC=pri
2021-06-24 06:54:36,458 [pool-6-thread-1] DEBUG Search Role: 2:DHCP-Benutzer=2DHCP-Benutzer
2021-06-24 06:54:36,460 [pool-6-thread-1] DEBUG groupDn: CN=DHCP-Administratoren,CN=Users,DC=em,DC=pri
2021-06-24 06:54:36,461 [pool-6-thread-1] DEBUG Search Role: 2:DHCP-Administratoren=2DHCP-Administratoren
2021-06-24 06:54:36,463 [pool-6-thread-1] DEBUG role(lazy loading): [2Domänen-Admins, 2Schreibgeschützte Domänencontroller der Organisation, 2Zertifikatherausgeber, RFessVerwaltung, 2Domänencontroller, 2FessVerwaltung, 2DnsUpdateProxy, 2Zulässige RODC-Kennwortreplikationsgruppe, 2Schema-Admins, 2DHCP-Administratoren, 2Domänen-Benutzer, 2Organisations-Admins, 2Klonbare Domänencontroller, 2Unternehmenssschlüsseladministratoren, 2RAS- und IAS-Server, 2Schlüsseladministratoren, 2Domänencomputer, 2Richtlinien-Ersteller-Besitzer, 2Finanzen, 2System Managed Accounts Group, 2DnsAdmins, 2Domänen-Gäste, 2Protected Users, 2DHCP-Benutzer, 2Administratoren, 2Gäste, 2Abgelehnte RODC-Kennwortreplikationsgruppe, 1heinz.miller, 2Schreibgeschützte Domänencontroller]
2021-06-24 06:54:38,953 [http-nio-8080-exec-4] DEBUG * * * * * * * * * * {BEGIN}: /admin/crawlinginfo/
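An added check over the audit.log format shown in the post above (example code written for this page, not Fess's own). It parses the tab-separated `action:` / `user:` / `permissions:` fields, splits the permission list on `|`, and classifies each token by the prefix convention visible in the fess.log debug output (`1` = user principal, `2` = LDAP group, `R` = Fess role). It then reports every group a user was granted that is not in an expected-membership table, and which of those are privileged. The expected-membership table, the privileged-group list and the second log line are constructed assumptions for this example; the first log line is the one from the post.

```python
"""Flag audit.log LOGIN / UPDATE_PERMISSION entries whose granted groups exceed AD membership.

Added example for this thread; not part of Fess. Assumptions: EXPECTED_GROUPS is filled from
AD (e.g. from the PowerShell group listing mentioned in the post), PRIVILEGED_GROUPS is a
local policy list, and the second sample line is constructed.
"""
from dataclasses import dataclass, field

# Groups an ordinary account must never receive (names as they appear in the thread's logs).
PRIVILEGED_GROUPS = {
    "Domänen-Admins", "Organisations-Admins", "Schema-Admins", "Administratoren",
}

# Assumption: what AD actually says about each account.
EXPECTED_GROUPS = {
    "heinz.miller": {"Domänen-Benutzer"},
    "anna.schmidt": {"Domänen-Benutzer"},
}

SAMPLE_AUDIT_LOG = [
    # Line from the thread's audit.log: an ordinary user granted every group Fess found.
    "\t".join([
        "action:LOGIN", "user:heinz.miller",
        "permissions:2Domänen-Admins|2Schema-Admins|2Gäste|2Finanzen|2System Managed Accounts Group"
        "|2Abgelehnte RODC-Kennwortreplikationsgruppe|RFessVerwaltung|2Organisations-Admins"
        "|1heinz.miller|2FessVerwaltung|2Administratoren|2Richtlinien-Ersteller-Besitzer|1heinz.miller",
        "ip:192.168.110.101", "time:2021-06-23T14:55:32.650865Z",
    ]),
    # Constructed line for comparison: a user whose grant matches her AD membership.
    "\t".join([
        "action:LOGIN", "user:anna.schmidt",
        "permissions:2Domänen-Benutzer|1anna.schmidt",
        "ip:192.168.110.102", "time:2021-06-23T15:01:10.000000Z",
    ]),
]


@dataclass
class AuditEntry:
    action: str
    user: str
    users: set = field(default_factory=set)   # '1' prefix: user principals
    groups: set = field(default_factory=set)  # '2' prefix: LDAP groups
    roles: set = field(default_factory=set)   # 'R' prefix: Fess roles


@dataclass
class Finding:
    action: str
    user: str
    unexpected: list  # groups granted but not listed in EXPECTED_GROUPS
    privileged: list  # subset of unexpected that is in PRIVILEGED_GROUPS


def parse_audit_line(line: str) -> AuditEntry:
    """Split one audit.log line into its key:value fields and classify the permission tokens."""
    fields = {}
    for token in line.rstrip("\n").split("\t"):
        key, _, value = token.partition(":")  # only the first ':' separates key from value
        fields[key] = value
    entry = AuditEntry(action=fields.get("action", ""), user=fields.get("user", ""))
    for perm in filter(None, fields.get("permissions", "").split("|")):
        prefix, name = perm[0], perm[1:]
        if prefix == "1":
            entry.users.add(name)
        elif prefix == "2":
            entry.groups.add(name)
        elif prefix == "R":
            entry.roles.add(name)
    return entry


def check_log(lines, expected=EXPECTED_GROUPS, privileged=PRIVILEGED_GROUPS):
    """Return a Finding for every grant-carrying entry whose groups go beyond AD membership."""
    findings = []
    for line in lines:
        entry = parse_audit_line(line)
        if entry.action not in {"LOGIN", "UPDATE_PERMISSION"}:
            continue
        extra = entry.groups - expected.get(entry.user, set())
        if extra:
            findings.append(Finding(entry.action, entry.user, sorted(extra), sorted(extra & privileged)))
    return findings


if __name__ == "__main__":
    for f in check_log(SAMPLE_AUDIT_LOG):
        print(f"{f.action} {f.user}: {len(f.unexpected)} unexpected group(s), privileged: {f.privileged}")
```

Feed real audit.log lines to `check_log` and fill `EXPECTED_GROUPS` from AD; on the line from the post it reports heinz.miller with ten unexpected groups, four of them privileged, while the constructed anna.schmidt line produces no finding.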

I think it’s your configuration problem…

I'm sorry, but this should not be a configuration problem.

We have a normal Active Directory (Windows Server 2016) and Fess 13.13 (Docker).

The users in the Active Directory have the right permissions, as you can see in the many screenshots.

But Fess is mapping the permissions of the users in the Active Directory wrongly. Fess is applying all the groups and roles that can be found in the AD to a normal user! This is very dangerous and a big problem for security…

We do not see a problem with AD…
If you need support, please contact commercial support.