In my case, LDAP is not working; I am getting an error:
odfe-node1 | [2019-04-24T10:41:51,543][WARN ][c.a.d.a.l.b.LDAPAuthorizationBackend] [e30M2PP] Unable to connect to ldapserver 192.168.36.30:389 due to [org.ldaptive.LdapException@789669260::resultCode=INVALID_CREDENTIALS, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 ], providerException=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 ]]. Try next.
My configuration:
authc:
  ldap:
    enabled: true
    transport_enabled: false
    order: 1
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: ldap
      config:
        enable_ssl: false
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        hosts:
          - 192.168.0.30:389
        bind_dn: cn=user,dc=domain,dc=com
        password: password
        userbase: 'ou=people,dc=domain,dc=com'
        usersearch: '(sAMAccountName={0})'
        username_attribute: uid
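The WARN line above carries two pieces of information an operator usually needs: the LDAP result code (49, invalidCredentials) and the Active Directory sub-code after "data" (here 52e), which narrows down why the bind was rejected. The following script is an added example, not code from the thread or from the Open Distro plugin; it parses that log format and maps the sub-code to the commonly documented AD meanings. The sample line is the one posted above, re-joined onto a single line.

```python
import re

# Constructed sample: the WARN line from the post above, joined onto one line.
SAMPLE_LOG = (
    "[2019-04-24T10:41:51,543][WARN ][c.a.d.a.l.b.LDAPAuthorizationBackend] [e30M2PP] "
    "Unable to connect to ldapserver 192.168.36.30:389 due to [org.ldaptive.LdapException"
    "@789669260::resultCode=INVALID_CREDENTIALS, matchedDn=null, responseControls=null, "
    "referralURLs=null, messageId=-1, message=javax.naming.AuthenticationException: "
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: "
    "AcceptSecurityContext error, data 52e, v2580 ]]. Try next."
)

# Commonly documented Active Directory sub-codes that accompany LDAP result 49.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or bind DN is not the account's real DN)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Host:port the plugin tried, the LDAP result code, the AD hex code and the sub-code.
_PATTERN = re.compile(
    r"ldapserver (?P<host>\S+?):(?P<port>\d+).*?"
    r"error code (?P<code>\d+) - (?P<hex>[0-9A-Fa-f]+).*?"
    r"data (?P<sub>[0-9a-fA-F]+)",
    re.DOTALL,
)


def diagnose(line):
    """Return a dict describing the AD bind failure in one log line, or None if it is not one."""
    m = _PATTERN.search(line)
    if m is None:
        return None
    sub = m.group("sub").lower()
    return {
        "host": m.group("host"),
        "port": int(m.group("port")),
        "result_code": int(m.group("code")),
        "subcode": sub,
        "cause": AD_BIND_SUBCODES.get(sub, "unknown sub-code"),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

A 52e on the bind_dn account (as opposed to 525, 533 or 775) points at the DN or password used for the bind itself, which is consistent with the fix reported later in this thread.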
You may want to re-check those creds for a bind/admin user on your LDAP side.
Credentials are correct, but LDAP is still not working.
Finally, LDAP auth started working after changing the CN to the full name.
https://stackoverflow.com/questions/31411665/ldap-error-code-49-80090308-ldaperr-dsid-0c0903a9-comment-acceptsecurityc
ldap:
  enabled: true
  order: 1
  http_authenticator:
    type: basic
    challenge: false
  authentication_backend:
    type: ldap
    config:
      hosts:
        - 192.168.0.1:389
      bind_dn: cn=Firstname Lastname,ou=Companyusers,dc=domain,dc=com
      password: password
      userbase: 'ou=Companyusers,dc=domain,dc=com'
      usersearch: '(sAMAccountName={0})'
      username_attribute: cn
Hello, thanks for sharing!
Can you explain to me how you map LDAP accounts to their roles and tenants?
I think I managed to connect my Active Directory, because it says that my account has “No tenant” but I have no idea how to match accounts to their specific roles.
Thank you.
Thi
At the moment I'm only working on that. Will provide information when I succeed.
Nice article from AWS with an example of LDAP authorization:
In my case I map an LDAP group to a role.
I have a group UA located in OU=Country, and my users are members of group UA.
authz:
  roles_from_myldap:
    enabled: true
    transport_enabled: false
    authorization_backend:
      type: ldap
      config:
        enable_ssl: false
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        hosts:
          - "192.168.0.0:389"
        bind_dn: "cn=user user,OU=Country,dc=domain,dc=com"
        password: "password"
        userbase: "OU=Country,dc=domain,dc=com"
        usersearch: "(uid={0})"
        rolebase: "OU=Country,dc=domain,dc=com"
        rolesearch: "(member={0})"
        userrolename: "memberOf"
        rolename: "cn"
zzayale
September 11, 2019, 9:42am
Replace “OU=Companyusers” with “CN=Companyusers”.
Hi ogulman,
can you please share your LDAP configuration (authc, authz) with opendistroforelasticsearch?
ogulman
October 21, 2019, 3:10pm
Hi, the auth/authz configuration you can find in the comments above; in the Kibana UI I map the AD group name to a role. Is it clear?
I have this same issue; however, the resolution did not work for me.