LDAP configuration

In my case, LDAP is not working, getting an error:

odfe-node1 | [2019-04-24T10:41:51,543][WARN ][c.a.d.a.l.b.LDAPAuthorizationBackend] [e30M2PP] Unable to connect to ldapserver 192.168.36.30:389 due to [org.ldaptive.LdapException@789669260::resultCode=INVALID_CREDENTIALS, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 ], providerException=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 ]]. Try next.

My configuration:

authc:
  ldap:
    enabled: true
    transport_enabled: false
    order: 1
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: ldap
      config:
        enable_ssl: false
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        hosts:
          - 192.168.0.30:389
        bind_dn: cn=user,dc=domain,dc=com
        password: password
        userbase: 'ou=people,dc=domain,dc=com'
        usersearch: '(sAMAccountName={0})'
        username_attribute: uid
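The WARN line above says "Unable to connect", but the real cause is in the nested message: result code 49 with Active Directory sub-status `data 52e`, which is returned for the plugin's own bind with `bind_dn`/`password`, not for an end user. The following parser is an added example (not part of this post or of the Security plugin); the sample log line is constructed from the message quoted above, and the sub-status table lists the well-known AD `AcceptSecurityContext` codes.

```python
import re

# Well-known sub-status codes Active Directory puts after "data" in the
# "AcceptSecurityContext error" comment of an LDAP result code 49 (bind failure).
AD_BIND_SUBSTATUS = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password or a bind DN that does not resolve)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the JNDI/ldaptive exception text embedded in the plugin's WARN line.
LDAP_ERR_RE = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<hex>[0-9A-Fa-f]+): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), "
    r"data (?P<data>[0-9A-Fa-f]+)"
)

# Constructed sample, shortened from the log line quoted in the post above.
SAMPLE_LOG = (
    "[WARN ][c.a.d.a.l.b.LDAPAuthorizationBackend] Unable to connect to ldapserver "
    "192.168.36.30:389 due to [... message=javax.naming.AuthenticationException: "
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: "
    "AcceptSecurityContext error, data 52e, v2580 ]]. Try next."
)


def diagnose_bind_error(log_line: str) -> dict:
    """Extract the AD bind-failure details from one Security plugin log line.

    Returns the LDAP result code, the AD sub-status and its meaning, or {} when
    the line carries no such error. Because the bind is done with the service
    account from the config, a 52e here points at bind_dn/password, not at the
    user who tried to log in.
    """
    m = LDAP_ERR_RE.search(log_line)
    if not m:
        return {}
    data = m.group("data").lower()
    return {
        "result_code": int(m.group("code")),
        "dsid": m.group("dsid"),
        "ad_data": data,
        "meaning": AD_BIND_SUBSTATUS.get(data, "unknown sub-status"),
    }


if __name__ == "__main__":
    print(diagnose_bind_error(SAMPLE_LOG))
```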

You may want to re-check those creds to a bind/admin user on your ldap side.

Credentials are correct, but LDAP is still not working.

Finally, LDAP auth started working, by changing CN to the full name.
https://stackoverflow.com/questions/31411665/ldap-error-code-49-80090308-ldaperr-dsid-0c0903a9-comment-acceptsecurityc

  ldap:
    enabled: true
    order: 1
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: ldap
      config:
        hosts:
          - 192.168.0.1:389
        bind_dn: cn=Firstname Lastname,ou=Companyusers,dc=domain,dc=com
        password: password
        userbase: 'ou=Companyusers,dc=domain,dc=com'
        usersearch: '(sAMAccountName={0})'
        username_attribute: cn

Hello, thanks for sharing!
Can you explain to me how you map LDAP accounts to their roles and tenants?
I think I managed to connect my Active Directory, because it says that my account has “No tenant” but I have no idea how to match accounts to their specific roles.

Thank you.
Thi

At the moment I'm working on just that. Will provide information when I succeed.

Nice article from AWS with an example of LDAP authorization:

In my case I map an LDAP group to a role.
I have a group UA located in OU=Country, and my users are members of group UA.

authz:
  roles_from_myldap:
    enabled: true
    transport_enabled: false
    authorization_backend:
      type: ldap
      config:
        enable_ssl: false
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        hosts:
          - "192.168.0.0:389"
        bind_dn: "cn=user user,OU=Country,dc=domain,dc=com"
        password: "password"
        userbase: "OU=Country,dc=domain,dc=com"
        usersearch: "(uid={0})"
        rolebase: "OU=Country,dc=domain,dc=com"
        rolesearch: "(member={0})"
        userrolename: "memberOf"
        rolename: "cn"

Replace “OU=Companyusers” with “CN=Companyusers”.

Hi ogulman,
can you please share your LDAP configuration (authc, authz) with opendistroforelasticsearch?

Hi, the auth/authz configuration you can find in the comments above; in the Kibana UI I map the AD group name to a role. Is it clear?

I have this same issue however the resolution did not work for me.