Bind DN not used when performing ldap search-based authentication

Hi there, I’m attempting to set up a local Para + Scoold deployment with AD authentication. At the moment I can’t get any LDAP authentication to work because it seems like the bind_dn and bind_pass attributes are being ignored. I verified this by setting up a test ldap server (using the bitnami/openldap docker image). My Scoold ldap configuration is as follows:

scoold.security.ldap.server_url = "ldap://ldap:1389/"
scoold.security.ldap.base_dn = "dc=example,dc=org"
scoold.security.ldap.bind_dn = "cn=admin,ou=users,dc=example,dc=org"
scoold.security.ldap.bind_pass = "adminpassword"

In the logs of the ldap server, you can see the bind DN/pass not being passed along (these logs were generated when attempting to log in using ldap on Scoold):

62deb147.148f7ec0 0x7f05c11c4700 conn=1049 fd=12 ACCEPT from IP=10.242.132.150:38336 (IP=0.0.0.0:1389)
62deb147.1496e3a1 0x7f05c09c3700 conn=1049 op=0 BIND dn="" method=128
62deb147.14984e53 0x7f05c09c3700 conn=1049 op=0 RESULT tag=97 err=0 qtime=0.000012 etime=0.000109 text=
62deb147.14e93a60 0x7f05c11c4700 conn=1049 op=1 SRCH base="dc=example,dc=org" scope=2 deref=3 filter="(cn=asd)"
62deb147.14eaa05e 0x7f05c11c4700 conn=1049 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000019 etime=0.000137 nentries=0 text=
62deb147.150990e1 0x7f05c09c3700 conn=1049 op=2 UNBIND

For reference, a successful bind looks like this:

62deb325.159603fa 0x7f05c09c3700 conn=1055 fd=12 ACCEPT from IP=10.242.132.150:43486 (IP=0.0.0.0:1389)
62deb325.1599400d 0x7f05c11c4700 conn=1055 op=0 BIND dn="cn=user01,ou=users,dc=example,dc=org" method=128
62deb325.159b560b 0x7f05c11c4700 conn=1055 op=0 BIND dn="cn=user01,ou=users,dc=example,dc=org" mech=SIMPLE bind_ssf=0 ssf=0
62deb325.159c4143 0x7f05c11c4700 conn=1055 op=0 RESULT tag=97 err=0 qtime=0.000017 etime=0.000234 text=
62deb325.15c0aa4c 0x7f05c09c3700 conn=1055 op=1 UNBIND
62deb325.15c196ef 0x7f05c09c3700 conn=1055 fd=12 closed

Can you see something that I’m maybe doing wrong? Any help would be greatly appreciated.

Scoold version: 1.50.1, Para: v1.46.1

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 8 (8 by maintainers)

Top GitHub Comments

kobus-v-schoor commented, Jul 29, 2022 (1 reaction)

Hi @albogdano, I got it to work, sorry for the confusion - I didn’t realize that it was possible to bind on AD not just using your full DN, but also using just your email address and password.

For those maybe stumbling across this in the future, when AD mode is enabled on Para it will attempt to bind using your-email@ad-domain.com and your password. Since it can bind using just your email it doesn’t need a separate bind dn and password (as one would need for OpenLDAP).
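
The two flows contrasted above, as an added example that is not Para or Scoold code and not the commenter's: an in-memory stand-in for the directory (`FakeDirectory`, `make_directory`, `direct_bind_login` and `search_then_bind_login` are invented names) records what a client sends, in lines shaped like the slapd log quoted in the issue. `direct_bind_login` is the AD-mode behaviour described in the comment, a single bind as `user@domain` with no service account. `search_then_bind_login` is the OpenLDAP-style flow that does need `bind_dn`/`bind_pass`: when those are empty it performs exactly the `BIND dn="" method=128` anonymous bind followed by a search that the issue's log shows. The accounts, passwords and the server policy flags are constructed; the fake server's acceptance of a non-empty name with an empty password as an unauthenticated bind (RFC 4513, section 5.1.2) is modelled deliberately, and both client flows refuse empty passwords so that such a bind can never be mistaken for a successful login.

```python
"""Model of the two LDAP login flows the thread contrasts.

Added example, not Para or Scoold code. FakeDirectory, make_directory,
direct_bind_login and search_then_bind_login are invented names; the
accounts, passwords and log lines are constructed to resemble the slapd
access log quoted in the issue.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BASE_DN = "dc=example,dc=org"
ADMIN_DN = "cn=admin,ou=users,dc=example,dc=org"
USER_DN = "cn=user01,ou=users,dc=example,dc=org"


@dataclass
class FakeDirectory:
    """In-memory stand-in for an LDAP server that records what the client sends."""
    entries: Dict[str, Dict[str, str]]          # dn -> attributes (clear-text password: toy only)
    upn_index: Dict[str, str] = field(default_factory=dict)  # user@domain -> dn, as AD allows
    # Constructed policy: a non-empty name with an empty password is accepted as an
    # *unauthenticated* bind (RFC 4513 section 5.1.2), so the client ends up anonymous
    # while believing it authenticated. Some directories behave this way by default.
    accept_unauthenticated_bind: bool = True
    anonymous_may_search: bool = True
    log: List[str] = field(default_factory=list)

    def bind(self, name: str, password: str) -> Optional[str]:
        """Return the DN now bound ('' means anonymous), or None if the bind failed."""
        self.log.append(f'BIND dn="{name}" method=128')
        if name == "":
            self.log.append("RESULT tag=97 err=0")          # anonymous bind
            return ""
        if password == "":
            if self.accept_unauthenticated_bind:
                self.log.append("RESULT tag=97 err=0")      # succeeds, but only as anonymous
                return ""
            self.log.append("RESULT tag=97 err=53")         # unwillingToPerform
            return None
        dn = self.upn_index.get(name, name)                 # accept a UPN or a full DN
        entry = self.entries.get(dn)
        if entry is not None and entry.get("userPassword") == password:
            self.log.append("RESULT tag=97 err=0")
            return dn
        self.log.append("RESULT tag=97 err=49")             # invalidCredentials
        return None

    def search(self, bound_as: str, base: str, attr: str, value: str) -> List[str]:
        """Subtree search for (attr=value); anonymous callers may be denied by policy."""
        self.log.append(f'SRCH base="{base}" scope=2 filter="({attr}={value})"')
        hits: List[str] = []
        if bound_as != "" or self.anonymous_may_search:
            hits = [dn for dn, e in self.entries.items()
                    if dn.endswith(base) and e.get(attr) == value]
        self.log.append(f"SEARCH RESULT tag=101 err=0 nentries={len(hits)}")
        return hits


def make_directory(**policy) -> FakeDirectory:
    """Fresh directory holding the two accounts from the issue's test server (passwords made up)."""
    return FakeDirectory(
        entries={ADMIN_DN: {"cn": "admin", "userPassword": "adminpassword"},
                 USER_DN: {"cn": "user01", "userPassword": "password1"}},
        upn_index={"user01@example.org": USER_DN},
        **policy,
    )


def direct_bind_login(d: FakeDirectory, upn: str, password: str) -> bool:
    """AD mode as the thread describes it: one bind as user@domain, no service account."""
    if password == "":
        return False                         # never let an empty password reach the server
    return bool(d.bind(upn, password))       # '' (anonymous) and None both mean "not logged in"


def search_then_bind_login(d: FakeDirectory, bind_dn: str, bind_pass: str,
                           username: str, password: str) -> bool:
    """OpenLDAP-style flow: bind as the service account, look the user up, rebind as the user."""
    if password == "":
        return False
    service = d.bind(bind_dn, bind_pass)     # bind_dn == "" gives the BIND dn="" seen in the issue
    if service is None:
        return False
    hits = d.search(service, BASE_DN, "cn", username)
    if len(hits) != 1:                       # unknown user, or an ambiguous filter: refuse
        return False
    return bool(d.bind(hits[0], password))


if __name__ == "__main__":
    d = make_directory()
    print("AD-style login:", direct_bind_login(d, "user01@example.org", "password1"))
    d = make_directory()
    print("search+bind without service creds:", search_then_bind_login(d, "", "", "asd", "x"))
    print("\n".join(d.log))                  # BIND dn="" then the search, as in the issue's log
```

Reading a real access log with this model in mind: a `BIND dn="" method=128` immediately before an `SRCH` is the signature of a search-based flow running without service credentials. Whether that is a bug or intended depends on whether the directory allows anonymous search at all; if it does not, the search returns `nentries=0` for every user and logins fail exactly as reported. The empty-password check in both client functions is the one piece that is not specific to either directory: a server that honours unauthenticated binds will answer `err=0` to a valid DN with no password, and a client that treats any `err=0` as "logged in" turns that into an authentication bypass.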

albogdano commented, Jul 29, 2022 (0 reactions)

Yes, exactly. LDAP is indeed a bit confusing at times. Thank you for the detailed notes! 👍
