Deployment with docker-compose: authentication with LDAP does not work

I have deployed scoold with docker-compose and it seems up and running: I can sign up, get the verification link via email, and log in.

Now I am trying to get LDAP authentication working but got stuck.

(1) I have tested that connection to ldap works with ldapsearch:

ldapsearch -H ldap://192.168.30.10:7389 \
-x -D "uid=scoold,cn=users,dc=xyz,dc=com" \
-b "dc=xyz,dc=com" \
-w PASSWORD \
'(uid=abc)'

(2) my LDAP config in scoold-application.conf is:

para.security.ldap.server_url = "ldap://192.168.30.10:7389/"
para.security.ldap.base_dn = "dc=xyz,dc=com"
para.security.ldap.bind_dn = "uid=scoold,cn=users,dc=xyz,dc=com"
para.security.ldap.bind_pass = "PASSWORD"
para.security.ldap.user_search_base = "cn=users,dc=xyz,dc=com"
para.security.ldap.user_search_filter = "(uid={0})"
#para.security.ldap.user_dn_pattern = "uid={0}"
para.security.ldap.password_attribute = "userPassword"

(3) I enabled debugging by having this line in scoold.env: JAVA_OPTS=-Dconfig.file=/scoold/application.conf -Dlogging.level.com.erudika.para.client=DEBUG

(4) when docker-compose started, the following info was in the log:

security.ldap.bind_dn=uid=scoold,cn=users,dc=xyz,dc=com
security.ldap.admins_group_node=
security.ldap.password_attribute=userPassword
security.ldap.server_url=ldap://192.168.30.10:7389
security.ldap.bind_pass=PASSWORD
security.ldap.base_dn=dc=xyz,dc=com
security.ldap.active_directory_domain=
security.ldap.user_dn_pattern=uid={0}
security.ldap.mods_group_node=
security.ldap.user_search_filter=(uid={0})
security.ldap.user_search_base=cn=users,dc=xyz,dc=com
security.ldap.username_as_name=false

(5) when user abc tried to log in, I got this in the log:

scoold_1  | 2020-07-28 22:48:30 [DEBUG] POST /jwt_auth, entity: Entity{entity={provider=ldap, appid=app:scoold, token=abc:ABC_PASS}, variant=Variant[mediaType=application/json, language=null, encoding=null], annotations=[]}
para_1    | 2020-07-28 22:48:30 [WARN ] Failed to authenticate user with LDAP server: [LDAP: error code 32 - No Such Object]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'cn=users,dc=xyz,dc=com'
para_1    | 2020-07-28 22:48:30 [INFO ] Failed to authenticate 'abc' with LDAP server: LDAP user not found.
scoold_1  | 2020-07-28 22:48:31 [ERROR] 400 - Failed to authenticate user with 'ldap'. Check if user is active.

I cannot think of any other reason than the user with DN uid=scoold,cn=users,dc=xyz,dc=com cannot connect to the LDAP server. Therefore I have checked the login credentials many, many times and I am sure they are correct.

Any hint what else I could try to troubleshoot this problem?
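
The startup dump and the DEBUG request line quoted above both carry credentials in clear text (`bind_pass` and the `token=user:password` pair). The following is an added example, not part of the original issue or of Scoold/Para: a filter that redacts those two fields before such logs are shared or shipped. The sample lines are constructed after the log format shown above.

```python
import re

# Patterns modelled on the two log shapes quoted in the issue (assumption:
# other Para/Scoold log lines may expose secrets in shapes not covered here).
PATTERNS = [
    # Startup config dump: security.ldap.bind_pass=<secret>
    ("bind_pass", re.compile(r"(\bbind_pass\s*=\s*)(\S+)")),
    # DEBUG request entity: token=<user>:<password>, redacted up to the closing
    # brace; over-redaction is preferred to leaking a password containing ','.
    ("ldap_token", re.compile(r"(\btoken=[^:,}\s]+:)([^}]+)")),
]

def redact(line):
    """Return (redacted_line, [names of secret fields found])."""
    hits = []
    for name, rx in PATTERNS:
        line, n = rx.subn(lambda m: m.group(1) + "[REDACTED]", line)
        if n:
            hits.append(name)
    return line, hits

def scan(lines):
    """Redact every line; return (clean_lines, {line_no: [fields]})."""
    clean, findings = [], {}
    for no, line in enumerate(lines, 1):
        out, hits = redact(line)
        clean.append(out)
        if hits:
            findings[no] = hits
    return clean, findings

# Constructed sample lines in the format of the logs quoted in the issue.
SAMPLE = [
    "security.ldap.bind_dn=uid=scoold,cn=users,dc=xyz,dc=com",
    "security.ldap.bind_pass=PASSWORD",
    "scoold_1  | 2020-07-28 22:48:30 [DEBUG] POST /jwt_auth, entity: "
    "Entity{entity={provider=ldap, appid=app:scoold, token=abc:ABC_PASS}, "
    "variant=Variant[mediaType=application/json]}",
    "para_1    | 2020-07-28 22:48:30 [INFO ] Failed to authenticate 'abc' "
    "with LDAP server: LDAP user not found.",
]

if __name__ == "__main__":
    clean, findings = scan(SAMPLE)
    print("\n".join(clean))
    print(findings)
```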

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 7 (3 by maintainers)

Top GitHub Comments

1 reaction
hth2 commented, Jul 29, 2020

I finally got it working after countless trial-and-errors. Here is a summary for reference:

  • install method: docker-compose, erudikaltd/scoold:1.39.3, erudikaltd/para:v1.37.0

  • ldap server: openldap-2.4.45 on UCS (which is based on debian)

  • users have DNs as uid=abc,cn=users,dc=xyz,dc=com

  • Java options in scoold.env: JAVA_TOOL_OPTIONS=-Dconfig.file=/scoold/application.conf -Dlogging.level.com.erudika.para.client=DEBUG

  • Java options in para.env (thanks to this post): JAVA_TOOL_OPTIONS=-Dconfig.file=/para/application.conf -Dloader.path=lib -Dlogging.level.org.springframework.ldap=DEBUG -Dlogging.level.org.springframework.security=DEBUG

  • enable debugging on ldap server by having in slapd.conf (which helped me to see the requests from scoold): loglevel any

  • final ldap config:

para.security.ldap.server_url = "ldap://192.168.30.10:7389"
para.security.ldap.base_dn = "cn=users,dc=xyz,dc=com"
para.security.ldap.user_search_filter = "uid={0}"
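
A check over the two configurations quoted on this page, as an added example that is not code from the issue or from Para/Scoold. It assumes that `user_search_base` is resolved relative to `base_dn` (as Spring Security LDAP does); under that assumption the first configuration searches `cn=users,dc=xyz,dc=com,dc=xyz,dc=com`, which would be consistent with the `error code 32 - No Such Object` in the log. The finding codes are hypothetical names.

```python
def parse_conf(text):
    """Parse flat `key = "value"` lines, skipping blanks and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip().strip('"')
    return conf

def norm_dn(dn):
    """Simplified DN normalisation: case-fold, trim spaces around commas."""
    return ",".join(p.strip().lower() for p in dn.split(",") if p.strip())

def lint(conf, prefix="para.security.ldap."):
    """Return (code, detail) findings for the LDAP keys shown in the issue."""
    base = norm_dn(conf.get(prefix + "base_dn", ""))
    rel = norm_dn(conf.get(prefix + "user_search_base", ""))
    url = conf.get(prefix + "server_url", "")
    findings = []
    # Assumption: user_search_base is resolved relative to base_dn, so a
    # search base that already ends in base_dn yields a doubled suffix.
    if base and (rel == base or rel.endswith("," + base)):
        findings.append(("DOUBLED_BASE", rel + "," + base))
    # ldap:// without StartTLS carries bind and user passwords unencrypted.
    if url.lower().startswith("ldap://"):
        findings.append(("CLEARTEXT_LDAP", url))
    return findings

# The two configurations quoted on this page (bind credentials omitted).
BEFORE = '''
para.security.ldap.server_url = "ldap://192.168.30.10:7389/"
para.security.ldap.base_dn = "dc=xyz,dc=com"
para.security.ldap.user_search_base = "cn=users,dc=xyz,dc=com"
para.security.ldap.user_search_filter = "(uid={0})"
#para.security.ldap.user_dn_pattern = "uid={0}"
'''
AFTER = '''
para.security.ldap.server_url = "ldap://192.168.30.10:7389"
para.security.ldap.base_dn = "cn=users,dc=xyz,dc=com"
para.security.ldap.user_search_filter = "uid={0}"
'''

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, lint(parse_conf(text)))
```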

0 reactions
hth2 commented, Jul 29, 2020

I tried the suggested config, unfortunately it made no difference.

I also tried the following:

  • use JAVA_TOOL_OPTIONS instead of JAVA_OPTS as suggested here
  • try both with and without quotes

With quotes I get a lot of errors in the log, and scoold doesn’t seem to be up, so without quotes is probably correct.

JAVA_TOOL_OPTIONS seems to be picked up by both para & scoold:

para_1    | Picked up JAVA_TOOL_OPTIONS: -Dconfig.file=/para/application.conf -Dloader.path=lib -Dlogging.level.org.springframework.ldap=DEBUG
scoold_1  | Picked up JAVA_TOOL_OPTIONS: -Dconfig.file=/scoold/application.conf -Dlogging.level.com.erudika.para.client=DEBUG

However, the login still fails with the same messages as before.
