ContainX/marathon-ldap

ERROR LDAP error validating user

davidsayers opened this issue · 6 comments

Hi,

I'm trying to get the plugin working with the OneLogin LDAP service, but I keep getting the error message "ERROR LDAP error validating user".

I'm using the 1.3 plugin with marathon 1.3.3.

Here is what I see in the logs:
https://gist.github.com/davidsayers/b98cb9d81460fa7c8f5d1a44b02703d5

Here is the config I am using:
https://gist.github.com/davidsayers/9673154d9b8a265f961faa7c014a278d

Hopefully you can point me in the right direction.

Thanks
David

Hi David,

Thanks for filing a ticket. I've set up an account on OneLogin and have asked them for open-source access to VLDAP. I'll keep you posted, and if I get access I will be able to isolate the proper configuration and/or remedy a fix.

I'll keep you updated this week.

-jeremy

Thanks!! Let me know if there is anything I can do to help.

I actually ran into this a couple of weeks ago, but I still need to prepare a pull request. I solved it by doing this:

diff --git a/src/main/java/io/containx/marathon/plugin/auth/util/LDAPHelper.java b/src/main/java/io/containx/marathon/plugin/auth/util/LDAPHelper.java
index fed4843..b36789e 100644
--- a/src/main/java/io/containx/marathon/plugin/auth/util/LDAPHelper.java
+++ b/src/main/java/io/containx/marathon/plugin/auth/util/LDAPHelper.java
@@ -90,7 +90,7 @@ public final class LDAPHelper {
             LOGGER.info("LDAP user search found {}", result.toString());

             if(bindUser != null) {
-                Attribute realDN = result.getAttributes().get("distinguishedname");
+                Attribute realDN = result.getAttributes().get("entrydn");
                 dn = realDN.get(0).toString();

                 if(userPassword == null || userPassword.isEmpty()) {
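Review bot: swapping the hard-coded attribute name from "distinguishedname" to "entrydn" only moves the failure from one directory type to another, and the unchanged line `dn = realDN.get(0).toString();` still dereferences `realDN` without a null check, so a server that exposes neither attribute will keep throwing a NullPointerException. Suggest checking `realDN` for null and failing with a descriptive error, and either making the attribute name configurable or taking the DN from the search result itself so no vendor-specific attribute is assumed.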

It will probably help to make this configurable. Besides that, I think the NullPointerException should never happen; it should show a normal error instead.

I am getting this exact error with OpenLDAP... I haven't tried the patch guidob posted; I am not gifted with Java building.

So I think the issue may be this:

The search for my username (jomernik) returns OK (see the return below). However, at https://github.com/ContainX/marathon-ldap/blob/master/src/main/java/io/containx/marathon/plugin/auth/util/LDAPHelper.java#L93

it looks like it's trying to pull the realDN from distinguishedname, but that doesn't exist; OpenLDAP is using entrydn, as was the case for guidob. Ideally, I think we need a config entry to identify which one is used, as @guidob stated. I don't want to change and recompile at this point, as I don't have the environment for it; is this a large change to make? Thanks!

John

Return from initial username search:

[2016-12-07 14:37:25,046] INFO LDAP user search found cn=jomernik: null:null:{givenname=givenName: John, entrydn=entryDN: cn=jomernik,ou=users,ou=zetashared,dc=marathon,dc=mesos, modifytimestamp=modifyTimestamp: 20161207202411Z, objectclass=objectClass: top, posixAccount, inetOrgPerson, createtimestamp=createTimestamp: 20161207202411Z, subschemasubentry=subschemaSubentry: cn=Subschema, uid=uid: jomernik, uidnumber=uidNumber: 1000002, cn=cn: jomernik, hassubordinates=hasSubordinates: FALSE, loginshell=loginShell: /bin/bash, modifiersname=modifiersName: cn=admin,dc=marathon,dc=mesos, creatorsname=creatorsName: cn=admin,dc=marathon,dc=mesos, gidnumber=gidNumber: 2501, structuralobjectclass=structuralObjectClass: inetOrgPerson, homedirectory=homeDirectory: /home/jomernik, sn=sn: Omernik, entryuuid=entryUUID: dbf68178-5106-1036-8144-eb1d1c2c2b3d, entrycsn=entryCSN: 20161207202411.939425Z#000000#000#000000} (io.containx.marathon.plugin.auth.util.LDAPHelper:pool-3-thread-1)

I've got the same error, so I discussed it with some admins here, and there is a bit of confusion about the DN.

A distinguished name is a reference in the LDAP Directory Information Tree.

In RFC 5020, the attribute entrydn is a copy of the DN:

This document describes the 'entryDN' operational attribute which holds a copy of the entry's distinguished name. This attribute may be used in search filters.

Maybe it's better to get the DN directly instead of trying a hypothetical attribute (distinguishedname, entrydn, or something else); in Spring there is getName.

Update: I created PR #10 based on https://docs.oracle.com/javase/tutorial/jndi/newstuff/dn.html
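As an added example (not the plugin's code and not from any commenter), the following shows the approach the last comment suggests: take the DN from the JNDI SearchResult itself, fall back to the entryDN/distinguishedName attributes only if the provider cannot supply it, and fail with a clear error instead of a NullPointerException. The class and method names are hypothetical, and the sample entry is constructed from the OpenLDAP log line earlier in the thread.

```java
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.SearchResult;

/** Hypothetical helper: resolves a user's DN without assuming a vendor-specific attribute. */
public final class UserDnResolver {

    // Operational attributes seen in practice: OpenLDAP exposes entryDN, Active Directory
    // exposes distinguishedName. Neither is guaranteed, so they are only a fallback.
    private static final String[] DN_ATTRIBUTES = { "entryDN", "distinguishedName" };

    public static String resolveDn(SearchResult result) throws NamingException {
        // Preferred: the full name JNDI already knows for every search result.
        try {
            String dn = result.getNameInNamespace();
            if (dn != null && !dn.isEmpty()) {
                return dn;
            }
        } catch (UnsupportedOperationException ignored) {
            // Provider cannot compute the full name; fall through to the attributes.
        }
        Attributes attrs = result.getAttributes();
        if (attrs != null) {
            for (String name : DN_ATTRIBUTES) {
                Attribute attr = attrs.get(name); // lookup is case-insensitive for ignoreCase=true
                if (attr != null && attr.get() != null) {
                    return attr.get().toString();
                }
            }
        }
        // Descriptive failure instead of dereferencing a null Attribute.
        throw new NamingException("Could not determine DN for entry '" + result.getName()
                + "': none of " + String.join(", ", DN_ATTRIBUTES) + " present");
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample mimicking the OpenLDAP entry from the thread; no server needed.
        String dn = "cn=jomernik,ou=users,ou=zetashared,dc=marathon,dc=mesos";
        Attributes attrs = new BasicAttributes(true);
        attrs.put("uid", "jomernik");
        attrs.put("entryDN", dn);
        SearchResult fromOpenLdap = new SearchResult("cn=jomernik", null, attrs);
        fromOpenLdap.setNameInNamespace(dn);
        System.out.println(resolveDn(fromOpenLdap));

        // Constructed sample with no usable DN at all: throws NamingException, not NPE.
        SearchResult bare = new SearchResult("cn=nobody", null, new BasicAttributes(true));
        try { resolveDn(bare); } catch (NamingException e) { System.out.println(e.getMessage()); }
    }
}
```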