
Login via AD/LDAP #1968

Closed adis3421 closed 2 years ago

adis3421 commented 2 years ago

I have a problem logging on to OpenCTI via LDAP/AD.

My productions.json:

...

"providers": { "ldap": { "strategy": "LdapStrategy", "config": { "url": "ldap://mydomainhost:389", "bind_dn": "cn=User,ou=OU,dc=my,dc=domain,dc=my", "bind_credentials": "XX", "search_base": "dc=my,dc=domain,dc=my", "search_filter": "(sAMAccountName={{username}})", "mail_attribute": "mail", "account_attribute": "givenName" } }, "local": { "strategy": "LocalStrategy" } } }

Log: {"category":"APP","error":{"_error":{},"_showLocations":false,"_showPath":false,"data":{"category":"technical","http_status":401},"internalData":{},"name":"AuthFailure","time_thrown":"2022-03-17T14:53:34.004Z"},"level":"warn","message":"[AUTH] local","timestamp":"2022-03-17T14:53:34.004Z","version":"5.2.1"} {"auth":{"email":"myloginad","ip":"::ffff:MYIP","referer":"http://IP:4000/dashboard?"},"category":"AUDIT","level":"error","message":"LOGIN","resource":{"provider":"local"},"timestamp":"2022-03-17T14:53:34.005Z","version":"5.2.1"} (node:3228560) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead. (Use node --trace-deprecation ... to show where the warning was created) {"category":"APP","error":null,"info":{"message":"Invalid username/password"},"level":"warn","message":"[AUTH] ldapauth","timestamp":"2022-03-17T14:53:34.040Z","version":"5.2.1"} {"auth":{"email":"myloginad","ip":"::ffff:MYIP","referer":"http://IP:4000/dashboard?"},"category":"AUDIT","level":"error","message":"LOGIN","resource":{"provider":"ldapauth"},"timestamp":"2022-03-17T14:53:34.040Z","version":"5.2.1"} {"category":"APP","error":{"data":{"category":"technical","http_status":401},"stacktrace":["AuthFailure: Wrong name or password","at Q0 (/opt/OCTI/opencti/build/src/config/errors.js:8:10)","at tL (/opt/OCTI/opencti/build/src/config/errors.js:12:56)","at Object.token (/opt/OCTI/opencti/build/src/resolvers/user.js:117:13)","at runMicrotasks ()","at processTicksAndRejections (node:internal/process/task_queues:96:5)"]},"inner_relation_creation":0,"level":"warn","message":"API Call","operation":"LoginFormMutation","operation_query":"mutation LoginFormMutation($input:UserLoginInput!){token(input:$input)}","size":51,"time":163,"timestamp":"2022-03-17T14:53:34.043Z","type":"WRITE_ERROR","version":"5.2.1"}

And when I log on as the local admin, I see the following in Settings -> Authentication strategies:

  1. local LocalStrategy
  2. ldap LdapStrategy aaaa

Environment

  1. OS (where OpenCTI server runs): Oracle Linux 8
  2. OpenCTI version: 5.2.1
  3. OpenCTI client: frontend
  4. Other environment details: Manual deployment
adis3421 commented 2 years ago

Hi,

I changed the keepNames option; it didn't work in my environment.

Regards, AN

SamuelHassine commented 2 years ago

Hello @adis3421,

This is a bug and it will be fixed in the next release. Sorry for the inconvenience.

Kind regards, Samuel

adis3421 commented 2 years ago

I confirm that I am using version 5.2.4. Good job. Thanks.

robben-ar commented 2 years ago

I have the problem again with logging on to OpenCTI via LDAP/AD, but now in version 5.3.7.

Regards.-

ghost commented 2 years ago

Hello, I have the problem too with LDAP (5.3.7), but it works well with 5.2.4 (docker).

adis3421 commented 2 years ago

Hi, I use a manual deployment on version 5.3.7 and everything is OK. Could you share the logs and config?

ghost commented 2 years ago

Hi, thanks adis 👍 here is my config:

      - PROVIDERS__LDAP__STRATEGY=LdapStrategy
      - PROVIDERS__LDAP__CONFIG__URL=ldap://ad.domain.com:389
      - PROVIDERS__LDAP__CONFIG__BIND_DN=CN=binduser,OU=Services,DC=domain,DC=com
      - PROVIDERS__LDAP__CONFIG__BIND_CREDENTIALS=password
      - PROVIDERS__LDAP__CONFIG__SEARCH_BASE=OU=Utilisateurs,DC=domain,DC=com
      - PROVIDERS__LDAP__CONFIG__SEARCH_FILTER={{`(sAMAccountName={{username}})`}}
      - PROVIDERS__LDAP__CONFIG__MAIL_ATTRIBUTE=userPrincipalName
      - PROVIDERS__LDAP__CONFIG__ACCOUNT_ATTRIBUTE=givenName
      - PROVIDERS__LDAP__CONFIG__ALLOW_SELF_SIGNED=true
      - PROVIDERS__LOCAL__STRATEGY=LocalStrategy

Where are the logs about the LDAP auth? There is nothing in /var/log/auth.

adis3421 commented 2 years ago

hi,

I don't use a docker deployment; I use a manual deployment and I have: "search_filter": "(sAMAccountName={{username}})". Maybe you can try this:

I am not a supporter of docker :)

Regards, NS

smclinden commented 2 years ago

Here is the error message that I am seeing. I have manually identified the LDAP credentials and user credentials are correct.

{"category":"APP","error":{"context":{"category":"technical","http_status":401},"message":"Wrong name or password","name":"AuthFailure","stack":"AuthFailure: Wrong name \
or password\n    at error (/apps/usr/local/src/opencti/build/src/config/errors.js:8:10)\n    at AuthenticationFailure (/apps/usr/local/src/opencti/build/src/config/error\
s.js:12:56)\n    at login (/apps/usr/local/src/opencti/build/src/domain/user.js:515:21)\n    at runMicrotasks (<anonymous>)\n    at processTicksAndRejections (node:inter\
nal/process/task_queues:96:5)"},"level":"warn","message":"[AUTH] local","timestamp":"2022-08-15T13:43:18.746Z","version":"5.3.7"}
{"auth":{"email":"user@org.com","ip":"172.20.64.58","referer":"https://opencti.org.com:4000/dashboard"},"category":"AUDIT","level":"error","message":"LOGIN","\
resource":{"provider":"local"},"timestamp":"2022-08-15T13:43:18.747Z","version":"5.3.7"}
{"category":"APP","error":null,"info":{"message":"Invalid username/password"},"level":"warn","message":"[AUTH] ldapauth","timestamp":"2022-08-15T13:43:18.977Z","version"\
:"5.3.7"}
{"auth":{"email":"user@org.com","ip":"172.20.64.58","referer":"https://opencti.org.com:4000/dashboard"},"category":"AUDIT","level":"error","message":"LOGIN","\
resource":{"provider":"ldapauth"},"timestamp":"2022-08-15T13:43:18.977Z","version":"5.3.7"}
{"category":"APP","error":{"data":{"category":"technical","http_status":401},"stacktrace":["AuthFailure: Wrong name or password","at error (/apps/usr/local/src/opencti/b\
uild/src/config/errors.js:8:10)","at AuthenticationFailure (/apps/usr/local/src/opencti/build/src/config/errors.js:12:56)","at Object.token (/apps/usr/local/src/opencti/\
build/src/resolvers/user.js:117:13)","at runMicrotasks (<anonymous>)","at processTicksAndRejections (node:internal/process/task_queues:96:5)"]},"inner_relation_creation"\
:0,"level":"warn","message":"API Call","operation":"LoginFormMutation","operation_query":"mutation LoginFormMutation($input:UserLoginInput!){token(input:$input)}","size"\
:72,"time":1151,"timestamp":"2022-08-15T13:43:18.979Z","type":"WRITE_ERROR","version":"5.3.7"}
ghost commented 2 years ago

Here is the error message that I am seeing. I have manually identified the LDAP credentials and user credentials are correct.

{"category":"APP","error":{"context":{"category":"technical","http_status":401},"message":"Wrong name or password","name":"AuthFailure","stack":"AuthFailure: Wrong name \
or password\n    at error (/apps/usr/local/src/opencti/build/src/config/errors.js:8:10)\n    at AuthenticationFailure (/apps/usr/local/src/opencti/build/src/config/error\
s.js:12:56)\n    at login (/apps/usr/local/src/opencti/build/src/domain/user.js:515:21)\n    at runMicrotasks (<anonymous>)\n    at processTicksAndRejections (node:inter\
nal/process/task_queues:96:5)"},"level":"warn","message":"[AUTH] local","timestamp":"2022-08-15T13:43:18.746Z","version":"5.3.7"}
{"auth":{"email":"user@org.com","ip":"172.20.64.58","referer":"https://opencti.org.com:4000/dashboard"},"category":"AUDIT","level":"error","message":"LOGIN","\
resource":{"provider":"local"},"timestamp":"2022-08-15T13:43:18.747Z","version":"5.3.7"}
{"category":"APP","error":null,"info":{"message":"Invalid username/password"},"level":"warn","message":"[AUTH] ldapauth","timestamp":"2022-08-15T13:43:18.977Z","version"\
:"5.3.7"}
{"auth":{"email":"user@org.com","ip":"172.20.64.58","referer":"https://opencti.org.com:4000/dashboard"},"category":"AUDIT","level":"error","message":"LOGIN","\
resource":{"provider":"ldapauth"},"timestamp":"2022-08-15T13:43:18.977Z","version":"5.3.7"}
{"category":"APP","error":{"data":{"category":"technical","http_status":401},"stacktrace":["AuthFailure: Wrong name or password","at error (/apps/usr/local/src/opencti/b\
uild/src/config/errors.js:8:10)","at AuthenticationFailure (/apps/usr/local/src/opencti/build/src/config/errors.js:12:56)","at Object.token (/apps/usr/local/src/opencti/\
build/src/resolvers/user.js:117:13)","at runMicrotasks (<anonymous>)","at processTicksAndRejections (node:internal/process/task_queues:96:5)"]},"inner_relation_creation"\
:0,"level":"warn","message":"API Call","operation":"LoginFormMutation","operation_query":"mutation LoginFormMutation($input:UserLoginInput!){token(input:$input)}","size"\
:72,"time":1151,"timestamp":"2022-08-15T13:43:18.979Z","type":"WRITE_ERROR","version":"5.3.7"}

Hi, what does your configuration file look like?

Previously I had issues with 5.3.7 (docker), and since I set up a VM with a manual deployment I am able to use LDAP auth. I adapted my configuration file to match my AD (check the users' attributes).

"providers": { "ldap": { "strategy": "LdapStrategy", "config": { "url": "ldap://ad.domain.com:389", "bind_dn": "CN=opencti-ldap,OU=Services,DC=domain,DC=com", "bind_credentials": "PASSWORD", "search_base": "OU=Utilisateurs,DC=domain,DC=com", "search_filter": "(sAMAccountName={{username}})", "mail_attribute": "userPrincipalName", "account_attribute": "givenName" } }, "local": { "strategy": "LocalStrategy" } } }