RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

LDAP: Auth.info Bind successful but user was not found via search 'DN' #11502

Open lucasfersil opened 6 years ago

lucasfersil commented 6 years ago

Description:

LDAP: Authentication error

Steps to reproduce:

Login with current AD credentials for any user.

Expected behavior:

Successful login.

Actual behavior:

It returns this message: "User not found or incorrect password" (only works with old cached passwords - Login Fallback).

Server Setup Information:

Additional context:

Recent issue - Installed since spring 2017.

Relevant logs:

20180718-17:31:38.427(-3) LDAP Auth.info Authenticating CN=testuser,OU=Users,DC=domain,DC=local
20180718-17:31:38.661(-3) LDAP Search.info Search result count 0
20180718-17:31:38.664(-3) LDAP Auth.info Bind successful but user was not found via search CN=testuser,OU=Users,DC=domain,DC=local { scope: 'sub', filter: PresenceFilter { attribute: 'objectclass', type: [Getter], json: [Getter] } }
20180718-17:31:38.665(-3) LDAPHandler info Wrong password for testuser
20180718-17:31:38.667(-3) LDAPHandler info Fallback to default account system { username: 'testuser' }

Testing:

ldapsearch -H ldap://172.16.100.1 -x -s sub -b 'cn=testuser,ou=Users,dc=domain,dc=local'

# extended LDIF
#
# LDAPv3
# base <cn=testuser,ou=Users,dc=domain,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Testuser, Users, domain.local
dn: CN=testuser,OU=Users,DC=domain,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Testuser
[...]

deadmanIsARabbit commented 6 years ago

I struggled with this yesterday for six hours. Just set "Find user after login" to "no" in "Administration->LDAP".

lucasfersil commented 6 years ago

@deadmanIsARabbit I don't know if that was the expected behavior, but it worked for me, thanks!

rsimai commented 6 years ago

@deadmanIsARabbit you saved me, after 4 hours of analyzing in my test instance before I found @lucasfersil's report.

I've seen similar (mis-)behavior after updating to 0.66.3 (from 0.65.1). Same in my test instance, 0.68.1. New users couldn't log in anymore; their accounts were not created. Already existing accounts were not affected. The LDAP behavior has clearly changed, I guess we could call that a regression!

As a wild guess, https://github.com/RocketChat/Rocket.Chat/pull/11264 might be related.

deadmanIsARabbit commented 6 years ago

@rsimai This is related. The question should be why the search or second lookup will always return 0 results.

rsimai commented 6 years ago

Yeah, and according to the log the DN it's looking for seems correct, it just returns no result. Probably it's "optimized" for AD now; I, however, only have an OpenLDAP server to test with (and, to make it more complicated, it is a proxy to eDir :-)

Worth reopening? What do you think?

deadmanIsARabbit commented 6 years ago

In my opinion: yes. We have a Univention UCS LDAP server which is Active Directory compliant and has returned this error as well. There is no proxy magic at our site. If we look up the DN by hand we do get results.

One thing I have noticed is that the log contains something like this: Auth.info#033[39m Bind successful but user was not found via search CN=norrisc,OU=ayeq,DC=ayeq-benu,DC=com { scope: 'sub',

As you can see, the var searchOptions isn't returned correctly. I am not quite sure if it is a logging problem, or maybe the searchOptions aren't closed correctly before and this results in an invalid result.

rsimai commented 6 years ago

For me that log entry continues on the next line (indented) as filter: PresenceFilter { attribute: 'objectclass', type: [Getter], json: [Getter] } }. I have no idea what that is supposed to mean, however.

patsevanton commented 6 years ago

Hello!

RocketChat version 0.68.3, Node version v8.11.3, mongo 3.4.16. I think I have the same error:

rocketchat_logger rocketchat_logger.js:278 LDAPHandler ➔ info Init LDAP login ext.a.patsev
rocketchat_logger rocketchat_logger.js:278 LDAP ➔ Connection.info Init setup
rocketchat_logger rocketchat_logger.js:278 LDAP ➔ Connection.info Connecting ldaps://ldap-connection-url:636
rocketchat_logger rocketchat_logger.js:278 LDAP ➔ Connection.debug connectionOptions { url: 'ldaps://ldap-connection-url:636',
  timeout: 60000,
  connectTimeout: 1000,
  idleTimeout: 1000,
  reconnect: false,
  log: 
   Logger {
     domain: null,
     _events: {},
     _eventsCount: 0,
     _maxListeners: undefined,
     _level: 50,
     streams: [ [Object] ],
     serializers: null,
     src: false,
     fields: 
      { name: 'ldapjs',
        component: 'client',
        hostname: 'df386a7041be',
        pid: 1 } },
  tlsOptions: { rejectUnauthorized: true } }
rocketchat_logger rocketchat_logger.js:278 LDAP ➔ Connection.info LDAP connected
rocketchat_logger rocketchat_logger.js:278 LDAP ➔ Bind.info Binding UserDN cn=rocketchat,ou=SysUsers,dc=organization,dc=ru
rocketchat_logger rocketchat_logger.js:278 LDAP ➔ Search.info Searching user ext.a.patsev
rocketchat_logger rocketchat_logger.js:278 LDAP ➔ Search.debug searchOptions { filter: '(&(objectclass=inetOrgPerson)(cn=ext.a.patsev))',
  scope: 'sub',
  sizeLimit: 1000,
  paged: { pageSize: 250, pagePause: false } }
rocketchat_logger rocketchat_logger.js:278 LDAP ➔ Search.debug BaseDN ou=Users,dc=organization,dc=ru
rocketchat_logger rocketchat_logger.js:278 LDAP ➔ Search.info Search result count 0
rocketchat_logger rocketchat_logger.js:278 LDAPHandler ➔ info Search returned 0 record(s) for ext.a.patsev
rocketchat_logger rocketchat_logger.js:278 LDAPHandler ➔ error Error: User not Found
    at MethodInvocation.<anonymous> (/app/bundle/programs/server/packages/rocketchat_ldap.js:647:13)
    at /app/bundle/programs/server/packages/accounts-base.js:876:30
    at tryLoginMethod (/app/bundle/programs/server/packages/accounts-base.js:702:14)
    at AccountsServer.Ap._runLoginHandlers (/app/bundle/programs/server/packages/accounts-base.js:875:18)
    at AccountsServer.Accounts._runLoginHandlers (/app/bundle/programs/server/packages/rocketchat_lib.js:3345:36)
    at MethodInvocation.methods.login (/app/bundle/programs/server/packages/accounts-base.js:933:27)
    at MethodInvocation.methodMap.(anonymous function) (packages/rocketchat_monitoring.js:2731:30)
    at maybeAuditArgumentChecks (/app/bundle/programs/server/packages/ddp-server.js:1877:12)
    at DDP._CurrentMethodInvocation.withValue (/app/bundle/programs/server/packages/ddp-server.js:902:126)
    at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1186:12)
    at DDPServer._CurrentWriteFence.withValue (/app/bundle/programs/server/packages/ddp-server.js:902:98)
    at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1186:12)
    at Promise (/app/bundle/programs/server/packages/ddp-server.js:902:46)
    at new Promise (<anonymous>:null:null)
    at Session.method (/app/bundle/programs/server/packages/ddp-server.js:875:23)
    at /app/bundle/programs/server/packages/ddp-server.js:754:85

rocketchat_logger rocketchat_logger.js:278 LDAPHandler ➔ info Fallback to default account system { username: 'ext.a.patsev' }
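
Both logs in this thread end with "Fallback to default account system", which means the login was checked against the password hash Rocket.Chat stored earlier rather than against the directory, so a password change or account disablement made in AD/LDAP is not enforced for that login. An added example, not Rocket.Chat code: a small Python scanner over constructed log lines modelled on the two formats posted here (the timestamped lines in the issue body and the rocketchat_logger lines just above) that reports every attempt that fell back and distinguishes the case in this issue, where the bind succeeded and only the post-login search came back empty, from a plain user-not-found.

```python
import re

# Constructed sample lines modelled on the two log formats in this thread; "alice" is a
# made-up user whose search succeeds, so no fallback is reported for her.
SAMPLE_LOG = """\
20180718-17:31:38.427(-3) LDAP Auth.info Authenticating CN=testuser,OU=Users,DC=domain,DC=local
20180718-17:31:38.661(-3) LDAP Search.info Search result count 0
20180718-17:31:38.664(-3) LDAP Auth.info Bind successful but user was not found via search CN=testuser,OU=Users,DC=domain,DC=local { scope: 'sub',
20180718-17:31:38.665(-3) LDAPHandler info Wrong password for testuser
20180718-17:31:38.667(-3) LDAPHandler info Fallback to default account system { username: 'testuser' }
rocketchat_logger rocketchat_logger.js:278 LDAPHandler ➔ info Init LDAP login ext.a.patsev
rocketchat_logger rocketchat_logger.js:278 LDAP ➔ Search.info Search result count 0
rocketchat_logger rocketchat_logger.js:278 LDAPHandler ➔ error Error: User not Found
rocketchat_logger rocketchat_logger.js:278 LDAPHandler ➔ info Fallback to default account system { username: 'ext.a.patsev' }
rocketchat_logger rocketchat_logger.js:278 LDAPHandler ➔ info Init LDAP login alice
rocketchat_logger rocketchat_logger.js:278 LDAP ➔ Search.info Search result count 1
"""

# Patterns are searched inside the line, so the differing logger prefixes do not matter.
START_RE = re.compile(r"(?:Authenticating|Init LDAP login) (\S+)")
COUNT_RE = re.compile(r"Search result count (\d+)")
BIND_OK_RE = re.compile(r"Bind successful but user was not found via search")
FALLBACK_RE = re.compile(r"Fallback to default account system \{ username: '([^']+)' \}")


def find_fallback_logins(log_text):
    """One finding per LDAP attempt that ended in the password fallback (stored hash, not directory)."""
    findings = []
    attempt = None  # state of the login attempt currently being read
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:
            attempt = {"subject": m.group(1), "search_count": None, "bind_ok": False}
            continue
        if attempt is None:
            continue
        m = COUNT_RE.search(line)
        if m:
            attempt["search_count"] = int(m.group(1))
        elif BIND_OK_RE.search(line):
            # Directory accepted the credentials; only the post-bind search ("Find user
            # after login") came back empty, so the later "Wrong password" line is misleading.
            attempt["bind_ok"] = True
        m = FALLBACK_RE.search(line)
        if m:
            reason = ("bind_ok_search_empty" if attempt["bind_ok"]
                      else "search_empty" if attempt["search_count"] == 0 else "other")
            findings.append({"username": m.group(1), "subject": attempt["subject"], "reason": reason})
            attempt = None
    return findings
```

Running it over the constructed sample reports testuser as bind_ok_search_empty and ext.a.patsev as search_empty; any recurring bind_ok_search_empty entry is the signature of the misconfigured post-login search this issue describes.
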
earlng commented 6 years ago

Just want to say that I seem to be experiencing this issue as well on 0.70.3

doransmestad commented 6 years ago

I'm seeing this issue as well, Samba 4.7.6-11, RocketChat 0.70.4.

Unsure how long it's been affecting us, as it only caused a problem when we added new users. Setting "Find user after login" to False allowed our new users to log in. After that first login we could turn it back to True, and all users can continue to sign in without issue.

saschafoerster commented 5 years ago

I am using a Synology with Samba4 Active Directory, and after changing the setting, finally, after hours and hours, LDAP worked as expected.

coatmaker618 commented 4 years ago

I'm having the same issue, cannot log in with an OpenLDAP user. I have been passively trying for days.

My "Find user after login" was already set to "no" in "Administration->LDAP", I tried toggling it but it didn't fix login :(

My setup is a new RocketChat install & existing (but tiny) LDAP.