RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

Can't proceed successful login using LDAP via Samba4 AD Domain Controller #11712

Open tanertas opened 6 years ago

tanertas commented 6 years ago

Description:

RocketChat doesn't proceed to login with correct credentials on Samba4 DC's own LDAP implementation. Login proceeds with a very similar setup on a Windows 2008 AD DC but not on a Samba4 AD DC.

Steps to reproduce:

  1. Configure required fields for LDAP authentication.
  2. Test configuration with "TEST CONNECTION" button.
  3. See the "Success Connection_success" notification: OK
  4. Then try to login with an actual user with correct credentials.

Expected behavior:

  1. RocketChat must proceed with a successful login when given correct credentials.
  2. Then allow the user to log in.

Actual behavior:

  1. Login failed with "User not found or incorrect password" error.

Server Setup Information:

Additional context

Log level raised to "Trace" level. Correct credentials confirmed by logs: "LDAPResult\",\"status\":0"

Deliberate failed login with incorrect username: "Error: User not Found"

Deliberate failed login with incorrect password: "Simple Bind Failed: NT_STATUS_LOGON_FAILURE"

Relevant logs:

rocket-ldap.log

tanertas commented 6 years ago

I found that when "Find user after login" (at LDAP configuration) is "False", RC permits login, but RC doesn't collect user names from LDAP.

ldapsearch with the proxy user account has no problem getting all related fields of the corresponding users from the same server.

Samba version is 4.3.11.

deadmanIsARabbit commented 6 years ago

Relates to #11502

tanertas commented 6 years ago

Thanks @deadmanIsARabbit, at least good to see that I'm not the only one. Subbed.

suportecri1 commented 6 years ago

same issue here!

jsivak commented 6 years ago

I can confirm that having the "Find user after login" setting set to "True" seems to block users from logging in after they change their LDAP password. When I set "Find user after login" to False, then the user can log in.

It appears that when "Find user after login" is set to True, Rocket.Chat is sending the old/cached password rather than the new one?

Rocket.Chat server version: 0.68.4

Junich10 commented 5 years ago

> I can confirm that having the "Find user after login" setting set to "True" seems to block users from logging in after they change their LDAP password. When I set "Find user after login" to False, then the user can log in.
>
> It appears that when "Find user after login" is set to True, Rocket.Chat is sending the old/cached password rather than the new one?
>
> Rocket.Chat server version: 0.68.4

Thanks for your information! I was looking all over the place. Even though I had all the LDAP settings configured correctly, I could not log in with any Samba AD user. Once I turned off the "Find user after login" setting, it all started working.

Rocket.Chat Server version: 0.74.2, CentOS 7, authenticating against Samba 4 AD.