RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

REST API - LDAP login not working #4961

Closed eduardoarantes closed 3 years ago

eduardoarantes commented 7 years ago

Your Rocket.Chat version: (make sure you are running the latest)

Hi, I have LDAP set up and users can log in properly from the UI. They are synchronized properly, but when I try logging in (first login) through the API I get 401 "Unauthorized". Is there any special configuration that I am missing?

After the initial load from login via the UI, the API login works fine.

Tks

eduardoarantes commented 7 years ago

Could that be somehow related to the order of the authentication handlers?

tntobias commented 7 years ago

Can you check the logs and see if there are any errors generated during the api logons?

eduardoarantes commented 7 years ago

Nothing in the logs when logging in through the API as the first request for a nonexistent user. Not even 1 line. When I log in through the login page everything goes OK and I see lots of logs.

It's really weird. After the first login through the login page, the API works but still doesn't log anything.

tntobias commented 7 years ago

Make sure you're at log level 2 in the Administration panel. Many LDAP messages only appear in debug logs. Also, there's a setting for Import Users from LDAP. If that is set to false, the user is only created on first login.

eduardoarantes commented 7 years ago

I can see all the LDAP messages after the user is created and during the Sync data process.

Is the UI login somehow different from the API login call?

My API call looks like: http://localhost:3000/api/login

Headers: Content-Type:application/x-www-form-urlencoded

Body: user:stan.test password:users_password

I have also tried with no headers

And also with additional params ldap=true ldapPass username instead of user

Always get the same result

{ "status": "error", "message": "Unauthorized" }

eduardoarantes commented 7 years ago

Hi,

I believe the API login is not being handled by the LDAP handler. I noticed that api/login only works when the password is already in the database.

UI login works regardless.

After the user was properly set (and api/login was working) I manually changed the password in the database and then the api/login failed. But UI login worked and updated the password.

"createdAt" : ISODate("2016-12-01T02:33:04.810Z"),
    "services" : {
        "ldap" : {
            "id" : "73938633233612d662d303663333463656165653735",
            "idAttribute" : "ipa1UniqueID"
        },
        "password" : {
            "bcrypt" : "$2a$10$fdJ.TxcS3nYD1Yd.KVqeH9aHc8cs1XBrgSi"
        }
    },
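
The behaviour reported in the comment above, replayed as a small model. This is an added example, not Rocket.Chat code and not part of the original thread; the function and variable names are hypothetical, the data is constructed, and scrypt stands in for bcrypt.

```javascript
// Added model of the behaviour reported in this thread; not Rocket.Chat code.
// All names (directory, users, uiLogin, apiLogin, replay) are hypothetical.
const crypto = require('crypto');

// Stand-in for bcrypt: salted scrypt, compared in constant time.
function hashPassword(password, salt = crypto.randomBytes(16)) {
  return { salt, key: crypto.scryptSync(password, salt, 32) };
}
function verifyPassword(password, stored) {
  const key = crypto.scryptSync(password, stored.salt, 32);
  return crypto.timingSafeEqual(key, stored.key);
}

// Constructed sample data: the LDAP directory and the local user collection.
const directory = new Map([['stan.test', 'users_password']]);
const users = new Map();

// UI path as observed: check the directory (a plain lookup stands in for an
// LDAP bind), then create or refresh the local record and its cached hash.
function uiLogin(user, password) {
  if (directory.get(user) !== password) return { status: 401 };
  users.set(user, { services: { ldap: { id: user }, password: hashPassword(password) } });
  return { status: 200 };
}

// API path as observed: only the locally stored hash is consulted, so the
// directory is never asked and an unprovisioned user is rejected.
function apiLogin(user, password) {
  const record = users.get(user);
  if (!record || !verifyPassword(password, record.services.password)) {
    return { status: 401, body: { status: 'error', message: 'Unauthorized' } };
  }
  return { status: 200 };
}

// Replays the sequence from the thread and returns each status code.
function replay() {
  const out = [];
  out.push(apiLogin('stan.test', 'users_password').status); // first login via API
  out.push(uiLogin('stan.test', 'users_password').status);  // first login via UI
  out.push(apiLogin('stan.test', 'users_password').status); // API after UI login
  users.get('stan.test').services.password = hashPassword('something-else'); // manual DB edit
  out.push(apiLogin('stan.test', 'users_password').status); // API with altered hash
  out.push(uiLogin('stan.test', 'users_password').status);  // UI works, rewrites hash
  out.push(apiLogin('stan.test', 'users_password').status); // API works again
  return out;
}
```

`replay()` returns the status codes in the order the steps were described; the last step (API login after the UI has rewritten the hash) is inferred from the earlier observation that the API works after a UI login.
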
massimodeluisa commented 7 years ago

Quote @eduardoarantes . I made the same test with same results.

Flipez commented 7 years ago

It would be nice if this could be fixed. It's very annoying if you rely on an LDAP backend and cannot use the API.

abser commented 7 years ago

Same problem here. I don't want to import all LDAP users into Rocket.Chat.

jusfeel commented 7 years ago

Same issue here.

Flipez commented 7 years ago

@MartinSchoeler Any news on this? This issue has been open for quite a while now and completely blocks usage of the API by LDAP users :/

wgfreitas commented 7 years ago

Any news about that? Thanks.

Flipez commented 7 years ago

@MartinSchoeler Both the REST and Live-API are completely useless for LDAP systems. This issue has now been open for nearly a year.

Is LDAP not considered an important feature by you developers? If so, you might communicate that better in the docs and warn users before enabling LDAP for their instances :/

ghost commented 6 years ago

Anything new?

photoninger commented 6 years ago

I don't know much about JS and the frameworks used in Rocket.Chat, but I guess LDAP auth for the REST API might be possible if the LDAP code also registers an auth method with RocketChat.API.v1.addAuthMethod() like it is done for the oauth2 providers in https://github.com/RocketChat/Rocket.Chat/blob/e1ef24b08c7d2c13ba834a384f9f16ab0d2c68f1/packages/rocketchat-oauth2-server-config/oauth/server/oauth2-server.js#L56 . Or am I wrong?