goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

`ldap_bind: Invalid credentials (49)` while `ldapsearch` at LDAP Generic Setup #8421

Closed kCyborg closed 9 months ago

kCyborg commented 9 months ago

Describe the bug I'm trying to use Authentik as an LDAP provider to use it in a web application that doesn't support SAML, OAuth, OIDC or any other like them :-( But when I finish Authentik's installation and follow the LDAP Generic Support, while trying to use the `ldapsearch` command I get the `ldap_bind: Invalid credentials (49)` error.

To Reproduce I'm using an Ubuntu 22.04.3 as a base box, fully updated and upgraded, with a public IP. I installed docker from the official Docker repository.

  1. I install Authentik through the docker-compose file provided in this official guide.

  2. Follow the steps provided in the LDAP Provider - Generic Setup and the YouTube tutorial.

2.1 In these steps the only thing I needed to change was, at the time of creating the Outpost (nearly at the end of the tutorial/official documentation), that I needed to set `authentik_host_insecure:` (which comes as false by default) to true

  3. When I try the `ldapsearch` command I get the error: `ldap_bind: Invalid credentials (49)`

```
# Simple bind (-x) as the service account, prompting for the password (-W)
ldapsearch \
    -x \
    -H ldap://XXX.XXX.XXX.187 \
    -D "cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io" \
    -b 'DC=ldap,DC=goauthentik,DC=io' '(objectClass=user)' \
    -W
# answer
ldap_bind: Invalid credentials (49)
```

Expected behavior Get a positive answer from the previous commands.

Screenshots Not applicable

Logs Logs from the docker container Outpost:

```
### INITIAL LOGS ###
{"event":"Loaded config","level":"debug","path":"inbuilt-default","timestamp":"2024-02-05T20:12:42Z"}
{"event":"Loaded config from environment","level":"debug","timestamp":"2024-02-05T20:12:42Z"}
{"event":"not enabling debug server, set `AUTHENTIK_DEBUG` to `true` to enable it.","level":"info","logger":"authentik.go_debugger","timestamp":"2024-02-05T20:12:42Z"}
{"event":"initialised direct binder","level":"info","logger":"authentik.outpost.ldap.binder.direct","timestamp":"2024-02-05T20:12:43Z"}
{"event":"Update providers","level":"info","logger":"authentik.outpost.ldap","timestamp":"2024-02-05T20:12:43Z"}
{"event":"Starting Metrics server","level":"info","listen":"0.0.0.0:9300","logger":"authentik.outpost.metrics","timestamp":"2024-02-05T20:12:43Z"}
{"event":"Starting LDAP SSL server","level":"info","listen":"0.0.0.0:6636","logger":"authentik.outpost.ldap","timestamp":"2024-02-05T20:12:43Z"}
{"event":"Starting LDAP server","level":"info","listen":"0.0.0.0:3389","logger":"authentik.outpost.ldap","timestamp":"2024-02-05T20:12:43Z"}
{"event":"Starting authentik outpost","hash":"tagged","level":"info","logger":"authentik.outpost","timestamp":"2024-02-05T20:12:43Z","version":"2023.10.7"}
{"event":"Update providers","level":"info","logger":"authentik.outpost.ldap","timestamp":"2024-02-05T20:12:43Z"}
### LOGS WHEN I TRY TO USE `ldapsearch` ###
{"bindDN":"cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io","event":"authenticated from session","level":"info","logger":"authentik.outpost.ldap.binder.session","timestamp":"2024-02-05T20:27:56Z"}
{"bindDN":"cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"199.91.69.187","event":"Bind request","level":"info","requestId":"a718c87e-0859-401c-8cf1-e3797e675e26","timestamp":"2024-02-05T20:27:56Z","took-ms":0}
```

Version and Deployment (please complete the following information):

Additional context I have seen some issues, such as here and here; the OPs claim to have resolved the issue by manipulating the flow, but to be honest I'm not very familiar with these flows... Anyway, I will leave mine here:

image

Thanks in advance 🙏

otaconix commented 9 months ago

Not trying to hijack your issue, but it turned out you had an authentication requirement ("Require authentication") on the flow you're using for LDAP authentication.

Removing that seems to have fixed the problem 🙂

kCyborg commented 9 months ago

> Not trying to hijack your issue, but it turned out you had an authentication requirement ("Require authentication") on the flow you're using for LDAP authentication.
>
> Removing that seems to have fixed the problem 🙂

Yes, that was exactly my issue, thanks so much!!!