lmenezes / cerebro


[LDAP]Why is username used in the last bind request? #429

Open oraclecaicai opened 4 years ago

oraclecaicai commented 4 years ago

Hi guys,

I'm using Cerebro 0.8.5 installed with the RPM package. I want to authenticate the user via Microsoft Active Directory and the configuration for authentication is as below:

```hocon
# Authentication
auth = {
  # either basic or ldap
  type: ldap
  settings {
    # LDAP
    url = "ldap://Active_Directory_IP:389"
    # OpenLDAP might be something like "ou=People,dc=domain,dc=com"
    base-dn = "DC=mycompany,DC=com"
    # Usually method should be "simple" otherwise, set it to the SASL mechanisms to try
    method = "simple"
    # user-template executes a string.format() operation where
    # username is passed in first, followed by base-dn. Some examples
    #  - %s => leave user untouched
    #  - %s@domain.com => append "@domain.com" to username
    #  - uid=%s,%s => usual case of OpenLDAP
    user-template = "%s"
    // User identifier that can perform searches
    bind-dn = "admin_user_dn"
    bind-pw = "admin_user_password"
    group-search {
      // If left unset parent's base-dn will be used
      #base-dn = ${?LDAP_GROUP_BASE_DN}
      // Attribute that represent the user, for example uid or mail
      user-attr = "sAMAccountName"
      // Define a separate template for user-attr
      // If left unset parent's user-template will be used
      #user-attr-template = ${?LDAP_USER_ATTR_TEMPLATE}
      // Filter that tests membership of the group. If this property is empty then there is no group membership check
      // AD example => memberOf=CN=mygroup,ou=ouofthegroup,DC=domain,DC=com
      // OpenLDAP example => CN=mygroup
      group = "memberOf=CN=ehr-inf,OU=User Group,DC=mycompany,DC=com"
    }

    # Basic auth
    #username = ${?BASIC_AUTH_USER}
    #password = ${?BASIC_AUTH_PWD}
  }
}
```

Now the login action fails all the time, and with Wireshark I find the authentication process has 3 steps:

a. Send a bind request with the admin user.

This step is ok.

b. See if the user exists and belongs to the specified group. In my case, this means the input username equals the value of sAMAccountName (the user-attr parameter) and the value of memberOf contains the specified group DN (the group parameter).

This step is ok and a lot of attributes of the account are returned, such as cn, name, mail, distinguishedName (DN of the account in Active Directory).

c. Send another bind request with the user to authenticate.

This step fails, and I find that Cerebro uses the username, not the distinguishedName, in the request. It seems that there isn't a parameter to specify the attribute used in the last bind request.

If anyone has a solution to this issue, please kindly help me.

Thanks, Bruce

moliware commented 4 years ago

Hi!

a and b => The admin user checks that the user belongs to the group. This point is ok. c => Cerebro uses the input of the user (i.e. username and password) to verify that the user can bind to the LDAP server. To tune this a bit you can use user-template. I'll put an example:

Hopefully you find this useful
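The three steps above, modelled in Python against a constructed in-memory directory, as an added example that is not part of this thread or of Cerebro's own code. It shows how user-template and user-attr-template decide what the search (step b) and the final bind (step c) are performed with; the service account, the user "bruce", the UPN domain and the assumption that the mock server accepts a DN or UPN but not a bare sAMAccountName (modelled on what the reporter observed) are all constructed.

```python
class MockDirectory:
    """Constructed stand-in for AD. 'entries': DN -> attributes. 'binds': names accepted in
    a simple bind (DN and UPN, not a bare sAMAccountName, as the reporter saw) -> password."""
    def __init__(self, entries, binds):
        self.entries, self.binds = entries, binds

    def bind(self, name, password):
        return self.binds.get(name) == password

    def search(self, base_dn, attr, value, group_filter=None):
        hits = []
        for dn, e in self.entries.items():
            if not dn.endswith(base_dn) or e.get(attr) != value:
                continue
            if group_filter:  # an empty 'group' means no membership check, as the config comment says
                gattr, _, gval = group_filter.partition("=")
                if gval not in e.get(gattr, []):
                    continue
            hits.append(dn)
        return hits

def fill(tmpl, username, base_dn):  # Cerebro's string.format(template, username, base-dn)
    return tmpl.replace("%s", username, 1).replace("%s", base_dn, 1)

def cerebro_login(d, s, username, password):
    """Replay steps a, b and c from the report; return (ok, last step reached)."""
    if not d.bind(s["bind-dn"], s["bind-pw"]):                 # a. bind with the service account
        return False, "a"
    search_tmpl = s.get("user-attr-template") or s["user-template"]
    hits = d.search(s["base-dn"], s["user-attr"], fill(search_tmpl, username, s["base-dn"]), s.get("group"))
    if len(hits) != 1:                                         # b. exactly one matching group member
        return False, "b"
    return d.bind(fill(s["user-template"], username, s["base-dn"]), password), "c"  # c. bind as the user

GROUP = "CN=ehr-inf,OU=User Group,DC=mycompany,DC=com"
SVC_DN = "CN=svc-cerebro,OU=Service,DC=mycompany,DC=com"           # constructed service account
BRUCE_DN = "CN=Bruce,OU=Users,DC=mycompany,DC=com"                  # constructed group member
AD = MockDirectory(
    entries={BRUCE_DN: {"sAMAccountName": "bruce", "memberOf": [GROUP]}},
    binds={SVC_DN: "svc-pw", BRUCE_DN: "bruce-pw", "bruce@mycompany.com": "bruce-pw"})

def settings(user_template, user_attr_template=None):  # auth.settings from the issue, templates varied
    return {"base-dn": "DC=mycompany,DC=com", "bind-dn": SVC_DN, "bind-pw": "svc-pw",
            "user-attr": "sAMAccountName", "group": "memberOf=" + GROUP,
            "user-template": user_template, "user-attr-template": user_attr_template}

if __name__ == "__main__":
    print(cerebro_login(AD, settings("%s"), "bruce", "bruce-pw"))                      # (False, 'c')
    print(cerebro_login(AD, settings("%s@mycompany.com"), "bruce", "bruce-pw"))        # (False, 'b')
    print(cerebro_login(AD, settings("%s@mycompany.com", "%s"), "bruce", "bruce-pw"))  # (True, 'c')
```

The second call fails at step b because an unset user-attr-template falls back to user-template, so the search looks for sAMAccountName "bruce@mycompany.com"; setting user-attr-template to "%s" keeps the search on the bare account name while the final bind uses the UPN.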

trenb commented 4 years ago

I'm having a similar issue with authentication to ldap. If I comment out the group check, auth works fine. How do you debug this more? There seems to be zero logging for the ldap client. This is on version 0.9.0.