open-metadata / OpenMetadata

OpenMetadata is a unified metadata platform for data discovery, data observability, and data governance powered by a central metadata repository, in-depth column level lineage, and seamless team collaboration.
https://open-metadata.org
Apache License 2.0

LDAP authentication #17961

Open jgrocha opened 1 month ago

jgrocha commented 1 month ago

Affected module

Only affects LDAP authentication.

Describe the bug

After configuring LDAP authentication, the user name created in the database is: uid=jgr,ou=people,dc=geomaster,dc=pt.

This user name is compared with the one entered on the login form: jgr@geomaster.pt. The strings do not match.

The error is:

User with given email exists but is not associated with provider username. Matching User Found By Email [username:email] : [uid=jgr,ou=people,dc=geomaster,dc=pt:jgr@geomaster.pt], Provided User: [jgr:jgr@geomaster.pt]

To Reproduce

Configure LDAP:

ldapConfiguration:
    host: ${AUTHENTICATION_LDAP_HOST:-ldap.geomaster.pt}
    port: ${AUTHENTICATION_LDAP_PORT:-636}
    dnAdminPrincipal: ${AUTHENTICATION_LOOKUP_ADMIN_DN:-"uid=search,ou=Security,dc=geomaster,dc=pt"}
    dnAdminPassword: ${AUTHENTICATION_LOOKUP_ADMIN_PWD:-"xxxxxxx"}
    userBaseDN: ${AUTHENTICATION_USER_LOOKUP_BASEDN:-"dc=geomaster,dc=pt"}
    groupBaseDN: ${AUTHENTICATION_GROUP_LOOKUP_BASEDN:-""}
    roleAdminName: ${AUTHENTICATION_USER_ROLE_ADMIN_NAME:-}
    allAttributeName: ${AUTHENTICATION_USER_ALL_ATTR:-}
    mailAttributeName: ${AUTHENTICATION_USER_MAIL_ATTR:-mail}
    groupAttributeName: ${AUTHENTICATION_USER_GROUP_ATTR:-}
    groupAttributeValue: ${AUTHENTICATION_USER_GROUP_ATTR_VALUE:-}
    groupMemberAttributeName: ${AUTHENTICATION_USER_GROUP_MEMBER_ATTR:-}
    #the mapping of roles to LDAP groups
    authRolesMapping: ${AUTH_ROLES_MAPPING:-""}
    authReassignRoles: ${AUTH_REASSIGN_ROLES:-[]}
    #optional
    maxPoolSize: ${AUTHENTICATION_LDAP_POOL_SIZE:-3}
    sslEnabled: ${AUTHENTICATION_LDAP_SSL_ENABLED:-true}

also tried with:

    isFullDn: false
    usernameAttributeName: ${AUTHENTICATION_USER_NAME_ATTR:-"uid"}

The username created in the database (taken from the json field) is: uid=jgr,ou=people,dc=geomaster,dc=pt

This username should be just jgr.

Expected behavior

If I manually change the json to {"id": "...", "name": "jgr", "email": "jgr@geomaster.pt", the login works.

Version:

Additional context

I may be missing some configuration variables.

Maybe related to #17452
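As an added illustration (not OpenMetadata's code), the Python below parses the stored DN and extracts the usernameAttributeName RDN, so that `uid=jgr,ou=people,dc=geomaster,dc=pt` normalises to `jgr`, the value the report says should have been persisted. The function names are mine, and `login_matches` is an assumed model of the check behind the quoted error message, not the project's implementation.

```python
import string

# Constructed sample values copied from the report: the name the buggy
# version persisted and the address typed into the login form.
STORED_NAME = "uid=jgr,ou=people,dc=geomaster,dc=pt"
STORED_EMAIL = "jgr@geomaster.pt"

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 DN into (attribute, value) pairs. Backslash escapes
    are honoured ("cn=Smith\\, John" stays one value) and "\\XX" hex escapes
    are decoded as UTF-8 bytes; '+' (multi-valued RDN) is split like ','."""
    parts, buf, i = [], bytearray(), 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):          # escape sequence
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) == 2 and all(c in string.hexdigits for c in hexpair):
                buf.append(int(hexpair, 16)); i += 3
            else:
                buf += dn[i + 1].encode("utf-8"); i += 2
            continue
        if ch in ",+":                               # end of an RDN component
            parts.append(bytes(buf).decode("utf-8", "replace")); buf = bytearray()
        else:
            buf += ch.encode("utf-8")
        i += 1
    parts.append(bytes(buf).decode("utf-8", "replace"))
    pairs = []
    for part in parts:
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().lower(), value))
    return pairs

def provider_username(name: str, username_attr: str = "uid") -> str:
    """Value to persist as the user name: the usernameAttributeName RDN when
    LDAP hands back a full DN, otherwise the value unchanged."""
    if "=" not in name:
        return name
    for attr, value in parse_dn(name):
        if attr == username_attr.lower():
            return value
    raise ValueError(f"{username_attr} not found in DN {name!r}")

def login_matches(stored_name: str, stored_email: str, login_email: str) -> bool:
    """Assumed model of the check behind the quoted error (not the project's
    code): the user found by e-mail must also match the provider username."""
    provided_user = login_email.split("@", 1)[0]
    return (stored_email.lower() == login_email.lower()
            and provider_username(stored_name) == provided_user)
```

Comparing `STORED_NAME` directly with `jgr` reproduces the mismatch in the report; running the stored value through `provider_username` first is what makes the e-mail and username checks agree.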

AlexeySmirnov74 commented 1 month ago

I confirm that I have the same problem, starting with version 1.4.8. In version 1.4.7 it works OK.