semaphoreui / semaphore

Modern UI for Ansible, Terraform, OpenTofu, Bash, Pulumi.
https://semaphoreui.com
MIT License
10.35k stars 1.04k forks

[LDAP] Web UI says login failed while logs say "authorized via LDAP correctly" #1341

Closed bioinfornatics closed 11 months ago

bioinfornatics commented 1 year ago

Dear,

I created this docker-compose.yml file:

---
version: '3'
services:
  db:
    image: mariadb:11.0.2
#    command: --default-authentication-plugin=mysql_native_password
    environment:
      MYSQL_ROOT_PASSWORD: "${MYSQL_ROOT_PASSWORD}"
      MYSQL_DATABASE: "${MYSQL_DATABASE}"
      MYSQL_USER: "${MYSQL_USER}"
      MYSQL_PASSWORD: "${MYSQL_PASSWORD}"
    volumes:
      - "${SEMAPHORE_HOME}/var/lib/mysql:/var/lib/mysql:rw"
    ports:
      - '3306:3306'
    networks:
      - semaphore
    restart: 'on-failure'
  semaphore:
    ports:
      - '8100:3000'
    image: 'semaphoreui/semaphore:v2.8.91'
    container_name: 'semaphore'
    user: "0:0"
    environment:
      SEMAPHORE_DB_USER: "${MYSQL_USER}"
      SEMAPHORE_DB_PASS: "${MYSQL_PASSWORD}"
      SEMAPHORE_DB_HOST: db
      SEMAPHORE_DB_PORT: 3306
      SEMAPHORE_DB: "${MYSQL_DATABASE}"
      SEMAPHORE_PLAYBOOK_PATH: "${SEMAPHORE_PLAYBOOK_PATH}"
      SEMAPHORE_ADMIN_PASSWORD: "${SEMAPHORE_ADMIN_PASSWORD}"
      SEMAPHORE_ADMIN_NAME: "${SEMAPHORE_ADMIN}"
      SEMAPHORE_ADMIN_EMAIL: "${SEMAPHORE_ADMIN_EMAIL}"
      SEMAPHORE_ADMIN: "${SEMAPHORE_ADMIN}"
      SEMAPHORE_ACCESS_KEY_ENCRYPTION: "${SEMAPHORE_ACCESS_KEY_ENCRYPTION}"
      SEMAPHORE_LDAP_ACTIVATED: 'yes'
      SEMAPHORE_LDAP_HOST: "${LDAP_HOST}"
      SEMAPHORE_LDAP_PORT: "${LDAP_PORT}"
      SEMAPHORE_LDAP_DN_SEARCH: "${LDAP_DN_SEARCH}"
      SEMAPHORE_LDAP_DN_BIND: "${SEMAPHORE_LDAP_DN_BIND}"
      SEMAPHORE_LDAP_PASSWORD: "${SEMAPHORE_LDAP_PASSWORD}"
      SEMAPHORE_LDAP_SEARCH_FILTER: "${SEMAPHORE_LDAP_SEARCH_FILTER}"
      SEMAPHORE_LDAP_MAPPING_DN: "${SEMAPHORE_LDAP_MAPPING_DN}"
      SEMAPHORE_LDAP_MAPPING_USERNAME: "${SEMAPHORE_LDAP_MAPPING_USERNAME}"
      SEMAPHORE_LDAP_MAPPING_FULLNAME: "${SEMAPHORE_LDAP_MAPPING_FULLNAME}"
      SEMAPHORE_LDAP_MAPPING_EMAIL: "${SEMAPHORE_LDAP_MAPPING_EMAIL}"
    volumes:
      - "${SEMAPHORE_HOME}/playbook:${SEMAPHORE_PLAYBOOK_PATH}:rw"
      - "${SEMAPHORE_HOME}/config:/etc/semaphore:rw"
    networks:
      - semaphore
    depends_on:
      - db
networks:
  semaphore:
    name: semaphore-network

Note: some variables are defined in the .env file.

While trying to log in I get a 401 error:

screenshot

And the logs at the same time:

time="2023-07-13T00:42:00Z" level=info msg="User jonathan with email jonathanxxxxxxx@xxxx.com authorized via LDAP correctly"

Do you have an idea where to look?

Note: I did check the credentials with ldapsearch:

$ ldapsearch -x  -W -b "${SEMAPHORE_LDAP_DN_SEARCH}" -D "${SEMAPHORE_LDAP_DN_BIND}" -H ldap://${SEMAPHORE_LDAP_HOST}:${SEMAPHORE_LDAP_PORT}

Thanks, best regards

viiwee commented 1 year ago

This happened to me too. Most likely, it has to do with it still attempting to authenticate via the local credentials instead of LDAP. Most likely, that user already exists in its database as an internal user, so it's just confused. To fix this, I modified my user in the database to be an external user. UPDATE user SET external = 1 WHERE username = "username_here";

Edit: You might also be able to fix it by removing the existing user with that username from the site, or renaming it to a different username. It just might mess with the task history.
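A small model of the failure mode viiwee describes, added here as an illustration and not Semaphore's own code: the `user` table schema (`username`, `external`) is taken from the UPDATE statement above, and the ordering (LDAP bind first, then the local-account lookup) is an assumption based on the log line appearing before the 401. It also includes a diagnostic query that lists internal accounts colliding with LDAP usernames, which is the check to run before applying the UPDATE.

```python
import sqlite3

# Constructed schema: only the columns this scenario needs (assumption,
# modelled on the UPDATE statement in the thread, not Semaphore's real table).
SCHEMA = """
CREATE TABLE user (
    id       INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    email    TEXT,
    external INTEGER NOT NULL DEFAULT 0   -- 1 = account owned by LDAP
);
"""

def make_db():
    """In-memory DB seeded with one pre-existing *internal* account."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO user (username, email, external) VALUES (?, ?, 0)",
               ("jonathan", "jonathan@example.com"))  # constructed sample row
    return db

def ldap_bind(username, password):
    """Stand-in for the LDAP bind; the issue's log shows it succeeding."""
    return username == "jonathan" and password == "correct-horse"  # constructed

def login(db, username, password):
    """Return (http_status, reason) following the behaviour the thread describes."""
    if not ldap_bind(username, password):
        return 401, "LDAP bind failed"
    # This is where the "authorized via LDAP correctly" log line is emitted.
    row = db.execute("SELECT external FROM user WHERE username = ?",
                     (username,)).fetchone()
    if row is not None and row[0] == 0:
        # A local (internal) account owns the username: the LDAP result is
        # discarded and the UI shows 401, despite the successful log line.
        return 401, "username belongs to an internal account"
    if row is None:
        db.execute("INSERT INTO user (username, external) VALUES (?, 1)", (username,))
    return 200, "authorized via LDAP"

def internal_accounts_shadowing_ldap(db, ldap_usernames):
    """Diagnostic: internal accounts whose username also exists in LDAP."""
    rows = db.execute("SELECT username FROM user WHERE external = 0").fetchall()
    return sorted(u for (u,) in rows if u in set(ldap_usernames))

def mark_external(db, username):
    """viiwee's fix, parameterised rather than interpolated into the query."""
    db.execute("UPDATE user SET external = 1 WHERE username = ?", (username,))
```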

ansibleguy commented 1 year ago

Greetings!

What LDAP provider are you using? Currently an issue with multiple providers is known: https://github.com/ansible-semaphore/semaphore/pull/1317

- AnsibleGuy

bioinfornatics commented 1 year ago

Greetings, I use OpenLDAP.

ansibleguy commented 1 year ago

Do you also get a 'Protocol error' response when running an 'ldapwhoami' test as described here: https://github.com/ansible-semaphore/semaphore/issues/1238

Then it might be the same issue.

bioinfornatics commented 11 months ago

I am closing the issue; my server is down and I cannot go forward on this topic.