semaphoreui / semaphore

Modern UI and powerful API for Ansible, Terraform, OpenTofu, PowerShell and other DevOps tools.
https://semaphoreui.com
MIT License

Problem: LDAP Result Code 32 "No Such Object" #2306

Open quinten-lp opened 2 months ago

quinten-lp commented 2 months ago

Issue

Hi, I'm using Semaphore with docker, version v2.10.22.

I'm able to connect with the admin account, run playbooks etc... I want to configure ldap in order to connect with Active Directory accounts. I have an Active Directory with all users in the "Users" organizational unit, and I have also created a group called "Semaphore" with one account inside.

Here are the parameters in config.json (because environment vars in docker compose don't work for ldap settings):

```json
"ldap_enable": true,
"ldap_binddn": "CN=Svc Semaphore,OU=ServiceAccounts,DC=fra,DC=example,DC=com",
"ldap_bindpassword": "secret",
"ldap_server": "ldap.fra.example.com:636",
"ldap_searchdn": "OU=Users,DC=fra,DC=example,DC=com",
"ldap_searchfilter": "(&(sAMAccountName=%s)(memberOf=cn=Semaphore,cn=Users,dc=fra,dc=example,dc=com)",
"ldap_mappings": {
    "dn": "distinguishedName",
    "mail": "mail",
    "uid": "sAMAccountName",
    "cn": "cn"
},
```

Then, on Firefox, when I enter my login, I get an error 500, and in the docker logs I have:

```
level=warning msg="LDAP Result Code 32 \"No Such Object\": 0000208D: NameErr: DSID-0310028D, problem 2001 (NO_OBJECT), data 0, best match of:\n\t'DC=fra,DC=example,DC=com'\n\x00"
```

When I test inside the container with ldapsearch, it works, for example:

```shell
ldapsearch -H ldaps://ldap.fra.example.com -d 1 -x -W -D "CN=Svc Semaphore,OU=ServiceAccounts,DC=fra,DC=example,DC=com" -b "CN=Semaphore,CN=Users,DC=fra,DC=example,DC=com" "(sAMAccountName=<account>)"
```

The only difference between config.json and ldapsearch is the "ldap_searchdn" field; I have to put

```json
"ldap_searchdn": "OU=Users,DC=fra,DC=example,DC=com",
```

If I set "ldap_searchdn": "CN=Users,DC=fra,DC=example,DC=com", nothing appears in the logs and in my browser I get "incorrect password".

And with ldapsearch, if I run the command on "CN=Users,DC=fra,DC=example,DC=com", I get an error.

I have also tested with:

```json
"ldap_searchfilter": "(uid=*)"
"ldap_searchfilter": "(sAMAccountName=*)"
"ldap_searchfilter": "(uid=%s)"
"ldap_searchfilter": "(sAMAccountName=%s)"
"ldap_searchfilter": "(&(sAMAccountName=%s)(memberOf=cn=Semaphore,OU=Groups,dc=fra,dc=example,dc=com)",
```

and also

```
"ldap_searchdn": "OU=Users,DC=fra,DC=example,DC=com"  => LDAP Result Code 32 / error 500
"ldap_searchdn": "DC=fra,DC=example,DC=com"           => incorrect password in browser, nothing in logs
"ldap_searchdn": "CN=Users,DC=fra,DC=example,DC=com"  => incorrect password in browser, nothing in logs
```

So what is the correct parameter to set if I want to connect with my login and, ideally, restrict the connection to an AD group?

Thanks for your help.

Impact: Configuration

Installation method: Docker

Database: MySQL

Browser: Firefox

Semaphore Version: v2.10.22-e44910d-1721658561

Ansible Version: No response

Logs & errors: No response

Manual installation - system information: No response

Configuration: No response

Additional information: No response
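An offline preflight check for the ldap_* settings posted above (an added example of my own, not Semaphore's code): it flags unbalanced parentheses or a missing %s in ldap_searchfilter, escapes the typed login per RFC 4515 before substituting it into the filter, and applies a heuristic warning when ldap_searchdn names one of AD's default containers (Users, Computers, Builtin) as an OU, since those are CN= containers and a base that does not exist is what yields Result Code 32. The POSTED_FILTER string is a constructed copy of the filter from the issue; the function names are mine.

```python
"""Preflight checks for Semaphore-style ldap_searchfilter / ldap_searchdn values."""
import re

# Constructed copy of the filter posted in the issue; %s is where the login is substituted.
POSTED_FILTER = "(&(sAMAccountName=%s)(memberOf=cn=Semaphore,cn=Users,dc=fra,dc=example,dc=com)"

# RFC 4515 escaping so a typed login cannot alter the structure of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for safe use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def check_filter(template: str) -> list[str]:
    """Return a list of problems with a filter template (empty list means it looks sane)."""
    problems = []
    if template.count("%s") != 1:
        problems.append("filter must contain exactly one %s placeholder")
    depth = 0
    for ch in template:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            problems.append("unexpected ')'")
            break
    if depth > 0:
        problems.append(f"{depth} unclosed '(' in filter")
    return problems


def render_filter(template: str, login: str) -> str:
    """Substitute the login into the template with the value escaped first."""
    return template.replace("%s", escape_filter_value(login))


# Heuristic only (assumption): AD's default Users/Computers/Builtin are containers (CN=), not OUs.
AD_DEFAULT_CONTAINERS = {"users", "computers", "builtin"}


def check_search_dn(dn: str) -> list[str]:
    """Warn when the first RDN of the base DN is an AD default container written as OU=."""
    first = dn.split(",", 1)[0].strip()
    m = re.fullmatch(r"(?i)(OU)=(\w+)", first)
    if m and m.group(2).lower() in AD_DEFAULT_CONTAINERS:
        return [f"{first} is probably CN={m.group(2)} in AD, so this base may not exist (Result Code 32)"]
    return []
```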

whafflez commented 2 months ago

Hey mate,

When you are using LDAPS, you will have errors if you don't have this in your config file: "ldap_needtls": true,

If you're still having issues with LDAPS with that in your config file, might be worth going back a step and making sure that you are having connectivity over LDAP.

quinten-lp commented 2 months ago

Hi, with "ldap_needtls": true or "ldap_needtls": false, I have the same result.