tchiotludo / akhq

Kafka GUI for Apache Kafka to manage topics, topics data, consumers group, schema registry, connect and more...
https://akhq.io/
Apache License 2.0

LDAP authentication doesn't work #353

Closed mcortinas closed 4 years ago

mcortinas commented 4 years ago

I'm working with my colleagues on adding LDAP authentication to this tool. I started with basic user auth and this is working as expected. My goal with this GitHub issue is to try to solve adding LDAP authentication with Microsoft Windows Active Directory in my company.

Basically my Windows colleague has created 2 groups and 1 managerDN user, and I'm trying to assign each group a specific role (reader or admin). The default role is reader for non-authenticated users, and this is working as expected. I also added basic user authentication for the operations team, and this is working as expected. I cannot authenticate any user from Windows Active Directory, and I checked with telnet that the TCP connection is established successfully.

Let me share the code used in my Helm deployment.

## ------------------------------------------------------
## AKHQ WEB UI 
## ------------------------------------------------------
akhq:
  enabled: true
  image: 
    tag: 0.15.0

  configuration: |
    akhq:
      server:
        access-log: 
          enabled: false 
          name: org.akhq.log.access
      security:
        default-group: reader
        groups:
          reader: # just a key; it is overridden by the name below
            name: "reader" # Group name
            roles:  # roles for the group
              - topic/read
            attributes:
              # Regexp to filter topic available for group
              topics-filter-regexp: ".*"
          admin: # just a key; it is overridden by the name below
            name: "admin" # Group name
            roles:
              - topic/read
              - topic/insert
              - topic/delete
              - topic/config/update
              - node/read
              - node/config/update
              - topic/data/read
              - topic/data/insert
              - topic/data/delete
              - group/read
              - group/delete
              - group/offsets/update
              - registry/read
              - registry/insert
              - registry/update
              - registry/delete
              - registry/version/delete
              - acls/read
              - connect/read
              - connect/insert
              - connect/update
              - connect/delete
              - connect/state/update
            attributes:
              topics-filter-regexp: ".*"
        # Basic auth configuration
        basic-auth:
          gitops: # Username
            password: YYYYY # Password in sha256
            groups: # Groups for the user
              - admin
              - reader
        ldap:
          group:
            reader:
              groups:
                - COMPANY-kafkahq-Developer
            admin:
              groups:
                - COMPANY-kafkahq-Operations
    micronaut:
      security:
        ldap:
          default:
            enabled: true
            context:
              server: 'ldap://comapny.org:389'
              managerDn: 'CN=COMPANYLDAPKakfkaHQ,OU=LDAPUsers,OU=Users_Processes,OU=USER,DC=comapny,DC=org'
              managerPassword: 'XXXXXXXX'
            search:
              base: "OU=USER,DC=comapny,DC=org"
            groups:
              enabled: true
              base: "OU=Kafkahq,OU=GROUPS,DC=comapny,DC=org"

I don't know how to enable trace logs for authentication; I think this would help me solve my issue. Can you help me with enabling that log level?

Could you spot any error in my Helm values configuration?

tchiotludo commented 4 years ago

Debugging the LDAP connection can be done with (on the pods running AKHQ):

curl -i -X POST -H "Content-Type: application/json" \
       -d '{ "configuredLevel": "TRACE" }' \
       http://localhost:8080/loggers/io.micronaut.configuration.security

From what I see there is a mistake here:

        ldap:
          group:
            reader:
              groups:
                - COMPANY-kafkahq-Developer
            admin:
              groups:
                - COMPANY-kafkahq-Operations

That must be:

        ldap:
          group:
            dev:
              name: "COMPANY-kafkahq-Developer"
              groups:
                - reader
            ops:
              name: "COMPANY-kafkahq-Operations"
              groups:
                - admin

You inverted the LDAP group and the AKHQ group, I think.

mcortinas commented 4 years ago

Thank you very much for the curl command for troubleshooting; if you could translate this curl command into YAML configuration, troubleshooting would be easier, as I would avoid running the curl command after each change.

Thank you again for fixing my first mistake; it was very easy to understand my group mistake. I also see you fixed the documentation about it, great!

I worked with my Windows colleague and I think we finally have a final solution; let me share it:

      security:
        ldap:
          default:
            enabled: true
            context:
              server: 'ldap://COMPANY.org:389'
              managerDn: 'CN=COMPANY LDAP Kakfka HQ,OU=LDAPUsers,OU=Users_Processes,OU=USER,DC=COMPANY,DC=org'
              managerPassword: 'XXXXXXXXXXXX'
            search:
              enabled: true
              base: "OU=USER,DC=COMPANY,DC=org"
              filter: "sAMAccountName={0}"
            groups:
              enabled: true
              base: "OU=Kafkahq,OU=GROUPS,DC=COMPANY,DC=org"
              attribute: "cn"
              filter: "(&(objectclass=group)(cn=eDO-kafkahq-*)(member={0}))"

Let me share this link in order to see all the options: https://micronaut-projects.github.io/micronaut-security/latest/guide/#ldap
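The two corrections that make this thread work, the maintainer's reversal of the group mapping (the `name` is the LDAP group, `groups` lists AKHQ groups) and the AD-specific `search.filter` and `groups.filter` in the final configuration, can be exercised offline. The Python below is an added example, not AKHQ's or Micronaut's own code: it models the login path against a constructed in-memory directory whose DNs and group names mirror the thread (with `COMPANY-kafkahq-` as the group prefix and `DC=company,DC=org` as the suffix), implements only the small RFC 4515 filter subset those two filters use, and treats `(uid={0})`, Micronaut's documented default search filter, as the value the original post never overrode. Whether AKHQ then applies `default-group` to an authenticated user whose LDAP groups map to nothing is not shown in the thread, so the model simply returns no groups in that case.

```python
"""Offline model of the AD login path from this thread: user search, group
search, then the akhq.security.ldap.group mapping. Added example, not AKHQ's
or Micronaut's code; directory entries, DNs and group names are constructed."""
import re

# Constructed directory (not real data): two users, three groups.
U_ALICE = "CN=Alice,OU=USER,DC=company,DC=org"
U_BOB = "CN=Bob,OU=USER,DC=company,DC=org"
G_BASE = "OU=Kafkahq,OU=GROUPS,DC=company,DC=org"
DIRECTORY = [
    {"dn": U_ALICE, "objectclass": ["user"], "sAMAccountName": ["alice"]},
    {"dn": U_BOB, "objectclass": ["user"], "sAMAccountName": ["bob"]},
    {"dn": "CN=COMPANY-kafkahq-Operations," + G_BASE, "objectclass": ["group"],
     "cn": ["COMPANY-kafkahq-Operations"], "member": [U_ALICE]},
    {"dn": "CN=COMPANY-kafkahq-Developer," + G_BASE, "objectclass": ["group"],
     "cn": ["COMPANY-kafkahq-Developer"], "member": [U_ALICE, U_BOB]},
    {"dn": "CN=COMPANY-other," + G_BASE, "objectclass": ["group"],
     "cn": ["COMPANY-other"], "member": [U_BOB]},  # outside the cn prefix
]

# Mirrors micronaut.security.ldap.default from the final configuration.
MICRONAUT_LDAP = {
    "search": {"base": "OU=USER,DC=company,DC=org", "filter": "sAMAccountName={0}"},
    "groups": {"base": G_BASE, "attribute": "cn",
               "filter": "(&(objectclass=group)(cn=COMPANY-kafkahq-*)(member={0}))"},
}
# Micronaut's documented default search filter, which the first post never overrode.
DEFAULT_SEARCH = {"base": "OU=USER,DC=company,DC=org", "filter": "(uid={0})"}

AKHQ_GROUPS = {  # akhq.security.groups, abridged: AKHQ group -> roles
    "reader": ["topic/read"],
    "admin": ["topic/read", "topic/insert", "topic/delete", "node/read"],
}
# Wrong (original post): LDAP group names sit where AKHQ group names belong.
MAPPING_INVERTED = {"reader": {"groups": ["COMPANY-kafkahq-Developer"]},
                    "admin": {"groups": ["COMPANY-kafkahq-Operations"]}}
# Right (maintainer's fix): `name` is the LDAP group, `groups` lists AKHQ groups.
MAPPING_CORRECT = {"dev": {"name": "COMPANY-kafkahq-Developer", "groups": ["reader"]},
                   "ops": {"name": "COMPANY-kafkahq-Operations", "groups": ["admin"]}}


def rfc4515_escape(value):
    """Escape a value substituted into {0} (RFC 4515 section 3) so a login such
    as '*' cannot widen the search, while a wildcard in the config stays one."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def parse_filter(text):
    """Parse the subset the thread uses: (&(a=b)(c=d*)...) or a single (a=b)."""
    text = text if text.startswith("(") else "(%s)" % text  # bare "sAMAccountName={0}"
    if text.startswith("(&"):
        if not text.endswith(")"):
            raise ValueError("unbalanced filter")
        return ("&", [parse_filter(t) for t in re.findall(r"\([^()]*\)", text[2:-1])])
    attr, _, value = text[1:-1].partition("=")
    return ("=", (attr, value))


def _value_matches(pattern, actual):
    """Case-insensitive; an unescaped '*' is a wildcard, '\\xx' a literal byte."""
    pieces = [re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p).lower()
              for p in re.split(r"(?<!\\)\*", pattern)]
    return re.fullmatch(".*".join(re.escape(p) for p in pieces), actual.lower(), re.S) is not None


def matches(node, entry):
    op, arg = node
    if op == "&":
        return all(matches(n, entry) for n in arg)
    attr, pattern = arg
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return any(_value_matches(pattern, v) for v in ([values] if isinstance(values, str) else values))


def search(base, filter_template, arg):
    """Subtree search under `base`, with {0} replaced by the escaped argument."""
    node = parse_filter(filter_template.replace("{0}", rfc4515_escape(arg)))
    return [e for e in DIRECTORY
            if e["dn"].lower().endswith("," + base.lower()) and matches(node, e)]


def check_mapping(mapping, akhq_groups=AKHQ_GROUPS):
    """Lint akhq.security.ldap.group: every `groups` entry must be an AKHQ group."""
    return ["%s: %r is not an AKHQ group (LDAP and AKHQ groups swapped?)" % (key, g)
            for key, entry in mapping.items() for g in entry["groups"] if g not in akhq_groups]


def resolve(login, mapping, ldap=MICRONAUT_LDAP):
    """Return (user_dn, ldap_groups, akhq_groups, roles); raise LookupError when
    the user search does not yield exactly one entry (the bind would fail)."""
    users = search(ldap["search"]["base"], ldap["search"]["filter"], login)
    if len(users) != 1:
        raise LookupError("user search for %r returned %d entries" % (login, len(users)))
    dn, g = users[0]["dn"], ldap["groups"]
    ldap_groups = sorted(v for e in search(g["base"], g["filter"], dn) for v in e[g["attribute"]])
    akhq_groups = sorted({a for key, entry in mapping.items()
                          if entry.get("name", key) in ldap_groups
                          for a in entry["groups"] if a in AKHQ_GROUPS})
    roles = sorted({r for a in akhq_groups for r in AKHQ_GROUPS[a]})
    return dn, ldap_groups, akhq_groups, roles


if __name__ == "__main__":
    for login in ("alice", "bob"):
        print(login, resolve(login, MAPPING_CORRECT))
```

Run as-is and `alice` (member of both groups) resolves to `admin` and `reader`, `bob` only to `reader`; with `MAPPING_INVERTED` the same logins resolve to no AKHQ group at all, which `check_mapping` flags before deployment. Swapping in `DEFAULT_SEARCH` reproduces the first post's symptom against AD: `(uid={0})` finds nobody, so no user can authenticate regardless of the group mapping. The `rfc4515_escape` step is there because `{0}` is filled from the login form; a login of `*` must match nothing, not every user.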

tchiotludo commented 4 years ago

It's possible to add a logger in the configuration files:

logger:
    levels:
        foo.bar: ERROR

If someone wants to add a PR on the readme ;)

alexvaque commented 1 year ago

Hi Marc, I had the same issue as you, and thanks to this issue https://github.com/tchiotludo/akhq/discussions/889 and the last solution shared by Javier, my LDAP integration finally works. Thanks.