bseenu
commented
4 years ago @obtix I have spent enough time on this today and would suggest to run the ldapsearch with the search filter given in the config
ldapsearch -v -H <
kafka-manager would be running this same search, if this does not work try to list all the users by removing the search filter from the command you will know what info is being returned from ldap, I had to replace "uid" with "sAMAccountName" i search-filter that way. If you get this working and still going in login loop, Try debug. I had to the following changes to get the debug log
~/work/kafka-manager * git diff Thu Dec 5 22:33:04 2019
diff --git a/app/controllers/BasicAuthenticationFilter.scala b/app/controllers/BasicAuthenticationFilter.scala
index b91ef05..63772d3 100644
--- a/app/controllers/BasicAuthenticationFilter.scala
+++ b/app/controllers/BasicAuthenticationFilter.scala
@@ -17,7 +17,7 @@ import play.api.mvc.Results.Unauthorized
import play.api.mvc.{Cookie, Filter, RequestHeader, Result}
import scala.collection.JavaConverters._
-import scala.util.{Success, Try}
+import scala.util.{Success, Try, Failure}
import grizzled.slf4j.Logging
import javax.crypto.Mac
import play.api.libs.Codecs
@@ -223,6 +223,9 @@ case class LDAPAuthenticator(config: LDAPAuthenticationConfig)(implicit val mat:
val searchRequest = new SearchRequest(baseDN, SearchScope.SUB, filter)
Try(connection.search(searchRequest)) match {
case Success(sr) if sr.getEntryCount > 0 => Some(sr.getSearchEntries.get(0).getDN)
+ case Failure(e) =>
+ logger.debug(e.getMessage)
+ None
case _ => None
}
}
diff --git a/conf/logback.xml b/conf/logback.xml
index e5a5c7d..93d5199 100644
--- a/conf/logback.xml
+++ b/conf/logback.xml
@@ -42,7 +42,7 @@
<logger name="com.gargoylesoftware.htmlunit.javascript" level="OFF" />
<logger name="org.apache.zookeeper" level="INFO"/>
- <root level="WARN">
+ <root level="DEBUG">
<appender-ref ref="ASYNCFILE" />
<appender-ref ref="ASYNCSTDOUT" />
</root>
benjph
dborysenko
MargeDog
atharvai
yumupdate
I am trying to setup LDAP authentication with our AD environment.
` basicAuthentication.enabled=true
basicAuthentication.realm="Kafka-Manager"
basicAuthentication.username="admin"
basicAuthentication.password="password"
basicAuthentication.excluded=["/api/health"] # ping the health of your instance without authentification
basicAuthentication.ldap.enabled=true basicAuthentication.ldap.server="ad-server.domain.local" basicAuthentication.ldap.port=389 basicAuthentication.ldap.username="CN=Kafka Service,OU=Kafka,OU=Prod,OU=Service,DC=Domain,DC=local" basicAuthentication.ldap.password="password" basicAuthentication.ldap.search-base-dn="dc=domain,dc=local" basicAuthentication.ldap.connection-pool-size=10 basicAuthentication.ldap.ssl=false `
For the search filter (which I think is where my issue is), I've tried a few different ways:
basicAuthentication.ldap.search-filter="(uid=$capturedLogin$)" basicAuthentication.ldap.search-filter="CN=Kafka Admins,OU=Groups,OU=Prod,OU=Service,DC=Domain,DC=local"andbasicAuthentication.ldap.search-filter="(&(cn=%u)(memberOf=CN=Kafka Admins,OU=Groups,OU=Prod,OU=Service,DC=Domain,DC=local))"No matter what I try I end up in a login loop (no error), and do not believe it is querying the account from the group in the search filter properly. I've enabled DEBUG logging and it does not output anything at all.I also feel like there should be a setting for me to associate the sAMAccountName or userPrinipalName from the users attributes.
Thanks for any help here!