
AD Bind user configuration

Open hyd3l opened this issue 6 months ago • 2 comments

Hi, I'm using the tag 1.9.1 of the official kouncil docker image.

This is my docker-compose.yml :

networks:
  base-network:
    name: base-network
    external: true

services:
  kouncil:
    container_name: kouncil
    restart: on-failure
    image: consdata/kouncil:1.9.1
    ports:
      - 127.0.0.1:8083:8080
    volumes:
      - /opt/apps/kouncil/_data:/config/
    networks:
      - base-network
    logging:
      options:
        max-size: 50m

In the /opt/apps/kouncil/_data folder I added this configuration for Kouncil:

# /opt/apps/kouncil/_data/kouncil.yaml

kouncil:
  auth:
    active-provider: ldap
    ldap:
      provider-url: "ldaps://ad.domain.com"
      technical-user-name: "CN=KouncilBindUser,OU=Service Accounts,DC=ad,DC=domain,DC=com"
      technical-user-password: "secret"
      search-base: "DC=ad,DC=domain,DC=com"
      search-filter: "(|(memberOf=CN=KOUNCIL-GRP,OU=Group Members,OU=Security Groups,DC=ad,DC=domain,DC=com))"

I can't understand from the documentation how I can configure it so that the username provided is the "sAMAccountName" attribute of Active Directory. I'm also not so sure that the technical-user-name is actually being properly configured; I used the CN, and in many other apps like Jenkins it usually works this way.

Thanks in advance

hyd3l avatar Jul 04 '25 10:07 hyd3l

This is the error I obtain on login with the current configuration:

(screenshot of the login error, not reproduced here)

hyd3l avatar Jul 04 '25 10:07 hyd3l

Hi. When configuring LDAP authentication, you can define separate filters for users and groups, as described in the Kouncil Authorization Docs. In these filters, you can use sAMAccountName as the username. For example:

auth:
  active-provider: ldap 
  ldap:
    provider-url: "ldaps://ad.domain.com"
    search-base: "cn=Users,dc=domain,dc=com"
    search-filter: "(&(objectClass=user)(sAMAccountName={0}))"
    group-search-base: "cn=Users,dc=domain,dc=com"
    group-search-filter: "(&(objectClass=user)(sAMAccountName={0}))"
    group-role-attribute: "memberOf"
    technical-user-name: "CN=kouncilTechUser,CN=Users,DC=domain,DC=com"
    technical-user-password: "secret"

The values of search-base and group-search-base depend on your AD tree. The technical user should be specified using its full DN.

To help analyze the error you're seeing on the login page, please provide additional information, such as the relevant logs.

pbelke avatar Aug 14 '25 16:08 pbelke
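The difference between the two filters in this thread is easiest to see by expanding them the way the server would. The example below is added here and is not Kouncil's code; it assumes (as with Spring Security LDAP filter templates) that Kouncil replaces the `{0}` placeholder with the login name the user typed. It expands a search-filter template with RFC 4515 escaping and evaluates the result against a constructed in-memory directory of two user entries, using a deliberately small filter evaluator (`&`, `|`, `!`, equality, and `*` wildcards only). The filter from the question contains no `{0}`, so once expanded it selects every member of KOUNCIL-GRP regardless of the username; the filter from the answer selects exactly the entry whose sAMAccountName equals the login name. The last two cases show why the substituted value must be escaped: an unescaped `*` turns the lookup into a match-everything filter.

```python
"""Expand an LDAP search-filter template and evaluate it against sample entries.

Added example for this thread, not Kouncil code. Assumes {0} is replaced with
the typed login name, as in Spring Security's LDAP filter templates.
"""
import re

# Constructed sample of two AD user entries; attribute values are lists, as in LDAP.
DIRECTORY = [
    {
        "dn": "CN=John Doe,CN=Users,DC=ad,DC=domain,DC=com",
        "objectClass": ["top", "person", "user"],
        "cn": ["John Doe"],
        "sAMAccountName": ["jdoe"],
        "memberOf": ["CN=KOUNCIL-GRP,OU=Group Members,OU=Security Groups,DC=ad,DC=domain,DC=com"],
    },
    {
        "dn": "CN=Jane Roe,CN=Users,DC=ad,DC=domain,DC=com",
        "objectClass": ["top", "person", "user"],
        "cn": ["Jane Roe"],
        "sAMAccountName": ["jroe"],
        "memberOf": [],
    },
]

# Filter from the answer: the login name is bound to sAMAccountName via {0}.
ANSWER_FILTER = "(&(objectClass=user)(sAMAccountName={0}))"
# Filter from the question: no {0}, so the login name never enters the search.
QUESTION_FILTER = "(|(memberOf=CN=KOUNCIL-GRP,OU=Group Members,OU=Security Groups,DC=ad,DC=domain,DC=com))"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a filter assertion."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def expand_template(template: str, username: str) -> str:
    """Substitute the escaped login name for {0} (assumed Kouncil/Spring behaviour)."""
    return template.replace("{0}", escape_filter_value(username))


def _parse(s: str, i: int):
    """Recursive-descent parser for the filter subset used here; returns (node, next_index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return ("!", [node]), i + 1
    j = s.index("=", i)          # attribute ends at the first '='
    k = s.index(")", j)          # escaped values contain no raw ')'
    return ("=", s[i:j], s[j + 1:k]), k + 1


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _match_value(pattern: str, actual: str) -> bool:
    """Raw '*' is a wildcard; escaped bytes become literal text. AD compares case-insensitively."""
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), actual, flags=re.IGNORECASE) is not None


def _eval(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_eval(c, entry) for c in node[1])
    if kind == "|":
        return any(_eval(c, entry) for c in node[1])
    if kind == "!":
        return not _eval(node[1][0], entry)
    _, attr, pattern = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if isinstance(values, str):
        values = [values]
    return any(_match_value(pattern, v) for v in values)


def search(filter_text: str, directory=DIRECTORY) -> list:
    """Return the DNs of entries matching the (already expanded) filter."""
    node, end = _parse(filter_text, 0)
    if end != len(filter_text):
        raise ValueError("trailing text after filter")
    return [e["dn"] for e in directory if _eval(node, e)]


def demo() -> dict:
    return {
        "answer_jdoe": search(expand_template(ANSWER_FILTER, "jdoe")),        # John only
        "answer_nobody": search(expand_template(ANSWER_FILTER, "nobody")),    # no entry
        "question_any": search(expand_template(QUESTION_FILTER, "whatever")), # John, username ignored
        "escaped_wildcard": search(expand_template(ANSWER_FILTER, "*")),      # '*' escaped: no entry
        "unescaped_wildcard": search(ANSWER_FILTER.replace("{0}", "*")),      # raw '*': every user
    }


if __name__ == "__main__":
    for name, dns in demo().items():
        print(name, dns)
```

The same expansion can be checked against the real directory with `ldapsearch`, binding as the technical user's full DN and passing the expanded filter, which is also the quickest way to confirm that the bind DN and search-base are correct before looking at Kouncil's logs.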