AMP
Invalid credentials when logging in with LDAP
Bug Report
System Information
- Ubuntu 20.04.4 LTS
- 2.4.0.4
- Mainline
I confirm:
- [x] that I have searched for an existing bug report for this issue.
- [x] that I am using the latest available version of AMP.
- [x] that my operating system is up-to-date.
Symptoms
I am trying to enable LDAP authentication on AMP with my Active Directory domain. When I enter the domain and enable LDAP, I am expecting to be able to sign in and have the appropriate groups mapped; however, I am unable to sign in at all and am met with an invalid credentials error.
In the AMP logs I can see this error happening:
```
[20:34:16] [ModuleLoader:Anonymous Error] : Missing plugin/assembly: Novell.Directory.Ldap.resources (/home/amp/.ampdata/instances/ADS01/Plugins/Novell.Directory.Ldap.resources/Novell.Directory.Ldap.resources.dll) for
[20:34:16] [ModuleLoader:Anonymous Error] : Missing plugin/assembly: Novell.Directory.Ldap.resources (/home/amp/.ampdata/instances/ADS01/Plugins/Novell.Directory.Ldap.resources/Novell.Directory.Ldap.resources.dll) for
[20:34:16] [LDAPAuth:Anonymous Warning] : LDAP authentication failure: Invalid Credentials
```
Reproduction
- Install AMP in a target/controller setup, controller is on Ubuntu 20.04.4
- Have fairly stock standard Active Directory ("fake.domain") setup on the local network, only users and AMP_ prefixed groups have been added
- Ensure "fake.domain" resolves directly on the AMP controller's server as well as the records for the domain controller
- Change the AMP controller's config to reflect the following:
```
Login.UseLDAPLogins=True
Login.LDAPAuthDomain=fake.domain
Login.LDAPGroupPrefix=AMP_
```
- Create a new group in AMP called LDAP
- Assign the AMP_LDAP group to fakeuser in Active Directory
- Restart AMP
- Attempt to authenticate with fakeuser
- Fail
I am also using LDAP clients in other applications on the same machine connected to the same AD server without issues.
If you do `nslookup fake.domain` from Ubuntu, does it resolve to the AD server? (I think the dll issue is actually a red herring)
Yes, it resolves to the AD server, which is also the DNS server. I get this exactly: https://i.imgur.com/Vmz5T9G.png This IP is what I get when searching for both the domain controller, dc.fake.domain, AND fake.domain.
Can you check this again with this most recent update?
I'm having the very same error. I can do some testing if it helps, let me know please
@PhonicUK
Hello, I can confirm that I am getting this exact issue as well on my Debian 11 system. My logs appear to display similar output shown by Sauramel.
I'm up to date with AMP (2.4.3.6)
Here's a small snip of my AMP logs:
```
[13:02:02] [Core Info] : AMP is up-to-date.
[13:02:18] [Logger Error] : Missing plugin/assembly: Novell.Directory.Ldap.resources (/home/amp/.ampdata/instances/ADS01/Plugins/Novell.Directory.Ldap.resources/Novell.Directory.Ldap.resources.dll) for
[13:02:18] [Logger Error] : Missing plugin/assembly: Novell.Directory.Ldap.resources (/home/amp/.ampdata/instances/ADS01/Plugins/Novell.Directory.Ldap.resources/Novell.Directory.Ldap.resources.dll) for
[13:02:18] [Logger Warning] : LDAP authentication failure: Invalid Credentials
[13:02:18] [Core Error] : LdapException
[13:02:18] [Logger Error] : [0] (LdapException) : Invalid Credentials
[13:02:18] [Core Error] : at Novell.Directory.Ldap.LdapResponse.chkResultCode ()
  at Novell.Directory.Ldap.LdapConnection.chkResultCode (Novell.Directory.Ldap.LdapMessageQueue queue, Novell.Directory.Ldap.LdapConstraints cons, Novell.Directory.Ldap.LdapResponse response)
  at Novell.Directory.Ldap.LdapConnection.Bind (Int32 version, String dn, SByte[] passwd, Novell.Directory.Ldap.LdapConstraints cons)
  at Novell.Directory.Ldap.LdapConnection.Bind (Int32 version, String dn, String passwd, Novell.Directory.Ldap.LdapConstraints cons)
  at Novell.Directory.Ldap.LdapConnection.Bind (String dn, String passwd, Novell.Directory.Ldap.AuthenticationTypes authenticationTypes)
  at DirectoryServices.DirectorySearcher.InitBlock ()
  at DirectoryServices.DirectorySearcher.DoSearch ()
  at DirectoryServices.DirectorySearcher.get_SrchColl ()
  at DirectoryServices.DirectorySearcher.FindOne ()
  at (wrapper remoting-invoke-with-check) DirectoryServices.DirectorySearcher.FindOne()
  at GSMyAdmin.Authentication.LDAPAuth.Authenticate (String username, String password)
```
My domain has the required SOA and NS records. I've validated LDAPS is working. I have no other issue with my Debian system using domain credentials (can login to ssh based on LDAP group memberships).
I'm happy to assist in any testing efforts as well, Mike.
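A triage sketch for the log format in the excerpts above, added here as an example; it is not part of AMP and not written by anyone in this thread. It counts the `Missing plugin/assembly ... .resources` lines as noise (an assumption, following the red-herring comment earlier in the thread), collects the `LDAP authentication failure` entries, and checks whether the stack trace passes through `LdapConnection.Bind`, which places the rejection at the directory bind. The sample log and the function names are constructed for illustration.

```python
import re

# Constructed sample in the format of the excerpts above (shortened, not real output).
SAMPLE = """\
[13:02:02] [Core Info] : AMP is up-to-date.
[13:02:18] [Logger Error] : Missing plugin/assembly: Novell.Directory.Ldap.resources (/path/placeholder.dll) for
[13:02:18] [Logger Warning] : LDAP authentication failure: Invalid Credentials
[13:02:18] [Core Error] : LdapException
[13:02:18] [Logger Error] : [0] (LdapException) : Invalid Credentials
[13:02:18] [Core Error] : at Novell.Directory.Ldap.LdapResponse.chkResultCode ()
  at Novell.Directory.Ldap.LdapConnection.Bind (String dn, String passwd)
  at GSMyAdmin.Authentication.LDAPAuth.Authenticate (String username, String password)
"""

# "[HH:MM:SS] [Source Level] : message"; Source may contain ':' (e.g. "LDAPAuth:Anonymous").
ENTRY = re.compile(r"^\[(\d{2}:\d{2}:\d{2})\] \[(.+?) (\w+)\] : (.*)$")
# One stack frame: "at Namespace.Type.Method (args)".
FRAME = re.compile(r"\bat ([\w.]+) \(")

def parse(text):
    """Split log text into entries; lines without a timestamp continue the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            ts, source, level, msg = m.groups()
            entries.append({"time": ts, "source": source, "level": level, "message": msg})
        elif entries and line.strip():
            entries[-1]["message"] += "\n" + line.strip()
    return entries

def triage(entries):
    """Separate satellite-assembly noise from LDAP auth failures and locate the failing call."""
    noise, failures, frames = 0, [], []
    for e in entries:
        msg = e["message"]
        if msg.startswith("Missing plugin/assembly:") and ".resources" in msg:
            noise += 1  # assumption: unrelated to the login failure
        elif msg.startswith("LDAP authentication failure:"):
            failures.append({"time": e["time"], "reason": msg.split(":", 1)[1].strip()})
        frames.extend(FRAME.findall(msg))
    bind_failed = any(f.endswith("LdapConnection.Bind") for f in frames)
    return {"noise": noise, "failures": failures, "bind_failed": bind_failed}

if __name__ == "__main__":
    print(triage(parse(SAMPLE)))
```
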
@sauramel I've been trying to see if we can get some support on this issue.
I've been raising this in Discord, didn't get any reply there so I've raised the problem in the support forums. I'll let you know if I have any luck with getting some help. Thread can be found here if you're interested: https://discourse.cubecoders.com/t/amp-ldap-integration-non-functional-linux/4204
Do you go by the same name in Discord? I was going to DM you there to let you know but I didn't want to possibly ping the wrong person. :)
The development build has some changes in that should help with this: https://github.com/CubeCoders/AMP/issues/903
Mike, LDAP is still broken and you know it
I'm not using SSO but people, just saying it's still broken without any logs doesn't help. If you are getting errors, please share the error and the logs minus the sensitive data. That is the best way for Mike to look into it to see what is going on.
So the Development build has a tonne of changes to the LDAP handling, and it's all been documented. Check out the dev build and associated KB article. It works really well now.