
LDAP auth failing

Issue (open), opened by avhz 3 months ago, 9 comments

Hi all :)

I am having issues setting up LDAP on my CB Community container.

I have:

enabledAuthProviders: ["local", "ldap"],
authConfigurations: [
    {
        "id": "ldap",
        "provider": "ldap",
        "displayName": "LDAP",
        "disabled": false,
        "iconURL": "",
        "description": "",
        "parameters": {
            "ldap-host": "example.com",
            "ldap-port": "389",
            "ldap-dn": "ou=MY_GROUP,dc=example,dc=com",
            "ldap-enable-ssl": false
        }
    }
]

I am not able to login via <user>@example.com nor just <user>.

The domain and user are correct and I can run a manual ldapsearch and ldapwhoami for them via my shell and get a response. MY_GROUP is also correct and is returned for my user via ldapsearch:

dn: CN=<name>,OU=MY_GROUP,DC=example,DC=com

Is there something wrong with my config?

Thanks for any advice you can provide!

avhz, Oct 01 '25 09:10

Hi @avhz If that is the full configuration, then you can log in only with the full user dn (as the default user identifier attribute is cn). If you want to log in with email, please add the user login parameter:

"ldap-login": "your-email-attribute"

In that case, you also need to add a bind user:

"ldap-bind-user": "very-secret-name", "ldap-bind-user-pwd": "very-secret-password"

The list of other parameters and some examples can be found in the wiki.

EvgeniaBzzz, Oct 01 '25 10:10

Is it possible to avoid the bind user? I am not sure what user I would use for that.

avhz, Oct 01 '25 10:10

It’s not possible to avoid the bind user if you want to log in with something other than the full DN. The bind user is required to search the directory and resolve the DN from attributes like mail or givenName before authenticating.

EvgeniaBzzz, Oct 01 '25 10:10

Now you can use full DN: cn=MY_USER,ou=MY_GROUP,dc=example,dc=com or just cn=MY_USER (without base DN)

EvgeniaBzzz, Oct 01 '25 11:10

Why does there need to be a separate service user in order to resolve the user that is attempting to login? ldapsearch and Python's ldap3 don't require that, for example.

Edit: is it possible to allow users to log in via <sAMAccountName> or <sAMAccountName>@<domain> (i.e. userPrincipalName) without binding a service user? I don't have a service user (nor can I create one, as this is managed elsewhere). All of our other apps either use ldap3 or ldapsearch, and this just requires either the sAMAccountName or the UPN.

e.g. via ldap3

from ldap3 import ALL, Connection, Server

# DOMAIN, username and password come from the application's own config/login form
server = Server(f"ldap://{DOMAIN}", get_info=ALL)
# Simple bind directly as <user>@<domain> (the UPN); the fourth argument is
# auto_bind=True, so the bind happens when the context manager is entered and
# a bad password raises instead of returning an unbound connection.
with Connection(server, f"{username}@{DOMAIN}", password, True) as connection:
    ...

avhz, Oct 01 '25 11:10

We chose the implementation with a service account because LDAP servers may have access control: disable anonymous search requests or restrict access to certain attributes. In such cases, the service account is required to look up the full DN based on the provided attribute value. The actual login still happens with the full DN, but the user does not need to enter it manually.

Unfortunately, for now that’s the limitation: either log in with the full user DN, or use a service (bind) account to log in with another attribute.

We will review how this is implemented in the tools you mentioned. And evaluate whether it’s possible to add support for authentication without a service account for environments where the LDAP server does not impose any restrictions.

EvgeniaBzzz, Oct 03 '25 16:10
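The two login flows discussed in this thread, modelled offline as an added example (this is not CloudBeaver's code; the directory entries, user names, group DN, service account and passwords are all constructed for the demonstration). Flow 1 is what the ldap3 snippet above does: the user-supplied name goes straight into a simple bind, which only works for a full DN or, on Active Directory, a UPN. Flow 2 is what the ldap-login / ldap-bind-user parameters describe: bind as the service account, search the base DN for the attribute, then bind as the resolved DN. The example goes one step beyond the thread and also shows why the value typed at the login form must be RFC 4515-escaped before it is spliced into the search filter: an unescaped `*` or `)(` rewrites the filter the server evaluates.

```python
"""Direct bind vs search-then-bind LDAP login, modelled offline.

Added example, not CloudBeaver's code: it shows why a service (bind) account
is required once the login name is an attribute (sAMAccountName, mail, ...)
instead of a DN, and why the user-typed value must be escaped before it is
spliced into a search filter. The in-memory directory, users, group, service
account and passwords below are constructed for the demonstration.
"""
from __future__ import annotations

# RFC 4515: these characters are special inside a filter assertion value.
# Without escaping, a login of "*" matches every entry and ")(objectClass=*"
# injects a new clause, so the value that reaches the server must be encoded.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Hex-escape the characters RFC 4515 reserves in an assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(login_attr: str, login: str, base_filter: str | None = None) -> str:
    """Filter the search-then-bind step would send: (login_attr=<escaped login>),
    AND-ed with the administrator's own filter (the page's ldap-filter) if set."""
    clause = f"({login_attr}={escape_filter_value(login)})"
    return f"(&{base_filter}{clause})" if base_filter else clause


# Constructed directory: DN -> attributes. "_password" stands in for the
# server-side credential check that a real simple bind performs.
DIRECTORY = {
    "CN=alice,OU=MY_GROUP,DC=example,DC=com": {
        "sAMAccountName": "alice",
        "userPrincipalName": "alice@example.com",
        "memberOf": ["CN=GRP_ACCESS_CBEAVER,OU=MY_GROUP,DC=example,DC=com"],
        "_password": "alice-pw",
    },
    "CN=bob,OU=OTHER,DC=example,DC=com": {
        "sAMAccountName": "bob",
        "userPrincipalName": "bob@example.com",
        "memberOf": [],
        "_password": "bob-pw",
    },
    "CN=svc-cloudbeaver,OU=SERVICE,DC=example,DC=com": {
        "sAMAccountName": "svc-cloudbeaver",
        "userPrincipalName": "svc-cloudbeaver@example.com",
        "memberOf": [],
        "_password": "svc-pw",
    },
}


def simple_bind(name: str, password: str) -> str | None:
    """Simulated simple bind. Like Active Directory, accept either a full DN
    or a userPrincipalName; return the bound DN, or None on bad credentials."""
    if "@" in name:
        dn = next((d for d, a in DIRECTORY.items()
                   if a["userPrincipalName"].lower() == name.lower()), None)
    else:
        dn = name
    entry = DIRECTORY.get(dn)
    return dn if entry is not None and entry["_password"] == password else None


def direct_bind(login: str, password: str) -> str | None:
    """Flow 1 (no service account): hand the user's own name straight to bind.
    Works for a DN (or a UPN on AD); a bare sAMAccountName cannot bind."""
    return simple_bind(login, password)


def _member_of_from_filter(base_filter: str | None) -> str | None:
    """Toy filter support: honour a single (memberOf=...) clause, enough to
    model the page's ldap-filter; a real server evaluates the whole filter."""
    if base_filter and "(memberOf=" in base_filter:
        start = base_filter.index("(memberOf=") + len("(memberOf=")
        return base_filter[start:base_filter.index(")", start)]
    return None


def search_then_bind(login: str, password: str, *, login_attr: str,
                     base_dn: str, service_dn: str, service_pw: str,
                     base_filter: str | None = None) -> str:
    """Flow 2 (service account): bind as the service account, search base_dn
    for login_attr == login, then bind as the resolved DN with the user's
    password. Anonymous search is refused, as a hardened directory would."""
    if simple_bind(service_dn, service_pw) is None:
        raise PermissionError("service account bind failed; cannot search")
    required_group = _member_of_from_filter(base_filter)
    matches = [dn for dn, a in DIRECTORY.items()
               if dn.lower().endswith(base_dn.lower())
               and a.get(login_attr, "").lower() == login.lower()
               and (required_group is None or required_group in a["memberOf"])]
    if len(matches) != 1:  # zero: unknown user; more than one: refuse to guess
        raise LookupError(f"{login_attr}={login!r} matched {len(matches)} entries")
    if simple_bind(matches[0], password) is None:
        raise PermissionError("user bind failed")
    return matches[0]
```

The `len(matches) != 1` check matters in practice: if the login attribute is not unique under the base DN (or the attacker can make the filter match more than one entry), the safe answer is to fail the login rather than bind as the first hit.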

Hi,

Isn't LDAP authentication only available in Enterprise Edition?

Matt

MattCoussi, Nov 09 '25 19:11

@MattCoussi LDAP authentication is available in all editions

EvgeniaBzzz, Nov 10 '25 07:11

Hi @EvgeniaBzzz, yes, it works.

Below is how I configured the file, in case it helps someone.

        "authConfigurations": [
            {
              "id": "ldap",
              "provider": "ldap",
              "displayName": "MY-DOMAIN",
              "disabled": false,
              "iconURL": "",
              "description": "",
              "parameters": {
                "ldap-host": "XXXXXXXXXXXXXXXX",
                "ldap-port": "XXXXXXXXX",
                "ldap-login": "sAMAccountName",
                "ldap-dn": "OU=XXXXXXXXXXX,DC=my-domain,DC=com",
                "ldap-enable-ssl": false,
                "ldap-ssl-cert": "",
                "ldap-identifier-attr": "CN",
                "ldap-bind-user": "CN=service-account,OU=XXXXX,DC=my-domain,DC=com",
                "ldap-bind-user-pwd": "XXXXXXXXXXXXXXX",
                "ldap-filter": "(&(sAMAccountName=*)(memberOf=CN=GRP_ACCESS_CBEAVER,OU=XXXXXXXXXXXX,DC=my-domain,DC=com))",
                "ldap-ignore-referral": true
              }
            }
        ]

Thanks,

Matt

MattCoussi, Nov 12 '25 09:11
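One caveat worth checking before copying the configuration above: with "ldap-enable-ssl": false on the plain LDAP port, both the service account password and every user's password are sent to the directory in cleartext during the simple bind, so anyone on the network path between CloudBeaver and the LDAP server can read them. The fragment below is an added example, not from the CloudBeaver wiki or this thread; it reuses only the parameter names that appear on this page, and the host name, OU names, group DN and the LDAPS port 636 are assumptions (636 is the conventional LDAPS port; what ldap-ssl-cert expects, a path or the certificate body, is not stated on this page, so check the wiki before filling it in).

```json
{
  "authConfigurations": [
    {
      "id": "ldap",
      "provider": "ldap",
      "displayName": "MY-DOMAIN",
      "disabled": false,
      "iconURL": "",
      "description": "",
      "parameters": {
        "ldap-host": "ldap.my-domain.com",
        "ldap-port": "636",
        "ldap-login": "sAMAccountName",
        "ldap-dn": "OU=Users,DC=my-domain,DC=com",
        "ldap-enable-ssl": true,
        "ldap-ssl-cert": "",
        "ldap-identifier-attr": "CN",
        "ldap-bind-user": "CN=service-account,OU=Service,DC=my-domain,DC=com",
        "ldap-bind-user-pwd": "REPLACE_ME",
        "ldap-filter": "(&(sAMAccountName=*)(memberOf=CN=GRP_ACCESS_CBEAVER,OU=Groups,DC=my-domain,DC=com))",
        "ldap-ignore-referral": true
      }
    }
  ]
}
```

Two further points from the same configuration: the service account needs only read access to the attributes in the filter and the login attribute, so give it a dedicated least-privilege account rather than an administrator, and the memberOf clause in ldap-filter is what limits who can log in at all, so keep it; without it every account under ldap-dn that can bind gets a CloudBeaver login.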