
LDAP - not all providers support 'WhoAmI'

Open NiceRath opened this issue 1 year ago • 2 comments

Greetings.

Problem:

Not all LDAP providers support the extended action 'WhoAmI' (OID 1.3.6.1.4.1.4203.1.11.3)

For example -> see Google-LDAP

Google only supports the Extended action for StartTLS

This can be reproduced using 'ldapwhoami':

ldapwhoami -H ldap://server:389 -D "uid=user.name,ou=Users,dc=org,dc=com" -x -W -V -d1
> ...
> connect success
> ...
> ldap_bind: Success (0)
>         additional info: Valid access code
> ...
> request done: ld 0x55667aa11a40 msgid 2
> res_errno: 2, res_error: <>, res_matched: <>
> ...
> ldap_parse_result: Protocol error (2)

If one comments out the 'WhoAmI' call (api/login.go) in the development environment - the login works.

// Bind as the user
userdn := sr.Entries[0].DN
if err = l.Bind(userdn, password); err != nil {
        return nil, err
}

// Ensure authentication and verify itself with whoami operation
//var res *ldap.WhoAmIResult
//if res, err = l.WhoAmI(nil); err != nil {
//        return nil, err
//}
//if len(res.AuthzID) <= 0 {
//        return nil, fmt.Errorf("error while doing whoami operation")
//}

// Second time bind as read only user
if err = l.Bind(util.Config.LdapBindDN, util.Config.LdapBindPassword); err != nil {
        return nil, err
}

Possible solutions:

  • Replace the 'WhoAmI' call with some other logic that does not require extended LDAP-actions
  • Add a config-flag to disable this post-bind check if needed

- Rath

NiceRath avatar May 12 '23 14:05 NiceRath
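One way to combine the second proposed solution (a config flag) with tolerant handling of the "Protocol error (2)" answer seen in the trace above, as an added Go example that is not part of the original issue or of Semaphore's code. The `Conn` interface, the `LDAPError` type, the `LdapWhoAmI` config field and the in-memory `fakeConn` are all assumptions made for this example; in a real deployment `Conn` would be backed by the project's LDAP client, and the code-2 branch is what lets a Google LDAP, Samba or lldap backend log in without the extension.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// OID of the "Who am I?" extended operation (RFC 4532), as quoted in the issue, and the
// resultCode 2 ("Protocol error") a server answers with when it does not implement it.
const (
	whoAmIOID           = "1.3.6.1.4.1.4203.1.11.3"
	resultProtocolError = 2
)

// LDAPError stands in for a client library's result error (assumed shape: code plus text).
type LDAPError struct {
	ResultCode int
	Message    string
}

func (e *LDAPError) Error() string { return fmt.Sprintf("LDAP Result Code %d: %s", e.ResultCode, e.Message) }

// Conn is the minimal client surface the login path needs (hypothetical interface).
type Conn interface {
	Bind(dn, password string) error
	WhoAmI() (string, error) // authzId per RFC 4532, e.g. "dn:uid=alice,ou=Users,dc=org,dc=com"
}

// Config carries the opt-out flag proposed in the issue (field name is an assumption).
type Config struct{ LdapWhoAmI bool }

// AuthenticateUser binds as the user and, unless disabled, confirms through WhoAmI that the
// session is authorized as exactly that DN. A server answering resultCode 2 (extended operation
// not supported) makes the check skip instead of failing the login; every other error rejects it.
// The bool reports whether WhoAmI actually ran and matched.
func AuthenticateUser(c Conn, cfg Config, userDN, password string) (bool, error) {
	if err := c.Bind(userDN, password); err != nil {
		return false, fmt.Errorf("bind as %s: %w", userDN, err)
	}
	if !cfg.LdapWhoAmI {
		return false, nil // check disabled by configuration
	}
	authzID, err := c.WhoAmI()
	if err != nil {
		var le *LDAPError
		if errors.As(err, &le) && le.ResultCode == resultProtocolError {
			return false, nil // server lacks the extension: skip rather than fail
		}
		return false, fmt.Errorf("whoami: %w", err)
	}
	// RFC 4532: an empty authzId means the session is anonymous and must never pass. Comparing the
	// DN (case-insensitively, a simplification of real DN matching) is stricter than the original
	// len()>0 check; that strictness is an addition of this example.
	if !strings.HasPrefix(authzID, "dn:") || !strings.EqualFold(authzID[3:], userDN) {
		return false, fmt.Errorf("whoami returned %q, expected dn:%s", authzID, userDN)
	}
	return true, nil
}

// fakeConn is a constructed in-memory stand-in for a directory server, not a real client.
type fakeConn struct {
	users    map[string]string // DN -> password
	whoAmIOK bool              // false models the Google LDAP / Samba / lldap behaviour from the thread
	boundDN  string
}

func (f *fakeConn) Bind(dn, pw string) error {
	if p, ok := f.users[dn]; !ok || p != pw {
		return &LDAPError{ResultCode: 49, Message: "Invalid Credentials"}
	}
	f.boundDN = dn
	return nil
}

func (f *fakeConn) WhoAmI() (string, error) {
	if !f.whoAmIOK {
		return "", &LDAPError{ResultCode: resultProtocolError,
			Message: "Extended Operation(" + whoAmIOID + ") not supported"}
	}
	if f.boundDN == "" {
		return "", nil // anonymous session
	}
	return "dn:" + f.boundDN, nil
}

const aliceDN = "uid=alice,ou=Users,dc=org,dc=com" // constructed sample account

func newServer(whoAmIOK bool) Conn {
	return &fakeConn{users: map[string]string{aliceDN: "s3cret"}, whoAmIOK: whoAmIOK}
}

func main() {
	for _, supported := range []bool{true, false} {
		ok, err := AuthenticateUser(newServer(supported), Config{LdapWhoAmI: true}, aliceDN, "s3cret")
		fmt.Printf("server supports WhoAmI=%v -> verified=%v err=%v\n", supported, ok, err)
	}
}
```

Running it prints one line per simulated server: the WhoAmI-capable one logs in with the identity verified, the one returning code 2 logs in with the check skipped. Any other WhoAmI failure, a bad password, an anonymous authzId or an identity that does not match the bound DN still rejects the login, so tolerating the missing extension does not weaken the bind itself.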

I'm running into the same problem when trying to connect to an lldap instance I'm using. A flag to disable the whoami operation would be great to have as an option.

leanderjanssen avatar Jun 08 '23 16:06 leanderjanssen

@fiftin Greetings! Your input would be appreciated. It seems the 'WhoAmI' LDAP check is a problem. If you want a config flag 'ldap_whoami' (or something like that), I can add it in a PR!

- Rath

NiceRath avatar Jun 09 '23 12:06 NiceRath

@NiceRath looks 👍

fiftin avatar Jun 10 '23 10:06 fiftin

Just as additional information: the same problem seems to happen with Samba 4.17.4.

Imkerix avatar Jun 14 '23 15:06 Imkerix

I've been experiencing this for ages.

At first, around a year ago, my LDAP worked, but after a while it stopped working exclusively with Semaphore, and I have been forced to use the internal login ever since.

PS. I use GLAuth

Zen3515 avatar Jun 26 '23 10:06 Zen3515

Also experiencing this. Feature flag would be much appreciated. @NiceRath can you do the honors to add the config-flag please? Would be much appreciated

aaronnad avatar Jul 06 '23 20:07 aaronnad

Thanks for the information here. I am running in docker and was able to patch out the whoami section as you have shown and build my own docker container with the patch. Suddenly my LDAP problems went away (I was getting a vague LDAP protocol error).

This was my first application setup with a new Authentik deployment (supporting LDAP via "outpost"), wasted a lot of time thinking it was a configuration issue!

koalaeagle avatar Jul 07 '23 00:07 koalaeagle

@aaronnad Sorry - have forgotten about it (; PR https://github.com/ansible-semaphore/semaphore/pull/1317 is here now.

- Rath

NiceRath avatar Jul 07 '23 06:07 NiceRath

Also experiencing the same issue attempting to use LDAP authentication via Authentik. Any update on if/when this PR will be merged?

CallMeTerdFerguson avatar Sep 07 '23 21:09 CallMeTerdFerguson

> Also experiencing the same issue attempting to use LDAP authentication via Authentik. Any update on if/when this PR will be merged?

I wonder when it will get merged too, but I think people will just jump ship to OIDC instead; take a look here.

Zen3515 avatar Sep 08 '23 18:09 Zen3515

I don't see OIDC replacing LDAP completely. Not everybody has an Identity Provider that supports that protocol. No clue what the problem with merging the PR is :(

NiceRath avatar Sep 11 '23 12:09 NiceRath

Thanks @Zen3515. While this still needs to be merged, because not everyone can move to OIDC as @NiceRath pointed out, since I'm using Authentik I went ahead and did, and have that up and running perfectly. Appreciate the heads up.

CallMeTerdFerguson avatar Sep 11 '23 13:09 CallMeTerdFerguson

Seems like this is the cause of the following error I get when trying to authenticate via LDAP.

semaphore[484204]: time="2023-10-17T16:39:53-04:00" level=warning msg="LDAP Result Code 2 \"Protocol Error\": Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported

The LDAP server is Samba running as an AD domain controller.

ohmer1 avatar Oct 17 '23 20:10 ohmer1

> Seems like this is the cause of the following error I get when trying to authenticate via LDAP.
>
> semaphore[484204]: time="2023-10-17T16:39:53-04:00" level=warning msg="LDAP Result Code 2 \"Protocol Error\": Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported
>
> The LDAP server is Samba running as an AD domain controller.

Same error here.

csakaszamok avatar Dec 04 '23 16:12 csakaszamok

WhoAmI-check has been removed.

fiftin avatar Mar 03 '24 13:03 fiftin