LDAP logon fails because of "ldapwhoami" request.
Hi guys,
we have a running SAMBA-AD which is running perfectly fine. Unfortunately we are not able to connect Semaphore to this system because SAMBA-AD is not supporting the "ldapwhoami" request and we think it never will (I think this is the same case with Microsoft AD).
The error is:
```
Semaphore v2.9.37 Server is running WARN[1174] LDAP Result Code 2 "Protocol Error": Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported
```
See here: https://pkg.go.dev/github.com/go-ldap/ldap/v3#LDAPResultProtocolError
LDAP config:

```json
"ldap_enable": true,
"ldap_needtls": false,
"ldap_binddn": "CN=binduser techuser,CN=Users,DC=example,DC=com",
"ldap_bindpassword": "long-bindpassword",
"ldap_server": "samba-ad:389",
"ldap_searchfilter": "(&(sAMAccountName=%s))",
"ldap_searchdn": "CN=Users,DC=example,DC=com",
"ldap_mappings": {
  "dn": "distinguishedName",
  "mail": "userPrincipalName",
  "uid": "sAMAccountName",
  "cn": "cn"
}
```
RFC docs @ https://datatracker.ietf.org/doc/html/rfc4532 say:

> 2. The "Who am I?" Operation
>
> The "Who am I?" operation is defined as an LDAP Extended Operation [RFC4511] identified by the whoamiOID Object Identifier (OID). This section details the syntax of the operation's whoami request and response messages.
>
> whoamiOID ::= "1.3.6.1.4.1.4203.1.11.3"
And the samba guys ( https://lists.samba.org/archive/samba/2012-January/165816.html ) say:

> Andrew Bartlett abartlet at samba.org Thu Jan 19 22:03:08 MST 2012 [...]
>
> So the question is does the Samba4 LDAP server support SASL/GSSAPI based binding?
>
> We support SASL/GSSAPI. We do not (patches very welcome) currently support the extended operation ldapwhoami uses.
>
> Andrew Bartlett
I repeat: "We do not [...] support the extended operation ldapwhoami uses." This was in 2012(!). So I have no hope they will implement this in 2023 or anytime later.
Could you please remove the "ldapwhoami" request from semaphore?
Best regards, Michael H.G. Schmidt
Related: https://github.com/ansible-semaphore/semaphore/pull/1317
Removed ldapwhoami
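The exchange this issue describes, as an added example that is not part of the original post and is not Semaphore's, go-ldap's or Samba's code: it encodes the RFC 4532 "Who am I?" ExtendedRequest (OID 1.3.6.1.4.1.4203.1.11.3) in BER, decodes the ExtendedResponse, and shows the client-side fallback when a directory answers with result code 2 (protocolError), which is what the error above reports. The two `server_*` functions are constructed stand-ins, not real servers; the bind DN is the one from the config in the issue and the diagnostic text is the one from the quoted error. Dropping the request entirely, as the linked PR did, is the other way to avoid the failed login; the fallback here keeps the operation where a server supports it.

```python
# Added example (not Semaphore, go-ldap or Samba code): RFC 4532 "Who am I?"
# request/response on the wire, and a login flow that survives a server
# which does not implement the extension.

WHOAMI_OID = "1.3.6.1.4.1.4203.1.11.3"                    # whoamiOID, RFC 4532
SUCCESS, PROTOCOL_ERROR, UNWILLING_TO_PERFORM = 0, 2, 53  # LDAP result codes

# --- minimal BER helpers, enough for these two LDAPMessages ---
def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(n: int) -> bytes:
    # two's-complement, minimal length (message IDs, result codes)
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)

def read_tlv(buf: bytes, pos: int = 0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

# LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }
# ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID, ... }
def whoami_request(message_id: int) -> bytes:
    ext_req = tlv(0x77, tlv(0x80, WHOAMI_OID.encode("ascii")))  # 0x77 = [APPLICATION 23]
    return tlv(0x30, tlv(0x02, ber_int(message_id)) + ext_req)

def parse_extended_request(msg: bytes):
    _, body, _ = read_tlv(msg)
    _, mid, pos = read_tlv(body)
    tag, req, _ = read_tlv(body, pos)
    if tag != 0x77:
        raise ValueError("not an ExtendedRequest")
    _, oid, _ = read_tlv(req)
    return int.from_bytes(mid, "big", signed=True), oid.decode("ascii")

# ExtendedResponse ::= [APPLICATION 24] SEQUENCE { resultCode ENUMERATED, matchedDN,
#   diagnosticMessage, ..., responseValue [11] OCTET STRING OPTIONAL (the authzId) }
def extended_response(message_id: int, result_code: int, diagnostic: str, value=None) -> bytes:
    body = tlv(0x0A, ber_int(result_code)) + tlv(0x04, b"") + tlv(0x04, diagnostic.encode())
    if value is not None:
        body += tlv(0x8B, value)                                # [11] primitive
    return tlv(0x30, tlv(0x02, ber_int(message_id)) + tlv(0x78, body))  # 0x78 = [APPLICATION 24]

def parse_extended_response(msg: bytes) -> dict:
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    tag, resp, _ = read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, rc, pos = read_tlv(resp)
    _, _matched_dn, pos = read_tlv(resp, pos)
    _, diag, pos = read_tlv(resp, pos)
    authz_id = None
    while pos < len(resp):                   # optional referral / responseName / responseValue
        tag, val, pos = read_tlv(resp, pos)
        if tag == 0x8B:
            authz_id = val.decode()
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(rc, "big", signed=True),
            "diagnostic": diag.decode(), "authz_id": authz_id}

# --- constructed stand-in servers (not real directory behaviour beyond the quoted error) ---
def server_without_whoami(request: bytes) -> bytes:
    mid, oid = parse_extended_request(request)
    return extended_response(mid, PROTOCOL_ERROR, f"Extended Operation({oid}) not supported")

def server_with_whoami(request: bytes, bound_dn: str) -> bytes:
    mid, oid = parse_extended_request(request)
    if oid != WHOAMI_OID:
        return extended_response(mid, PROTOCOL_ERROR, f"Extended Operation({oid}) not supported")
    return extended_response(mid, SUCCESS, "", value=("dn:" + bound_dn).encode())

# --- client side: after a successful bind, optionally confirm the identity ---
def confirm_identity(bound_dn: str, server, message_id: int = 2):
    """Returns (authorization identity, source). An unsupported extension must not
    turn a good bind into a failed login: fall back to the DN we authenticated as."""
    reply = parse_extended_response(server(whoami_request(message_id)))
    if reply["message_id"] != message_id:
        raise RuntimeError("response does not match request")
    if reply["result_code"] == SUCCESS:
        return reply["authz_id"], "whoami"
    if reply["result_code"] in (PROTOCOL_ERROR, UNWILLING_TO_PERFORM):
        return "dn:" + bound_dn, "bind-dn"   # log reply["diagnostic"] at debug level here
    raise RuntimeError(f"LDAP Result Code {reply['result_code']}: {reply['diagnostic']}")

if __name__ == "__main__":
    dn = "CN=binduser techuser,CN=Users,DC=example,DC=com"  # bind DN from the issue's config
    print(confirm_identity(dn, server_without_whoami))
    print(confirm_identity(dn, lambda req: server_with_whoami(req, dn)))
```

Only protocolError and unwillingToPerform are treated as "extension not available"; any other non-success code (for example invalidCredentials) is still raised, so the fallback cannot mask a bind that actually failed.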