LDAP login via web interface not possible
Hello there!
LDAP is configured correctly, yet no user can log in via the web interface. We tried "domain\user" + password and "user" + password; sadly, neither worked.
Web-Interface address http://xxx.xxx.xxx.xxx:3000/auth/login
CLI output:
sudo semaphore service --config=./config.json
MySQL [email protected]:3306 semaphore
Tmp Path (projects home) /tmp/semaphore
Semaphore v2.8.53
Interface Port :3000
Server is running
INFO[0059] User abc with email [email protected] authorized via LDAP correctly
Web-Interface error:

Is there any solution or workaround to this?
Thank you and kind regards!
I'm facing the same problem.
Is there a way to debug the conversation between Semaphore and the LDAP server?
I'm using 389DS, a pure LDAP v3, not AD.
The weird thing is that Semaphore prints "INFO[0059] User abc with email [email protected] authorized via LDAP correctly" to the console, but the web interface says otherwise. If LDAP uses e.g. sssd, maybe the sssd error logs can show some additional information?
Hi @pao-pirka ,
I can't reproduce the issue. I use the following setup https://gist.github.com/fiftin/a697b2a88722ebd4ef1293bd5d7bbc88 and it works without issues. I need more details to reproduce.
@pao-pirka, @muzzol
Please read this answer: https://github.com/ansible-semaphore/semaphore/issues/898#issuecomment-1076257198
@muzzol,
I have never used 389DS; I would appreciate instructions on how to set it up via Docker.
You can try this one: https://hub.docker.com/r/389ds/dirsrv
It is not mine, but it is done by the official maintainers, so it should be OK.
Besides Docker, I want to point out that 389DS is a standard LDAPv3 server, so it is compliant with any LDAP query without any kind of customizations or additional schemas.
Searching typical attributes like cn, mail or uid should be completely transparent from the client side.
I'm using it with a lot of web projects without any kind of problem.
It seems to me that the problem here is the same email address for the default user and the user who wants to log in using LDAP. I had the same problem as @pao-pirka, and after changing the e-mail address for the default admin account I can log in via the web.
Not sure about that. Maybe the fix could also include some debugging in the login process so we can know exactly what is happening, which query is being launched and what the response from the LDAP server is.
I ran into the same problem. I created the default admin user with my e-mail address and the LDAP login was successful, but I didn't get into the UI. The user email has to be unique in the database table:
CREATE TABLE user (
  ...,
  email varchar(255) NOT NULL,
  ...,
  UNIQUE KEY email (email)
)
A warning message would be very helpful when database constraints get violated.
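The collision described in this thread, reproduced as an added example that is not part of the thread or of Semaphore's own code: a user who has already passed the LDAP bind cannot be provisioned because a local account holds the same e-mail, and the provisioning step reports that reason instead of a generic login failure. Only the `email` column and its UNIQUE key come from the thread; SQLite in place of MySQL, the other columns, the sample rows and the `provision_ldap_user` helper are assumptions.

```python
import sqlite3

# Constructed schema: only `email` and its UNIQUE key are taken from the thread.
# The remaining columns and the use of in-memory SQLite are assumptions.
SCHEMA = """
CREATE TABLE user (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    email    TEXT NOT NULL,
    external INTEGER NOT NULL DEFAULT 0,  -- 1 = account backed by LDAP
    UNIQUE (email)
)
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    # Local admin created at install time (constructed sample data).
    db.execute("INSERT INTO user (username, email) VALUES ('admin', 'admin@example.test')")
    return db

def provision_ldap_user(db, username, email):
    """Create the local row for a user who has already passed the LDAP bind.

    Returns (ok, message). A clash with an existing account is reported
    explicitly so the operator sees why the web login did not complete.
    """
    row = db.execute(
        "SELECT username, external FROM user WHERE email = ?", (email,)
    ).fetchone()
    if row is not None and row[0] == username and row[1] == 1:
        return True, "existing LDAP user"
    if row is not None:
        return False, f"email {email} already belongs to local user '{row[0]}'"
    try:
        db.execute(
            "INSERT INTO user (username, email, external) VALUES (?, ?, 1)",
            (username, email),
        )
    except sqlite3.IntegrityError as exc:
        # Concurrent insert or another constraint: still surface the reason.
        return False, f"database constraint violated: {exc}"
    return True, "created"

if __name__ == "__main__":
    db = open_db()
    print(provision_ldap_user(db, "abc", "admin@example.test"))  # clash with local admin
    print(provision_ldap_user(db, "abc", "abc@example.test"))    # first LDAP login
    print(provision_ldap_user(db, "abc", "abc@example.test"))    # later LDAP login
```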