AD LDAP authentification with Metabase v0.33.2

Hello Folks,

I experiencing a weird thing with Metabase and Active Directory LDAP authentification.
I do some setup with a previous version on Metabase, pretty sure v0.28.6, in LDAP setting panel, everything was good until I made an data export from another installation and an update to v0.33.2. As I understand because I remove the main data and recover another one, I lost my LDAP setup, so I redo it but now looks I have some issue to communicate with AD.
Here is the log error:
09-18 12:31:28 e[1mERROR api.sessione[0m :: Problem connecting to LDAP server, will fall back to local authentication
LDAPException(resultCode=87 (filter error), errorMessage=‘Unable to parse string ‘(&(objectClass=user)(mail=stephane.payet)|(sAMAccountName=stephane.payet))’ as an LDAP filter because it is missing parentheses around component ‘|(sAMAccountName=stephane.payet)’.’, ldapSDKVersion=4.0.4, revision=27051)

Here are the weirdo things I showed up.
I was able to recover the previous installation with data, works fine, and I did the AD LDAP setup on the second installation (the one I recovered the data on the first installation) and works good to, to notice this second installation is on v0.28.6

I do check on communication, TELNET is fine, the account for the lookup in AD is fine too, so I read lot documentation but I still have this issue, from the basis https://metabase.com/docs/v0.26.1/administration-guide/10-single-sign-on.html to the more complete LDAP Debugging

My setup:
server hostname : myad.domain.lan
LDAP port : 636
LDAP security : SSL
Username or dn : myUser
Pass : ******
User search base : OU=Usagers,DC=domain,DC=lan
User filter : (|(sAMAccountName={login})(mail={login}))
Attributes : default ones
Group Mappings : CN=Metabase Admins,CN=Builtin,DC=domain,DC=lan > Admin
Group search base : empty

Any thoughts ?

Stef.

Other thing, in this doc https://ldap.com/ldap-result-code-reference-core-ldapv3-result-codes/#rc-invalidDNSyntax
result code 34 means malformed request, is it cause by my setup ? The Metabase app ? Worst, is AD ?

Hi @AdminN

Can you sniff the traffic, when doing telnet, to make sure it’s using the exact same filter?

You’re getting error code 87, which is a filter error: https://ldap.com/ldap-result-code-reference-client-side-result-codes/#rc-filterError

From the looks of it, I think your filter should be something like this (notice the extra parentheses):
(&(objectClass=user)(|(sAMAccountName={login})(mail={login})))

Hi @flamber,

I changed the communication to not secure in 389, to be able to see it. I did a packet capture with an authentification, not sure if I should do with a telnet (telnet is blank packet, right ?)
I see the filter request corresponding to the change with your filter, so
Filter: (&(objectClass=user)(|(sAMAccountName=test3.stef@domain.com)(mail=test3.stef@domain.com)))

Extra fact, on my second installation, with setup working before, without any other changes than the .jar, I’m experiencing the same issue.

@AdminN

Yeah, I meant that you just needed to see traffic, when it was working and compare it to when it’s not working.

Since you’re upgrading between major versions, I guess there might have been LDAP changes, which broke something, but it’s difficult to say precisely which, since they’re more than a year apart.

I might be misreading your comments, but are you saying that it’s not working on 0.33.2 no matter what changes you’re making to the search filter?

:expressionless: ok, I change my test login name, I removed the number into it and it works !
I was not persistent on my test, this is the factor. To confirm, I created another new account with a number, test4.stef, I restored the previous installation and same issue.

So my bad :woozy_face: and thanks for the answer

Now I have an issue with the group mapping, this time I didn’t change anything, for sure, but it’s probably better to go on another tread

grr… when I switched back to port 636 in SSL, I reactivated the issue :pensive: :pensive: :pensive:

@AdminN
I don’t think reactivating SSL would (re-)create filter errors. Otherwise try playing with another LDAP client, so you can make the exact same setup.
But are you using sAMAccountName or only mail in the filter? Then change it as so:
(&(objectClass=user)(mail={login}))
Remember, check both the LDAP and Metabase log, since it will help while debugging.

ok moving forward, I was able to identify something, when I disable Group Mapping, it works, 389 or 636, SSL or not, I’ guessing my AD is able to trust, when I used another AD, I got “An error occurred while attempting to send the LDAP message to server AD2.domain.lan:636: SSLHandshakeException(Couldn’t kickstart handshaking), ldapSDKVersion=4.0.4, revision=27051”

filter was (&(objectClass=user)(mail={login})) at the beginning, now is (&(objectClass=user)(|(sAMAccountName={login})(mail={login}))), if I understand well, it’s allow login name or email at the login process

continuing investigations

it looks like linked https://github.com/metabase/metabase/issues/10788

Hi @AdminN
Okay, then I didn’t understand your problem correctly. By the way, 10788 was closed in favor of https://github.com/metabase/metabase/issues/7571
So you’re having problems with group memberships being wiped, when it syncs the LDAP?

Not wipe, but it looks interfere in my connexion and my group mapping is not working.
For my first issue, I observed an intermittent issue, perhaps with my test accounts, I'm able to connect with previous account, but with a brain new it's uncertain, probably because I change to many setting between my tests.
For now, I recovered my setup, with group mapping disable and it works

Blockquote server hostname : myad.domain.lan
LDAP port : 636
LDAP security : SSL
Username or dn : myUser
Pass : ******
User search base : OU=Usagers,DC=domain,DC=lan
User filter : (&(objectClass=user)(|(sAMAccountName={login})(mail={login})))
Attributes : default ones
Group Mappings : Disable
Group search base : empty

I will keep an eyes on the GitHub you mention and next releases

Thanks for your help

0.33.3 released and https://github.com/metabase/metabase/issues/10291

same issue, when mapping is disable it works :cry:

@AdminN
I think you’re seeing this issue: https://github.com/metabase/metabase/issues/10988

Yes looks the same. Wait & see