Really struggling to get LDAP up and running. I've read all the posts on the forum and think I know what settings need to be set, but I still get the dreaded {:errors {:password "did not match stored password"}}
This is what the user I'm trying to log in as looks like in my LDAP directory
@lfbs Okay, the best way to figure out what’s going wrong with LDAP is to use Wireshark/tcpdump to capture the traffic from Metabase and from another working client, to compare the difference in what is being sent/received to/from the LDAP server.
@lfbs Place Metabase locally on your machine as a test. Or run Wireshark on the server where Metabase is.
Of course you cannot see traffic on your local machine from a server’s communication to another server - otherwise there would be zero security in this world
@lfbs Okay, then you’re not setting the filters correctly in Wireshark, since you should be able to see traffic from Metabase to LDAP as well - unless you’re running Metabase in Docker, which is similar to running Metabase on a separate server, so you would need to monitor other interfaces in that case.
@lfbs I don’t use Windows, so you have to search around for a solution for that, but I’m guessing you’re not using Docker then. You can probably find a lot of tutorials on “LDAP debugging”.
I would expect that after finding that the user exists in ldap, it should then try to rebind as that user? Only I can’t see any further rebinding requests…
One thing I’m noticing is that the quotes are removed on the search request.
And when you compare the requests to another (Java-based) LDAP client that works, does it have the exact same requests and results?
It would probably be a lot easier if you set up a local LDAP server, since I’m guessing you don’t have access to the logs of the external LDAP server. It will give you much more detail on what’s going on.
The code looks to use the same logic I described, but the verify-password might not be getting called. Can you recommend another Java-based LDAP client I could test with Wireshark?
(defn find-user
  "Gets user information for the supplied username."
  ([username]
   (with-connection find-user username))
  ([conn username]
   (when-let [{:keys [dn], :as result} (u/lower-case-map-keys (search conn username))]
     (let [{fname (keyword (ldap-attribute-firstname))
            lname (keyword (ldap-attribute-lastname))
            email (keyword (ldap-attribute-email))} result]
       ;; Make sure we got everything as these are all required for new accounts
       (when-not (some empty? [dn fname lname email])
         {:dn         dn
          :first-name fname
          :last-name  lname
          :email      email
          :groups     (when (ldap-group-sync)
                        ;; Active Directory and others (like FreeIPA) will supply a `memberOf` overlay attribute for
                        ;; groups. Otherwise we have to make the inverse query to get them.
                        (or (:memberof result) (get-user-groups dn) []))})))))

(defn verify-password
  "Verifies if the supplied password is valid for the `user-info` (from `find-user`) or DN."
  ([user-info password]
   (with-connection verify-password user-info password))
  ([conn user-info password]
   (let [dn (if (string? user-info) user-info (:dn user-info))]
     (ldap/bind? conn dn password))))
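The search-then-bind flow of the Clojure above, as an added Python example that is not part of the original post or of Metabase: the in-memory directory, ATTRIBUTE_MAP, ldap_search and ldap_bind are constructed stand-ins for the real server and settings. It shows the case the posted find-user creates when a mapped attribute (here the last name) is missing from the entry: the result is nil, so verify-password and its bind request never happen.

```python
# Added example, not Metabase's code: the posted find-user / verify-password flow in
# Python over a constructed in-memory directory, so the "user found but no rebind
# request" case can be reproduced offline. Every name below is a made-up stand-in.
FAKE_DIRECTORY = {  # keys lower-cased as the posted code does; "bob" has no 'sn'
    "uid=alice,ou=people,dc=example,dc=org": {
        "givenname": "Alice", "sn": "Liddell", "mail": "alice@example.org",
        "userpassword": "alice-pw", "memberof": ["cn=analysts,ou=groups,dc=example,dc=org"],
    },
    "uid=bob,ou=people,dc=example,dc=org": {
        "givenname": "Bob", "mail": "bob@example.org", "userpassword": "bob-pw",
    },
}
ATTRIBUTE_MAP = {"first_name": "givenName", "last_name": "sn", "email": "mail"}  # ldap-attribute-* settings

def ldap_search(username):
    """Stand-in for the user search: match uid or mail, return (dn, attrs) or None."""
    for dn, attrs in FAKE_DIRECTORY.items():
        if dn.startswith(f"uid={username},") or attrs.get("mail") == username:
            return dn, attrs
    return None

def ldap_bind(dn, password):
    """Stand-in for a simple bind; "" is refused because it would be an anonymous bind."""
    entry = FAKE_DIRECTORY.get(dn)
    return bool(password) and entry is not None and entry.get("userpassword") == password

def find_user(username):
    """Like the posted find-user: None unless dn, first, last and email are all non-empty."""
    if (hit := ldap_search(username)) is None:
        return None
    dn, attrs = hit
    info = {"dn": dn}
    for key, attribute in ATTRIBUTE_MAP.items():
        info[key] = attrs.get(attribute.lower())
    if any(not value for value in info.values()):
        return None  # a required attribute is missing, so no bind will follow
    info["groups"] = attrs.get("memberof", [])  # memberOf overlay, else none
    return info

def verify_password(user_info, password):
    """Like the posted verify-password: rebind as the found DN (or a bare DN string)."""
    dn = user_info if isinstance(user_info, str) else user_info["dn"]
    return ldap_bind(dn, password)

def login(username, password):
    """Search first, bind second; returns the step at which the login stopped."""
    user = find_user(username)
    if user is None:
        return "no-user-info"  # verify_password is never called
    return "ok" if verify_password(user, password) else "bad-password"
```

Calling login("bob", "bob-pw") stops at "no-user-info" even though the entry and password exist, which is the pattern to look for in a capture that shows the search but no second bind.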
@lfbs I really haven’t worked with LDAP for 15 years, but a quick search gave this: http://jxplorer.org/
Are you using the latest 0.35.4 version of Metabase?
Do you know which LDAP server it is, OpenLDAP, AD, … ?