LDAP+SSL: where the root_ca_cert is set

Dear metabase team and community,

In case of LDAP authentication, and when using SSL,
could you please advise how I can provide the certificate info?

I cannot see such a field so that I can parameterise it…

Nikos

Did you mean SSL for the webpage itself or SSL for the LDAP connection? We are using LDAP auth and SSL for the webpage itself and I made a handy little metabase start script, but we are running the .jar version of metabase.

#!/bin/bash

export MB_JETTY_SSL="true"
export MB_JETTY_SSL_Port="443"
export MB_JETTY_SSL_Keystore="/path/to/keystore/keystore.jks"
export MB_JETTY_SSL_Keystore_Password="password"

java -jar metabase.jar &

Thanks @adunbrook, but I am referring to LDAPS (and not HTTPS).

Unfortunately, I am not able to find in the docs how to specify the certificate for LDAP auth… Any ideas, anyone?

I have not tested this out, but I would assume you can use the standard Java mechanisms. So e.g. point to your keystore with a -D option when you start Metabase.jar. See some options here:

Let us know how it works out for you! :slight_smile:

Thanks a lot. I am looking into it.

Guys, could you please advise how I can possibly troubleshoot LDAP issues? When LDAP authentication fails, I cannot read anything in the logs…

I just tried switching my LDAP host to an invalid hostname and got this in the log (when I saved the wrong settings):

Jan 15 17:43:53 WARN metabase.api.ldap :: Problem connecting to LDAP server: An error occurred while attempting to resolve address 'myhost.example.com': java.net.UnknownHostException: myhost.example.com: unknown error 
Jan 15 17:43:53 ERROR metabase.middleware :: PUT /api/ldap/settings 500 (56 ms) (0 DB calls) {:errors {:ldap-host "Wrong host or port", :ldap-port "Wrong host or port"}}

According to the source code for LDAP there should be some other logging in there as well. Maybe you can start by setting up a test ldap host either with or without SSL and see if you can replicate what I did … then take baaaaaby steps from there?

Stupid me :smiley: I forgot to toggle the switch that enables the LDAP auth.
Everything works! And I am a happy metabase user :slight_smile:


Great you got it sorted! It’s always the little things that trip you up :wink:

In the meantime I figured out that:

  1. pointing to a valid SSL cert probably isn’t needed at all; :trustcert here https://github.com/pauldorman/clj-ldap#connect-options for the underlying lib leaves me with that impression

  2. I could as well try to switch to SSL for our LDAP and I now seem to have it running fine on port 636 too. So I also got something out of this :+1:
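The "standard Java mechanisms" suggested earlier in the thread, and the trust question raised in the last post, sketched as a start script for the .jar deployment. This is an added example, not code from the thread or from Metabase. It assumes Metabase's LDAP client consults the JVM default trust store, which the thread does not confirm; every path, the alias and the password are placeholders.

```shell
#!/bin/bash
# Added example: placeholders throughout (paths, alias and password are assumptions).
CA_PEM="/path/to/ldap_root_ca.pem"         # root CA that signed the LDAP server cert
TRUSTSTORE="/path/to/ldap-truststore.jks"  # dedicated store holding only that CA
TRUSTSTORE_PASS="changeit"                 # placeholder password
CA_ALIAS="ldap-root-ca"                    # hypothetical alias

# Confirm the LDAPS endpoint's chain validates against the root CA.
# Returns non-zero if verification fails (-verify_return_error aborts the handshake).
check_ldaps_chain() {  # usage: check_ldaps_chain ldap.example.com [636]
  openssl s_client -connect "$1:${2:-636}" -CAfile "$CA_PEM" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

# Import the root CA into the trust store (keytool creates the store if missing).
# Skips the import when the alias is already present, so the script is re-runnable.
import_ldap_ca() {
  if keytool -list -alias "$CA_ALIAS" -keystore "$TRUSTSTORE" \
       -storepass "$TRUSTSTORE_PASS" >/dev/null 2>&1; then
    return 0
  fi
  keytool -importcert -noprompt -alias "$CA_ALIAS" -file "$CA_PEM" \
    -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS"
}

# Start Metabase with the standard JSSE trust store properties set.
start_metabase() {
  import_ldap_ca || return 1
  java "-Djavax.net.ssl.trustStore=$TRUSTSTORE" \
       "-Djavax.net.ssl.trustStorePassword=$TRUSTSTORE_PASS" \
       -jar metabase.jar &
}

# Typical use:
#   check_ldaps_chain ldap.example.com 636 && start_metabase
```

Setting `javax.net.ssl.trustStore` replaces the JVM's default CA bundle for every connection that relies on it, so other outbound TLS from the same process will validate only against this CA. If Metabase also needs public CAs, import the LDAP root CA into a copy of the JRE's `cacerts` and point the property at that copy.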