What's wrong with LDAP

chen2liang4 · February 19, 2020, 7:55am

Our all apps are using openldap1.2.4 for authentication, so we'd like integrate metabase with ldap too.
unfortunately, we got:

password: did not match stored password

I'm pretty sure that user dn, search base dn are correct, I also set email , givenname and sn for users on our ldap server.

I have tried theses filters:

uid={login}
(&uid={login})
(&(objectClass=inetOrgPerson)(|(uid={login})(mail={login})))
......

still get same error.
Then, I don't have any more clue to figure out.
how do I get more details? Or any suggestions?

thanks

chen2liang4 · February 19, 2020, 8:11am

I just saw this https://www.metabase.com/enterprise/pricing.html, does it mean only enterprise supports ldap authentication?

AndrewMBaines · February 19, 2020, 9:03am

No, it’s just a pain to get it to work.

flamber · February 19, 2020, 12:51pm

Hi @chen2liang4
The LDAP (and Google Sign-In) are part of the Community Edition:
https://www.metabase.com/docs/latest/administration-guide/10-single-sign-on.html

Do you see more details in the Metabase log (Admin > Troubleshooting > Logs) or on the LDAP server?
Have you tried to enable debug logging on the LDAP server and see if the Metabase lookup filter matches other programs?

chen2liang4 · February 20, 2020, 1:18am

Thanks @flamber.

Finally, it works! what I want to share are:

ensure your ldap entry has these attributes: email, givenName, sn.
email value must match email format.
openldap’s email attribute is actually named “mail”, instead of “email”. Even phpLDAPAdmin show it as “email”.