Configuring Metabase Auth

Something’s not right. I can do an ldap search using unix utils and I get this:

dn: CN=Robert Harris,OU=Product,OU=Company Users,DC=company,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Robert Harris
sn: Harris
givenName: Robert
distinguishedName: CN=Robert Harris,OU=Product,OU=Company Users,DC=company,
DC=com
memberOf: CN=Support 4,OU=Company Groups,DC=company,DC=com
name: Robert Harris
userPrincipalName: robert.harris@company.com
mail: robert.harris@company.com

I have the following set up:
LDAP Security: have tried all 3
Username and Password: used a known good username ( actually the one used in the ldapsearch above )
User Schema: dc=company,dc=com
User Filter: (&(|(sAMAccountName={login})(userPrincipalName={login})))

No mapping configured.

I would like to allow members of the groups “Support” and "Engineering’ at company . com to be able to auth and log in.

Anyone able to help?

Hi @Robert.Harris
You say “something’s not right”, but you don’t describe the problem/error.
I would recommend that you have a look at some of the other LDAP debugging topics, since it has been covered multiple times and takes a long time to investigate:
https://discourse.metabase.com/search?q=ldap%20debug

I’ll try to give a bit more detail but there’s not much in the logs either.

I managed to lock myself out when testing, looked like I had it, but nope and after being so tired, I nuked it. Sucks but I felt better.

I have actually searched and read most of those, you’ll notice things like the User Filter is straight out of one of them.

I was getting “Unauthenticated” and then it started working, now I’m locked out, trying to figure out how to get back in I reset everything with the same config as below. I tried logging in with a generic service account, my searches don’t rule those out yet and I’m now getting:

[cde4b453-83e5-4575-b3b6-d4d1b2ffc202] 2020-07-15T08:43:00-06:00 DEBUG metabase.middleware.log POST /api/session 400 17.2 ms (1 DB calls) {:errors {:password “did not match stored password”}}

Nothing else. If I change the target AD server, I get a connection error so it’s atleast connecting.

@Robert.Harris Then you’re seeing the same issue as referenced here: LDAP - Can't Login

So it seems, kinda-sorta.

I can get it set up so that AD/LDAP is working right, somewhat. If user X tries to log in with LDAP, they can just fine, until their cookie/session expires. Then they can’t log in again. If user Y tries to log in with LDAP, no, just doesn’t let them in. Depending on situation, they either get “Unauthorized” or “did not match stored password” We ran through so many combinations, we lost track. I tried using my bind logins of:
svcUser@companycom
DN=svcUser,OU=Company Users,DC=company,DC=com
DN=svcUser,OU=“Company Users”,DC=company,DC=com
‘DN=svcUser,OU=“Company Users”,DC=company,DC=com’
and even had IT set up a new group,
DN=svcUser,OU=svcUsers,DC=company,DC=com
( No spaces ) and I get the same behavior.

This is on 0.36-rc2 and 0.35 ( docker containers )