Enabled LDAP but no Single Sign On option presents

tjw · April 22, 2021, 8:24pm

We've deployed metabase to our k8s cluster and configured an LDAP server through Admin>Authentication>LDAP

It shows a green light and says LDAP is active

However, nothing has changed with the service... The log in page is exactly the same, I still create users as an admin exactly the same, beyond the green light on the LDAP widget, I have no indication anything is different.

My expectation was that enabling LDAP would present logged-out or new users with a page prompting them to login with their Active Directory credentials but I'm not sure if I'm just wrong about that or if there is a setting somewhere I forgot to switch.

flamber · April 22, 2021, 8:45pm

Hi @tjw
Please post "Diagnostic Info" from Admin > Troubleshooting.
When you enable LDAP, then the login will say "Username or email address" instead of "Email address".
That's the only visual indication for the user.

tjw · April 22, 2021, 9:33pm

Here is the Diagnostic Info.

I'll ask someone in my org to try to login directly with their AD credentials to see if maybe it is working and I was just unable to notice.

EDIT: my AD credentials were not accepted and UI does say "Username or email address"

{
  "browser-info": {
    "language": "en-US",
    "platform": "MacIntel",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36",
    "vendor": "Google Inc."
  },
  "system-info": {
    "file.encoding": "UTF-8",
    "java.runtime.name": "OpenJDK Runtime Environment",
    "java.runtime.version": "11.0.10+9",
    "java.vendor": "AdoptOpenJDK",
    "java.vendor.url": "https://adoptopenjdk.net/",
    "java.version": "11.0.10",
    "java.vm.name": "OpenJDK 64-Bit Server VM",
    "java.vm.version": "11.0.10+9",
    "os.name": "Linux",
    "os.version": "5.10.25-flatcar",
    "user.language": "en",
    "user.timezone": "GMT"
  },
  "metabase-info": {
    "databases": [
      "postgres"
    ],
    "hosting-env": "unknown",
    "application-database": "mysql",
    "application-database-details": {
      "database": {
        "name": "MySQL",
        "version": "5.7.12"
      },
      "jdbc-driver": {
        "name": "MariaDB Connector/J",
        "version": "2.6.2"
      }
    },
    "run-mode": "prod",
    "version": {
      "date": "2021-03-17",
      "tag": "v0.38.2",
      "branch": "release-x.38.x",
      "hash": "91f0ed6"
    },
    "settings": {
      "report-timezone": "America/New_York"
    }
  }
}

flamber · April 23, 2021, 9:22am

@tjw Do you have a user in Metabase with the same email as the one in the AD - then that is likely causing the problems.
Post the logs from Admin > Troubleshooting > Logs, and check your LDAP debug log for why it's failing.
Just want to make sure that you have read the last sections of the documentation:
https://www.metabase.com/docs/latest/administration-guide/10-single-sign-on.html#enabling-ldap-authentication

tjw · April 23, 2021, 5:21pm

THank you for your help flamber.

After reviewing those logs you linked I was able to work with someone to debug our LDAP configuration and it appears to be working now.

flamber · April 23, 2021, 7:02pm

@tjw Since others might be having similar issue, it would be helpful if you wrote what the problem was and how you solved it.

tjw · April 26, 2021, 3:26pm

The issue appears to have been with our LDAP configuration -- but I was working with someone else who configured the LDAP stuff. Looking at the logs as detailed above was where I was able to find the right error message that helped him understand the problem, but I never really did -- beyond knowing it was an issue with a configuration on the LDAP side, not metabase