LDAP auth + StartTLS not working


#1

Hi,

so far Metabase is doing great, so I just wanted to enable LDAP auth so it is easier for people to login. But when I enable LDAP authentication, fillout all the details and choose “StartTLS” and then save, I get this error message:

No matching method found: processExtendedOperation for class com.unboundid.ldap.sdk.LDAPConnection

When I choose “None” or “SSL” encryption and then save, it successfully saves.

Has anyone an idea what is the problem?
Thanks.


#2

Hi @shwurbel
Which version of Metabase? Do you see more information in the Metabase log?


#3

Hi @flamber

my setup is Metabase 0.31.2 running from docker image metabase/metabase on Ubuntu 18.04 on AWS

whole log output when clicking on save button:

04-09 08:12:24 DEBUG metabase.middleware :: GET /api/setting 200 (213 µs) (0 DB calls). Jetty threads: 8/50 (3 busy, 4 idle, 0 queued)
04-09 08:12:37 WARN api.ldap :: Problem connecting to LDAP server: No matching method found: processExtendedOperation for class com.unboundid.ldap.sdk.LDAPConnection
04-09 08:12:37 ERROR metabase.middleware :: PUT /api/ldap/settings 500 (36 ms) (0 DB calls).
{:message "No matching method found: processExtendedOperation for class com.unboundid.ldap.sdk.LDAPConnection"}

#4

@shwurbel
Can you test with Metabase 0.32.3? Remember to backup before upgrading.
If the new version still has that problem, then I think you should create a new issue in the bug tracker:
https://github.com/metabase/metabase/issues/new


#5

@flamber
Saving works with the new version. But authentication does not.

When I enter some wrong values (e.g. wrong password) in the ldap-settings, Metabase complains when saving (e.g. Bad DN or password). So I assume it tries to connect to the AD and only saves when this was successful. So these settings should be right.
The searchbase and userfilter settings I tried exactly the same setup in Apache Directory Studio and there I find the user.

The only output that I get from the metabase logfiles is:
04-09 16:31:25 DEBUG middleware.log :: POST /api/session 400 330 ms (2 DB calls) Jetty threads: 8/50 (3 busy, 4 idle, 0 queued) (53 total active threads)
{:errors {:password “did not match stored password”}}

I am not really familiar with AD so I dont know yet how to troubleshoot.

Do you have any idea how to debug this further?

setup metabase:


#6

setup in ldap browser, where I find exactly one user with the same setup as in metabase:


#7

@shwurbel
I don’t know much about LDAP - it’s been 15 years since I used it.
I think you need to check the logs of the AD to see exactly what is being sent, when you use the LDAP browser vs Metabase.
It seems like the specific error was supposed to be resolved in Metabase 0.30:
https://github.com/metabase/metabase/issues/7635
Someone had the same issue and checked the queries with Wireshark:
https://github.com/metabase/metabase/issues/6353
There are several other threads in the forum about debugging:
https://discourse.metabase.com/search?q=ldap%20debug