LDAP authentication fails with Windows Server 2016 AD

Hi all,

Trying to get LDAP authentication to work with an Active Directory LDAP. Initial setup is fine enough, and I actually got it working once or twice, but as I’d like to work with user mapping I deleted these users again to start from scratch. That didn’t work out, but I understand working with deleted users is a known problem that will be fixed in 0.30 (we’re running 0.28.6).

Not to worry, just create another user and try again. I never got it working again. Tried all kinds of things, but it keeps on reporting “Password: did not match stored password”.

I looked in the code and, although I don’t know Clojure, it seems that this error message is thrown when the user is known but the password doesn’t exist.

However, when I enter an imaginary user name, it still throws the same error message. Strange.

Then I deployed the goodness of Wireshark and found that executing the LDAP search went fine, returning one result (with the imaginary user it returns 0 results though), but then it needs to verify the password. Based on the code again, I’m expecting it will do that by another LDAP bind with that user and password. However, Wireshark is reporting nothing of that kind anymore.

So I am a bit lost as to how to proceed. LDAP config seems to be fine, otherwise it would never return that user, but still I don’t get any further.

Any help is appreciated. Thanks!
Gerco

I have it working fine towards AD (not sure it’s 2016, maybe 2012 … but hopefully that shouldn’t matter).

Can you share your LDAP settings? Specifically the User filter, where I use (|(sAMAccountName={login})(mail={login})) <— it allows login with just the username vs the full email address.

Also note I’ve seen from time to time that users had to enter credentials a few times before it worked … but I never reported it as a Metabase bug, because such a thing is super hard to repro in a reliable way. :wink:

For comparison (I shared some early ones here - now I run with SSL + have also recently )

Hi,

I got it working. It turned out to be caused by the first and last name of the user not being filled in in AD.

I would say a more descriptive error message, or at least some meaningful log message about this, would be handy, but as long as you know about it you can deal with it :slight_smile:.

Thanks for your help!

And the settings we use now are:

Server: just.the.server.name
Port: 389 (no SSL, although I tried with SSL and think that works fine, and we will go there)
User name: domain\username
Search base: CN=Users,DC=what,DC=ever,DC=com
User filter: (&(|(sAMAccountName={login})(userPrincipalName={login})))
Email attribute: userPrincipalName (although we will change back to mail here)
Other attributes are default

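The search-then-bind flow described in the first post, and the user filter templates quoted in the two later posts, as an added example that is not Metabase's code and not from either poster. It runs against a constructed in-memory stand-in for the AD search base (the entries, the `REQUIRED_ATTRS` list, the log-style reason strings and the `simulated_bind` helper are all assumptions made for the example), and it goes a little beyond the thread in two ways: it escapes the `{login}` value per RFC 4515 before substituting it into the filter, so a login can never add or rewrite filter terms, and it reports each failure (no match, ambiguous match, missing attributes, failed bind) with a distinct reason of the kind the second post wished the logs carried.

```python
import hmac
import re

# Constructed stand-in for the AD search base (not a real LDAP server): one
# complete user and one whose first/last name were never filled in, the
# condition the thread identified as the cause of the misleading error.
FAKE_DIRECTORY = [
    {"dn": "CN=Gerco Example,CN=Users,DC=what,DC=ever,DC=com",
     "sAMAccountName": "gerco", "userPrincipalName": "gerco@what.ever.com",
     "mail": "gerco@what.ever.com", "givenName": "Gerco", "sn": "Example",
     "password": "correct horse"},
    {"dn": "CN=noname,CN=Users,DC=what,DC=ever,DC=com",
     "sAMAccountName": "noname", "userPrincipalName": "noname@what.ever.com",
     "mail": "noname@what.ever.com", "givenName": None, "sn": None,
     "password": "hunter2"},
]

# RFC 4515 escaping for values substituted into a filter: the login becomes a
# literal and cannot add or rewrite filter terms.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(template, login):
    """Substitute {login} into a Metabase-style user filter template."""
    return template.replace("{login}", escape_filter_value(login))

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _parse(f, pos):
    """Minimal parser for nested &, | and attr=value terms; returns (node, pos)."""
    assert f[pos] == "(", "filter term must start with '('"
    pos += 1
    if f[pos] in "&|":
        op, pos, children = f[pos], pos + 1, []
        while f[pos] == "(":
            child, pos = _parse(f, pos)
            children.append(child)
        assert f[pos] == ")", "unbalanced filter"
        return (op, children), pos + 1
    end = f.index(")", pos)          # a ')' inside a value is escaped as \29
    attr, value = f[pos:end].split("=", 1)
    return ("=", attr, _unescape(value)), end + 1

def _matches(node, entry):
    if node[0] == "&":
        return all(_matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_matches(c, entry) for c in node[1])
    _, attr, value = node
    actual = entry.get(attr)
    # AD string attributes compare case-insensitively
    return actual is not None and actual.lower() == value.lower()

def ldap_search(filter_str, directory=FAKE_DIRECTORY):
    """Stand-in for the LDAP search that Wireshark showed returning 0 or 1 entries."""
    node, end = _parse(filter_str, 0)
    assert end == len(filter_str), "trailing characters in filter"
    return [e for e in directory if _matches(node, e)]

def simulated_bind(entry, password):
    """Stand-in for the second LDAP bind as the found user (constant-time compare)."""
    return hmac.compare_digest(entry["password"].encode(), password.encode())

# Attributes the login flow needs to fill in a local user; assumed for the example.
REQUIRED_ATTRS = ("givenName", "sn", "mail")

def authenticate(login, password, template="(|(sAMAccountName={login})(mail={login}))"):
    """Search, sanity-check the single entry, then bind. Returns (ok, reason for the log)."""
    results = ldap_search(build_user_filter(template, login))
    if not results:
        return False, "ldap: no entry matched the user filter for login %r" % login
    if len(results) > 1:
        return False, "ldap: user filter matched %d entries for %r; refusing ambiguous login" % (len(results), login)
    entry = results[0]
    missing = [a for a in REQUIRED_ATTRS if not entry.get(a)]
    if missing:
        return False, "ldap: %s is missing required attributes %s" % (entry["dn"], ", ".join(missing))
    if not simulated_bind(entry, password):
        return False, "ldap: bind as %s failed: password did not match" % entry["dn"]
    return True, "ldap: authenticated %s" % entry["dn"]

if __name__ == "__main__":
    for login, pw in [("gerco", "correct horse"), ("gerco", "wrong"), ("noname", "hunter2"), ("nobody", "x")]:
        print(authenticate(login, pw))
```

Run as-is, the four sample logins show one success and three distinct reasons; the "noname" case is the one from the thread, where the search succeeds but the missing givenName/sn is reported by name instead of as a password mismatch. The `(&(|(sAMAccountName={login})(userPrincipalName={login})))` template from the last post works unchanged with the same parser.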