LDAP - Can't Login

Really struggling to get LDAP up and running. I've read all the posts on the forum and think I know what settings need to be set, but I still get the dreaded
{:errors {:password "did not match stored password"}}

This is what the user I'm trying to log in as looks like in my LDAP directory


Here are my metabase config details

Any ideas what setting I have wrong?

I'm sure my bind user information is correct as I get no errors when clicking save, I just can't get anyone to login.

I assume the users don't need to be created in advance in metabase?

Hi @lfbs
At first look, I would guess the spaces in your DN’s OU might be causing this problem.
Try doing ...,OU="Some Spaces",...
Or some of the other ideas here: https://stackoverflow.com/questions/27964248/java-ldap-search-cant-seem-to-handle-spaces

Sorry still didn’t help :frowning:

@lfbs Okay, the best way to figure out what’s going wrong with LDAP is to use Wireshark/tcpdump to capture the traffic from Metabase and from another working client, to compare the difference in what is being sent/received to/from the LDAP server.

Thanks, tried Wireshark. I can see the HTTP request to and from the server (green lines) but not the LDAP request

@lfbs Place Metabase locally on your machine as a test. Or run Wireshark on the server where Metabase is.
Of course you cannot see traffic on your local machine from a server’s communication to another server - otherwise there would be zero security in this world :wink:

Wireshark is running on my local machine which is where metabase is also running. The only thing remote is the ldap server

@lfbs Okay, then you’re not setting the filters correctly in Wireshark, since you should be able to see traffic from Metabase to LDAP as well - unless you’re running Metabase in Docker, which is similar to running Metabase on a separate server, so you would need to monitor other interfaces in that case.

At the moment I have no filters set, maybe I have the wrong adaptor selected?

@lfbs I don’t use Windows, so you have to search around for a solution for that, but I’m guessing you’re not using Docker then. You can probably find a lot of tutorials on “LDAP debugging”

Ok managed to trace it. As far as I can tell, it successfully finds the user?

I would expect that after finding that the user exists in ldap, it should then try to rebind as that user? Only I can’t see any further rebinding requests…

@lfbs

One thing I’m noticing is that the quotes are removed on the search request.

And when you compare the requests to another (Java-based) LDAP client that works, does it have the exact same requests and results?

It would probably be a lot easier if you set up a local LDAP server, since I’m guessing you don’t have access to the logs of the external LDAP server. It will give you much more details on what’s going on.

Any idea of what should happen in terms of metabase’s auth logic?

If I look here, I see the correct traffic
https://support.citrix.com/article/CTX200252

It logs in as the service account, finds the user but then never attempts to rebind as that user to check the credentials are valid.

@lfbs
The LDAP code is mostly here:
https://github.com/metabase/metabase/blob/master/src/metabase/integrations/ldap.clj

When you compare the requests to another (Java-based) LDAP client that works, does it have the exact same requests and results?

The code looks to use the same logic I described, but verify-password might not be getting called. Can you recommend another Java-based LDAP client I could test with Wireshark?

(defn find-user
  "Gets user information for the supplied username."
  ([username]
   (with-connection find-user username))

  ([conn username]
   (when-let [{:keys [dn], :as result} (u/lower-case-map-keys (search conn username))]
     (let [{fname (keyword (ldap-attribute-firstname))
            lname (keyword (ldap-attribute-lastname))
            email (keyword (ldap-attribute-email))}    result]
       ;; Make sure we got everything as these are all required for new accounts
       (when-not (some empty? [dn fname lname email])
         {:dn         dn
          :first-name fname
          :last-name  lname
          :email      email
          :groups     (when (ldap-group-sync)
                        ;; Active Directory and others (like FreeIPA) will supply a `memberOf` overlay attribute for
                        ;; groups. Otherwise we have to make the inverse query to get them.
                        (or (:memberof result) (get-user-groups dn) []))})))))

(defn verify-password
  "Verifies if the supplied password is valid for the `user-info` (from `find-user`) or DN."
  ([user-info password]
   (with-connection verify-password user-info password))

  ([conn user-info password]
   (let [dn (if (string? user-info) user-info (:dn user-info))]
     (ldap/bind? conn dn password))))
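The two-step flow discussed above (bind as the service account, search for the user, then rebind as the found user's DN to check the password), as an added Python example that is not Metabase's own code: it mirrors find-user and verify-password against a constructed in-memory directory instead of a real LDAP server, and adds RFC 4515 filter escaping. The DNs, account names and passwords are made up for the example.

```python
from typing import Optional

# Constructed sample directory: DN -> (attributes, password). The user's OU
# contains spaces, as in the thread; under RFC 4514 a space inside a value
# needs no quoting, only leading/trailing spaces and , + " \ < > ; # do.
DIRECTORY = {
    "CN=svc-metabase,OU=Service Accounts,DC=example,DC=com": (
        {"sAMAccountName": "svc-metabase"}, "svc-secret"),
    "CN=Jane Doe,OU=Some Spaces,DC=example,DC=com": (
        {"sAMAccountName": "jdoe", "givenName": "Jane",
         "sn": "Doe", "mail": "jdoe@example.com"}, "Correct-Horse"),
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a username cannot change the filter's meaning."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def build_filter(username: str) -> str:
    """The search filter a real client would send for this username."""
    return f"(sAMAccountName={escape_filter_value(username)})"

def bind(dn: str, password: str) -> bool:
    """Simple-bind stand-in; empty passwords rejected (else it is an anonymous bind)."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password != "" and entry[1] == password

def find_user(username: str) -> Optional[dict]:
    """Mirror of find-user: search as the service account, then require dn,
    first name, last name and email (keys lower-cased, as Metabase does)."""
    for dn, (attrs, _pw) in DIRECTORY.items():
        if attrs.get("sAMAccountName") != username:  # real client: build_filter()
            continue
        a = {k.lower(): v for k, v in attrs.items()}
        info = {"dn": dn, "first-name": a.get("givenname"),
                "last-name": a.get("sn"), "email": a.get("mail")}
        return None if any(not v for v in info.values()) else info
    return None

def verify_password(user_info, password: str) -> bool:
    """Mirror of verify-password: rebind as the found user's own DN."""
    dn = user_info if isinstance(user_info, str) else user_info["dn"]
    return bind(dn, password)

def login(svc_dn: str, svc_pw: str, username: str, password: str) -> bool:
    """Full flow the thread describes: service bind -> search -> rebind as user."""
    if not bind(svc_dn, svc_pw):
        return False
    user = find_user(username)
    return user is not None and verify_password(user, password)
```

If a capture shows the search succeeding but no second bind request, the failure is before verify_password is reached (for example one of the four required attributes is missing), not a wrong user password.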

@lfbs I really haven’t worked with LDAP for 15 years, but a quick search gave this: http://jxplorer.org/
Are you using the latest 0.35.4 version of Metabase?
Do you know which LDAP server it is, OpenLDAP, AD, … ?

I’m using 0.35.4 and it’s an AD LDAP server.

@lfbs It sounds like this issue:
https://github.com/metabase/metabase/issues/7105 - upvote by clicking :+1: on the first post