Local superuser verifies PW against LDAP?

CZvacko · May 5, 2022, 1:31pm

In past I set up Metabase to use LDAP authentication, but recently LDAP auth stopped working (address changed), so I wanted to use my superuser login to reconfigure the settings. But strangely it can't work, although such a user account was created during the initial setup (so it was a local account). Also, when I query Metabase DB, it shows ldap_auth = 0, but still it verifies PW against LDAP. This is a problem when LDAP is not available...

The LDAP server issue has been resolved in the meantime, so I was able to create another local superuser. But I'm still wondering why the original account verifies PW against LDAP ?

flamber · May 5, 2022, 1:54pm

Hi @CZvacko
Post "Diagnostic Info" from Admin > Troubleshooting.

CZvacko · May 5, 2022, 2:10pm

Here is it

Summary

{
"browser-info": {
"language": "cs-CZ",
"platform": "Win32",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.133 Safari/537.36",
"vendor": "Google Inc."
},
"system-info": {
"file.encoding": "UTF-8",
"java.runtime.name": "Java(TM) SE Runtime Environment",
"java.runtime.version": "1.8.0_331-b09",
"java.vendor": "Oracle Corporation",
"java.vendor.url": "http://java.oracle.com/",
"java.version": "1.8.0_331",
"java.vm.name": "Java HotSpot(TM) 64-Bit Server VM",
"java.vm.version": "25.331-b09",
"os.name": "Windows Server 2019",
"os.version": "10.0",
"user.language": "en",
"user.timezone": "Europe/Paris"
},
"metabase-info": {
"databases": [
"h2",
"sqlserver",
"oracle",
"mysql"
],
"hosting-env": "unknown",
"application-database": "mysql",
"application-database-details": {
"database": {
"name": "MariaDB",
"version": "10.4.12-MariaDB"
},
"jdbc-driver": {
"name": "MariaDB Connector/J",
"version": "2.6.2"
}
},
"run-mode": "prod",
"version": {
"tag": "v0.42.1",
"date": "2022-02-17",
"branch": "release-x.42.x",
"hash": "629f4de"
},
"settings": {
"report-timezone": null
}
}
}

CZvacko · May 5, 2022, 3:26pm

Maybe there is another explanation: the password was not verified against LDAP, but only synchronized for the account (the same user exists in AD). But then the password you have stored in the password manager stops working when the password in AD is modified. This is confusing, if ldap_auth = 0 then the password should remain the same.

flamber · May 5, 2022, 3:37pm

@CZvacko It's slightly more complicated. I've created an issue for this:
https://github.com/metabase/metabase/issues/22459 - upvote by clicking on the first post

CZvacko · May 5, 2022, 3:51pm

Thanks