Active Directory LDAP login fails

Added by Alberto Cennini almost 6 years ago

Hi, I have a user to check on Active Directory LDAP. I configured the server and the test connection is OK, but when I try to log in with the UTREDMINETST user I receive the "Invalid user or password" message.
This is the production.log information:

Started POST "/redmine/login" for 127.0.0.1 at 2014-08-04 15:09:29 +0200
Processing by AccountController#login as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"MOQAYeO6PiaVKrlpjYi0WGO0cd4g8qmxPfiz1ufUloQ=", "back_url"=>"http://localhost:8080/redmine/", "username"=>"UTREDMINETST", "password"=>"[FILTERED]", "login"=>"Entra »"}
Current user: anonymous
Failed login for 'UTREDMINETST' from 127.0.0.1 at 2014-08-04 13:09:29 UTC
Rendered account/login.html.erb within layouts/base (2.0ms)
Completed 200 OK in 341ms (Views: 63.0ms | ActiveRecord: 4.0ms)

I use port 389, dc=it as Base DN, sAMAccountName as Connection, givenName as Name, sn as Surname and mail as email attribute.
Any help? Thanks

Environment:
Redmine version 2.3.2.stable
Ruby version 1.9.3-p231 (2012-05-25) [i386-mingw32]
Rails version 3.2.13
Environment production
Database adapter Mysql2
Redmine plugins:
extended_fields 0.2.2
redmine_hours 0.1.0
redmine_landing_page 0.1.0
redmine_plugin_views_revisions 0.0.1
redmine_smart_issues_sort 0.3.1
redmine_spent_time 2.4.0
redmine_watcher_groups 0.0.1
redmine_workload 1.0.2

Replies (15)

RE: Active Directory LDAP login fails - Added by Martin Denizet (redmine.org team member) almost 6 years ago

Hi Alberto,
Your DN base doesn't seem correct.
I recommend you use a tool such as LDAP Browser to find the correct path to your users.
Cheers,

RE: Active Directory LDAP login fails - Added by Alberto Cennini almost 6 years ago

Hi Martin, thanks for your reply.
I checked with an LDAP browser and changed the Base DN to the same string (CN=Configuration,DC=gr-u,DC=it).
I still receive the message "Invalid user or password".
Is there any other test I can do?
Thanks
Alberto

RE: Active Directory LDAP login fails - Added by Martin Denizet (redmine.org team member) almost 6 years ago

Mine looks like (edited):

CN=Users,DC=company,DC=lan

For the domain company.lan (edited).
When I had LDAP problems I could not understand, I would run tcpdump on the server to capture the conversation between Redmine and AD.
It's not really simple if you have never done it before.
Cheers,

RE: Active Directory LDAP login fails - Added by Andrey Grachev almost 6 years ago

Did you try using "mail" or "uid" as the Connection string?
Then you should provide the full email or the short name/UID as the login string.

RE: Active Directory LDAP login fails - Added by Alberto Cennini almost 6 years ago

Martin Denizet (redmine.org team member) wrote:

Mine looks like (edited):
[...]
For the domain company.lan (edited).
When I had LDAP problems I could not understand, I would run tcpdump on the server to capture the conversation between Redmine and AD.
It's not really simple if you have never done it before.
Cheers,

Hi Martin,
also with CN=Users I receive Invalid user or password error.
Thanks, Alberto

RE: Active Directory LDAP login fails - Added by Alberto Cennini almost 6 years ago

Andrey Grachev wrote:

Did you try using "mail" or "uid" as the Connection string?
Then you should provide the full email or the short name/UID as the login string.

Hi Andrey,
could you please give me a sample? I don't understand what I have to change.
Thanks
Alberto

RE: Active Directory LDAP login fails - Added by Martin Denizet (redmine.org team member) almost 6 years ago

Andrey is on a good lead I think.
In my setup I use sAMAccountName, so in order to log in with LDAP I just input my username (firstname.lastname); in that case DOMAIN\firstname.lastname or firstname.lastname@domain.lan don't work.
Alberto, what did you put in the "Login" field in the LDAP configuration? And when you log in, what do you type as a login?
Cheers,

RE: Active Directory LDAP login fails - Added by Martin Denizet (redmine.org team member) almost 6 years ago

I forgot but it would be nice to know what you put in the "Account" field in the LDAP settings.

RE: Active Directory LDAP login fails - Added by Alberto Cennini almost 6 years ago

Hi Martin,
attached is the LDAP configuration. I don't have Account and Password set: should I?
In the Login field I have sAMAccountName.
This is the string I found in AD server:
CN=UTREDMINETST,OU=Service Account,OU=Servizio,DC=servizi,DC=gr-u,DC=it,"UTREDMINETST","UTREDMINETST","utenza tecnica di test per redmine"
I try to log in by inputting UTREDMINETST in the user field.
Thanks
Alberto

ldap.jpeg (100 KB)

RE: Active Directory LDAP login fails - Added by Andrey Grachev almost 6 years ago

Hi Alberto,

When setting up LDAP authentication you have to set which LDAP attribute is sent for authorization. You use sAMAccountName. I use mail. See the attached example (I assume the LDAP port and LDAP server are set up correctly and the connection test is successful).

PS Base DN field is not set in my settings.

RE: Active Directory LDAP login fails - Added by Alberto Cennini almost 6 years ago

Hi Andrey,
the test connection is ok.
I set sAMAccountName in order to log in with the user ID; I hope it's the right value.
Is there an easy way to try to log in outside of Redmine?
Thanks

RE: Active Directory LDAP login fails - Added by Andrey Grachev almost 6 years ago

Hi Alberto,

I am not skilled in LDAP, but there is free Softerra LDAP browser, I think it can help you.

RE: Active Directory LDAP login fails - Added by Alberto Cennini almost 6 years ago

Hi Andrey.
I tried Softerra and this is the log output of connection using UTREDMINETST user (cn=utredminetst):

  Search Request
  Message ID: 372
  Date: 20140828065613.0Z
  Server: ldap://ldap.servizi.gr-u.it:389
  Base DN: cn=utredminetst,ou=service account,ou=servizio,dc=servizi,dc=gr-u,dc=it
  Search scope: base
  Filter: (objectClass=*)
  Attributes: accountExpires, assistant, c, cn, company, department, description, displayName, division
  employeeID, facsimileTelephoneNumber, generationQualifier, givenName, homeDirectory, homeDrive
  homePhone, initials, ipPhone, l, logonHours, mail, manager, middleName, mobile, otherFacsimileTelephoneNumber
  otherHomePhone, otherIpPhone, otherMobile, otherPager, otherTelephone, ou, pager, physicalDeliveryOfficeName
  postOfficeBox, postalCode, profilePath, sAMAccountname, scriptPath, secretary, seeAlso, sn
  st, streetAddress, telephoneNumber, thumbnailPhoto, title, url, userAccountControl, userPrincipalName
  userWorkstations, wwwHomePage
  Attributes only: no
  Size limit: 0 (no limit)
  Time limit: 0 (no limit)
  Dereference aliases: 0 (Never)
  Referral chasing: 0x0 (query: None, mode: Merge)
  Search Result: Done
  Message ID: 372
  Date: 20140828065613.0Z
  Server: ldap://ldap.servizi.gr-u.it:389
  Result code: 0 (Operazioni riuscite)
  Search Result: Entry
  Message ID: 372
  Date: 20140828065613.0Z
  Server: ldap://ldap.servizi.gr-u.it:389
    dn: cn=utredminetst,ou=service account,ou=servizio,dc=servizi,dc=gr-u,dc=it
    cn: UTREDMINETST
    description: utenza tecnica di test per redmine
    givenName: UTREDMINETST
    displayName: UTREDMINETST
    userAccountControl: 66048
    accountExpires: 9223372036854775807
    sAMAccountName: UTREDMINETST
    userPrincipalName:

Thanks, Alberto
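
One way to try the login outside Redmine, as asked earlier in the thread, is to replay the three steps Redmine's LDAP authentication performs (bind with the configured Account/Password, search below the Base DN for the login attribute, then bind as the entry found with the user's password) and report which step fails. The Ruby below is an added example, not Redmine's own code. Its in-memory directory is constructed from the entry posted above (with a made-up password and the Active Directory default of refusing anonymous searches), and the Net::LDAP adapter at the end assumes the net-ldap gem is installed when it is pointed at a real server.

```ruby
# Added example (not Redmine's code): replay the login flow Redmine's LDAP
# authentication performs, so a failure is pinned to one step instead of the
# single "Invalid user or password" message.
#   1. bind with the Account/Password from the LDAP settings (empty = anonymous);
#   2. search below the Base DN for (<Login attribute>=<typed login>);
#   3. bind as the DN that was found, with the password the user typed.

# RFC 4515 escaping for values interpolated into a filter: a typed login of "*"
# must match a user literally called "*", not every entry below the base.
def escape_filter_value(value)
  value.gsub(/[\\*()\0]/) { |c| format('\\%02x', c.ord) }
end

def build_filter(attribute, login)
  "(#{attribute}=#{escape_filter_value(login)})"
end

# userAccountControl bits that matter for a login test (well-known AD values).
UAC_FLAGS = { 0x0002 => 'ACCOUNTDISABLE', 0x0010 => 'LOCKOUT',
              0x0200 => 'NORMAL_ACCOUNT', 0x10000 => 'DONT_EXPIRE_PASSWORD' }.freeze

def decode_uac(value)
  UAC_FLAGS.select { |bit, _| value.to_i & bit != 0 }.values
end

# In-memory stand-in for the domain controller, answering the two calls the
# flow needs. Constructed test data: the service-account entry from the thread,
# plus a password that exists only in this fake.
class FakeDirectory
  NAMING_CONTEXT = 'dc=servizi,dc=gr-u,dc=it'
  ENTRIES = {
    'cn=utredminetst,ou=service account,ou=servizio,dc=servizi,dc=gr-u,dc=it' =>
      { 'sAMAccountName' => 'UTREDMINETST', 'userAccountControl' => '66048',
        'password' => 'constructed-secret' }
  }.freeze

  def bind(dn, password)
    if dn.nil? || dn.empty?       # an anonymous bind succeeds, which is all
      @bound = :anonymous         # Redmine's "test connection" button checks
      return true
    end
    entry = ENTRIES[dn.downcase]
    @bound = entry && entry['password'] == password ? dn : nil
    !@bound.nil?
  end

  def search(base, filter)
    # AD's default refuses anonymous searches of anything but the rootDSE.
    raise 'operationsError (1): a successful bind must be completed first' if @bound == :anonymous
    base = base.downcase
    unless base == NAMING_CONTEXT || base.end_with?(",#{NAMING_CONTEXT}")
      raise "noSuchObject (32): base #{base} is not held by this server"
    end
    attr, raw = filter.match(/\A\((\w+)=(.*)\)\z/).captures
    value = raw.gsub(/\\([0-9a-f]{2})/i) { Regexp.last_match(1).hex.chr }
    ENTRIES.select { |dn, e| dn.end_with?(",#{base}") && e[attr]&.casecmp?(value) }
  end
end

# Returns [:ok, dn] or [:fail, reason]; the reason names the step that failed.
def ldap_login(dir, base_dn:, login_attr:, login:, password:,
               account: nil, account_password: nil)
  unless dir.bind(account, account_password)
    return [:fail, 'step 1: bind with the Account/Password from the settings was rejected']
  end
  filter = build_filter(login_attr, login)
  begin
    hits = dir.search(base_dn, filter)
  rescue RuntimeError => e
    return [:fail, "step 2: search #{filter} below #{base_dn} failed: #{e.message}"]
  end
  return [:fail, "step 2: no entry matches #{filter} below #{base_dn}"] if hits.empty?
  return [:fail, "step 2: #{hits.size} entries match #{filter}; the login must be unique"] if hits.size > 1
  dn, entry = hits.first
  flags = decode_uac(entry['userAccountControl'])
  return [:fail, "step 2: account flags #{flags.join(',')}"] if (flags & %w[ACCOUNTDISABLE LOCKOUT]).any?
  dir.bind(dn, password) ? [:ok, dn] : [:fail, "step 3: bind as #{dn} rejected (wrong password?)"]
end

# Same two methods against a real server (assumes the net-ldap gem, which
# Redmine itself uses; not exercised by the offline run).
class NetLdapDirectory
  def initialize(host, port = 389)
    require 'net/ldap'
    @ldap = Net::LDAP.new(host: host, port: port)
  end

  def bind(dn, password)
    @ldap.auth(dn, password) unless dn.nil? || dn.empty?
    @ldap.bind
  end

  def search(base, filter)
    entries = @ldap.search(base: base, filter: Net::LDAP::Filter.construct(filter),
                           attributes: %w[userAccountControl]) || []
    result = @ldap.get_operation_result
    raise "#{result.message} (#{result.code})" unless result.code.zero?
    entries.map { |e| [e.dn, { 'userAccountControl' => e['userAccountControl'].first.to_s }] }.to_h
  end
end
```

Calling ldap_login(FakeDirectory.new, base_dn: 'dc=it', login_attr: 'sAMAccountName', login: 'UTREDMINETST', password: '...', account: '<service DN>', account_password: '...') separates the outcomes that all collapse into "Invalid user or password" in Redmine: with an empty Account the anonymous bind passes the connection test but the search is refused; dc=it is not a naming context the server holds; CN=Users,DC=servizi,DC=gr-u,DC=it exists but does not contain the entry, which sits under OU=Service Account,OU=Servizio; and userAccountControl 66048 decodes to NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD, so the account is neither disabled nor locked. Against a real server, substitute NetLdapDirectory.new('ldap.servizi.gr-u.it') and the real passwords.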

RE: Active Directory LDAP login fails - Added by Andrey Grachev almost 6 years ago

Hi Alberto,

It seems UTREDMINETST as the login name should work. I'm afraid I have no idea what the problem is.

A.
