LDAP tests ok but users won't login
Added by Pav ata about 2 months ago
Hi guys.
Setting up my first Redmine - in container - with LDAP which conn-tests ok, but LDAP users fail to log in.
I also conn-test outside of Redmine - all seems okay.
My ldap is IPA - when I peek at its logs I see:
```
conn=226 op=0 BIND dn="uid=redmine,cn=sysaccounts,cn=etc,dc=mine,dc=priv" method=128 version=3
conn=226 op=0 RESULT err=53 tag=97 nentries=0 wtime=0.000134983 optime=0.000054222 etime=0.000188403
```
Which I think means a misconfigured bind?
All thoughts/suggestions on how to troubleshoot it are much appreciated.
thanks, L.
Replies (2)
RE: LDAP tests ok but users won't login
Added by Bonnie Hell about 1 month ago
Based on the LDAP log you provided, specifically `err=53`, it strongly indicates an unwilling to perform error. For a BIND operation, this typically means:
- Incorrect DN (Distinguished Name) for the Bind User: The `dn="uid=redmine,cn=sysaccounts,cn=etc,dc=mine,dc=priv"` is what FreeIPA is seeing. Double-check that this is the exact and correct DN for the `redmine` user that Redmine is trying to bind with. Even a small typo or an incorrect component can cause this.
- Incorrect Password for the Bind User: If the DN is correct, the password provided by Redmine for the `redmine` user is likely incorrect.
- Insufficient Permissions for the Bind User: While less common for a simple bind, it's possible the `redmine` user account itself (or the container it's in) doesn't have the necessary permissions to perform a bind operation on the IPA server. However, `err=53` usually points to authentication issues rather than authorization for the bind itself.
- Account Locked/Disabled: The `redmine` user account in FreeIPA might be locked, disabled, or expired.
- Policy Violation: Less likely, but FreeIPA might have a policy that's being violated by the bind attempt (e.g., trying to bind with an insecure method if only secure binds are allowed, though this would typically yield a different error).
Troubleshooting Steps:
1. Verify the Bind DN and Password:
- From FreeIPA: Use `ldapsearch` directly from a machine that can access your FreeIPA server to try and bind with the same credentials Redmine is using. This is the most crucial step to isolate the problem.
```bash
ldapsearch -x -D "uid=redmine,cn=sysaccounts,cn=etc,dc=mine,dc=priv" -W -b "dc=mine,dc=priv"
```
When prompted, enter the password Redmine is using. If this fails with `err=53` or a similar authentication error, your bind DN or password in Redmine is definitely wrong.
- Within Redmine's LDAP settings: Carefully re-enter the "LDAP bind DN" and "Password" fields. Ensure there are no leading/trailing spaces or typos.
2. Check FreeIPA User Status:
- Log into your FreeIPA UI or use the `ipa user-find redmine` command to ensure the `redmine` user account is active, not locked, and not expired.
3. Review FreeIPA Server Logs More Closely:
- While `err=53` is a good indicator, check the logs around that time for any other related messages that might provide more context. Look for errors related to password policy, account status, or SASL binding if you're using more complex authentication.
4. Simplify for Testing (if possible):
- If you have a very simple, non-production user in FreeIPA, try configuring Redmine to bind with that user instead. This can help rule out issues specific to the `redmine` system account.
5. Network Connectivity (Less likely given conn-test ok, but worth double-checking):
- Ensure there are no firewalls or network ACLs blocking the Redmine container from reaching the FreeIPA server on the LDAP port (usually 389 or 636 for LDAPS). The "conn-test ok" suggests this isn't the primary issue, but it's good to reconfirm.
6. Redmine LDAP Configuration Details:
- LDAP Host: Is it the correct IP address or hostname of your FreeIPA server?
- Port: 389 for standard LDAP, 636 for LDAPS.
- Base DN: This should be `dc=mine,dc=priv` (or whatever your actual base DN is).
- Account ON-THE-FLY Creation: Is this enabled? If not, Redmine won't create new users, but a login failure would still point to the bind or user search issue.
- Encryption: If you are using LDAPS (port 636), ensure your Redmine container has the necessary CA certificates to trust your FreeIPA server. If not, you might get SSL/TLS errors. Trying plain LDAP (port 389) temporarily for testing (in a secure environment!) can help rule out certificate issues.
Summary of `err=53`:
`err=53` in LDAP (specifically `LDAP_UNWILLING_TO_PERFORM`) when performing a BIND operation is almost always related to an issue with the credentials provided for the bind: either the Distinguished Name (DN) is incorrect, or the password associated with that DN is incorrect.
Focus on meticulously verifying the `uid=redmine,cn=sysaccounts,cn=etc,dc=mine,dc=priv` DN and its corresponding password within Redmine's LDAP configuration against your FreeIPA setup.
Let me know the results of your `ldapsearch` test, as that will be the most telling. Good luck!
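As an added example (mine, not code from the thread, Redmine or FreeIPA), here is a small Python script that pairs each BIND line in a 389 Directory Server access log (the directory behind FreeIPA) with the RESULT line sharing its conn/op and labels the `err` value with its RFC 4511 result-code name, so a failed bind can be read at a glance. The sample log is constructed: it contains the two lines from the original post plus invented lines for a wrong-password bind and an anonymous bind; real log lines carry a leading timestamp, which the regex skips.

```python
import re

# LDAP result codes from RFC 4511 section 4.1.9 (subset that matters for binds).
LDAP_RESULT_NAMES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    13: "confidentialityRequired",
    32: "noSuchObject",
    34: "invalidDNSyntax",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# 389-ds logs a simple bind as method=128; SASL binds log method=sasl.
BIND_METHODS = {128: "simple"}

# Matches the conn/op/operation part of a 389-ds access log line, ignoring any timestamp prefix.
LINE_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>BIND|RESULT) (?P<rest>.*)$")
# key=value pairs where the value is either a double-quoted string (the DN) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample: first two lines are from the post, the rest are invented for illustration.
SAMPLE_LOG = [
    'conn=226 op=0 BIND dn="uid=redmine,cn=sysaccounts,cn=etc,dc=mine,dc=priv" method=128 version=3',
    'conn=226 op=0 RESULT err=53 tag=97 nentries=0 wtime=0.000134983 optime=0.000054222 etime=0.000188403',
    '[01/Jan/2025:10:00:00.000000000 +0000] conn=227 op=0 BIND dn="uid=redmine,cn=sysaccounts,cn=etc,dc=mine,dc=priv" method=128 version=3',
    '[01/Jan/2025:10:00:00.001000000 +0000] conn=227 op=0 RESULT err=49 tag=97 nentries=0 wtime=0.0001 optime=0.0001 etime=0.0002',
    '[01/Jan/2025:10:00:01.000000000 +0000] conn=228 op=0 BIND dn="" method=128 version=3',
    '[01/Jan/2025:10:00:01.001000000 +0000] conn=228 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.0001 optime=0.0001 etime=0.0002',
]


def parse_kv(rest):
    """Turn 'dn="..." method=128 version=3' into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(rest)}


def correlate_binds(lines):
    """Pair BIND and RESULT lines by (conn, op) and return one record per completed bind."""
    pending = {}
    completed = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a BIND/RESULT line (SRCH, UNBIND, ...)
        key = (int(m.group("conn")), int(m.group("op")))
        kv = parse_kv(m.group("rest"))
        if m.group("kind") == "BIND":
            method = kv.get("method", "")
            pending[key] = {
                "conn": key[0],
                "op": key[1],
                "dn": kv.get("dn", ""),
                "method": BIND_METHODS.get(int(method), method) if method.isdigit() else method,
            }
        elif key in pending:
            record = pending.pop(key)
            err = int(kv.get("err", -1))
            record["err"] = err
            record["err_name"] = LDAP_RESULT_NAMES.get(err, f"unknown({err})")
            completed.append(record)
    return completed


def failed_binds(lines):
    """Only the binds the server did not accept (err != 0)."""
    return [r for r in correlate_binds(lines) if r["err"] != 0]


def describe(record):
    dn = record["dn"] or "<anonymous>"
    return (f"conn={record['conn']} op={record['op']} {record['method']} bind as {dn} "
            f"-> err={record['err']} ({record['err_name']})")


if __name__ == "__main__":
    for rec in correlate_binds(SAMPLE_LOG):
        print(describe(rec))
```

Run it against a real access log with `correlate_binds(open(path).readlines())`. The point of labelling the code is that RFC 4511 reserves 49 (invalidCredentials) for a wrong password, while 53 (unwillingToPerform) means the server declined the operation for some other reason; for 389-ds the reason behind a 53 is normally recorded in the server's errors log rather than the access log, so that is the next file to read.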
RE: LDAP tests ok but users won't login
Added by Lionel BAKALA 2 days ago
Hi,
Have you been able to resolve your LDAP IPA login issue?