Active Directory Integration - LDAP problems - solved

This post is a solution that would have saved me quite a bit of time trying to get Rancher working with our active directory servers.

The first error was during LDAP authentication and was recorded on our Domain controllers.

80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580

The second error was in the logs of the Rancher container.

Failed to get service context for ldap. java.util.NoSuchElementException: Unable to validate object
at org.apache.commons.pool2.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:497) ~[commons-pool2-2.1.jar:2.1]
at org.apache.commons.pool2.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:360) ~[commons-pool2-2.1.jar:2.1]
at io.cattle.platform.iaas.api.auth.integration.ldap.LDAPIdentityProvider.getServiceContext(LDAPIdentityProvider.java:356) ~[cattle-iaas-auth-logic-0.5.0-SNAPSHOT.jar:na]
at io.cattle.platform.iaas.api.auth.integration.ldap.ad.ADIdentityProvider.userRecord(ADIdentityProvider.java:89) [cattle-iaas-auth-logic-0.5.0-SNAPSHOT.jar:na]
at io.cattle.platform.iaas.api.auth.integration.ldap.ad.ADIdentityProvider.getIdentities(ADIdentityProvider.java:224) [cattle-iaas-auth-logic-0.5.0-SNAPSHOT.jar:na]
at io.cattle.platform.iaas.api.auth.integration.ldap.ad.ADTokenCreator.getLdapToken(ADTokenCreator.java:44) [cattle-iaas-auth-logic-0.5.0-SNAPSHOT.jar:na]
at io.cattle.platform.iaas.api.auth.integration.ldap.ad.ADTokenCreator.getToken(ADTokenCreator.java:61) [cattle-iaas-auth-logic-0.5.0-SNAPSHOT.jar:na]
at io.cattle.platform.iaas.api.auth.identity.TokenResourceManager.createToken(TokenResourceManager.java:99) [cattle-iaas-auth-logic-0.5.0-SNAPSHOT.jar:na]
at io.cattle.platform.iaas.api.auth.identity.TokenResourceManager.createInternal(TokenResourceManager.java:82) [cattle-iaas-auth-logic-0.5.0-SNAPSHOT.jar:na]…

Both of these errors came from the same root cause - using a full DN with double quotes in the “User Search Base”, “Service Account Username*” and “Your Username*” fields.

I removed the double quotes and everything worked fine. It was a pain to diagnose, as ldapsearch was authenticating fine; I ended up using tcpdump and comparing packets to spot the difference…

Hopefully this might save someone a few hours of frustration.
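As an added illustration (not code from the thread or from Rancher), the Python below pre-checks DN values the way they would leave a UI form field, and shows why ldapsearch hid the problem: the shell consumes the surrounding quotes before ldapsearch ever sees them, while a text field sends them to the domain controller verbatim. The OU/CN/DC values are constructed examples.

```python
from __future__ import annotations
import re
import shlex

# Constructed sample values: the thread only says the fields held a full DN
# wrapped in double quotes, so these names are placeholders, not real ones.
FIELD_VALUES = {
    "User Search Base": '"OU=Users,DC=example,DC=com"',
    "Service Account Username": '"CN=svc-rancher,OU=Service Accounts,DC=example,DC=com"',
    "Your Username": "CN=jdoe,OU=Users,DC=example,DC=com",
}

# RFC 4514: each RDN is <attribute type>=<value>, types are names or OIDs.
RDN_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)=.+$")

QUOTE_MSG = "wrapped in double quotes; the quotes are sent to the DC literally"


def check_dn(value: str) -> list[str]:
    """Return the problems found in a DN exactly as a form field would send it."""
    problems: list[str] = []
    if len(value) >= 2 and value[0] == value[-1] == '"':
        # A quoted DN is not a DN: AD treats the quotes as part of the name and
        # the bind fails with invalid credentials rather than a parse error.
        problems.append(QUOTE_MSG)
        value = value[1:-1]
    if value != value.strip():
        problems.append("leading/trailing whitespace")
    # Split on commas that are not escaped with a backslash (RFC 4514 escaping).
    for rdn in re.split(r"(?<!\\),", value):
        if not RDN_RE.match(rdn.strip()):
            problems.append(f"RDN {rdn!r} is not attribute=value")
    return problems


def as_shell_would_send(value: str) -> list[str]:
    """Arguments ldapsearch -D would receive: the shell strips the quotes itself."""
    return shlex.split(value)


def audit(fields: dict[str, str]) -> dict[str, list[str]]:
    """Run check_dn over every configured field; empty list means it is clean."""
    return {name: check_dn(value) for name, value in fields.items()}


if __name__ == "__main__":
    for name, problems in audit(FIELD_VALUES).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```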

Hello Lightray,

Where did you actually make the changes? I am currently stuck at the very same error while configuring the LDAP.
Can you please help me with this?
Thank you

Regards,
Yash

Hi Yash,

If I recall correctly, I updated these settings in the Rancher UI (version 2.3.1) under Security --> Authentication.

Alright, thanks lightrays :)

In our case, we had to install the LDAP certificates and configure the same on the Rancher server.
User and group search DN should be proper, otherwise it doesn't work.

Regards,
Yash