Active Directory Integration - LDAP problems - solved

lightray55 · August 28, 2017, 1:08am

This post is a solution that would have saved me quite a bit of time trying to get Rancher working with our active directory servers.

The first error was during LDAP authentication and was recorded on our Domain controllers.

80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580

The second error was in the logs of the rancher container

Failed to get service context for ldap. java.util.NoSuchElementException: Unable to validate object
at org.apache.commons.pool2.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:497) ~[commons-pool2-2.1.jar:2.1]
at org.apache.commons.pool2.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:360) ~[commons-pool2-2.1.jar:2.1]
at io.cattle.platform.iaas.api.auth.integration.ldap.LDAPIdentityProvider.getServiceContext(LDAPIdentityProvider.java:356) ~[cattle-iaas-auth-logic-0.5.0-SNAPSHOT.jar:na]
at io.cattle.platform.iaas.api.auth.integration.ldap.ad.ADIdentityProvider.userRecord(ADIdentityProvider.java:89) [cattle-iaas-auth-logic-0.5.0-SNAPSHOT.jar:na]
at io.cattle.platform.iaas.api.auth.integration.ldap.ad.ADIdentityProvider.getIdentities(ADIdentityProvider.java:224) [cattle-iaas-auth-logic-0.5.0-SNAPSHOT.jar:na]
at io.cattle.platform.iaas.api.auth.integration.ldap.ad.ADTokenCreator.getLdapToken(ADTokenCreator.java:44) [cattle-iaas-auth-logic-0.5.0-SNAPSHOT.jar:na]
at io.cattle.platform.iaas.api.auth.integration.ldap.ad.ADTokenCreator.getToken(ADTokenCreator.java:61) [cattle-iaas-auth-logic-0.5.0-SNAPSHOT.jar:na]
at io.cattle.platform.iaas.api.auth.identity.TokenResourceManager.createToken(TokenResourceManager.java:99) [cattle-iaas-auth-logic-0.5.0-SNAPSHOT.jar:na]
at io.cattle.platform.iaas.api.auth.identity.TokenResourceManager.createInternal(TokenResourceManager.java:82) [cattle-iaas-auth-logic-0.5.0-SNAPSHOT.jar:na]…

Both of these errors came from the same root cause - using a full DN with double quotes in the “User Search Base”, “Service Account Username*” and “Your Username*” fields.

I removed the double quotes and everything worked fine. Was a pain to diagnose, as ldapsearch was authenticating fine - ended up using tcpdump and comparing packets to note the difference…

Hopefully this might save someone a few hours of frustration.

yashbrahmani · November 29, 2019, 3:34pm

Hello Lightray,

Where did you actually made the changes? I am currently stuck at the very same error while configuring the LDAP.
Can you please help me with this?
Thank you

Regards,
Yash

lightray55 · December 1, 2019, 7:02pm

Hi Yash,

If I recall correctly, I updated these settings in the Rancher UI (version 2.3.1) under Security --> Authentication.

yashbrahmani · January 21, 2020, 7:53am

Alright thanks lightrays

In our case, We had to install the ldpa certificates and confgiure the same on rancher server.
User and group search DN should be proper otherwise it doesn’t work.

Regards,
Yash

Topic		Replies	Views
LDAP support on Rancher v0.35.0 Rancher 1.x	17	4749	June 3, 2016
Unable to set up Active Directory auth in Rancher Rancher 2.x	3	162	January 29, 2024
Can't get LDAP auth working Rancher 2.x	6	8530	April 3, 2020
Help troubleshooting Active Directory "Unauthorized" error in Rancher Server Rancher 1.x	8	4302	May 7, 2018
Internal server error after adding AD user accounts Rancher 1.x	2	1088	October 24, 2016

Active Directory Integration - LDAP problems - solved

Related Topics