Can't get LDAP auth working

I’ve got Rancher HA and am trying to get LDAP working. I keep getting an authentication failed error even though the credentials work. I verified the credentials in a separate LDAP client. I’ve tried plain LDAP and LDAPS, using the domain\username and user principal name formats. I just can’t get this config working.

I got the logs from the rancher container: “2019/02/28 16:08:45 [ERROR] API error response 401 for POST /v3/activeDirectoryConfigs/activedirectory?action=testAndApply. Cause: LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839”

So we threw Rancher into debug mode and got this error:

[DEBUG] Failed to determine if object is type: person

Here is the config that works on my side on an Active Directory server… I log in to Rancher using the domain\user1 format.

But for the service account username in the Rancher config, I use the format user.name@domain.com.

Is your LDAP server a Windows Active Directory LDAP server?

The error message seems to say that the connection is successful but the issue is with the object… It looks like your LDAP user doesn’t have the right to see the object class of the user and/or the object class is empty… (but I could be wrong… a connection error could also be the cause)

Using your other LDAP tool… are you able to see the object class/type?

General

Server: server.domain.com:389
TLS: No
Service Account Username: ldap.user@domain.com
Default Domain:
Server Connection Timeout: 5000

Users

Object Class: person
Login Attribute: sAMAccountName
Username Attribute: name
Search Attribute: sAMAccountName|sn|givenName
Status Attribute: userAccountControl
Disabled BitMask: 2

Stonedge

Thank you for your help,

I should clarify, I’m trying to use the Authentication mechanism, “Active Directory” as described in this document. https://rancher.com/docs/rancher/v2.x/en/admin-settings/authentication/ad/

The server we’re trying to connect to is a Windows Active Directory domain controller.

I’m using Apache Directory Studio as my LDAP client. I can see the objectClass when I look at a user.

We tried using the OpenLDAP Authentication mechanism and that works.

We are seeing exactly the same behaviour as mmarseglia describes.

Has anyone got a solution for this?

Yes, with the following settings. Fill in [values] with your settings; all other values should be pasted verbatim:

General

Service Account Username: [user]@[domain].[tld]
Service Account Password: [password]
Default Login Domain: [blank]
User Search Base: dc=[domain],dc=[tld]
Group Search Base: dc=[domain],dc=[tld]

Users

Object Class: person
Username Attribute: name
Login Attribute: userPrincipalName
User Member Attribute: memberOf
Search Filter: [blank]
User Enabled Attribute: userAccountControl
DisabledStatusBitmask: 2

Groups

Object Class: person
Name Attribute: name
Group Member User Attribute: distinguishedName
Search Attribute: sAMAccountName
Search Filter: [blank]
Group Member Mapping Attribute: member
Group DN Attribute: distinguishedName

Test

Your username: [user]@[domain].[tld]
Your Password: [password]

Thanks, it worked. What we were missing was:

Service Account Username Enter the username of an AD account with read-only access to your domain partition (see Prerequisites). The username can be entered in NetBIOS format (e.g. “DOMAIN\serviceaccount”) or UPN format (e.g. “serviceaccount@domain.com”).

With other providers we have used CN=X,OU=Z,DC=Y, which was not working with Rancher. Passing the service account in the above format worked for us. Thanks to Gaurav Mehta for guidance.
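As an added troubleshooting aid (not part of this thread or of Rancher's own code), the helper below decodes the AD "data 52e" sub-code from the log line in the first post, checks the Disabled BitMask logic the config above applies to userAccountControl, and flags a service account name given as a DN instead of UPN/NetBIOS. The sub-code table is taken from Active Directory's documented bind error codes; the format check is a hypothetical heuristic, and the sample log line is copied from the first post.

```python
import re

# AD appends "data NNN" to an LDAP result 49 (invalidCredentials) bind failure.
# Only 52e appears in the thread; the rest are AD's other documented sub-codes.
AD_BIND_DATA_CODES = {
    "525": "user not found (check the account name and the search base)",
    "52e": "invalid credentials: the account exists but the password or the "
           "bind name format was rejected by the domain controller",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_ERR_RE = re.compile(r"LDAP Result Code (\d+).*?data ([0-9a-f]+)", re.S)

def explain_bind_error(log_line: str) -> dict:
    """Pull the LDAP result code and AD sub-code out of a Rancher log line."""
    m = _ERR_RE.search(log_line)
    if not m:
        return {"result_code": None, "data": None, "meaning": "no AD bind error"}
    code, data = int(m.group(1)), m.group(2)
    return {"result_code": code, "data": data,
            "meaning": AD_BIND_DATA_CODES.get(data, "unknown AD sub-code")}

# "Disabled BitMask: 2" in the config is AD's ACCOUNTDISABLE flag.
ACCOUNTDISABLE = 2

def is_account_disabled(user_account_control: int, bitmask: int = ACCOUNTDISABLE) -> bool:
    """Same test Rancher applies: the account is disabled if any bitmask bit is set."""
    return bool(user_account_control & bitmask)

def is_service_account_format_ok(name: str) -> bool:
    """Hypothetical check: accept UPN (user@domain.tld) or NetBIOS (DOMAIN\\user),
    reject a distinguished name, which the last post found does not work."""
    lowered = name.lower()
    if lowered.startswith("cn=") or ",dc=" in lowered:
        return False
    return "@" in name or "\\" in name

# Sample line copied from the first post in the thread (constructed test input).
SAMPLE_LOG = ('2019/02/28 16:08:45 [ERROR] API error response 401 for POST '
              '/v3/activeDirectoryConfigs/activedirectory?action=testAndApply. '
              'Cause: LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: '
              'DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839')

if __name__ == "__main__":
    print(explain_bind_error(SAMPLE_LOG))
    print("CN=X,OU=Z,DC=Y ok?", is_service_account_format_ok("CN=X,OU=Z,DC=Y"))
```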