Fetch attributes in Bind DN context not available in LDAP (simple auth)


#1

I cannot use a template for the user DN as the structure varies. Given that I am using Active Directory, I have the luxury to bind as downlevel or UPN format; however, the user attribute search fails after a successful bind. I see the LDAP bind DN based auth scheme offers the functionality to collect attributes during bind.

Does a workaround exist for this scenario?


#2

Sorry, I’m not a pro about LDAP-related things (though studying).

What is the error message?


#3

Hi,
With LDAP (simple auth), this is the result:

[Macaron] 2018-04-01 17:33:31: Started POST /user/login for 172.18.0.201
2018/04/01 17:33:31 [TRACE] Session ID: ad5a966a8ed6b0d4
2018/04/01 17:33:31 [TRACE] CSRF Token: ly99H1VGYuOA_PwGKcxGJ6JukmY6MTUyMjYyNTI0MzkzMTI4NTg0NA==
2018/04/01 17:33:31 [TRACE] LDAP: Dialing with security protocol '0' without verifying: false
2018/04/01 17:33:31 [TRACE] LDAP will bind directly via UserDN template: %s@domain.com
2018/04/01 17:33:31 [TRACE] Binding with userDN: username@domain.com
2018/04/01 17:33:31 [TRACE] Bound successfully with userDN: username@domain.com
2018/04/01 17:33:31 [TRACE] Fetching attributes 'displayName', 'givenName', 'sn', 'mail', '' with filter '(&(objectClass=user)(sAMAccountName=username))' and base 'username@domain.com'
2018/04/01 17:33:31 [ERROR] [...kg/auth/ldap/ldap.go:235 SearchEntry()] LDAP: User search failed: LDAP Result Code 34 "Invalid DN Syntax": 0000208F: NameErr: DSID-0310022D, problem 2006 (BAD_NAME), data 8350, best match of:
        'username@domain.com'

2018/04/01 17:33:31 [ WARN] Failed to login 'username' via 'Active Directory': user does not exist [user_id: 0, name: username]
2018/04/01 17:33:31 [TRACE] Template: user/auth/login
[Macaron] 2018-04-01 17:33:31: Completed POST /user/login 200 OK in 8.426147ms

Using a bind account works; however, that is not an option. Typically LDAP allows a search against a single object by using the DN as the base address, however in this case that won't work.
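The log shows the cause of result code 34: after binding as `username@domain.com`, the same UPN string is reused as the search base, and a UPN is not a distinguished name. The following added Python example (not code from Gogs or from anyone in this thread) checks whether the bind identity is a usable DN and otherwise builds the subtree search that AD needs; it assumes the UPN suffix equals the domain's DNS name (so `domain.com` becomes `DC=domain,DC=com`), which is not guaranteed, and uses a simplified RFC 4514 DN check.

```python
"""Plan the post-bind user search for an LDAP simple bind against AD."""
import re
from typing import Optional

# Simplified RFC 4514 RDN: attribute type, '=', value with '\'-escapes.
_RDN = re.compile(r'^[A-Za-z][A-Za-z0-9-]*=(?:[^,\\]|\\.)+$')


def is_dn(identity: str) -> bool:
    """True if identity parses as comma-separated attr=value RDNs."""
    if not identity.strip():
        return False
    parts = re.split(r'(?<!\\),', identity)  # split on unescaped commas
    return all(_RDN.match(p.strip()) for p in parts)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a username cannot alter the filter structure."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch
                   for ch in value)


def base_dn_from_upn_suffix(suffix: str) -> str:
    """Assumption: UPN suffix labels map 1:1 to the domain's DC components."""
    return ','.join('DC=' + label for label in suffix.split('.'))


def plan_user_search(bind_identity: str, username: str,
                     search_base: Optional[str] = None) -> dict:
    """Return base, scope and filter for fetching the user's attributes."""
    if is_dn(bind_identity):
        # A real DN names exactly one entry: a base-scope read is enough.
        return {'base': bind_identity, 'scope': 'base',
                'filter': '(objectClass=user)'}
    if search_base is None:
        if '@' not in bind_identity:
            # Downlevel DOMAIN\user form: no DN can be derived from it.
            raise ValueError('need a configured search base for %r'
                             % bind_identity)
        search_base = base_dn_from_upn_suffix(bind_identity.rsplit('@', 1)[1])
    # UPN or downlevel bind: locate the entry by sAMAccountName instead.
    flt = '(&(objectClass=user)(sAMAccountName=%s))' \
          % escape_filter_value(username)
    return {'base': search_base, 'scope': 'subtree', 'filter': flt}
```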


#4

I think this is the core issue… but I’m not sure why it says invalid…