Hi Fay,

Did you generate your config using AI tools? The config you posted at the very beginning is not valid: there is no "connector" attribute for a handler. Please read the docs and sample configs or search the ML; there are working examples in a lot of places.


Oliver
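Added example, not from the thread and not OpenXPKI code: a small Python check that renders the connector's filter template (the `[% LOGIN %]` placeholder) for a login and compares the memberOf DN the filter demands with the memberOf values the ldapsearch quoted below actually returned for that user. The sample LDIF and both filter templates are taken from the thread; the RFC 4515 escaping of the login value is this script's own addition, the thread does not say how the connector handles that.

```python
"""Check an OpenXPKI LDAP connector filter against ldapsearch output.
Added example, not OpenXPKI code: renders the [% LOGIN %] template and checks
whether the memberOf DN it demands is one the user actually has."""
import re

# Constructed sample: the memberOf lines the ldapsearch in the thread returned.
SAMPLE_LDIF = """dn: CN=Fay's Test Account,CN=Users,DC=vault,DC=local
memberOf: CN=PKIAdmins,CN=Users,DC=vault,DC=local
memberOf: CN=DnsAdmins,CN=Users,DC=vault,DC=local
sAMAccountName: fay
"""

# Filter templates as posted: the first connector.yaml and the ldapsearch variant.
FILTER_FIRST = ("(&(sAMAccountName=[% LOGIN %])"
                "(memberOf=CN=PKIAdmins,OU=Users,CN=Users,DC=vault,DC=local))")
FILTER_LDAPSEARCH = ("(&(sAMAccountName=[% LOGIN %])"
                     "(memberOf=CN=PKIAdmins,CN=Users,DC=vault,DC=local))")

def escape_filter_value(value):
    """Escape characters special in an LDAP filter value (RFC 4515); the thread
    does not say whether the connector does this itself."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def render_filter(template, login):
    """Substitute the login into the [% LOGIN %] placeholder."""
    return template.replace("[% LOGIN %]", escape_filter_value(login))

def normalize_dn(dn):
    """Lower-case and strip whitespace around RDN separators for comparison."""
    return ",".join(re.sub(r"\s*=\s*", "=", p.strip()) for p in dn.split(",")).lower()

def ldif_attr(ldif, name):
    """Return all values of one attribute from unfolded, unencoded LDIF text."""
    return re.findall(r"(?m)^%s: (.*)$" % re.escape(name), ldif)

def required_group(filter_str):
    """The memberOf DN a rendered filter requires, or None if it has none."""
    m = re.search(r"\(memberOf=([^)]+)\)", filter_str)
    return m.group(1) if m else None

def filter_group_matches(template, login, ldif):
    """True if the filter's memberOf requirement is met by the LDIF entry."""
    group = required_group(render_filter(template, login))
    if group is None:
        return True
    return normalize_dn(group) in {normalize_dn(g) for g in ldif_attr(ldif, "memberOf")}
```

Run against the thread's values, the first connector.yaml filter (with the extra `OU=Users` RDN) does not match the group DN the user actually carries, while the filter mirroring the ldapsearch does.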


On 16.04.25 11:17, Fay Knol via OpenXPKI-users wrote:
Oh sorry, it seems I may have missed that (part of the) message.

I've reverted my config back to my original message for this.

There they are, this is it.
command in the container: /var/log/openxpki# tail openxpki.log
2025/04/16 11:13:44 DEBUG Request stack info for LDAP [pid=10|sid=oqx5]
2025/04/16 11:13:44 DEBUG Incoming auth for stack LDAP [pid=10|sid=oqx5]
2025/04/16 11:13:44 DEBUG Request stack info for LDAP [pid=10|sid=oqx5]
2025/04/16 11:13:44 DEBUG Incoming auth for stack LDAP [pid=10|sid=oqx5]
2025/04/16 11:13:44 INFO Got invalid auth result from handler ldap [pid=10|sid=oqx5]
2025/04/16 11:13:44 DEBUG I18N_OPENXPKI_UI_LOGIN_USER_UNKNOWN [pid=10|sid=oqx5]
2025/04/16 11:13:44 WARN Login failed  (user: not set, error: I18N_OPENXPKI_UI_LOGIN_USER_UNKNOWN) [pid=10|sid=oqx5]
2025/04/16 11:13:44 ERROR I18N_OPENXPKI_UI_AUTHENTICATION_FAILED [pid=10|sid=oqx5]
2025/04/16 11:13:44 DEBUG Incoming auth for stack LDAP [pid=10|sid=oqx5]
2025/04/16 11:13:44 DEBUG Request stack info for LDAP [pid=10|sid=oqx5]

Sorry I hope you're still willing to help out!

Kind Regards,
Fay Knol
-----------
Student Open-ICT University of Applied Science Utrecht

[email protected]
------------------------------------------------------------------------
*From:* Oliver Welter <[email protected]>
*Sent:* Tuesday, April 15, 2025 5:12 PM
*To:* [email protected]
*Subject:* Re: [OpenXPKI-users] [External] Re: Issue with LDAP login on OpenXPKI

Well, you have ignored my hint to check the logs with debug enabled - a lot of people here use this module, so I am sure it works with the right filters and parameters, but to understand what is going wrong we need the logs.


On 15.04.25 12:35, Fay Knol via OpenXPKI-users wrote:
Thanks for the reply Killian, unfortunately even that config did not work.

So this is where I'll officially give up and we'll just have to make local accounts for all the people who want to make a cert.

Thanks a lot for the help anyways!

Regards,
Fay Knol
-----------
Student Open-ICT University of Applied Science Utrecht

[email protected]



------------------------------------------------------------------------
*From:* Killian, Edward [USA] via OpenXPKI-users <[email protected]>
*Sent:* Friday, April 11, 2025 6:05 PM
*To:* [email protected]
*Cc:* Killian, Edward [USA] <[email protected]>
*Subject:* Re: [OpenXPKI-users] [External] Re: Issue with LDAP login on OpenXPKI

Here is the section of my connector.yaml:

user-ad:
    class: Connector::Builtin::Authentication::LDAP
    LOCATION: ldap://{server IP}
    base: dc=int,dc={domain},dc=us
    binddn: {user@domain}
    password: PASSWORD
    filter: "(&(sAMAccountName=[% LOGIN %])(memberOf=CN=ca-admin,OU=groups,DC=int,DC={domain},DC=us))"

We’re filtering on the user being a member of the ca-admin group.

*Edward Killian*

Systems Engineer – Lead Engineer

Global Defense Group

[email protected]

Booz | Allen | Hamilton

BoozAllen.com <http://www.boozallen.com/>

*From:* Oliver Welter <[email protected]>
*Date:* Friday, April 11, 2025 at 4:35 AM
*To:* [email protected]
*Subject:* [External] Re: [OpenXPKI-users] Issue with LDAP login on OpenXPKI

Search in log.conf for the definition of the "connector" facility and set this to trace, this should help in seeing the LDAP error messages.

On 11.04.25 09:32, Fay Knol via OpenXPKI-users wrote:

    Thanks for your reply Killian, it seems that unfortunately that
    also doesn't work for me.

    As you can see here:

    ra-ldap:
        class: Connector::Builtin::Authentication::LDAP
        LOCATION: ldap://{serverIP}
        base: dc=vault,dc=local
        binddn: [email protected]
        password: Secure123
        filter: "(&(sAMAccountName=[% LOGIN %]))"

    and I still get the following error messages:

    2025/04/11 09:27:00 WARN Group Not Defined.  Defaulting to EGID '0 0' [pid=1|pki_realm=prodrealm]
    2025/04/11 09:27:00 WARN User Not Defined.  Defaulting to EUID '0' [pid=1|pki_realm=prodrealm]
    2025/04/11 09:27:04 ERROR I18N_OPENXPKI_SERVICE_DEFAULT_HANDLE_CONTINUE_SESSION_SESSION_CONTINUE_FAILED; __ID__ => 7F175Im4RC+EvQ5okCv5iw== [pid=10|pki_realm=prodrealm]
    2025/04/11 09:27:11 INFO Got invalid auth result from handler ldap [pid=10|sid=DAq/]
    2025/04/11 09:27:11 WARN Login failed  (user: not set, error: I18N_OPENXPKI_UI_LOGIN_USER_UNKNOWN) [pid=10|sid=DAq/]
    2025/04/11 09:27:11 ERROR I18N_OPENXPKI_UI_AUTHENTICATION_FAILED [pid=10|sid=DAq/]

    Thanks,

    Fay Knol

    -----------

    Student Open-ICT University of Applied Science Utrecht

    [email protected]

    ------------------------------------------------------------------------

    *From:* Killian, Edward [USA] <[email protected]>
    *Sent:* Thursday, April 10, 2025 5:50 PM
    *To:* [email protected]
    *Cc:* Fay Knol <[email protected]>
    *Subject:* Re: [OpenXPKI-users] Issue with LDAP login on OpenXPKI

    In my case I had to use the same binddn in connector.yaml that I
    used in the ldapsearch command. In your case the "-D"
    [email protected] would be used in the connector.yaml as

    binddn: [email protected]

    *Edward Killian*

    Systems Engineer - Lead Engineer

    Global Defense Group

    [email protected]

    Booz | Allen | Hamilton

    BoozAllen.com <https://www.boozallen.com/>

    ------------------------------------------------------------------------

    *From:* Fay Knol via OpenXPKI-users <[email protected]>
    *Sent:* Thursday, April 10, 2025 10:01 AM
    *To:* [email protected]
    *Cc:* Fay Knol <[email protected]>
    *Subject:* [External] Re: [OpenXPKI-users] Issue with LDAP login on OpenXPKI


    Hi Oliver,

    Thanks for your reply!

    I'm sure the openxpki service user had sufficient permissions,
    because even with filtering the request works, as you can see here:

    ldapsearch -LLL -x -H ldap://{test server ip} -D "[email protected]" -w "Secure123" -b "DC=vault,DC=local" "(&(sAMAccountName=fay)(memberOf=CN=PKIAdmins,CN=Users,DC=vault,DC=local))"

    dn: CN=Fay's Test Account,CN=Users,DC=vault,DC=local
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: Fay's Test Account
    sn: Test Account
    givenName: Fay's
    distinguishedName: CN=Fay's Test Account,CN=Users,DC=vault,DC=local
    ...
    memberOf: CN=PKIAdmins,CN=Users,DC=vault,DC=local
    memberOf: CN=DnsAdmins,CN=Users,DC=vault,DC=local
    ...
    sAMAccountName: fay

    Additionally, the login didn't work without a filter either.

    I did however have another look at the logs (decided to check
    them via docker exec in the container this time instead of with
    docker logs) and got this when I tried to log in:
    2025/04/10 15:45:55 INFO Got invalid auth result from handler ldap [pid=10|sid=kPi4]
    2025/04/10 15:45:55 WARN Login failed  (user: not set, error: I18N_OPENXPKI_UI_LOGIN_USER_UNKNOWN) [pid=10|sid=kPi4]
    2025/04/10 15:45:55 ERROR I18N_OPENXPKI_UI_AUTHENTICATION_FAILED [pid=10|sid=kPi4]


    and this at restart:
    2025/04/10 15:45:44 INFO Loaded auth handler Anonymous [pid=1|pki_realm=prodrealm]
    2025/04/10 15:45:44 INFO Loaded auth handler ldap [pid=1|pki_realm=prodrealm]
    2025/04/10 15:45:44 INFO Loaded auth handler System [pid=1|pki_realm=prodrealm]
    2025/04/10 15:45:44 INFO Loaded auth handler TestAccounts [pid=1|pki_realm=prodrealm]
    2025/04/10 15:45:44 INFO Loaded auth handler LocalPassword [pid=1|pki_realm=prodrealm]
    2025/04/10 15:45:44 WARN Group Not Defined.  Defaulting to EGID '0 0' [pid=1|pki_realm=prodrealm]
    2025/04/10 15:45:44 WARN User Not Defined.  Defaulting to EUID '0' [pid=1|pki_realm=prodrealm]

    Could that help diagnose my issue? I couldn't find my error in
    the mailing list archives.
    Is there an even more verbose logging option so I can, for example,
    see the LDAP output?

    By the way I'm running in Docker using the official compose.

    Regards,
    Fay

    ------------------------------------------------------------------------

    *From:* Oliver Welter <[email protected]>
    *Sent:* Wednesday, April 9, 2025 7:27 PM
    *To:* [email protected]
    *Subject:* Re: [OpenXPKI-users] Issue with LDAP login on OpenXPKI

    Hi Fay,

    I can remember that there are some tricks to know but I can not
    remember them :(

    Did you try the memberOf query as filter to the ldap search?
    AFAIR you need permissions on the group tree to be able to search
    in this way, so those might be missing....I did not use this
    module for a long time and I am also not an LDAP expert.

    Oliver

    On 08.04.25 07:09, Fay Knol via OpenXPKI-users wrote:

        Dear mailing list users,

        I'm currently a 2nd year student at the HU University of
        Applied Sciences Utrecht working on setting up OpenXPKI as an
        issuing CA for our student "playground" to self-sign
        certificates.
        I'm trying to set up LDAP authentication for operators.
        However, I've been having some issues I haven't been able to
        figure out for the past week or so.

        With an ldapsearch like the one below I get a proper return, so I
        think that isolates my Active Directory as a variable.
        ldapsearch -LLL -x -H ldap://{test server ip} -D "[email protected]" -w "Secure123" -b "DC=vault,DC=local" "(sAMAccountName=fay)" memberOf

        dn: CN=Fay's Test Account,CN=Users,DC=vault,DC=local
        memberOf: CN=PKIAdmins,CN=Users,DC=vault,DC=local
        memberOf: CN=DnsAdmins,CN=Users,DC=vault,DC=local

        So now I don't get why my configs don't work.

        Connector config:

        ra-ldap:
            class: Connector::Builtin::Authentication::LDAP
            LOCATION: ldap://{test server ip}
            base: "DC=vault,DC=local"
            binddn: cn=openxpki
            password: "Secure123"
            filter: "(&(sAMAccountName=[% LOGIN %])(memberOf=CN=PKIAdmins,OU=Users,CN=Users,DC=vault,DC=local))"

        (mail also didn't work)

        Handler config:

        ldap:
            type: Password
            class: OpenXPKI::Server::Authentication::LDAP
            label: LDAP Authentication
            connector: ra-ldap
            role: RA Operator

        Stack config:

        LDAP:
            label: LDAP Login
            description: Login via Active Directory
            handler: ldap
            type: passwd

        The rest of the LDAP-related configuration is so far just the
        default copied from the example; test account login works fine.

        Am I missing something obvious?
        Are there any other things I should look out for?

        Thanks in advance,

        Fay Knol

        _______________________________________________
        OpenXPKI-users mailing list
        [email protected]
        https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
    Protect your environment -  close windows and adopt a penguin!







--
Protect your environment -  close windows and adopt a penguin!