Hi, I have been fighting for two days with my LDAP authentication for openxpki. Here is my config:

*stack.yaml*

    _System:
      ADAuth:
        label: Active Directory
        description: Login using Active Directory credentials
        handler: dc01
        type: passwd

*handler.yaml*

    dc01:
      type: Connector
      label: Active Directory Login
      description: Authentifizierung über Active Directory
      role: User
      debug: true
      config:
        connector: dc01-ad

*connector.yaml*

    dc01-ad:
      class: Connector::Builtin::Authentication::LDAP
      location: ldap://10.1.1.201
      base: dc=demo,dc=local
      binddn: cn=ldapuser,cn=users,dc=demo,dc=local
      password: Demo123!
      debug: true
      filter: "(&(objectClass=user)(sAMAccountName=%s))"

From my openxpki server I can query my AD server to check the user pkiadmin:

    ldapsearch -b "dc=demo,dc=local" -D "cn=ldapuser,cn=users,dc=demo,dc=local" -w "Demo123!" -H ldap://10.1.1.201 "(&(objectClass=user)(sAMAccountName=pkiadmin))"

    # extended LDIF
    #
    # LDAPv3
    # base <dc=demo,dc=local> with scope subtree
    # filter: (&(objectClass=user)(sAMAccountName=pkiadmin))
    # requesting: ALL
    #

    # pkiadmin, Users, demo.local
    dn: CN=pkiadmin,CN=Users,DC=demo,DC=local
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: pkiadmin
    distinguishedName: CN=pkiadmin,CN=Users,DC=demo,DC=local
    instanceType: 4
    whenCreated: 20250513111914.0Z
    whenChanged: 20250513134615.0Z
    displayName: pkiadmin
    uSNCreated: 53330
    memberOf: CN=OpenXPKI-Admins,OU=OpenXPKI,DC=demo,DC=local
    uSNChanged: 57388
    name: pkiadmin
    objectGUID:: BZiZVFRd3U2zjOQb1lEHGg==
    userAccountControl: 66048
    badPwdCount: 0
    codePage: 0
    countryCode: 0
    badPasswordTime: 0
    lastLogoff: 0
    lastLogon: 133916176408197364
    pwdLastSet: 133916087547664586
    primaryGroupID: 513
    objectSid:: AQUAAAAAAAUVAAAA4QG0zb0TtdoBMMvpVgQAAA==
    accountExpires: 9223372036854775807
    logonCount: 2
    sAMAccountName: pkiadmin
    sAMAccountType: 805306368
    userPrincipalName: pkiadmin@demo.local
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=demo,DC=local
    dSCorePropagationData: 16010101000000.0Z
    lastLogonTimestamp: 133916175755527098

    # search reference
    ref: ldap://ForestDnsZones.demo.local/DC=ForestDnsZones,DC=demo,DC=local

    # search reference
    ref: ldap://DomainDnsZones.demo.local/DC=DomainDnsZones,DC=demo,DC=local

    # search reference
    ref: ldap://demo.local/CN=Configuration,DC=demo,DC=local

    # search result
    search: 2
    result: 0 Success

    # numResponses: 5
    # numEntries: 1
    # numReferences: 3

When I try to log in to the openxpki webserver, I get "Login with the given credentials failed!" and these log entries:

    sudo tail -f /var/log/openxpki/openxpki.log
    2025/05/19 14:57:05 DEBUG Call get in Multi to system.server.name [pid=5299|sid=Q6U9|pki_realm=democa]
    2025/05/19 14:57:07 DEBUG Call get_hash in Multi to system.server.session [pid=5470|]
    2025/05/19 14:57:07 DEBUG Call get_hash in Multi to system.server.session [pid=5470|]
    2025/05/19 14:57:07 DEBUG Incoming auth for stack ADAuth [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Incoming auth for stack ADAuth [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Request stack info for ADAuth [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Request stack info for ADAuth [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Call get_hash in Multi to realm.democa.auth.stack.ADAuth.param [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Call get_hash in Multi to realm.democa.auth.stack.ADAuth.param [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Node does not exist at realm|democa|auth|stack|ADAuth|param [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Node does not exist at realm|democa|auth|stack|ADAuth|param [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Incoming auth for stack ADAuth [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Incoming auth for stack ADAuth [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Request stack info for ADAuth [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Request stack info for ADAuth [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Call get_hash in Multi to realm.democa.auth.stack.ADAuth.param [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Call get_hash in Multi to realm.democa.auth.stack.ADAuth.param [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Node does not exist at realm|democa|auth|stack|ADAuth|param [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Node does not exist at realm|democa|auth|stack|ADAuth|param [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Incoming auth for stack ADAuth [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Incoming auth for stack ADAuth [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Query username pkiadmin with mode authonly [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Query username pkiadmin with mode authonly [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Call get in Multi to realm.democa.auth.handler.dc01.source.pkiadmin [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Call get in Multi to realm.democa.auth.handler.dc01.source.pkiadmin [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Node does not exist at source [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Node does not exist at source [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Node does not exist at [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Node does not exist at [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 INFO Got invalid auth result from handler dc01 [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 INFO Got invalid auth result from handler dc01 [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG I18N_OPENXPKI_UI_LOGIN_FAILED [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG I18N_OPENXPKI_UI_LOGIN_FAILED [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 WARN Login failed (user: pkiadmin, error: I18N_OPENXPKI_UI_LOGIN_FAILED) [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 WARN Login failed (user: pkiadmin, error: I18N_OPENXPKI_UI_LOGIN_FAILED) [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 ERROR I18N_OPENXPKI_UI_AUTHENTICATION_FAILED [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 ERROR I18N_OPENXPKI_UI_AUTHENTICATION_FAILED [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Incoming auth for stack ADAuth [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Incoming auth for stack ADAuth [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Request stack info for ADAuth [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Request stack info for ADAuth [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Call get_hash in Multi to realm.democa.auth.stack.ADAuth.param [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Call get_hash in Multi to realm.democa.auth.stack.ADAuth.param [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Node does not exist at realm|democa|auth|stack|ADAuth|param [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Node does not exist at realm|democa|auth|stack|ADAuth|param [pid=5470|sid=+c6H]
    2025/05/19 14:57:07 DEBUG Call get in Multi to system.server.name [pid=5470|]

On my AD server, I do not see any LDAP request with Wireshark. I have no idea how to solve that problem ... Any help would be great!
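A small log-triage helper, added here as an example and not code from the post or from OpenXPKI: it collapses the doubled lines, groups the openxpki.log entries by session id and lists which configuration paths the auth handler asked for, which of them did not exist, and how the login ended. Run over the log above it surfaces the lookup of realm.democa.auth.handler.dc01.source.pkiadmin, a path under a "source" node rather than the connector named in handler.yaml, which is the detail worth comparing against the handler type. The log format (timestamp, level, message, bracketed pid/sid context) is taken from the quoted output; the sample lines are a constructed excerpt of it.

```python
import re
from collections import defaultdict

# Constructed excerpt of the openxpki.log output quoted in the post,
# keeping the doubled lines exactly as they appear there.
SAMPLE_LOG = """\
2025/05/19 14:57:07 DEBUG Incoming auth for stack ADAuth [pid=5470|sid=+c6H]
2025/05/19 14:57:07 DEBUG Incoming auth for stack ADAuth [pid=5470|sid=+c6H]
2025/05/19 14:57:07 DEBUG Call get_hash in Multi to realm.democa.auth.stack.ADAuth.param [pid=5470|sid=+c6H]
2025/05/19 14:57:07 DEBUG Node does not exist at realm|democa|auth|stack|ADAuth|param [pid=5470|sid=+c6H]
2025/05/19 14:57:07 DEBUG Query username pkiadmin with mode authonly [pid=5470|sid=+c6H]
2025/05/19 14:57:07 DEBUG Call get in Multi to realm.democa.auth.handler.dc01.source.pkiadmin [pid=5470|sid=+c6H]
2025/05/19 14:57:07 DEBUG Node does not exist at source [pid=5470|sid=+c6H]
2025/05/19 14:57:07 DEBUG Node does not exist at [pid=5470|sid=+c6H]
2025/05/19 14:57:07 INFO Got invalid auth result from handler dc01 [pid=5470|sid=+c6H]
2025/05/19 14:57:07 WARN Login failed (user: pkiadmin, error: I18N_OPENXPKI_UI_LOGIN_FAILED) [pid=5470|sid=+c6H]
2025/05/19 14:57:07 DEBUG Call get in Multi to system.server.name [pid=5470|]
"""

# "<date> <time> <LEVEL> <message> [<key=value|...>]"
LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (.*) \[([^\]]*)\]$")
LOOKUP_RE = re.compile(r"^Call get(?:_hash)? in Multi to (\S+)$")
MISSING_RE = re.compile(r"^Node does not exist at ?(.*)$")
FAILED_RE = re.compile(r"^Login failed \(user: (\S+), error: (\S+)\)$")


def dedupe_consecutive(lines):
    """Drop a line that repeats the line directly before it (the log above
    emits every entry twice)."""
    out = []
    for line in lines:
        if not out or out[-1] != line:
            out.append(line)
    return out


def summarize_auth(log_text):
    """Per session id: config paths requested, paths reported missing, and
    the final login result if one was logged."""
    sessions = defaultdict(lambda: {"lookups": [], "missing": [], "result": None})
    for line in dedupe_consecutive(log_text.splitlines()):
        m = LINE_RE.match(line)
        if not m:
            continue  # not an openxpki.log entry, skip
        _ts, _level, msg, ctx = m.groups()
        fields = dict(kv.split("=", 1) for kv in ctx.split("|") if "=" in kv)
        entry = sessions[fields.get("sid", "")]
        if (lk := LOOKUP_RE.match(msg)):
            entry["lookups"].append(lk.group(1))
        elif (ms := MISSING_RE.match(msg)):
            entry["missing"].append(ms.group(1))  # "" when the path itself is empty
        elif (f := FAILED_RE.match(msg)):
            entry["result"] = {"user": f.group(1), "error": f.group(2)}
    return dict(sessions)
```

Feed the full file in with `summarize_auth(open("/var/log/openxpki/openxpki.log").read())` and read the "lookups" list of the failing session against the handler and connector names in your YAML.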
_______________________________________________ OpenXPKI-users mailing list OpenXPKI-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openxpki-users