LDAP: Incorrect login or password

[lakotajames]

LDAP server works with ldapwhoami.

Relevant bit of config:
"ldap_server": "localhost:636", "ldap_searchdn": "DC=atgfw,DC=com", "ldap_searchfilter": "(sAMAccountName=%s)", "ldap_mappings": { "dn": "dn", "mail": "mail", "uid": "sAMAccountName", "cn": "cn" },
Server log:

time="2023-06-13T20:06:42Z" level=info msg="User Lakota Morris with email lakotam@atgfw.com authorized via LDAP correctly"

[viiwee]

See my comment here:
#1341 (comment)

[lakotajames]

@viiwee this fixed one user that had already existed, but it doesn't let a new user sign in.

[ramiuslr]

+1

I have the same problem, here is my config:

{
  "port": "3000",
  "web_host": "https://semaphore.example.com",
  "tmp_path": "/tmp/semaphore/",
  "access_key_encryption": "<redacted>",
  "cookie_hash": "<redacted>",
  "cookie_encryption": "<redacted>",
  "ldap_enable": true,
  "ldap_needtls": false,
  "ldap_binddn": "<redacted>",
  "ldap_bindpassword": "<redacted>",
  "ldap_server": "<redacted>:389",
  "ldap_searchdn": "<redacted>",
  "ldap_searchfilter": "(&(mail=%s)(memberOf=<redacted>))",
  "ldap_mappings": {
    "dn": "",
    "mail": "mail",
    "uid": "mail",
    "cn": "cn"
  }
}

I can confirm everything works fine testing with ldapwhoami.
I'm using docker compose, and Semaphore v2.9.112-4f95ac8-1717065276.

I'm afraid there is absolutely nothing in docker logs, when I try to log in as a new LDAP account (from ActiveDirectory domain controller).

I use a Caddy reverse proxy in the same docker compose.

[fiftin]

@ramiuslr what LDAP server do you use?

[ramiuslr]

@fiftin it is a Windows Server 2016 Standard ActiveDirectory Server

[ramiuslr]

Is there a debug mode or something that could help me figuring out why this issue happens ?

[ramiuslr]

Okay that's interesting, I finally fixed my problem that wasn't an issue from Semaphore.
My user was in a group, and this group was inside a an other group called GG_Ansible.

So structure was:

   ┌─────────────────────┐      
   │                     │      
   │  GG_Ansible         │      
   │ ┌─────────────────┐ │      
   │ │                 │ │      
   │ │   Team group    │ │      
   │ │                 │ │      
   │ │ ┌────────────┐  │ │      
   │ │ │ My user    │  │ │      
   │ │ └────────────┘  │ │      
   │ │                 │ │      
   │ └─────────────────┘ │      
   │                     │      
   └─────────────────────┘      

So my user object wasn't directly into the GG_Ansible group, I was missing the nested argument in my ldap search filter.
Here is my new filter:

"ldap_searchfilter": "(&(mail=%s)(memberOf:1.2.840.113556.1.4.1941:=CN=GG_Ansible,OU=GG,OU=Groupes,DC=<redacted>,DC=local)(objectClass=user))",

With the 1.2.840.113556.1.4.1941 OID added it worked perfectly.

So I post this information here in case anyone needs it.
Hope this helps !

[fiftin]

Thank you @ramiuslr
it really interesting case.

I moving the issue to discussions.