Hello,

I've just started using OBS and I'm having trouble integrating it with AD/LDAP. I've created a service account, OBS users and Admin Groups in Active Directory, then I've followed the example provided in the obs-admin-guide/User Guide to configure the "options.yml" configuration file.

I keep receiving "Authentication Failed" messages when trying to login into OBS using an Active Directory user.

I've tested my svc account/user and password (for the ldap bind) via ldapsearch and it works fine.

Verified logs under /srv/www/obs/api/logs.

production.log - only shows INFO. I can see the moment I try to login, but nothing else.

Any tips or any other logs/tools I could check at this point?

Sincerely, Fabiano T.
Hi, someone else likely knows how to retrieve more verbose output from OBS - but for now you could check if there actually are any binding attempts on the Windows Server, and if there are, if they match your manual `ldapsearch` queries. Best Georg On 2/3/22 17:32, Fabiano Teixeira wrote:
Hello,
I've just started using OBS and I'm having trouble integrating it with AD/LDAP. I've created a service account, OBS users and Admin Groups in Active Directory, then I've followed the example provided in the obs-admin-guide/User Guide to configure the "options.yml" configuration file.
I keep receiving "Authentication Failed" messages when trying to login into OBS using an Active Directory user.
I've tested my svc account/user and password (for the ldap bind) via ldapsearch and it works fine.
Verified logs under /srv/www/obs/api/logs.
production.log - only shows INFO. I can see the moment I try to login, but nothing else.
Any tips or any other logs/tools I could check at this point?
Sincerely, Fabiano T.
I can see a binding attempt in AD when using ldapsearch, but not when trying to login/auth via OBS. It would be interesting to have, as a feature, a test mechanism to verify creds during AD/LDAP setup.
Can you please provide all the LDAP related configuration and auth settings you have provided? That could provide a clue to the issue.
On 4 Feb 2022, at 06:23, Fabiano Teixeira <fabianokteixeira@gmail.com> wrote:
I can see a binding attempt in AD when using ldapsearch, but not when trying to login/auth via OBS. It would be interesting to have, as a feature, a test mechanism to verify creds during AD/LDAP setup.
-- Sincerely, William Brown Senior Software Engineer, Identity and Access Management SUSE Labs, Australia
Here is the LDAP portion of the options.yml

--------------------------------------
##################
# LDAP options
##################

#### WARNING: LDAP mode is not officially supported by OBS!
ldap_mode: :on
#### WARNING: LDAP mode is not officially supported by OBS!

# LDAP Servers separated by ':'.
# OVERRIDE with your company's ldap servers. Servers are picked randomly for
# each connection to distribute load.
ldap_servers: dc1.xyz.local

# Max number of times to attempt to contact the LDAP servers
ldap_max_attempts: 15

# The attribute the user memberof is stored in
ldap_user_memberof_attr: memberof

# Perform the group_user search with the member attribute of group entry or memberof attribute of user entry
# It depends on your ldap define
# The attribute the group member is stored in
ldap_group_member_attr: member

# If you're using ldap_authenticate=:ldap then you should ensure that
# ldaps is used to transfer the credentials over SSL or use the StartTLS extension
ldap_ssl: :on

# Use StartTLS extension of LDAP
ldap_start_tls: :off

# LDAP port defaults to 636 for ldaps and 389 for ldap and ldap with StartTLS
#ldap_port:

# Authentication with Windows 2003 AD requires
ldap_referrals: :off

# OVERRIDE with your company's ldap search base for the users who will use OBS
ldap_search_base: OU=Service,DC=xyz,DC=local

# Sam Account Name is the login name for LDAP
ldap_search_attr: sAMAccountName

# The attribute the users name is stored in
ldap_name_attr: cn

# The attribute the users email is stored in
ldap_mail_attr: mail

# Credentials to use to search ldap for the username
ldap_search_user: "cn=obs-svc,ou=service,dc=xyz,dc=local"
ldap_search_auth: "MySecretPassword"

# By default any LDAP user can be used to authenticate to the OBS
# In some deployments this may be too broad and certain criteria should
# be met; eg group membership
#
# To allow only users in a specific group uncomment this line:
#ldap_user_filter: (memberof=CN=group,OU=Groups,DC=Domain Component)
#
# Note this is joined to the normal selection like so:
# (&(#{ldap_search_attr}=#{login})#{ldap_user_filter})
# giving an ldap search of:
# (&(sAMAccountName=#{login})(memberof=CN=group,OU=Groups,DC=Domain Component))
#
# Also note that openLDAP must be configured to use the memberOf overlay

# ldap_authenticate says how the credentials are verified:
# :ldap = attempt to bind to ldap as user using supplied credentials
# :local = compare the credentials supplied with those in
#          LDAP using #{ldap_auth_attr} & #{ldap_auth_mech}
# if :local is used then ldap_auth_mech can be
# :md5
# :cleartext
ldap_authenticate: :ldap
ldap_auth_mech: :md5
# This is a string
ldap_auth_attr: userPassword

# Whether to search group info from ldap, it does not take effect
# when LDAP_GROUP_SUPPORT is not set.
# Please also set below LDAP_GROUP_* configs correctly to ensure the operation works properly
ldap_group_support: :mirror

# OVERRIDE with your company's ldap search base for groups
ldap_group_search_base: ou=service,dc=xyz,dc=local

# The attribute the group name is stored in
ldap_group_title_attr: cn

# The value of the group objectclass attribute, leave it as "" if objectclass attr doesn't exist
ldap_group_objectclass_attr: group
--------------------------------------

From production.log:

[2022-02-04T13:56:44.607972 #2216] INFO -- : [e4bf6a24-8b28-46d8-901f-6dfb99d9db0f] [2216:747.53] method=POST path=/session/create format=html controller=Webui::SessionController action=create status=302 duration=19.33 view=0.00 db=0.98 location=https://10.xx.xxx.xxx/session/new params={"utf8"=>"✓", "authenticity_token"=>"87xCoa2K4NzYde4_Bf55rWzQ1pkrLiBTseQzth34rWob7dbjHx__2uVBT1xFSfj47WHaVvTrmcDqgNX8r_JIQw", "username"=>"test", "password"=>"[FILTERED]", "login"=>"Log In"} host=10.xxx.xxx.xxx time=787.39 backend=0 user=
Found a couple more events in the production.log:

I, [2022-02-07T09:44:25.667133 #177250]  INFO -- : [ac1312f2-4de1-4727-9922-26cd7e9f7442] [177250:200.57] Not bound as CN=obs-svc,OU=service,DC=xyz,DC=local: Can't contact LDAP server
E, [2022-02-07T09:44:25.667178 #177250] ERROR -- : [ac1312f2-4de1-4727-9922-26cd7e9f7442] [177250:200.57] Unable to bind to any LDAP server: dc1.xyz.local
I, [2022-02-07T09:44:25.667200 #177250]  INFO -- : [ac1312f2-4de1-4727-9922-26cd7e9f7442] [177250:200.57] Unable to connect to LDAP server

Some observations:
- OBS unable to connect to LDAP server.
- Firewall is disabled on both OBS server and Domain Controller.
- DC is pingable via IP and FQDN.
- Able to connect via ldapsearch tool and search the whole directory.
- Domain Controller not showing any event ID 4625 in the Security Event logs, which would provide more clues regarding the issue (e.g. wrong username or password, etc.)

Questions:
- What kind of calls does OBS make in order to communicate with LDAP server(s)?
- Is there a verbose log that can help me figure out this issue?
On 5 Feb 2022, at 06:00, Fabiano Teixeira <fabianokteixeira@gmail.com> wrote:
Here is the LDAP portion of the options.yml
--------------------------------------
##################
# LDAP options
##################

#### WARNING: LDAP mode is not officially supported by OBS!
ldap_mode: :on
#### WARNING: LDAP mode is not officially supported by OBS!

# LDAP Servers separated by ':'.
# OVERRIDE with your company's ldap servers. Servers are picked randomly for
# each connection to distribute load.
ldap_servers: dc1.xyz.local
The only thing that stands out is this, could it be this has to be an ldaps:// url? I don't see any configuration of the CACERT here? Could it be an issue with CA validation? Can you do "ldapsearch -H ldaps://dc1.xyz.local" without a CA warning/error from the cli of the obs machine?
# Max number of times to attempt to contact the LDAP servers
ldap_max_attempts: 15

# The attribute the user memberof is stored in
ldap_user_memberof_attr: memberof

# Perform the group_user search with the member attribute of group entry or memberof attribute of user entry
# It depends on your ldap define
# The attribute the group member is stored in
ldap_group_member_attr: member

# If you're using ldap_authenticate=:ldap then you should ensure that
# ldaps is used to transfer the credentials over SSL or use the StartTLS extension
ldap_ssl: :on

# Use StartTLS extension of LDAP
ldap_start_tls: :off

# LDAP port defaults to 636 for ldaps and 389 for ldap and ldap with StartTLS
#ldap_port:
Set this explicitly in case that's the issue.
# Authentication with Windows 2003 AD requires
ldap_referrals: :off

# OVERRIDE with your company's ldap search base for the users who will use OBS
ldap_search_base: OU=Service,DC=xyz,DC=local

# Sam Account Name is the login name for LDAP
ldap_search_attr: sAMAccountName

# The attribute the users name is stored in
ldap_name_attr: cn

# The attribute the users email is stored in
ldap_mail_attr: mail

# Credentials to use to search ldap for the username
ldap_search_user: "cn=obs-svc,ou=service,dc=xyz,dc=local"
ldap_search_auth: "MySecretPassword"

# By default any LDAP user can be used to authenticate to the OBS
# In some deployments this may be too broad and certain criteria should
# be met; eg group membership
#
# To allow only users in a specific group uncomment this line:
#ldap_user_filter: (memberof=CN=group,OU=Groups,DC=Domain Component)
#
# Note this is joined to the normal selection like so:
# (&(#{ldap_search_attr}=#{login})#{ldap_user_filter})
# giving an ldap search of:
# (&(sAMAccountName=#{login})(memberof=CN=group,OU=Groups,DC=Domain Component))
#
# Also note that openLDAP must be configured to use the memberOf overlay

# ldap_authenticate says how the credentials are verified:
# :ldap = attempt to bind to ldap as user using supplied credentials
# :local = compare the credentials supplied with those in
#          LDAP using #{ldap_auth_attr} & #{ldap_auth_mech}
# if :local is used then ldap_auth_mech can be
# :md5
# :cleartext
ldap_authenticate: :ldap
ldap_auth_mech: :md5
# This is a string
ldap_auth_attr: userPassword
likely worth commenting out the ldap_auth_mech/attr since they aren't used.
# Whether to search group info from ldap, it does not take effect
# when LDAP_GROUP_SUPPORT is not set.
# Please also set below LDAP_GROUP_* configs correctly to ensure the operation works properly
ldap_group_support: :mirror

# OVERRIDE with your company's ldap search base for groups
ldap_group_search_base: ou=service,dc=xyz,dc=local

# The attribute the group name is stored in
ldap_group_title_attr: cn

# The value of the group objectclass attribute, leave it as "" if objectclass attr doesn't exist
ldap_group_objectclass_attr: group
--------------------------------------
From production.log:
[2022-02-04T13:56:44.607972 #2216] INFO -- : [e4bf6a24-8b28-46d8-901f-6dfb99d9db0f] [2216:747.53] method=POST path=/session/create format=html controller=Webui::SessionController action=create status=302 duration=19.33 view=0.00 db=0.98 location=https://10.xx.xxx.xxx/session/new params={"utf8"=>"✓", "authenticity_token"=>"87xCoa2K4NzYde4_Bf55rWzQ1pkrLiBTseQzth34rWob7dbjHx__2uVBT1xFSfj47WHaVvTrmcDqgNX8r_JIQw", "username"=>"test", "password"=>"[FILTERED]", "login"=>"Log In"} host=10.xxx.xxx.xxx time=787.39 backend=0 user=
-- Sincerely, William Brown Senior Software Engineer, Identity and Access Management SUSE Labs, Australia
Hi William,

I got OBS to connect to my Active Directory yesterday. Had to change a few ldap attributes to match with AD, but the most important I had to disable ldap_ssl as I'm not using secure LDAP (636) for my test.

According to the Admin Guide, if option ldap_port is not set, it will use 389 for ldap and 636 for ldaps.

I honestly thought OBS would try both ports (as I have not specified any), however with the ldap_ssl option set to enable (on) by default it only tries port 636, causing the "Unable to connect to LDAP server" error (as I don't have any CACERT configuration in place).

Thanks for the help.

Sincerely, Fabiano T.
On 9 Feb 2022, at 05:43, Fabiano Teixeira <fabianokteixeira@gmail.com> wrote:
Hi William,
I got OBS to connect to my Active Directory yesterday. Had to change a few ldap attributes to match with AD, but the most important I had to disable ldap_ssl as I'm not using secure LDAP (636) for my test.
According to the Admin Guide, if option ldap_port is not set, it will use 389 for ldap and 636 for ldaps.
I honestly thought OBS would try both ports (as I have not specified any), however with the ldap_ssl option set to enable (on) by default it only tries port 636, causing the "Unable to connect to LDAP server" error (as I don't have any CACERT configuration in place).
Right, it sounds like the issue is your CA configuration rather than anything else. You could try to set 'LDAPTLS_REQCERT=never' in your environment variables when launching OBS, or you could alter /etc/openldap/ldap.conf and set 'TLS_REQCERT never' in there instead. Given that you are likely sending passwords via ldap over the network, TLS is really important to protect this from interception and attacks.
Thanks for the help.
Sincerely, Fabiano T.
-- Sincerely, William Brown Senior Software Engineer, Identity and Access Management SUSE Labs, Australia
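The thread's diagnosis came down to three things: which port OBS actually tries given ldap_ssl/ldap_start_tls/ldap_port, whether the TLS handshake succeeds against the DC's certificate chain, and whether the chosen mode sends user passwords in the clear. The following is an added example written for this archive, not OBS project code: it reads the flat "key: value" lines of the LDAP section of options.yml with a minimal parser (not a full YAML parser), derives the endpoint using the port rule quoted from the Admin Guide above (636 when ldap_ssl is :on, else 389, unless ldap_port is set; that rule is assumed from the thread, not taken from OBS source), flags the configuration risks raised in the discussion, and probes the endpoint in two stages (TCP connect, then a verified TLS handshake) so that "Can't contact LDAP server" and a CA-validation failure can be told apart. The sample configuration is constructed with a placeholder host and password; `probe_ldap_endpoint` uses Python's default trust store unless a `cafile` is passed, which is the CA configuration William asked about.

```python
"""Added example (not OBS code): derive and probe the effective LDAP endpoint
from the LDAP section of an OBS options.yml.

Assumption (from the thread, not OBS source): without ldap_port, OBS uses
636 when ldap_ssl is :on and 389 otherwise.
"""
import socket
import ssl

# Constructed sample in the shape of the section posted in the thread;
# host and password are placeholders.
SAMPLE_OPTIONS = """
ldap_mode: :on
ldap_servers: dc1.xyz.local
ldap_ssl: :on
ldap_start_tls: :off
#ldap_port:
ldap_referrals: :off
ldap_search_base: OU=Service,DC=xyz,DC=local
ldap_search_attr: sAMAccountName
ldap_search_user: "cn=obs-svc,ou=service,dc=xyz,dc=local"
ldap_search_auth: "PLACEHOLDER_PASSWORD"
ldap_authenticate: :ldap
"""


def parse_ldap_options(text):
    """Read uncommented 'key: value' lines; strip quotes and the ':' of Ruby symbols."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip().strip('"').strip("'")
        if value.startswith(":"):          # Ruby symbol such as :on / :off / :ldap
            value = value[1:]
        opts[key.strip()] = value
    return opts


def effective_endpoints(opts):
    """Return [(host, port, mode)] for every host in the ':'-separated ldap_servers."""
    ssl_on = opts.get("ldap_ssl") == "on"
    starttls_on = opts.get("ldap_start_tls") == "on"
    port = int(opts["ldap_port"]) if opts.get("ldap_port") else (636 if ssl_on else 389)
    mode = "ldaps" if ssl_on else ("starttls" if starttls_on else "plain")
    return [(h, port, mode) for h in opts.get("ldap_servers", "").split(":") if h]


def config_warnings(opts):
    """Security-relevant findings a reviewer would raise on this configuration."""
    warnings = []
    ssl_on = opts.get("ldap_ssl") == "on"
    starttls_on = opts.get("ldap_start_tls") == "on"
    if opts.get("ldap_authenticate") == "ldap" and not (ssl_on or starttls_on):
        warnings.append("user passwords are sent to the LDAP server without TLS")
    if ssl_on and starttls_on:
        warnings.append("ldap_ssl and ldap_start_tls are both on; pick one")
    if ssl_on and not opts.get("ldap_port"):
        warnings.append("ldap_ssl is on and ldap_port unset: only port 636 will be tried")
    if opts.get("ldap_search_auth"):
        warnings.append("ldap_search_auth is a cleartext bind password: restrict options.yml permissions")
    return warnings


def probe_ldap_endpoint(host, port, use_tls, cafile=None, timeout=3.0):
    """Connect in two stages and report which one fails.

    Returns {'stage': 'ok' | 'tcp_connect_failed' | 'tls_handshake_failed', 'detail': str}.
    A 'tcp_connect_failed' matches the "Can't contact LDAP server" log line; a
    'tls_handshake_failed' with a certificate error points at CA configuration.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:                 # DNS failure, refused, timeout, no route
        return {"stage": "tcp_connect_failed", "detail": str(exc)}
    try:
        if use_tls:
            ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"stage": "ok", "detail": tls.version()}
        return {"stage": "ok", "detail": "tcp connected (no TLS)"}
    except OSError as exc:                 # ssl.SSLError is an OSError subclass
        return {"stage": "tls_handshake_failed", "detail": str(exc)}
    finally:
        sock.close()


if __name__ == "__main__":
    options = parse_ldap_options(SAMPLE_OPTIONS)
    for host, port, mode in effective_endpoints(options):
        print(host, port, mode, probe_ldap_endpoint(host, port, mode == "ldaps"))
    for warning in config_warnings(options):
        print("warning:", warning)
```

Run against the real options.yml, a `tls_handshake_failed` whose detail mentions certificate verification is the case William described: the fix is to give the client the DC's issuing CA (for example via `TLS_CACERT` in /etc/openldap/ldap.conf or the `cafile` argument here), not to turn verification off, since with ldap_authenticate :ldap every user's password crosses that connection.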