Thanks for your reply Killian it seems that unfortunately that also
doesn't work for me.
as you can see here
ra-ldap:
class: Connector::Builtin::Authentication::LDAP
LOCATION: ldap://{serverIP}
base: dc=vault,dc=local
binddn: [email protected]
password: Secure123
filter: "(&(sAMAccountName=[% LOGIN %]))"
and I still get the following error message
2025/04/11 09:27:00 WARN Group Not Defined. Defaulting to EGID '0 0'
[pid=1|pki_realm=prodrealm]
2025/04/11 09:27:00 WARN User Not Defined. Defaulting to EUID '0'
[pid=1|pki_realm=prodrealm]
2025/04/11 09:27:04 ERROR
I18N_OPENXPKI_SERVICE_DEFAULT_HANDLE_CONTINUE_SESSION_SESSION_CONTINUE_FAILED;
__ID__ => 7F175Im4RC+EvQ5okCv5iw== [pid=10|pki_realm=prodrealm]
2025/04/11 09:27:11 INFO Got invalid auth result from handler ldap
[pid=10|sid=DAq/]
2025/04/11 09:27:11 WARN Login failed (user: not set, error:
I18N_OPENXPKI_UI_LOGIN_USER_UNKNOWN) [pid=10|sid=DAq/]
2025/04/11 09:27:11 ERROR I18N_OPENXPKI_UI_AUTHENTICATION_FAILED
[pid=10|sid=DAq/]
Thanks,
Fay Knol
-----------
Student Open-ICT University of Applied Science Utrecht
[email protected]
------------------------------------------------------------------------
*From:* Killian, Edward [USA] <[email protected]>
*Sent:* Thursday, April 10, 2025 5:50 PM
*To:* [email protected]
<[email protected]>
*Cc:* Fay Knol <[email protected]>
*Subject:* Re: [OpenXPKI-users] Issue with LDAP login on OpenXPKI
In my case I had to use the same binddn in connector.yaml that I used
in the ldapsearch command. In your case the "-D" [email protected]
would be used in the connector.yaml as
binddn: [email protected]
*Edward Killian*
Systems Engineer - Lead Engineer
Global Defense Group
[email protected]
Booz | Allen | Hamilton
BoozAllen.com <https://www.boozallen.com/>
------------------------------------------------------------------------
*From:* Fay Knol via OpenXPKI-users <[email protected]>
*Sent:* Thursday, April 10, 2025 10:01 AM
*To:* [email protected]
<[email protected]>
*Cc:* Fay Knol <[email protected]>
*Subject:* [External] Re: [OpenXPKI-users] Issue with LDAP login on
OpenXPKI
This Message Is From an External Sender
This message came from outside your organization.
Report Suspicious
<https://us-phishalarm-ewt.proofpoint.com/EWT/v1/May37g!hlrrf7aNkGxHwu3hRx30QiAUZNI8_B56qe65RSNJYMWmgTs0Cujk3h5NXnW_qJ0pRBNc7Sa8qp7DhfG64FQUO8tXJaZoKuKA2qjyN51621cHHDK1uQmhi7IImeo1-84lPK7BNgF9EFupqA$>
Hi Oliver,
Thanks for your reply!
I'm sure the openxpki service user had sufficient permissions because
even with filtering the request works as you can see here
ldapsearch -LLL -x -H ldap://{test server ip} -D
"[email protected]" -w "Secure123" -b "DC=vault,DC=local"
"(&(sAMAccountName=fay)(memberOf=CN=PKIAdmins,CN=Users,DC=vault,DC=local))"
dn: CN=Fay's Test Account,CN=Users,DC=vault,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Fay's Test Account
sn: Test Account
givenName: Fay's
distinguishedName: CN=Fay's Test Account,CN=Users,DC=vault,DC=local
...
memberOf: CN=PKIAdmins,CN=Users,DC=vault,DC=local
memberOf: CN=DnsAdmins,CN=Users,DC=vault,DC=local
...
sAMAccountName: fay
Additionally the login didn't work without a filter too
I did however have another look at the logs (decided to check them via
docker exec in the container this time instead of with docker logs)
and got this when I tried to log in.
2025/04/10 15:45:55 INFO Got invalid auth result from handler ldap
[pid=10|sid=kPi4]
2025/04/10 15:45:55 WARN Login failed (user: not set, error:
I18N_OPENXPKI_UI_LOGIN_USER_UNKNOWN) [pid=10|sid=kPi4]
2025/04/10 15:45:55 ERROR I18N_OPENXPKI_UI_AUTHENTICATION_FAILED
[pid=10|sid=kPi4]
and this at restart
2025/04/10 15:45:44 INFO Loaded auth handler Anonymous
[pid=1|pki_realm=prodrealm]
2025/04/10 15:45:44 INFO Loaded auth handler ldap
[pid=1|pki_realm=prodrealm]
2025/04/10 15:45:44 INFO Loaded auth handler System
[pid=1|pki_realm=prodrealm]
2025/04/10 15:45:44 INFO Loaded auth handler TestAccounts
[pid=1|pki_realm=prodrealm]
2025/04/10 15:45:44 INFO Loaded auth handler LocalPassword
[pid=1|pki_realm=prodrealm]
2025/04/10 15:45:44 WARN Group Not Defined. Defaulting to EGID '0 0'
[pid=1|pki_realm=prodrealm]
2025/04/10 15:45:44 WARN User Not Defined. Defaulting to EUID '0'
[pid=1|pki_realm=prodrealm]
could that help diagnose my issue? I couldn't find my error in the
mailinglist archives
Is there an even more verbose logging option so I can for example see
the LDAP-output?
By the way I'm running in Docker using the official compose.
Regards,
Fay
------------------------------------------------------------------------
*From:* Oliver Welter <[email protected]>
*Sent:* Wednesday, April 9, 2025 7:27 PM
*To:* [email protected]
<[email protected]>
*Subject:* Re: [OpenXPKI-users] Issue with LDAP login on OpenXPKI
Hi Fay,
I can remember that there are some tricks to know but I can not
remember them :(
Did you try the memberOf query as filter to the ldap search? AFAIR you
need permissions on the group tree to be able to search in this way,
so those might be missing....I did not use this module for a long time
and I am also not an LDAP expert.
Oliver
On 08.04.25 07:09, Fay Knol via OpenXPKI-users wrote:
Dear mailing list users,
I'm currently a 2^nd year student at the HU University of Applied
Sciences Utrecht working on setting up OpenXPKI as an issuing CA
for our student "playground" to self sign certificates.
I'm trying to set up LDAP authentication for operators. However,
I've been having some issues I haven't been able to figure out for
the past week or so.
With a ldapsearch like below I get a proper return, so I think
that isolates my Active Directory as a variable.
ldapsearch -LLL -x -H ldap://{test server ip} -D
"[email protected]" <mailto:[email protected]> -w
"Secure123" -b "DC=vault,DC=local" "(sAMAccountName=fay)" memberOf
dn: CN=Fay's Test Account,CN=Users,DC=vault,DC=local
memberOf: CN=PKIAdmins,CN=Users,DC=vault,DC=local
memberOf: CN=DnsAdmins,CN=Users,DC=vault,DC=local
So now I don't get why my configs don't work
Connector config:
ra-ldap:
class: Connector::Builtin::Authentication::LDAP
LOCATION: ldap://{test server ip}
base: "DC=vault,DC=local"
binddn: cn=openxpki
password: "Secure123"
filter: "(&(sAMAccountName=[% LOGIN
%])(memberOf=CN=PKIAdmins,OU=Users,CN=Users,DC=vault,DC=local))"
(mail also didn't work)
Handler config:
ldap:
type: Password
class: OpenXPKI::Server::Authentication::LDAP
label: LDAP Authentication
connector: ra-ldap
role: RA Operator
Stack config:
LDAP:
label: LDAP Login
description: Login via Active Directory
handler: ldap
type: passwd
The rest of the configuration related to LDAP is just so far just
the default copied from the example, test account login works fine.
Am I missing something obvious?
Are there any other things I should look out for?
Thanks in advance,
Fay Knol
_______________________________________________ OpenXPKI-users
mailing list [email protected]
<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/openxpki-users
<https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/openxpki-users__;!!May37g!IjUPhCPUakfP_RE1b2uGb1A_wW6lkuqbYWgmgE6CqHIqve-JAY_EuiwW3V-PPgvs9IZekZEoWd2MHGZf1pqVTR8a5bmpRYqpImzw$>
-- Protect your environment - close windows and adopt a penguin!
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
