Oh sorry, it seems I may have missed that (part of the) message. I've reverted my config back to my original message for this.

There they are, this is the command in the container:

/var/log/openxpki# tail openxpki.log
2025/04/16 11:13:44 DEBUG Request stack info for LDAP [pid=10|sid=oqx5]
2025/04/16 11:13:44 DEBUG Incoming auth for stack LDAP [pid=10|sid=oqx5]
2025/04/16 11:13:44 DEBUG Request stack info for LDAP [pid=10|sid=oqx5]
2025/04/16 11:13:44 DEBUG Incoming auth for stack LDAP [pid=10|sid=oqx5]
2025/04/16 11:13:44 INFO Got invalid auth result from handler ldap [pid=10|sid=oqx5]
2025/04/16 11:13:44 DEBUG I18N_OPENXPKI_UI_LOGIN_USER_UNKNOWN [pid=10|sid=oqx5]
2025/04/16 11:13:44 WARN Login failed (user: not set, error: I18N_OPENXPKI_UI_LOGIN_USER_UNKNOWN) [pid=10|sid=oqx5]
2025/04/16 11:13:44 ERROR I18N_OPENXPKI_UI_AUTHENTICATION_FAILED [pid=10|sid=oqx5]
2025/04/16 11:13:44 DEBUG Incoming auth for stack LDAP [pid=10|sid=oqx5]
2025/04/16 11:13:44 DEBUG Request stack info for LDAP [pid=10|sid=oqx5]

Sorry, I hope you're still willing to help out!

Kind Regards,
Fay Knol
-----------
Student Open-ICT
University of Applied Science Utrecht
fay.k...@student.hu.nl

________________________________
From: Oliver Welter <m...@oliwel.de>
Sent: Tuesday, April 15, 2025 5:12 PM
To: openxpki-users@lists.sourceforge.net
Subject: Re: [OpenXPKI-users] [External] Re: Issue with LDAP login on OpenXPKI

Well, you have ignored my hint to check the logs with debug enabled - a lot of people here use this module so I am sure it works with the right filters and parameters, but to understand what is going wrong we need the logs..

On 15.04.25 12:35, Fay Knol via OpenXPKI-users wrote:

Thanks for the reply Killian, unfortunately even that config did not work. So this is where I'll officially give up and we'll just have to make local accounts for all the people who want to make a cert. Thanks a lot for the help anyways!

Regards,
Fay Knol
-----------
Student Open-ICT
University of Applied Science Utrecht
fay.k...@student.hu.nl

________________________________
From: Killian, Edward [USA] via OpenXPKI-users <openxpki-users@lists.sourceforge.net>
Sent: Friday, April 11, 2025 6:05 PM
To: openxpki-users@lists.sourceforge.net
Cc: Killian, Edward [USA] <killian_edw...@bah.com>
Subject: Re: [OpenXPKI-users] [External] Re: Issue with LDAP login on OpenXPKI

Here is the section of my connector.yaml:

user-ad:
  class: Connector::Builtin::Authentication::LDAP
  LOCATION: ldap://{server IP}
  base: dc=int,dc={domain},dc=us
  binddn: {user@domain}
  password: PASSWORD
  filter: "(&(sAMAccountName=[% LOGIN %])(memberOf=CN=ca-admin,OU=groups,DC=int,DC={domain},DC=us))"

We're filtering on the user being a member of the ca-admin group.

Edward Killian
Systems Engineer – Lead Engineer
Global Defense Group
killian_edw...@bah.com
Booz | Allen | Hamilton
BoozAllen.com

From: Oliver Welter <m...@oliwel.de>
Date: Friday, April 11, 2025 at 4:35 AM
To: openxpki-users@lists.sourceforge.net
Subject: [External] Re: [OpenXPKI-users] Issue with LDAP login on OpenXPKI

Search in log.conf for the definition of the "connector" facility and set this to trace, this should help in seeing the LDAP error messages.

On 11.04.25 09:32, Fay Knol via OpenXPKI-users wrote:

Thanks for your reply Killian, it seems that unfortunately that also doesn't work for me. As you can see here

ra-ldap:
  class: Connector::Builtin::Authentication::LDAP
  LOCATION: ldap://{serverIP}
  base: dc=vault,dc=local
  binddn: openxpki@vault.local
  password: Secure123
  filter: "(&(sAMAccountName=[% LOGIN %]))"

and I still get the following error message

2025/04/11 09:27:00 WARN Group Not Defined. Defaulting to EGID '0 0' [pid=1|pki_realm=prodrealm]
2025/04/11 09:27:00 WARN User Not Defined. Defaulting to EUID '0' [pid=1|pki_realm=prodrealm]
2025/04/11 09:27:04 ERROR I18N_OPENXPKI_SERVICE_DEFAULT_HANDLE_CONTINUE_SESSION_SESSION_CONTINUE_FAILED; __ID__ => 7F175Im4RC+EvQ5okCv5iw== [pid=10|pki_realm=prodrealm]
2025/04/11 09:27:11 INFO Got invalid auth result from handler ldap [pid=10|sid=DAq/]
2025/04/11 09:27:11 WARN Login failed (user: not set, error: I18N_OPENXPKI_UI_LOGIN_USER_UNKNOWN) [pid=10|sid=DAq/]
2025/04/11 09:27:11 ERROR I18N_OPENXPKI_UI_AUTHENTICATION_FAILED [pid=10|sid=DAq/]

Thanks,
Fay Knol
-----------
Student Open-ICT
University of Applied Science Utrecht
fay.k...@student.hu.nl

________________________________
From: Killian, Edward [USA] <killian_edw...@bah.com>
Sent: Thursday, April 10, 2025 5:50 PM
To: openxpki-users@lists.sourceforge.net
Cc: Fay Knol <fay.k...@student.hu.nl>
Subject: Re: [OpenXPKI-users] Issue with LDAP login on OpenXPKI

In my case I had to use the same binddn in connector.yaml that I used in the ldapsearch command. In your case the "-D" openxpki@vault.local would be used in the connector.yaml as

binddn: openxpki@vault.local

Edward Killian
Systems Engineer - Lead Engineer
Global Defense Group
killian_edw...@bah.com
Booz | Allen | Hamilton
BoozAllen.com

________________________________
From: Fay Knol via OpenXPKI-users <openxpki-users@lists.sourceforge.net>
Sent: Thursday, April 10, 2025 10:01 AM
To: openxpki-users@lists.sourceforge.net
Cc: Fay Knol <fay.k...@student.hu.nl>
Subject: [External] Re: [OpenXPKI-users] Issue with LDAP login on OpenXPKI

Hi Oliver,

Thanks for your reply! I'm sure the openxpki service user had sufficient permissions, because even with filtering the request works, as you can see here

ldapsearch -LLL -x -H ldap://{test server ip} -D "openxpki@vault.local" -w "Secure123" -b "DC=vault,DC=local" "(&(sAMAccountName=fay)(memberOf=CN=PKIAdmins,CN=Users,DC=vault,DC=local))"
dn: CN=Fay's Test Account,CN=Users,DC=vault,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Fay's Test Account
sn: Test Account
givenName: Fay's
distinguishedName: CN=Fay's Test Account,CN=Users,DC=vault,DC=local
...
memberOf: CN=PKIAdmins,CN=Users,DC=vault,DC=local
memberOf: CN=DnsAdmins,CN=Users,DC=vault,DC=local
...
sAMAccountName: fay

Additionally, the login didn't work without a filter either.

I did however have another look at the logs (decided to check them via docker exec in the container this time instead of with docker logs) and got this when I tried to log in.

2025/04/10 15:45:55 INFO Got invalid auth result from handler ldap [pid=10|sid=kPi4]
2025/04/10 15:45:55 WARN Login failed (user: not set, error: I18N_OPENXPKI_UI_LOGIN_USER_UNKNOWN) [pid=10|sid=kPi4]
2025/04/10 15:45:55 ERROR I18N_OPENXPKI_UI_AUTHENTICATION_FAILED [pid=10|sid=kPi4]

and this at restart

2025/04/10 15:45:44 INFO Loaded auth handler Anonymous [pid=1|pki_realm=prodrealm]
2025/04/10 15:45:44 INFO Loaded auth handler ldap [pid=1|pki_realm=prodrealm]
2025/04/10 15:45:44 INFO Loaded auth handler System [pid=1|pki_realm=prodrealm]
2025/04/10 15:45:44 INFO Loaded auth handler TestAccounts [pid=1|pki_realm=prodrealm]
2025/04/10 15:45:44 INFO Loaded auth handler LocalPassword [pid=1|pki_realm=prodrealm]
2025/04/10 15:45:44 WARN Group Not Defined. Defaulting to EGID '0 0' [pid=1|pki_realm=prodrealm]
2025/04/10 15:45:44 WARN User Not Defined. Defaulting to EUID '0' [pid=1|pki_realm=prodrealm]

Could that help diagnose my issue? I couldn't find my error in the mailing list archives. Is there an even more verbose logging option so I can, for example, see the LDAP output?

By the way, I'm running in Docker using the official compose.

Regards,
Fay

________________________________
From: Oliver Welter <m...@oliwel.de>
Sent: Wednesday, April 9, 2025 7:27 PM
To: openxpki-users@lists.sourceforge.net
Subject: Re: [OpenXPKI-users] Issue with LDAP login on OpenXPKI

Hi Fay,

I can remember that there are some tricks to know but I can not remember them :( Did you try the memberOf query as filter to the ldap search? AFAIR you need permissions on the group tree to be able to search in this way, so those might be missing.... I did not use this module for a long time and I am also not an LDAP expert.

Oliver

On 08.04.25 07:09, Fay Knol via OpenXPKI-users wrote:

Dear mailing list users,

I'm currently a 2nd year student at the HU University of Applied Sciences Utrecht working on setting up OpenXPKI as an issuing CA for our student "playground" to self-sign certificates. I'm trying to set up LDAP authentication for operators. However, I've been having some issues I haven't been able to figure out for the past week or so.

With a ldapsearch like below I get a proper return, so I think that isolates my Active Directory as a variable.

ldapsearch -LLL -x -H ldap://{test server ip} -D "openxpki@vault.local" -w "Secure123" -b "DC=vault,DC=local" "(sAMAccountName=fay)" memberOf
dn: CN=Fay's Test Account,CN=Users,DC=vault,DC=local
memberOf: CN=PKIAdmins,CN=Users,DC=vault,DC=local
memberOf: CN=DnsAdmins,CN=Users,DC=vault,DC=local

So now I don't get why my configs don't work.

Connector config:

ra-ldap:
  class: Connector::Builtin::Authentication::LDAP
  LOCATION: ldap://{test server ip}
  base: "DC=vault,DC=local"
  binddn: cn=openxpki
  password: "Secure123"
  filter: "(&(sAMAccountName=[% LOGIN %])(memberOf=CN=PKIAdmins,OU=Users,CN=Users,DC=vault,DC=local))"

(mail also didn't work)

Handler config:

ldap:
  type: Password
  class: OpenXPKI::Server::Authentication::LDAP
  label: LDAP Authentication
  connector: ra-ldap
  role: RA Operator

Stack config:

LDAP:
  label: LDAP Login
  description: Login via Active Directory
  handler: ldap
  type: passwd

The rest of the configuration related to LDAP is so far just the default copied from the example; test account login works fine.

Am I missing something obvious? Are there any other things I should look out for?

Thanks in advance,
Fay Knol

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment - close windows and adopt a penguin!
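An added offline check (not code from the thread or from OpenXPKI) for the mismatch the thread keeps circling around: whether the memberOf DN written into a connector filter actually matches a group that ldapsearch reports for the user, once the [% LOGIN %] placeholder is filled in. The LDIF sample is constructed to mirror the output quoted above; the DN comparison is a simplified case-insensitive normalisation, not a full RFC 4514 match.

```python
import re

# Constructed sample mirroring the ldapsearch output quoted in the thread.
SAMPLE_LDIF = """dn: CN=Fay's Test Account,CN=Users,DC=vault,DC=local
objectClass: user
sAMAccountName: fay
memberOf: CN=PKIAdmins,CN=Users,DC=vault,DC=local
memberOf: CN=DnsAdmins,CN=Users,DC=vault,DC=local
"""
# The filter from the original post, and the same filter with the group DN
# written the way ldapsearch actually reports it (case differs on purpose).
FILTER_ORIGINAL = '(&(sAMAccountName=[% LOGIN %])(memberOf=CN=PKIAdmins,OU=Users,CN=Users,DC=vault,DC=local))'
FILTER_FIXED = '(&(sAMAccountName=[% LOGIN %])(memberOf=cn=PKIAdmins,cn=Users,dc=vault,dc=local))'

def parse_ldif(ldif: str) -> dict:
    """Collect attribute values (multi-valued) from a single LDIF entry."""
    attrs: dict = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def normalize_dn(dn: str) -> str:
    """Case-fold each RDN and trim spaces around unescaped commas."""
    return ",".join(r.strip().lower() for r in re.split(r"(?<!\\),", dn))

def render_filter(template: str, login: str) -> str:
    """Substitute the Template Toolkit placeholder the connector config uses."""
    return template.replace("[% LOGIN %]", login)

def check_filter(template: str, login: str, ldif: str) -> list:
    """Return the reasons the rendered filter cannot match the LDIF entry."""
    attrs = parse_ldif(ldif)
    rendered = render_filter(template, login)
    problems = []
    sam = re.search(r"\(sAMAccountName=([^)]*)\)", rendered, re.IGNORECASE)
    if sam and sam.group(1).lower() not in [v.lower() for v in attrs.get("samaccountname", [])]:
        problems.append(f"sAMAccountName {sam.group(1)!r} does not match the entry")
    groups = {normalize_dn(g) for g in attrs.get("memberof", [])}
    for group in re.findall(r"\(memberOf=([^)]*)\)", rendered, re.IGNORECASE):
        if normalize_dn(group) not in groups:
            problems.append(f"memberOf DN {group!r} matches no group of the entry")
    return problems

if __name__ == "__main__":
    print(check_filter(FILTER_ORIGINAL, "fay", SAMPLE_LDIF))  # one memberOf problem
    print(check_filter(FILTER_FIXED, "fay", SAMPLE_LDIF))     # []
```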