mac openstf and ldap auth fail (Authentication Failure for "test account")
QA-Jihyun opened this issue · comments
I'm trying to use stf on mac.
I am using the following firmware for "stf-ldap" connection
rethinkdb --bind all
sudo /usr/libexec/slapd -h ldap://111.222.333.444 -d 50
sudo stf local --port 8100 --public-ip 111.222.333.444 --auth-type ldap --auth-options '["--ldap-url","ldap://111.222.333.444","--ldap-search-dn","dc=test,dc=com","--ldap-bind-dn","cn=admin,dc=test,dc=com","--ldap-bind-credentials","!@test34","--ldap-search-field","email","--ldap-username-field","email"]'
Afterwards, connect to stf in the browser. (111.222.333.444/auth/ldap)
username field = ldap email
password = password of ldap user
LDAP log:
658b6e5f odusers_copy_krbrealm: No entry associated with KerberosKDC cn=kerberoskdc,cn=config,dc=test,dc=com
658b6e5f odusers_krb_auth: could not retrieve krb realm while authing younjihyun+email=test@test.co+sn=jihyun
0000: 30 0c 02 01 03 61 07 0a 01 32 04 00 04 00 0....a...2....
ldap_write: want=14, written=14
0000: 30 0c 02 01 03 61 07 0a 01 32 04 00 04 00 0....a...2....
ldap_read: want=8, got=7
0000: 30 05 02 01 04 42 00 0....B.
ber_dump: buf=0x600002124a40 ptr=0x600002124a40 end=0x600002124a45 len=5
0000: 02 01 04 42 00 ...B.
ldap_read: want=8 error=Resource temporarily unavailable
stf log:
WRN/auth-ldap 26828 [::1] Authentication failure for "test@test.com"
In Apache Directory Studio, I am connecting to the DIT with bind DN cn=admin,dc=test,dc=scom and the bind password, and the DIT settings seem to be set up well.
Does anyone know why ldap login keeps failing?
- You have to know that STF is not fully supported on Mac OS environment, you should prefer Linux one
- I don't know if your LDAP installation is correct, did you test it outside STF usage?
- Try to remove the --ldap-username-field option, put uid value in the --ldap-search-field option, and grant your LDAP database schema, for information here is a template I use to add user in my LDAP database:
dn: cn=_USER_,dc=_XXX_,dc=_YYY_
uid: _USER_
sn: _USER_
mail: _EMAIL_
objectClass: inetOrgPerson
objectClass: top
userPassword: _PASSWORD_
I tried connecting to stf from outside. And even if you remove --ldap-username-field, the same error occurs. And the same error is occurring on the PC running stf.
> I tried connecting to stf from outside

My question was: did you test your ldap database alone, without STF?
Did you replace the email value by the uid value in the --ldap-search-field option?
Did you change your ldap database schema as specified (i.e. in particular objectClass: inetOrgPerson)?
Searching ldap's DIT with ldapsearch succeeds.
I also changed --ldap-search-field to uid, but stf login fails. Login fails even if you specify the ou=test group in the --ldap-search-dn option in the stf run options.
I'm wondering if I need to set up the Kerberos realm on Mac, but I'm having trouble setting up Kerberos because I'm not familiar with the Mac environment.
If you ask ChatGPT or Google Bard, they will tell you to set none in stf auth type, but there doesn't seem to be a none option.
Thank you for your interest in my question.
@QA-Jihyun, so what you can do if it works well with the ldapsearch command is to take the provided filter and put it as value in the --ldap-search-filter option, here is an example (e.g. filtering on an LDAP group):
--ldap-search-filter "(&(objectClass=inetOrgPerson)(uid=*)(memberOf=cn=stf-users,ou=groups,dc=test,dc=org))"
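The thread turns on two things: which attribute --ldap-search-field names (email vs uid; the posted template stores the address as `mail`, the standard inetOrgPerson attribute, and has no `email` attribute at all), and how a --ldap-search-filter such as the memberOf example above combines with it. The following is an added example, not STF's code and not from anyone in this thread; it assumes, as LDAP auth modules commonly do, that the server is first searched under --ldap-search-dn for `(<search-field>=<username>)` ANDed with --ldap-search-filter, and only the single DN found is then bound with the user's password. The directory is a constructed in-memory stand-in built from entries shaped like the posted template (names, group DN and values are made up), so it runs offline and shows, without a real server, why a search on `email` finds nothing while `uid` or `mail` does, and how RFC 4515 escaping keeps a username like `*` from matching every entry.

```python
"""Offline simulation of the LDAP search STF performs before binding.

Added example, not STF's code and not from the thread. Assumption: the server
first searches --ldap-search-dn for (<search-field>=<username>), ANDed with
--ldap-search-filter if set, then binds as the single DN found. The directory
is a constructed in-memory stand-in; no LDAP server is contacted.
"""
import re
from typing import Optional

# Constructed entries shaped like the template in the thread (made-up values).
# inetOrgPerson stores the address in `mail`; there is no `email` attribute.
SAMPLE_LDIF = ["""\
dn: cn=alice,dc=test,dc=com
uid: alice
sn: alice
mail: alice@test.com
objectClass: inetOrgPerson
objectClass: top
memberOf: cn=stf-users,ou=groups,dc=test,dc=com
""", """\
dn: cn=bob,dc=test,dc=com
uid: bob
mail: bob@test.com
objectClass: inetOrgPerson
"""]

# Group filter of the kind suggested at the end of the thread (constructed DN).
GROUP_FILTER = ("(&(objectClass=inetOrgPerson)(uid=*)"
                "(memberOf=cn=stf-users,ou=groups,dc=test,dc=com))")

def parse_ldif_entry(text: str) -> dict:
    """One LDIF entry -> {attribute: [values]}, attribute names lower-cased."""
    entry: dict = {}
    for line in text.splitlines():
        if line.strip():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

ENTRIES = [parse_ldif_entry(t) for t in SAMPLE_LDIF]

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a username like '*)(uid=*' cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_search_filter(search_field: str, username: str,
                        extra_filter: Optional[str] = None) -> str:
    """Filter the server receives: the search-field clause, ANDed with the
    configured --ldap-search-filter if there is one."""
    clause = "(%s=%s)" % (search_field, escape_filter_value(username))
    return "(&%s%s)" % (extra_filter, clause) if extra_filter else clause

def parse_filter(text: str):
    """Parse the RFC 4515 subset needed here: (&...), equality (attr=value)
    and presence (attr=*), into a tuple tree (op, attr_or_children, value)."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos:pos + 1] == "&":
            pos += 1
            kids = []
            while text[pos:pos + 1] == "(":
                kids.append(node())
            if text[pos:pos + 1] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return ("&", kids, None)
        end = text.index(")", pos)  # a ')' inside a value is escaped as \29
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        if value == "*":  # presence; decided before unescaping, so an escaped
            return ("present", attr.lower(), None)  # '*' stays a literal value
        return ("=", attr.lower(), unescape_filter_value(value))
    return node()

def evaluate(tree, entry: dict) -> bool:
    """Match one entry; equality is case-insensitive, as for uid and mail."""
    op, a, b = tree
    if op == "&":
        return all(evaluate(k, entry) for k in a)
    values = entry.get(a, [])
    if op == "present":
        return bool(values)
    return any(v.lower() == b.lower() for v in values)

def find_user_dn(entries, search_field: str, username: str,
                 extra_filter: Optional[str] = None) -> Optional[str]:
    """DN to bind as, or None when no single entry matches: the login then
    fails before the password is ever checked."""
    tree = parse_filter(build_search_filter(search_field, username, extra_filter))
    hits = [e for e in entries if evaluate(tree, e)]
    return hits[0]["dn"][0] if len(hits) == 1 else None
```

`find_user_dn(ENTRIES, "email", "alice@test.com")` returns None while `"mail"` or `"uid"` returns the DN, which is the shape of failure an "Authentication failure" with a correct password points at: no entry came back from the search, so no bind was attempted. The same search can be reproduced against the real server with OpenLDAP's client, e.g. `ldapsearch -x -D "cn=admin,dc=test,dc=com" -W -b "dc=test,dc=com" "(uid=alice)"`, which is the check the maintainer asks for above; if it returns no entry, STF will not be able to log that user in either.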