LDAP Configuration : USER_NOT_FOUND

[javier-torres]

Hi,

We have chosen your application to maintain our MSK on AWS. We have managed to set up basic authentication but with LDAP we are having problems. We have checked that there is connectivity with LDAP. Attached is the configuration:

micronaut:
  security:
    enabled: true
    token:
      jwt:
        signatures:
          secret:
            generator:
              secret: dgTXXXXXXXXXXXXXXXXXXXdg3$GHgfj
    ldap:
      default:
        enabled: true
        context:
          server: 'ldap://ibr-dev-mad.ibr.local:389'
          managerDn: 'CN=akhq,OU=AKHQ,OU=Applications,OU=XXX Data,OU=IBR_USER_REPO,DC=IBR,DC=LOCAL'
          managerPassword: 'password'
        search:
          base: "OU=AKHQ,OU=Applications,OU=XXX Data,OU=IBR_USER_REPO,DC=IBR,DC=LOCAL"
        groups:
          enabled: true
          base: "OU=AKHQ,OU=Applications,OU=XXX Data,OU=IBR_USER_REPO,DC=IBR,DC=LOCAL"

akhq:
  security:
    default-group: no-roles
    basic-auth:
      - username: admin
        password: a56ad3f2440820608303a0d4a84b1f1858660ead830b8e7df8e8d0b5a7eed13a
        groups:
          - admin
    groups:
      topic-reader:
        name: topic-reader # Group name
        roles: # roles for the group
          - topic/read
        attributes:
          # List of Regexp to filter topic available for group
          # Single line String also allowed
          # topics-filter-regexp: "^(projectA_topic|projectB_.*)$"
          topics-filter-regexp:
            - "^projectA_topic$" # Individual topic
            - "^projectB_.*$" # Topic group
          connects-filter-regexp:
            - "^test.*$"
          consumer-groups-filter-regexp:
            - "consumer.*"
      topic-writer:
        name: topic-writer # Group name
        roles:
          - topic/read
          - topic/insert
          - topic/delete
          - topic/config/update
        attributes:
          topics-filter-regexp:
            - "test.*"
          connects-filter-regexp:
            - "^test.*$"
          consumer-groups-filter-regexp:
            - "consumer.*"
      ldap:
        groups:
          - name: AWS-MSK
            groups:
              - topic-reader
              - topic-writer
        users:
          - username: akhq
            groups:
              - topic-reader
              - topic-writer

  connections:
    Sandbox:
      properties:
        bootstrap.servers: ${BOOTSTRAP_SERVERS}
        security.protocol: SASL_SSL
        sasl.mechanism: SCRAM-SHA-512
        sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username=${SASL_JAAS_CONFIG_USERNAME} password=${SASL_JAAS_CONFIG_PASSWORD};`

We have tested the same configuration with an LDAP client and it works perfectly. However when we go to log into the application we get the following WATN in the log:

WARN r-thread-1 u.LoginFailedEventListener Login failed reason USER_NOT_FOUND, username unknown, message User Not Found

This is a screenshot of the same configuration for LDAP testing:

Could you please help us?

Thank you,
Javier Torres

[tchiotludo]

I'm not a pro on ldap authentification since I don't have any LDAP server on my side.
But relevant configuration can be here or here

[javier-torres]

Hello,

You have an application developed in which you offer LDAP authentication, following your official documentation it should work and it does not. Nobody says that you are a LDAP professional, but if you have a documentation for your application and it doesn't work, the most correct thing would be that you help to make it work, because following the steps you explain it doesn't work. We want to use AKHQ, but if the LDAP documentation you provide doesn't work... we won't be able to use it, that's why we ask for your help since you are the developer of AKHQ.

We are waiting for some convincing answer.

Best regards, thank you very much

[FrankMormino]

@javier-torres - This is an open source project. With a little troubleshooting and research you could possibly help out here and create a solution that works and then create a PR here and help the next individual who has the same issues as yourself.

[tchiotludo]

Thanks @FrankMormino for your reply, really appreciate to remind that's an open source project !

@javier-torres : your angry response is clearly inappropriate in the context of an open source application, if you want to a full support, go for a commercial application where you pay the support you want!

LDAP is working and there is example on the documentation here. There is unit test also that prove that's working and a lot of people is using it.

Just all LDAP tree is different and I don't (and I won't) know yours.

[javier-torres]

Hello,

I am sorry my words have been misinterpreted, in that case I apologize and I totally agree that it is an open source project and I appreciate the work you do and I think it is a great tool. I will try to find a solution to connect to my LDAP.

I just wanted to show my code and see if we all saw something wrong that made it not work for me, but anyway I will continue investigating on my own.

Thank you very much

[hervekhg]

@javier-torres have you found the solution ? I face exactly the same issue :(

[javier-torres]

Yes, I have found solution with this example:

ldap:
      default:
        enabled: true
        context:
          server: ${MICRONAUT_SECURITY_LDAP_CONTEXT_SERVER}
          managerDn: ${MICRONAUT_SECURITY_LDAP_CONTEXT_MANAGER_DN}
          managerPassword: ${MICRONAUT_SECURITY_LDAP_CONTEXT_MANAGER_PASSWORD}
        search:
          enabled: true
          filter: 'mail={0}'
          base: ${MICRONAUT_SECURITY_LDAP_SEARCH_BASE}
        groups:
          enabled: true
          subtree: true
          filter: 'member={0}'
          base: ${MICRONAUT_SECURITY_LDAP_GROUPS_BASE}

[hervekhg]

@javier-torres please could you show me the config where you map AKHQ Groups to LDAP Groups ?

I'm able to connect with my LDAP account (thanks to your configuration), but I did not have the rights of the admin group as I expected. I'm logged with the default right instead of admin.

Below my Setup

  connections:
    int:
      properties:
        bootstrap.servers: "xxxxxxxx"
      schema-registry:
        url: "xxxxxx"
      connect:
        - name: integration
          url:  "xxxxx"
  security:
    default-group: no-connect
    groups:
      users:
        name: users
        roles:
          - topic/read
          - node/read
          - topic/data/read
          - group/read
          - group/delete
          - group/offsets/update         
          - registry/read
          - acls/read
          - connect/read
          - connect/update
          - connect/state/update
          - connect/delete
          - connect/insert
          - registry/update
      no-connect:
        name: no-connect
        roles:
          - topic/read
          - node/read
          - topic/data/read
          - group/read
          - registry/read
          - acls/read

    ldap:
      default-group: no-connect
      groups:
        - name: AKHQ_USERS
          groups: 
            - admin
        - name: AKHQ_ADMINISTRATORS
          groups:
            - admin```

[alexvaque]

Thanks Javier ! Finally my LDAP integration works fine with your last shared solution .
#889 (reply in thread)