Content
You are here:
Active Directory / LDAP Integration
Added by Martin Böhm about 10 years ago
I want to authenticate users over Active Directory, so I configured LDAP on the administration page of our openproject instance. After configuring I created a new user account with LDAP/AD-Authentication Mode. The users login name I have choosen is the same as the sAMAccountName in Active Directory. Moreover I granted Administrator priviledges.
But if I try to login with this name, the login is permitted. I always get an error: “Invalid user or password or the account is blocked due to multiple failed login attempts. If so, it will be unblocked automatically in a short time.”
What do I wrong here?
Replies (46)
I have the same issue and am at a loss as to how to fix it.
I’ve setup LDAP authentication mode and when clicking on “Test” it says “Successful Connection”.
- Open Project installed on CentOS 6.5
- Active Directory running on Server 2008 R2.
I have the same issue and am at a loss as to how to fix it.
I’ve setup LDAP authentication mode and when clicking on “Test” it says “Successful Connection”.
- Open Project installed on Ubuntu 12.04
- Active Directory running on Windows Server 2008 R2.
I’ve realised LDAP authentication with AD on Windows Server 2003 with these settings
Hi Nicola,
what have put into the fields “Konto” or “Account Field” respectively; the fullqualified Name or only the user-id?
this: mmustermann
or that: CN=mmustermann,CN=Users,DC=subdomin,DC=domaincomp,DC=com
Thanks for your help.
Hello Martin
Only the Username, e.g. “openproject”
We have OTRS in action and I use the user from the OTRS LDAP access.
Nicola
Hi Nicola,
it doesn’t work. I have put the following fields:
Name: Active Directory Central Europe
Host: <ip of the server, confirmed by IT head office>
Port: <port of AD, confirmed by IT head office>
Account: ad_admin_ro
Password:
Base DN: OU=Users,OU=TDDD,DC=ci,DC=rgt,DC=local
Login: sAMAccountName
FirstName: cn
LastName:
Email: mail
If I test the connection I always get “Successful connection”. But if I try to logon with an user, I get the error message “Invalid user or password or the account is blocked due to multiple failed login attempts. If so, it will be unblocked automatically in a short time.”
Where do I find an integral description to configure LDAP authentication mode?
I am having the same issue — “Successful connection” but “Invalid User”
Tested the LDAP Auth login with a 3rd party tool and using the BaseDN it correctly lists all users.
I have the server backend console running and can give context to what’s generated when attempting to log in as well as clicking “Test”
Name should be your domain I think (but maybe you are right and it’s only a title):
rgt
Base DN only should be:
DC=rgt,DC=local
Port:
389
I’ve tried your suggestion but it doesn’t work.
Unlike your suggestion I don’t understand, why I should use the BaseDN without subtree. Moreover we use an other port. Test is always successfull but the login always fails.
So I suppose that there is something wrong with the authentication configuration in connection with the user configuration. Where do I find a detailed description?
The sAMAccountName of our test user is mmustermann. In the user configuration we configured a user with loginname “mmustermann” and authentication mode “LDAP”. Is there anything I can further do?
Does the Account “ad_admin_ro” have the correct rights?
“Konten-Operatoren”, “Domänen-Benutzer” and “Windows-Autorisierungszugriffsgruppe”
?
Martin Böhm wrote:
Install Wireshark an read the communication …
All roles are assigned to account. But doesn’t work.
Thank you Nicola, Wireshark did the trick!
Martin,
Wireshark is what helped me — I was in the same spot as you, getting a successful test but no luck when trying to log in.
I started with just the domain ( DC=mydomain,DC=local ) and was able to filter by LDAP traffic and quickly identified a more detailed error message upon clicking Test. After correcting the issue and testing a successful login / user creation, I filtered it into OU=Users,OU=MyCompany,DC=mydomain,DC=local and performed another test with a different user all the while monitoring Wireshark.
Additionally, I then wanted to utilize LDAPS, so I ticked the box, changed the port to 636, and pressed save. I think I had to leave the page and return to re-enter a password, but it worked! To watch this traffic, I filtered Wireshark with an expression: tcp.port == 636
Hope this helps you to troubleshoot!
another hint:
i had a similar problem: testing all parameters with ldapsearch worked fine, but openproject didn’t allow LDAP users to login. we also restarted the server several times but that did not change anything.
as we didn’t find any logging for the ldap module and out of desperation, we tried to insert logging code there. having no idea of ruby we just inserted this into app/models/ldap_auth_source.rb: (I guess i should warn anyone to try this unless you absolutely know what you are doing: you may make things worse!)
and guess what: it magically did work and continued to work when we removed the line again.
i am not familiar with ruby, but i think there was some bad code cached somewhere??
i would anyway propose to have some more (optional??) logging for the authentication modules or - if that is already there - have better documentation how to debug this stuff. took three people about two hours to get around this.
Cheers
jonas
hi:
Ubuntu 14.04
AD 2008 R2
I have got the same problem.
Name: xxxx
Host: 172.6.1.x
Port: 389
Account: mto
Password:
Base DN: DC=xxxx,DC=local —>Tested
Base DN: OU=“my ou where mto user is there”,DC=xxxx,DC=local —->Tested
Login: sAMAccountName
FirstName: cn
LastName: sn
Email: mail.
Both tests get “Successful connection” but when I try to log with the user “mto”, “Invalid user or password or the account is blocked due to multiple failed login attempts. If so, it will be unblocked automatically in a short time.”
Also I have tried the Jonas’s solution without any sucess.
Greetings
Joseba
Hi!
Test gets successful connection, but I can’t log in with an user on it.
Any suggestion¿?
Thanks!
Have you tried using Wireshark as suggested towards the top? That’s really what solved it for me.
Hi, hi have the same problem, someone solved the problem?
Thank you
Ghido
same problems, but resolved:
Debian 7.7
AD 2008 R2
Name: mydomain
Host: netbiosnameofdc
Port: 636
LDAPS: YES
Account: username_with_only_group_DomainUsers
Password:
Base DN: DC=mydomain,DC=local
On-the-fly user creation: YES (!!!!!!!!)
Login: sAMAccountName
FirstName: givenname
LastName: sn
Email: mail
With this parameters AD login work fine.
FUI: “Test” button corrupted =)
Martin Böhm wrote:
I had the same problem, no suggestion here was working. I finally got it running:
Packaged installation: OP 4.0.4
CentOS 6.6
AD 2012
Name: something_descriptive
Host: fqdn of your dc
Port: 389
LDAPS: -
Account: username_with_only_group_DomainUsers: ATTENTION: in the notification: user@domain.local
Password:
Base DN: DC=mydomain,DC=local
On-the-fly user creation: yes
Login: sAMAccountName
FirstName: givenName
LastName: sn
Email: mail
Hope this helps.
Cheers
Oliver
I followed the thread, but could not get it to work.
OP 4.0.8
ubuntu 64bit 14.04
Name * LDAP
Host * 10.10.10.15
Port * 389
LDAPS
Account [tried many things, e.g. administrator, domain\administrator, administrator@domain, CN=administrator,CN=Users,DC=foo,DC=lan; none worked]
Password [password]
Base DN CN=Users,DC=foo,DC=lan
On-the-fly user creation
Attributes
Login * sAMAccountName
First name givenName
Last name sN
Email mail
never able to get any users on AD to log in OP.
Hi,
i´ve had similiar problems. “Successfull Connection” on network layer, but “Invalid user or password or the account is blocked due……” after login attempt.
It then worked for me with following syntax in the account field: cn=ourusername,ou=passwd,dc=oursubdomain,dc=ourdomain,dc=ourcountrycode
And don´t forget to reenter the password after every change in the passwordfield.
Cheers,
Frank
Hi,
Could a OP speciallist or a team developer help us in this forum to resolve this particular ISSUE?
Really want to implement this tool in our company, really need to use this feature, it’s mandatory for us, we spend an entire day 3 resources trying to find out a solution. There’s no serious documentation in the user guide, so a step by step (detailed guide with comment/e.g.) will be appreciated from you.
RHEL 6, OP 4.1.1, Mysql2
Hi,
Could a OP speciallist or a team developer help us in this forum to resolve this particular ISSUE?
Really want to implement this tool in our company, really need to use this feature, it’s mandatory for us, we spend an entire day 3 resources trying to find out a solution. There’s no serious documentation in the user guide, so a step by step (detailed guide with comment/e.g.) will be appreciated from you.
RHEL 6, OP 4.1.1, Mysql2
I had the same issue. I knew that the parameters were all correct, because they work on my redmine installation. After some investigation in app/models/user.rb, I determined that it wasn’t working because the “type” field in the auth_sources table in the database was not filled in. After setting to the correct value of ‘LdapAuthSource’, everything worked.
Or if you have more than one, specify which
Hope that helps.
I also had the same issue and had been looking for a solution for days. Doug Perham’s solution worked for me. Many thanks for posting it.
I think I figured it out. There appeared to be a bug where anytime you changed the LDAP settings, the password was removed. Perhaps it’s a mass assignment/strong parameter thing; I didn’t go deep enough into that. To get around that, you need to explicitly (only) set the password (again) after you set all other LDAP parameters.
The hard way to do that is to “rails db” and “update auth_sources set password=‘xxx’;” after you create the LDAP authentication source.
Let’s know if that solves your problem. It worked for me…I did it both ways.
Hi all,
I couldn’t reproduce the error from Doug but the one from Ho-Ki. Thus, I created a bug ticket for this: .
I hope we can fix this soon. Until then it is a possible workaround to explicitly set the password again, like Ho-Ki said.
Best,
Jonas
Thanks Doug,
The type field was blank, we applied the script update auth_sources set type = ’LdapAuthSource’; and everything worked! Now we know we have a bug on creating a “New Authentication Mode”.
This worked for me:
Name: Whatever you wanto for your name.
Host: IP/host name of your LDAP Service
Port: Port listening LDAP Service
LDAPS: Blank, at least you need it for secure authentication
Account: Enough with your username, no need to use username@mydomain or username\mydomain formats.
Password: Your pass
Base DN: Depends of your domain, e.g.: DC=domain_name,DC=top_level_domain,DC=country_level_domain. DC=mycompany,DC=org,DC=de
On-the-fly user creation= yes
Login = sAMAccountName
Firstname = givenName
Lastname = sN
Email = mail
Hi everyone,
I have gone through all steps that everyone has posted, and am still getting a ‘Invalid user or password’ error. Anyone have any ideas as to what to take a look at next?
auth_sources
is set to ‘LdapAuthSource’ldapsearch
command/var/log/openproject-ce/production.log
when attempting to login with an account that has LDAP Authentication set:Started POST "/login" for 127.0.0.1 at 2015-06-23 12:05:34 -0500 Processing by AccountController#login as HTML Parameters: {"utf8"=>"✓", "authenticity_token"=>"O3ch3WHpb/5afZirOJm3mdM2Chqy/sUm+PCBNwWsrKI=", "back_url"=>"http%3A%2F%2Fopenproject.example.org%2Flogin", "username"=>"khoyt", "password"=>"[FILTERED]", "login"=>"Sign in"} OpenProject User: Anonymous Failed login for 'khoyt' from 127.0.0.1 at 2015-06-23 17:05:39 UTC Rendered account/_password_login_form.html.erb (3.4ms) Rendered hooks/login/_auth_provider.html.erb (0.0ms) Rendered account/_auth_providers.html.erb (0.3ms) Rendered account/login.html.erb within layouts/base (4.3ms) Rendered search/_mini_form.html.erb (0.5ms) Rendered hooks/login/_auth_provider.html.erb (0.1ms) Rendered account/_auth_providers.html.erb (0.3ms) Rendered account/_login.html.erb (3.1ms) Rendered layouts/_action_menu.html.erb (0.0ms) Completed 200 OK in 5054.0ms (Views: 20.5ms | ActiveRecord: 7.3ms)
Thanks everyone,
Ken
This may seem stupid, but try replacing
with
where is the actual ip address of dc.company.example.org
That was a problem that I ran into, but never resolved the “why” satisfactorily.
Hi Doug,
Thanks for the response! I tried using the IP Address of the DC, but unfortunately the issue persists.
Couple other things I tried were opening the firewall on the server, as well as disabling SELinux. Still no luck.
I guess I should have added that our business is running Microsoft Active Directory for LDAP Authentication, not sure if that makes any difference or not. I’m honestly thinking about setting up my own LDAP & OP sandbox at home and seeing if it will work. I will update when I have more information.
Thanks,
Ken
Everything looks good to me. I’m grasping at straws, here but …
Doug Perham wrote:
Hi Doug,
I finally figured out my issue, hooray!
First, I followed you directions in packet capturing, and here is something I noticed:
Lightweight Directory Access Protocol
Basically this is telling me the Admin Bind response is returned with invalid credentials. What’s weird is these same creds work successfully with other products. Then I remembered back to my
ldapsearch
command, specifically what I used for the bind DN. Turns out the service account cn is “LDAP Service Name”, and the sAMAccountName is “ldapservicename”. After switching to the cn for the Account field in OpenProject, things starting working. Odd that it doesn’t work with the sAMAccountName, but I don’t think this would be considered a bug?Thanks for your help Doug!
Ken
Hi,
I have a new OpenProject Installation via packager.io onto a Debian 8.0 64bit box. Installation worked without issues.
I have set up a LDAP Account to our MS-AD (Server 2012R2). Within wireshark I see that the LDAP Bind with the Specified User works, but the SearchRequest fails with:
I have built a test-ruby script which works on the Debian box with Debian Packaged net-ldap package:
That script works, but OpenProject fails. Has anyone any idea, what went wrong?
thanks
Philipp
Philipp Kolmann wrote:
If you use 2012R2 AD you should use LDAPS and port 636
Account in format: DOMAIN\User
Hi,
Has someone got the final concrete resolution? I have tried every possible troubleshooting described here, but no luck. I have also updated the DB as - “auth_sources set type = ’LdapAuthSource”, that also is of no use.
It gives the same error - “Invalid user or password or the account is blocked due to multiple failed login attempts. If so, it will be unblocked automatically in a short time.”
Any other ideas as to what needs to be looked at in order to resolve the issue? Any help would be much appreciated.
Thanks,
Amit
Amit Sharma wrote:
Hi Amit,
Could you share details about your environment with us? Some good things to know would be:
-Ken
Hi Ken,
OpenProject version - OpenProject 6.0.3 (MySql2)
Operating System - RHEL 7.2
Database software - MySql
Your current LDAP settings (be sure to obfuscate things like username, password, etc.) - !!
After entering these settings, if I test the connection, it says connection successful, but user wont authenticate. The logs’ file /opt/openproject/log/production.log also doesn’t list any thing. Is there any other parameter to enable logs debug for ldap ? Or any other file, in which we can pass these settings manually ?
Thanks in advance for your help.
-Amit
Hi Amit,
your screenshot got the answer already.
The “Attributes ” section needs to have valid LDAP/AD-attributes.
Simply entering your binding account name will not make the connection possible.
You will have to enter the attributes by which users of your domain will be referenced.
This could be “samAccountName” on a Windows-AD for example.
The rest (like Email, which is “mail” on LDAP) is optional.
Best regards,
Oliver
Hi Oliver,
We have tried entering - ‘samAccountName’ as well over there but no luck so far.
Is there any config file in the server that I can view these settings directly in?
Thanks,
Amit
Good day,
It seems that the password entering issue is not resolved yet.
For those on OP version 6.1.5, you still need to ensure that you enter the password when any changes are made to LDAP Authentication Settings.
Regards,
After having same trouble with new user accounts authenticating against AD i found this simple solution:
you don’t need to enable ‘on-the-fly user accounts’!
Create a new openproject user
membername = samaccountname = ‘windows username’
givenname, surename doesn’t matter
a valid email address
If you want to login with this new user now, you’ll get the well known error…
This is because the account has the status ‘invited’, not active!
You need to activate the new account. Therefore you need the valid email address above.
Go to the activation email, click the activation link, login with domain credentials and… Voila!, you are logged in.
From now, you can directly got to your openproject site an login with your domain creds.
cu
kk
Here is my working settings for a Zimbra LDAP integration:
Host: [zimbra intranet IP]
Port: 389
Account: uid=zimbra,cn=admins,cn=zimbra
Password: [ZImbra Root Password]
Attributes
Login: mail
The Login attribute is the one to build the query. Since I want user to login via email, I put the
mail
attribute here.I went through a ton of posts with everyone asking and running into the same error over and over. Everyone that posted solutions said it was working and recommended attribute names, but no one correctly outlined the procedure to getting it to work correctly with LDAP/AD.
I'd figure I emphasize this as it took me a bit to figure out and the answer was right there in front of my screen the entire time. Thanks kuno kette.
If anyone has their LDAP/AD connection set and it's successfully tested - make sure you invite your user and then have them click on the activation link from the email invitation. Then have them log in from that link. If you invite and the user goes to the main page to login - it won't work per the reason below that kuno kette had stated and it will produce the generic error.
kuno kette wrote:
We use OpenProject 10.1.0 (PostgreSQL) on Ubuntu 18.04.3 LTS.
The following settings worked for us:
Name: AD
Host: [domain].local
Port: 389
Connection Encryption: none
Account: [domain]\LDAP-Read
Base DN: DC=[domain],DC=local
On-the-fly user creation: Yes
Username: sAMAccountName
First name: givenName
Last name: sn
Email: mail