OpenProject LDAP Connector Test Succeeds, Active Directory User Login Fails
Added by [ jakimfett ] over 9 years ago
I’ve been trying to get the OpenProject LDAP connector set up so that our Active Directory users don’t have to create local accounts. So far, I’ve been unable to get it working.
I’ve read several other threads on LDAP problems, as well as the OpenProject, ChiliProject, and RedMine pages on configuring LDAP authentication.
When I set up the LDAP connector via the administration page (at SITENAME/admin/ldap_auth_sources) and save it, I get a “Successful connection.” confirmation when I test it via the admin page with the following values:
- name: Descriptive Name
- host: IP address of Active Directory server
- port: 3268 or 389 both work
- ldaps: disabled
- account: adlookup@mydomain.com
- password: adlookup account password
- base dn: cn=users,dc=mydomain,dc=com
Attributes:
- login: sAMAccountName
- first name: givenName
- last name: sN
- email: mail
When I save and click “test”, the production.log file contains the following entry:
I, [2015-10-23T11:12:08.476360 #1022] INFO -- : Started GET "/admin/ldap_auth_sources/1/test_connection" for <MY IP ADDRESS> at 2015-10-23 11:12:08 -0700
I, [2015-10-23T11:12:08.479295 #1022] INFO -- : Processing by LdapAuthSourcesController#test_connection as HTML
I, [2015-10-23T11:12:08.479458 #1022] INFO -- : Parameters: {"id"=>"1"}
I, [2015-10-23T11:12:08.505374 #1022] INFO -- : Redirected to https://mysitedomain.com/admin/ldap_auth_sources
I, [2015-10-23T11:12:08.505780 #1022] INFO -- : Completed 302 Found in 26ms (ActiveRecord: 1.6ms)
I, [2015-10-23T11:12:08.534766 #1022] INFO -- : Started GET "/admin/ldap_auth_sources" for <MY IP ADDRESS> at 2015-10-23 11:12:08 -0700
I, [2015-10-23T11:12:08.537009 #1022] INFO -- : Processing by LdapAuthSourcesController#index as HTML
I, [2015-10-23T11:12:08.585174 #1022] INFO -- : Rendered auth_sources/index.html.erb within layouts/admin (26.4ms)
I, [2015-10-23T11:12:08.599813 #1022] INFO -- : Rendered admin/_menu.html.erb (13.2ms)
I, [2015-10-23T11:12:08.606578 #1022] INFO -- : Rendered common/_favicons.html.erb (1.7ms)
I, [2015-10-23T11:12:08.617295 #1022] INFO -- : Rendered search/_mini_form.html.erb (1.1ms)
I, [2015-10-23T11:12:08.624186 #1022] INFO -- : Rendered layouts/_action_menu.html.erb (0.1ms)
I, [2015-10-23T11:12:08.625888 #1022] INFO -- : Rendered layouts/base.html.erb (25.5ms)
I, [2015-10-23T11:12:08.626617 #1022] INFO -- : Completed 200 OK in 89ms (Views: 66.3ms | ActiveRecord: 3.3ms)
Which, to me, looks correct. However, when I attempt to log in as an Active Directory user, I get an error saying “Invalid user or password or the account is blocked due to multiple failed login attempts. If so, it will be unblocked automatically in a short time.” in my browser, and the production.log file contains this entry:
I, [2015-10-23T11:16:07.162221 #1022] INFO -- : Started POST "/login" for <MY IP ADDRESS> at 2015-10-23 11:16:07 -0700
I, [2015-10-23T11:16:07.164636 #1022] INFO -- : Processing by AccountController#login as HTML
I, [2015-10-23T11:16:07.164812 #1022] INFO -- : Parameters: {"utf8"=>"✓", "authenticity_token"=>"7EVbsMLuPlqlVG8vT4eQOwwfWfnw7oRjId4n7mKpmE60fweF8CilweCRuZDck0tUKFISUXcIPPnG5UsPa1D9iw==", "back_url"=>"https%3A%2F%2Fmysitedomain.com%2F", "username"=>"aduser@mydomain.com", "password"=>"[FILTERED]", "login"=>"Sign in"}
W, [2015-10-23T11:16:07.275409 #1022] WARN -- : Failed login for 'aduser@mydomain.com' from <MY IP ADDRESS> at 2015-10-23 18:16:07 UTC
I, [2015-10-23T11:16:07.288396 #1022] INFO -- : Rendered account/_password_login_form.html.erb (8.9ms)
I, [2015-10-23T11:16:07.289731 #1022] INFO -- : Rendered hooks/login/_auth_provider.html.erb (0.4ms)
I, [2015-10-23T11:16:07.290053 #1022] INFO -- : Rendered account/_auth_providers.html.erb (1.1ms)
I, [2015-10-23T11:16:07.290350 #1022] INFO -- : Rendered account/login.html.erb within layouts/base (11.8ms)
I, [2015-10-23T11:16:07.301389 #1022] INFO -- : Rendered common/_favicons.html.erb (2.6ms)
I, [2015-10-23T11:16:07.309451 #1022] INFO -- : Rendered search/_mini_form.html.erb (1.2ms)
I, [2015-10-23T11:16:07.318853 #1022] INFO -- : Rendered hooks/login/_auth_provider.html.erb (0.1ms)
I, [2015-10-23T11:16:07.319178 #1022] INFO -- : Rendered account/_auth_providers.html.erb (1.0ms)
I, [2015-10-23T11:16:07.319994 #1022] INFO -- : Rendered account/_login.html.erb (8.6ms)
I, [2015-10-23T11:16:07.322490 #1022] INFO -- : Rendered layouts/_action_menu.html.erb (0.2ms)
I, [2015-10-23T11:16:07.325117 #1022] INFO -- : Completed 200 OK in 160ms (Views: 47.1ms | ActiveRecord: 12.0ms)
A couple of things I noticed: the first (successful?) test is hitting the LdapAuthSourcesController, but the second one isn’t (it’s hitting the AccountController). When I looked at the log files for the LDAP server, the adlookup@mydomain.com login shows up, but no attempt is shown from the user actually trying to log in.
I’ve tried creating the user account locally, and then manually setting the user’s “Authentication mode” to the LDAP connector. I’ve tried using the “Login” parameter in the LDAP connector configuration to “company\$login”, which definitely didn’t work. Using ldapsearch from the server OpenProject is hosted on works just fine. I also tried disabling the automated user blocking in SITENAME/settings?tab=authentication, but all that seemed to do is change the browser error message to “Invalid user or password.”
This is on CentOS 7, manual installation, with MySQL. Everything else appears to be working properly, as far as I can tell.
I’m at a loss as to why this doesn’t work, and would really appreciate it if I could get some help. My organization is trying to switch our development team away from Sharepoint, and LDAP authentication is the last piece before we can start using OpenProject.
Replies (6)
Did you try setting the auth_sources.type to ‘LdapAuthSource’ in the database as suggested in https://community.openproject.org/topics/1719?page=2&r=4757#message-4757
Thanks for the response Doug, I’ve tried that fix. When I checked initially, the “type” field was properly filled, but I cleared and re-set the value just to be sure. See attached PNG for my full configuration.
As a sidenote, I updated OpenProject to 251e0a01d23a44b6c2bf3b488b4d469e2e3f9ef2 (Update stable/5 to v5.0.6, from Wed Dec 9 09:40:17 2015 +0100) and am still experiencing this bug.
I’m facing same issue too.
Just as a point of reference, this is what my configuration looks like. Roughly the same. Maybe broaden your scope and get rid of the “cn=users”.
beyond that, I would consider using wireshark or tcpdump to see what’s happening, ala, https://community.openproject.org/topics/1719?page=2&r=4812#message-4812
@doug - that was the solution!
Removing the “cn=users” made it possible to log in using AD credentials (obviously I had to set it as the authentication method first).
Note that I haven’t been able to get ParamAuth working yet… will post an update if/when I do.
Thank you so much!