LDAP Authentication failure

Bibo

02 Oct, 2013 01:27 PM

Hi all,

I'm trying to set up RhodeCode following the instructions provided by this link

http://mbrownnyc.wordpress.com/technology-solutions/rhodecode-and-redmine/part-7-setup-ldap-authentication/

but on CentOS 6.4 with RhodeCode 2.0.2 Enterprise I got this error:

[Wed Oct 02 15:00:41 2013] [error] 2013-10-02 15:00:41.922 INFO [rhodecode.lib.base] IP: 10.15.64.60 User: <AuthUser('id:1[default] ip:10.15.64.60 auth:True')> accessed /_admin/login
[Wed Oct 02 15:00:41 2013] [error] 2013-10-02 15:00:41.968 INFO [rhodecode.lib.auth_modules] Authenticating user using rhodecode.lib.auth_modules.auth_rhodecode plugin
[Wed Oct 02 15:00:41 2013] [error] 2013-10-02 15:00:41.968 WARNI [rhodecode.lib.auth_modules] User failed to authenticate against rhodecode.lib.auth_modules.auth_rhodecode
[Wed Oct 02 15:00:41 2013] [error] 2013-10-02 15:00:41.998 INFO [rhodecode.lib.auth_modules] Authenticating user using rhodecode.lib.auth_modules.auth_ldap plugin
[Wed Oct 02 15:00:42 2013] [error] 2013-10-02 15:00:42.000 ERROR [rhodecode.lib.auth_modules.auth_ldap] Traceback (most recent call last):
[Wed Oct 02 15:00:42 2013] [error] File "/var/www/repo/rhodecode-venv/lib/python2.6/site-packages/rhodecode/lib/auth_modules/auth_ldap.py", line 325, in auth
[Wed Oct 02 15:00:42 2013] [error] (user_dn, ldap_attrs) = aldap.authenticate_ldap(username, password)
[Wed Oct 02 15:00:42 2013] [error] File "/var/www/repo/rhodecode-venv/lib/python2.6/site-packages/rhodecode/lib/auth_modules/auth_ldap.py", line 104, in authenticate_ldap
[Wed Oct 02 15:00:42 2013] [error] raise LdapPasswordError()
[Wed Oct 02 15:00:42 2013] [error] LdapPasswordError
[Wed Oct 02 15:00:42 2013] [error]
[Wed Oct 02 15:00:42 2013] [error] 2013-10-02 15:00:42.000 WARNI [rhodecode.lib.auth_modules] User failed to authenticate against rhodecode.lib.auth_modules.auth_ldap
[Wed Oct 02 15:00:42 2013] [error] 2013-10-02 15:00:42.007 INFO [rhodecode.lib.auth_modules] Authenticating user using rhodecode.lib.auth_modules.auth_container plugin
[Wed Oct 02 15:00:42 2013] [error] 2013-10-02 15:00:42.007 WARNI [rhodecode.lib.auth_modules] User failed to authenticate against rhodecode.lib.auth_modules.auth_container
[Wed Oct 02 15:00:42 2013] [error] 2013-10-02 15:00:42.015 INFO [rhodecode.RequestWrapper] IP: 10.15.64.60 Request to /_admin/login time: 0.253s

The passwords of every user account are correct.

My LDAP configs are:

rhodecode.lib.auth_modules.auth_rhodecode "enabled"
rhodecode.lib.auth_modules.auth_container "enabled"
rhodecode.lib.auth_modules.auth_ldap "enabled"
rhodecode.lib.auth_modules.auth_crowd "disabled"

LDAP Host: dsrmalpha.cse.pos
Port: 389
Account: ccestaff\ldapquerier
Password: <double checked!>
Connection Security: PLAIN
Certificate Checks: NEVER
Base DN: DC=cse,DC=pos
LDAP Search Filter: OU=Sistemi

Login Attribute: sAMAccountName
First Name Attribute: givenName
Last Name Attribute: sn
Email Attribute: mail

Last name = sn

Can you help me configure RhodeCode with Active Directory authentication?

Best regards.

Bibo

  1. Support Staff 1 Posted by Marcin Kuzminski on 02 Oct, 2013 01:42 PM

    Did you try to enable the debug log level to see in detail why LDAP authentication fails?
    See here for how to do it: https://rhodecode.com/docs/usage/debugging.html#enable-detailed-debug

    With this you can check each step of the LDAP authentication in detail.

  2. 2 Posted by bibo on 02 Oct, 2013 02:12 PM

    Hi Marcin,

    Yes! I did it.

    The following logs show the same error using the setting

    [DEFAULT]
    debug = true
    ......

    and running RhodeCode in the virtualenv using the command line

     paster serve production.ini

    2013-10-02 16:05:00.519 INFO [rhodecode.lib.base] IP: 10.15.64.60 User: <AuthUser('id:1[default] ip:10.15.64.60 auth:True')> accessed /_admin/register
    2013-10-02 16:05:01.197 INFO [rhodecode.lib.celerylib] running task 5a035d38-78f6-4ba4-b08c-d6fb6e0315b1:<@task: rhodecode.lib.celerylib.tasks.send_email>
    2013-10-02 16:05:01.226 INFO [rhodecode.RequestWrapper] IP: 10.15.64.60 Request to /_admin/register time: 0.782s
    2013-10-02 16:05:01.367 INFO [rhodecode.lib.base] IP: 10.15.64.60 User: <AuthUser('id:1[default] ip:10.15.64.60 auth:True')> accessed /_admin/login
    2013-10-02 16:05:01.422 INFO [rhodecode.lib.auth_modules] Authenticating user using rhodecode.lib.auth_modules.auth_rhodecode plugin
    2013-10-02 16:05:01.422 WARNI [rhodecode.lib.auth_modules] User failed to authenticate against rhodecode.lib.auth_modules.auth_rhodecode
    2013-10-02 16:05:01.442 INFO [rhodecode.lib.auth_modules] Authenticating user using rhodecode.lib.auth_modules.auth_ldap plugin
    2013-10-02 16:05:01.443 ERROR [rhodecode.lib.auth_modules.auth_ldap] Traceback (most recent call last):
      File "/var/www/repo/rhodecode-venv/lib/python2.6/site-packages/rhodecode/lib/auth_modules/auth_ldap.py", line 325, in auth
        (user_dn, ldap_attrs) = aldap.authenticate_ldap(username, password)
      File "/var/www/repo/rhodecode-venv/lib/python2.6/site-packages/rhodecode/lib/auth_modules/auth_ldap.py", line 104, in authenticate_ldap
        raise LdapPasswordError()
    LdapPasswordError

    2013-10-02 16:05:01.443 WARNI [rhodecode.lib.auth_modules] User failed to authenticate against rhodecode.lib.auth_modules.auth_ldap
    2013-10-02 16:05:01.449 INFO [rhodecode.lib.auth_modules] Authenticating user using rhodecode.lib.auth_modules.auth_container plugin
    2013-10-02 16:05:01.449 WARNI [rhodecode.lib.auth_modules] User failed to authenticate against rhodecode.lib.auth_modules.auth_container
    2013-10-02 16:05:01.455 INFO [rhodecode.RequestWrapper] IP: 10.15.64.60 Request to /_admin/login time: 0.219s

    Best regards.

    Bibo
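Both logs above show the same plugin chain (auth_rhodecode, auth_ldap, auth_container) rejecting the user, with the LDAP traceback interleaved, once wrapped in Apache's error_log prefix and once bare from paster. The script below is an added example, not RhodeCode's code: it folds such lines into one record per login request so the rejecting plugin, its exception and the client IP can be read off at a glance, or counted per IP as input for alerting. The sample lines are copied from posts 1 and 2; the record layout and field names are the example's own.

```python
import re
from collections import Counter

# Apache wraps everything RhodeCode writes to stderr in its own "[date] [error] "
# prefix (post 1); under "paster serve" the line is bare (post 2).
APACHE_PREFIX = re.compile(r'^\[[^\]]+\] \[error\] ?')
RECORD = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) '
                    r'(?P<level>[A-Z]+) \[(?P<logger>[^\]]+)\] (?P<msg>.*)$')
ACCESS = re.compile(r'IP: (?P<ip>\S+) User: .* accessed (?P<path>\S+)$')
TRIED = re.compile(r'Authenticating user using (?P<plugin>\S+) plugin')
FAILED = re.compile(r'User failed to authenticate against (?P<plugin>\S+)')
DONE = re.compile(r'IP: (?P<ip>\S+) Request to (?P<path>\S+) time: (?P<secs>[\d.]+)s')
# the unindented last line of a traceback names the exception class
EXC_LINE = re.compile(r'^(?P<exc>[A-Za-z_][\w.]*(?:Error|Exception))\b')


def summarize_auth_attempts(lines):
    """One record per request to /_admin/login: client IP, plugins tried in order,
    plugins that rejected the user, the exception raised inside a plugin (from the
    traceback after an ERROR record) and whether any plugin accepted the login."""
    attempts, current, in_traceback, tb_plugin = [], None, False, None
    for raw in lines:
        line = APACHE_PREFIX.sub('', raw.rstrip())
        rec = RECORD.match(line)
        if rec is None:
            # not a log record: noise, or a continuation line of a traceback
            exc = EXC_LINE.match(line) if in_traceback and current is not None else None
            if exc:
                current['exceptions'][tb_plugin] = exc.group('exc')
                in_traceback = False
            continue
        msg = rec.group('msg')
        acc = ACCESS.search(msg)
        if acc and acc.group('path') == '/_admin/login':
            current = {'ip': acc.group('ip'), 'tried': [], 'failed': [],
                       'exceptions': {}, 'success': None, 'seconds': None}
            attempts.append(current)
            continue
        if current is None:
            continue
        tried = TRIED.search(msg)
        if tried:
            current['tried'].append(tried.group('plugin'))
            continue
        failed = FAILED.search(msg)
        if failed:
            current['failed'].append(failed.group('plugin'))
            continue
        if rec.group('level') == 'ERROR' and msg.startswith('Traceback'):
            in_traceback = True
            tb_plugin = current['tried'][-1] if current['tried'] else rec.group('logger')
            continue
        done = DONE.search(msg)
        if done and done.group('path') == '/_admin/login':
            current['seconds'] = float(done.group('secs'))
            # the login succeeded only if some plugin was tried and did not reject
            current['success'] = len(current['failed']) < len(current['tried'])
            current = None
    return attempts


def failed_logins_by_ip(attempts):
    """Count rejected login attempts per client IP (a simple lockout/alert input)."""
    return Counter(a['ip'] for a in attempts if a['success'] is False)


# Sample lines copied from the thread: post 1 (through Apache) and post 2 (paster).
APACHE_SAMPLE = """\
[Wed Oct 02 15:00:41 2013] [error] 2013-10-02 15:00:41.922 INFO [rhodecode.lib.base] IP: 10.15.64.60 User: <AuthUser('id:1[default] ip:10.15.64.60 auth:True')> accessed /_admin/login
[Wed Oct 02 15:00:41 2013] [error] 2013-10-02 15:00:41.968 INFO [rhodecode.lib.auth_modules] Authenticating user using rhodecode.lib.auth_modules.auth_rhodecode plugin
[Wed Oct 02 15:00:41 2013] [error] 2013-10-02 15:00:41.968 WARNI [rhodecode.lib.auth_modules] User failed to authenticate against rhodecode.lib.auth_modules.auth_rhodecode
[Wed Oct 02 15:00:41 2013] [error] 2013-10-02 15:00:41.998 INFO [rhodecode.lib.auth_modules] Authenticating user using rhodecode.lib.auth_modules.auth_ldap plugin
[Wed Oct 02 15:00:42 2013] [error] 2013-10-02 15:00:42.000 ERROR [rhodecode.lib.auth_modules.auth_ldap] Traceback (most recent call last):
[Wed Oct 02 15:00:42 2013] [error] raise LdapPasswordError()
[Wed Oct 02 15:00:42 2013] [error] LdapPasswordError
[Wed Oct 02 15:00:42 2013] [error]
[Wed Oct 02 15:00:42 2013] [error] 2013-10-02 15:00:42.000 WARNI [rhodecode.lib.auth_modules] User failed to authenticate against rhodecode.lib.auth_modules.auth_ldap
[Wed Oct 02 15:00:42 2013] [error] 2013-10-02 15:00:42.007 INFO [rhodecode.lib.auth_modules] Authenticating user using rhodecode.lib.auth_modules.auth_container plugin
[Wed Oct 02 15:00:42 2013] [error] 2013-10-02 15:00:42.007 WARNI [rhodecode.lib.auth_modules] User failed to authenticate against rhodecode.lib.auth_modules.auth_container
[Wed Oct 02 15:00:42 2013] [error] 2013-10-02 15:00:42.015 INFO [rhodecode.RequestWrapper] IP: 10.15.64.60 Request to /_admin/login time: 0.253s
""".splitlines()

PASTER_SAMPLE = """\
2013-10-02 16:05:01.367 INFO [rhodecode.lib.base] IP: 10.15.64.60 User: <AuthUser('id:1[default] ip:10.15.64.60 auth:True')> accessed /_admin/login
2013-10-02 16:05:01.442 INFO [rhodecode.lib.auth_modules] Authenticating user using rhodecode.lib.auth_modules.auth_ldap plugin
2013-10-02 16:05:01.443 ERROR [rhodecode.lib.auth_modules.auth_ldap] Traceback (most recent call last):
  File "/var/www/repo/rhodecode-venv/lib/python2.6/site-packages/rhodecode/lib/auth_modules/auth_ldap.py", line 104, in authenticate_ldap
    raise LdapPasswordError()
LdapPasswordError

2013-10-02 16:05:01.443 WARNI [rhodecode.lib.auth_modules] User failed to authenticate against rhodecode.lib.auth_modules.auth_ldap
2013-10-02 16:05:01.455 INFO [rhodecode.RequestWrapper] IP: 10.15.64.60 Request to /_admin/login time: 0.219s
""".splitlines()

if __name__ == '__main__':
    for attempt in summarize_auth_attempts(APACHE_SAMPLE + PASTER_SAMPLE):
        print(attempt)
    print(failed_logins_by_ip(summarize_auth_attempts(APACHE_SAMPLE + PASTER_SAMPLE)))
```

Run against both samples it reports a single client IP, three plugins tried and three rejections in the Apache log, and attributes the LdapPasswordError to auth_ldap in both formats; the same records, fed to failed_logins_by_ip, give the per-IP count a lockout rule or alert would key on.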

  3. Support Staff 3 Posted by Marcin Kuzminski on 02 Oct, 2013 02:14 PM

    It's not this; you need to change the log levels to level = DEBUG in the .ini logging configuration.

  4. Support Staff 4 Posted by Marcin Kuzminski on 02 Oct, 2013 02:15 PM

    More specifically, here:

    [handler_console]
    class = StreamHandler  
    args = (sys.stderr,)  
    level = DEBUG
    
  5. 5 Posted by bibo on 02 Oct, 2013 02:32 PM

    Hi Marcin,

    I'm sorry, my mistake. Now I have attached the debug session taken in a virtualenv using paster.

    Best regards.

    Bibo

  6. 6 Posted by bibo on 03 Oct, 2013 09:18 AM

    Hi All,

    Yesterday I attached a log file to post number 6 after the second attempt to overcome the "spam filter" (caused by a typing error).

    Unfortunately I do not see it listed anywhere.

    Now I cannot figure out whether the attachment has been properly inserted.

    I would like to know whether the file has been deleted during the first wrong attempt and if I have to send it again.

    Best regards.

    Bibo

  7. Support Staff 7 Posted by Marcin Kuzminski on 03 Oct, 2013 12:46 PM

    The file is missing; we didn't remove it. Can you try to re-upload?

  8. 8 Posted by bibo on 03 Oct, 2013 01:24 PM

    Hi Marcin,

    I try again.

    Many thanks

    Bibo

  9. Support Staff 9 Posted by Marcin Kuzminski on 04 Oct, 2013 12:06 PM

    I looked at the logs; nothing odd there, it simply looks like LDAP is rejecting the password sent. Are you allowed to do a simple bind with LDAP? Doesn't it require additional authentication?

    After that, double check your LDAP config for typos etc.

    Another check I would do is on the LDAP server side; maybe there's more detailed info about the rejected authentication.

  10. 10 Posted by bibo on 07 Oct, 2013 12:24 PM

    Hi all,

    I followed the directions by Marcin and I made a script to test the bind
    with the LDAP server, launched in the RhodeCode virtual environment.

    No problem; for completeness I am attaching both the test script and the debugging session.

    The admin user was created as shown in the link at the top of the page, while the user being tested is a simple domain user contained in the OU "Sistemi".

    Do you have any other suggestions for me?

    Best regards.

    Bibo

    ##script python start##

    import sys
    import ldap

    #Server = "ldap://dsrmalpha.cse.post"
    #DN = "ccestaff\ldapquerier"
    #Secret = "password"
    #un = "ldapquerier"

    Server = "ldap://172.16.20.235"
    DN = r"ccestaff\qwerty"        # DOMAIN\user form; raw string so the backslash survives
    Secret = "password"
    un = "qwerty"

    Base = "OU=Sistemi,DC=cse,DC=pos"
    Scope = ldap.SCOPE_SUBTREE
    Filter = "(&(objectClass=user)(sAMAccountName=" + un + "))"
    Attrs = ["displayName"]

    l = ldap.initialize(Server)
    l.protocol_version = 3
    # simple bind with the account under test; the bind result tuple is what the
    # run below prints as "(97, [], 1, [])" (97 = RES_BIND)
    print(l.simple_bind_s(DN, Secret))
    r = l.search(Base, Scope, Filter, Attrs)
    Type, user = l.result(r, 60)       # wait up to 60 s for the search result
    Name, entry_attrs = user[0]        # first matching entry: (dn, {attr: [values]})
    for i in ['displayName']:
        if i in entry_attrs:
            displayName = entry_attrs[i][0]
            print(displayName)

    l.unbind_s()
    sys.exit()
    ## script python stop ##

    ## running the script
    (rhodecode-venv)[repo@aprepo rhodecode]$ python ad_check_bind.py
    (97, [], 1, [])
    qwerty

  11. 11 Posted by bibo on 10 Oct, 2013 01:36 PM

    Hi All,

    I upgraded to RhodeCode 2.1.0 and I disabled celery in the production.ini file (use_celery = false).

    After that I followed the official doc at the link:

    https://rhodecode.com/help/kb/general-use/using-ldap-active-directory-authentication

    Now a new error pops up:

    2013-10-10 15:17:11.440 DEBUG [pylons.controllers.core] 'register' method raised HTTPException: HTTPFound (code: 302)
    Traceback (most recent call last):
      File "/var/www/repo/rhodecode-venv/lib/python2.6/site-packages/pylons/controllers/core.py", line 105, in _inspect_call
        result = self._perform_call(func, args)
      File "/var/www/repo/rhodecode-venv/lib/python2.6/site-packages/pylons/controllers/core.py", line 57, in _perform_call
        return func(**args)
      File "<string>", line 2, in register
      File "/var/www/repo/rhodecode-venv/lib/python2.6/site-packages/rhodecode/lib/auth.py", line 820, in __wrapper
        return func(*fargs, **fkwargs)
      File "/var/www/repo/rhodecode-venv/lib/python2.6/site-packages/rhodecode/controllers/login.py", line 192, in register
        return redirect(url('login_home'))
      File "/var/www/repo/rhodecode-venv/lib/python2.6/site-packages/pylons/controllers/util.py", line 208, in redirect
        raise exc(location=url).exception
    HTTPFound: The resource was found at
    2013-10-10 15:17:11.442 DEBUG [pylons.controllers.core] Controller returned a Response object, merging it with pylons.response

    The whole debug session is attached below.
    I would like to continue debugging my problem but I need some direction.

    Many thanks

    Bibo

  12. Support Staff 12 Posted by Marcin Kuzminski on 10 Oct, 2013 02:44 PM

    It's OK, this is how debug works on redirects; it's a special exception, HTTPFound().

  13. 13 Posted by bibo on 11 Oct, 2013 11:05 AM

    Hi Marcin,

    I thank you very much for your patience and for your help.
    Now it seems that I have no bugs in the RhodeCode configuration, and the user "ldapquerier" is a domain administrator with all possible grants.

    The user created is every time a local RhodeCode user and not a domain user.

    If I cannot use this configuration, is there another way to use domain credentials with RhodeCode?

    RhodeCode in the final configuration will be configured with Apache.

    The user RhodeCode creates is a local user and not a domain user.

    Is there another way to use domain credentials?
    In the final configuration RhodeCode will be configured with Apache.

    Best regards.

    Bibo

  14. Support Staff 14 Posted by Marcin Kuzminski on 11 Oct, 2013 11:10 AM

    Not sure if I understand this; can you explain more what the local user is and what the domain user is?

  15. 15 Posted by bibo on 14 Oct, 2013 08:48 AM

    Hello Marcin,

    Probably the best way to explain what I mean is to list the basic steps that I followed.

    - At the beginning I ran the command "paster setup-rhodecode production.ini"; in this step I created the user "admin" with password "password". By this user I mean a "local RhodeCode user" written into the RhodeCode database.

    After that

    - On the Active Directory domain controller I created a user called
    "ldapquerier".
    ldapquerier was created at the root of the LDAP tree and as a domain administrator with all possible grants.
    I know that read grants are sufficient, but I need a working configuration first; then I will improve it.

    - Again on the domain controller, in the OU "Sistemi" I created the test user "qwerty" with password "password". qwerty is a normal user with no special grants.

    - Now back in RhodeCode, I configure LDAP as suggested by the official documentation.

    https://rhodecode.com/help/kb/general-use/using-ldap-active-directory-authentication

    In particular, I put in the configurations:

    Enabled = v
    LDAP Host = ldap :/ / 172.16.30.225
    ...
    Account = ldapquerier
    ...
    Base DN = OU = Sistemi , DC = ces , DC = post
    LDAP Search Filter = <blank>
    Search Scope = LDAP SUBTREE

    Now I try to log in to RhodeCode using the domain user qwerty.

    RhodeCode complains that the user does not exist, so I use the admin user to add the user qwerty to the RhodeCode accounts list.

    Via the path RhodeCode -> Admin -> Users, click on "Add User".

    I fill in the form and I submit it. Now I can use the user qwerty in RhodeCode but its Auth type is "rhodecode" and not "LDAP".

    So the LDAP login does not work for my config and I cannot understand why.

    Sorry for the very long post.

    Best regards.

    Bibo

  16. Support Staff 16 Posted by Marcin Kuzminski on 15 Oct, 2013 09:49 AM

    Sorry for the late response. External account users are created automatically on the first login. So in order to create an LDAP account you should simply log in, and the special RhodeCode account should be created, bound to LDAP authentication.

    We don't yet offer importing users from the web interface. There are some import scripts created by others (using our API) but I haven't really tested them.

  17. 17 Posted by bibo on 15 Oct, 2013 01:07 PM

    Hi Marcin,

    I know that RhodeCode can't import users from LDAP, so after I created the user "qwerty" I tried to log in using that user but, as I wrote, "RhodeCode complains that the user does not exist".

    I tried to add the user "qwerty" using the web admin user interface because the automatic external user creation does not work on my system.

    Now I will reset everything and I will try again; I hope I made a mistake, because
    now the settings all seem OK.

    Thanks a lot

    bibo

  18. 18 Posted by bibo on 16 Oct, 2013 10:31 AM

    Hi Marcin,

    Thanks a lot, I found the mistakes that I made.

    The biggest error was
    "LDAP Host = ldap :/ / 172.16.30.225"
    rather than
    "LDAP Host = 172.16.30.225"
    in the LDAP authentication form.

    After that, in the file "production.ini" I set
    beaker.session.secure = true

    I do not know why, but using secure cookies I get only login failures;
    I can reproduce it.

    So again thank you very much, this problem can be closed.

    Best regards.

    Bibo
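The settings in posts 1, 15 and 18 differ only in details the form won't flag: a scheme pasted into the host field, spaces inside the base DN, an OU where a search filter belongs, and a PLAIN connection with certificate checks off. The checker below is an added example, not RhodeCode's code: the two dictionaries are copied from the thread's posts, the bare-host rule is what post 18 found, the parenthesised-filter rule and the value escaping are RFC 4515, and the warnings about PLAIN and certificate checks are a reviewer's, not anything RhodeCode reports. The field names are assumed from the form as quoted in the thread.

```python
import re

# Constructed from the thread: the first post's form and the later one from post 15.
POST1_SETTINGS = {
    'LDAP Host': 'dsrmalpha.cse.pos', 'Port': '389', 'Account': 'ccestaff\\ldapquerier',
    'Connection Security': 'PLAIN', 'Certificate Checks': 'NEVER',
    'Base DN': 'DC=cse,DC=pos', 'LDAP Search Filter': 'OU=Sistemi',
    'Login Attribute': 'sAMAccountName',
}
POST15_SETTINGS = {
    'LDAP Host': 'ldap :/ / 172.16.30.225', 'Port': '389', 'Account': 'ldapquerier',
    'Connection Security': 'PLAIN', 'Certificate Checks': 'NEVER',
    'Base DN': 'OU = Sistemi , DC = ces , DC = post', 'LDAP Search Filter': '',
    'Login Attribute': 'sAMAccountName',
}

SCHEME = re.compile(r'^(ldaps?)\s*:\s*/\s*/\s*(.*)$', re.IGNORECASE)


def normalize_host(value):
    """Return (host, scheme). The host field wants a bare host name or IP, so a
    pasted 'ldap://host' (or 'ldap :/ / host' as typed in post 15) is split apart."""
    host, scheme = value.strip(), None
    m = SCHEME.match(host)
    if m:
        scheme, host = m.group(1).lower(), m.group(2).strip()
    return host.rstrip('/'), scheme


def normalize_dn(value):
    """Collapse 'OU = Sistemi , DC = ces' to 'OU=Sistemi,DC=ces'; reject RDNs without '='."""
    rdns = []
    for rdn in value.split(','):
        if '=' not in rdn:
            raise ValueError('not an attribute=value pair: %r' % rdn)
        attr, val = rdn.split('=', 1)
        rdns.append('%s=%s' % (attr.strip(), val.strip()))
    return ','.join(rdns)


def escape_filter_value(value):
    """RFC 4515 escaping of a value placed inside a search filter, so a login name
    containing '*', '(' or ')' cannot change the filter's shape (backslash first)."""
    for ch, code in (('\\', '5c'), ('*', '2a'), ('(', '28'), (')', '29'), ('\x00', '00')):
        value = value.replace(ch, '\\' + code)
    return value


def build_user_filter(login_attr, username, extra_filter=''):
    """AND the configured search filter with the login-attribute match; an empty
    extra filter gives the plain match. A filter must be parenthesised (RFC 4515)."""
    match = '(%s=%s)' % (login_attr, escape_filter_value(username))
    extra = extra_filter.strip()
    if not extra:
        return match
    if not (extra.startswith('(') and extra.endswith(')')):
        raise ValueError('search filter must be a parenthesised LDAP filter such as '
                         '(objectClass=user), not %r' % extra)
    return '(&%s%s)' % (extra, match)


def check_settings(settings):
    """Normalize the settings and collect the warnings a reviewer would raise."""
    warnings = []
    host, scheme = normalize_host(settings['LDAP Host'])
    if scheme:
        warnings.append('LDAP Host contains a scheme (%s://); enter the bare host %r' % (scheme, host))
    try:
        base_dn = normalize_dn(settings['Base DN'])
    except ValueError as exc:
        warnings.append('Base DN is malformed: %s' % exc)
        base_dn = settings['Base DN']
    if base_dn != settings['Base DN']:
        warnings.append('Base DN had stray spaces; use %r' % base_dn)
    try:
        # '<login>' stands in for the name typed at the login form
        user_filter = build_user_filter(settings['Login Attribute'], '<login>',
                                        settings['LDAP Search Filter'])
    except ValueError as exc:
        warnings.append('LDAP Search Filter: %s' % exc)
        user_filter = None
    if settings['Connection Security'].upper() == 'PLAIN':
        warnings.append('Connection Security PLAIN sends the service-account and user '
                        'passwords in cleartext on the simple bind; use LDAPS or START_TLS')
    if settings['Certificate Checks'].upper() == 'NEVER':
        warnings.append('Certificate Checks NEVER disables server verification')
    return {'host': host, 'base_dn': base_dn, 'user_filter': user_filter, 'warnings': warnings}


if __name__ == '__main__':
    for name, cfg in (('post 1', POST1_SETTINGS), ('post 15', POST15_SETTINGS)):
        print(name, check_settings(cfg))
```

For the post 1 settings the checker refuses to build a user filter from "OU=Sistemi" (that value belongs in the base DN, which is how post 15 ended up using it), and for the post 15 settings it strips the scheme out of the host and the spaces out of the DN, the two fixes post 18 arrived at by hand; both sets get the PLAIN and certificate-check warnings.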

  19. Support Staff 19 Posted by Marcin Kuzminski on 16 Oct, 2013 10:34 AM

    Ahh, I missed that one also!

    Good that it's now solved!

    Not sure about the secure cookies stuff; if you wish you can open another ticket. I'm closing this one.

  20. Marcin Kuzminski closed this discussion on 16 Oct, 2013 10:34 AM.
