
LDAP configuration stopped working #348

Open
devasmith opened this issue Sep 19, 2024 · 5 comments · May be fixed by #351
Labels
bug Something isn't working

Comments

@devasmith
Contributor

devasmith commented Sep 19, 2024

Hi. Since upgrading to 5.0.0-beta.101 it seems like the LDAP authentication stopped working.

I have validated that all the LDAP files within /run/config/netbox and /run/secrets/netbox/ldap_bind_password are identical to previous version 5.0.0-beta.82.

Unfortunately, logging seems to be silent and is not outputting anything related to the failed LDAP login attempts.

Ref: #340

@LeoColomb
Member

Thanks for opening this issue @devasmith.
Let's investigate more this time.

  • What do you mean exactly by "stopped working"?
  • When was the last version your configuration worked?
  • Can you provide your remote auth values?
  • Do you have access to your LDAP server's log?

@devasmith
Contributor Author

devasmith commented Sep 23, 2024

> Thanks for opening this issue @devasmith. Let's investigate more this time.
>
>   • What do you mean exactly by "stopped working"?

When authenticating I am prompted for my credentials, but when I try to log in with correct credentials I receive "Please enter a correct username and password. Note that both fields may be case-sensitive."

>   • When was the last version your configuration worked?

netbox-5.0.0-beta.82

>   • Can you provide your remote auth values?

/run/config/netbox/ldap.yml

```yaml
AUTH_LDAP_SERVER_URI: "ldap://ipa.example.com"
AUTH_LDAP_BIND_DN: "uid=ldap_search,cn=users,cn=accounts,dc=example,dc=com"
AUTH_LDAP_START_TLS: true
LDAP_IGNORE_CERT_ERRORS: false
LDAP_CA_CERT_FILE: /etc/netbox/config/ldap/ldap_ca.crt
AUTH_LDAP_USER_DN_TEMPLATE: uid=%(user)s,cn=users,cn=accounts,dc=example,dc=com
AUTH_LDAP_USER_SEARCH_BASEDN: "cn=users,cn=accounts,dc=example,dc=com"
AUTH_LDAP_USER_SEARCH_ATTR: "sAMAccountName"
AUTH_LDAP_GROUP_SEARCH_BASEDN: "cn=groups,cn=accounts,dc=example,dc=com"
AUTH_LDAP_GROUP_SEARCH_CLASS: "groupOfNames"
AUTH_LDAP_GROUP_TYPE: "GroupOfNamesType"
AUTH_LDAP_REQUIRE_GROUP: "cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com"
AUTH_LDAP_FIND_GROUP_PERMS: true
AUTH_LDAP_MIRROR_GROUPS: true
AUTH_LDAP_MIRROR_GROUPS_EXCEPT: null
AUTH_LDAP_CACHE_TIMEOUT: 3600
```

>   • Do you have access to your LDAP server's log?

In the logs I see an error message in the slapd access log that the operation failed due to failed credentials (err 49). Unfortunately it doesn't say much more than this.

```
[23/Sep/2024:08:47:12.406269472 +0200] conn=922230 TLS1.3 128-bit AES-GCM
[23/Sep/2024:08:47:12.406539315 +0200] conn=922230 op=1 BIND dn="uid=foobar,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[23/Sep/2024:08:47:12.407446043 +0200] conn=922230 op=1 RESULT err=49 tag=97 nentries=0 wtime=0.005224359 optime=0.000915039 etime=0.006136950
[23/Sep/2024:08:47:12.408967481 +0200] conn=922230 op=2 UNBIND
[23/Sep/2024:08:47:12.408998648 +0200] conn=922230 op=2 fd=388 closed error - U1
```
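The access-log excerpt above carries the one fact the directory gives: the BIND on the user's DN was answered with err=49 (invalidCredentials), which the server returns for the bind itself, before any group lookup the client would do afterwards. The following added script is not from this thread, from NetBox or from 389-ds; it pairs each BIND with the RESULT for the same conn/op and summarises failed binds per DN, which lets an operator see which accounts are being rejected at the bind step. The sample lines are the ones posted above plus one constructed successful bind; RESULT_NAMES lists only a handful of standard LDAP result codes, and the function and constant names are the example's own.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample input: the access-log lines posted in the issue, followed by one
# constructed successful bind so that both outcomes appear in the report.
SAMPLE_ACCESS_LOG = """\
[23/Sep/2024:08:47:12.406269472 +0200] conn=922230 TLS1.3 128-bit AES-GCM
[23/Sep/2024:08:47:12.406539315 +0200] conn=922230 op=1 BIND dn="uid=foobar,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[23/Sep/2024:08:47:12.407446043 +0200] conn=922230 op=1 RESULT err=49 tag=97 nentries=0 wtime=0.005224359 optime=0.000915039 etime=0.006136950
[23/Sep/2024:08:47:12.408967481 +0200] conn=922230 op=2 UNBIND
[23/Sep/2024:08:47:12.408998648 +0200] conn=922230 op=2 fd=388 closed error - U1
[23/Sep/2024:08:47:13.100000000 +0200] conn=922231 op=0 BIND dn="uid=ldap_search,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[23/Sep/2024:08:47:13.101000000 +0200] conn=922231 op=0 RESULT err=0 tag=97 nentries=0 etime=0.001000000
"""

# A few standard LDAP result codes (RFC 4511) that matter when reading bind results.
RESULT_NAMES: Dict[int, str] = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# Access-log line shape: "[timestamp] conn=N [op=M] <rest>"; connection-level lines have no op.
_LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
_DN_RE = re.compile(r'\bdn="(?P<dn>[^"]*)"')
_ERR_RE = re.compile(r'\berr=(?P<err>\d+)')


def bind_results(lines: Iterable[str]) -> List[dict]:
    """Pair each BIND with the RESULT for the same (conn, op); one record per completed bind."""
    pending: Dict[tuple, dict] = {}
    results: List[dict] = []
    for line in lines:
        m = _LINE_RE.match(line.strip())
        if not m or m.group("op") is None:
            continue  # TLS negotiation, close and other connection-level lines carry no op
        key = (int(m.group("conn")), int(m.group("op")))
        rest = m.group("rest")
        keyword = rest.split(" ", 1)[0]
        if keyword == "BIND":
            dn = _DN_RE.search(rest)
            pending[key] = {
                "conn": key[0], "op": key[1], "ts": m.group("ts"),
                "dn": dn.group("dn") if dn else "",  # an anonymous bind is logged as dn=""
            }
        elif keyword == "RESULT" and key in pending:
            record = pending.pop(key)
            err = _ERR_RE.search(rest)
            record["err"] = int(err.group("err")) if err else -1
            record["err_name"] = RESULT_NAMES.get(record["err"], "unknown")
            results.append(record)
    return results


def failures_by_dn(results: Iterable[dict]) -> Counter:
    """Count failed binds per DN; one DN failing repeatedly reads differently from many DNs failing once."""
    return Counter(r["dn"] for r in results if r["err"] != 0)


if __name__ == "__main__":
    recs = bind_results(SAMPLE_ACCESS_LOG.splitlines())
    for r in recs:
        print(f'conn={r["conn"]} op={r["op"]} dn="{r["dn"]}" err={r["err"]} ({r["err_name"]})')
    print("failed binds per DN:", dict(failures_by_dn(recs)))
```

Run against a real access log (`bind_results(open(path))`), the per-DN counter separates a client whose DN template no longer matches (every user fails, bind DN included or not) from a single account with a wrong password, without needing more verbose server logging.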

@LeoColomb
Member

LeoColomb commented Sep 24, 2024

Thanks for your detailed answer.

I see your LDAP values are using the former AUTH_LDAP_REQUIRE_GROUP instead of AUTH_LDAP_REQUIRE_GROUP_LIST.
I'm going to ensure this former value can still be used in a PR to come.

Meanwhile, can you try adding the following var to your /run/config/netbox/ldap.yml?

```yaml
# Same value as AUTH_LDAP_REQUIRE_GROUP, but inside an array.
AUTH_LDAP_REQUIRE_GROUP_LIST: [ "cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com" ]
```

@LeoColomb LeoColomb linked a pull request Sep 24, 2024 that will close this issue
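The key change described above (the scalar AUTH_LDAP_REQUIRE_GROUP replaced by the list-valued AUTH_LDAP_REQUIRE_GROUP_LIST) is the kind of rename worth checking before a deploy rather than discovering at the login form. The script below is an added example, not code from the NetBox chart, from this thread or from the linked PR: parse_flat_yaml reads only the flat `KEY: value` subset shown in the issue (it is not a full YAML parser), and normalize_require_group, the two sample YAML strings and all names are the example's own.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample input: the pre-beta.101 shape of /run/config/netbox/ldap.yml
# from the issue, still using the scalar AUTH_LDAP_REQUIRE_GROUP key.
LEGACY_LDAP_YML = """\
AUTH_LDAP_SERVER_URI: "ldap://ipa.example.com"
AUTH_LDAP_START_TLS: true
LDAP_IGNORE_CERT_ERRORS: false
AUTH_LDAP_USER_DN_TEMPLATE: uid=%(user)s,cn=users,cn=accounts,dc=example,dc=com
AUTH_LDAP_REQUIRE_GROUP: "cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com"
AUTH_LDAP_MIRROR_GROUPS_EXCEPT: null
AUTH_LDAP_CACHE_TIMEOUT: 3600
"""

# Constructed sample input: the line suggested in the thread, using the list key.
LIST_LDAP_YML = """\
# Same value as AUTH_LDAP_REQUIRE_GROUP, but inside an array.
AUTH_LDAP_REQUIRE_GROUP_LIST: [ "cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com" ]
"""

LEGACY_KEY = "AUTH_LDAP_REQUIRE_GROUP"
LIST_KEY = "AUTH_LDAP_REQUIRE_GROUP_LIST"

# One flow-sequence item: double-quoted, single-quoted, or a bare comma-free token.
_ITEM_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'|([^,\s]+)')


def _scalar(raw: str) -> Any:
    """Convert one value from the flat YAML subset used in ldap.yml (hypothetical helper)."""
    raw = raw.strip()
    if raw.startswith("[") and raw.endswith("]"):
        items: List[Any] = []
        for dq, sq, bare in _ITEM_RE.findall(raw[1:-1]):
            # Quoted items stay strings (commas inside a DN are preserved);
            # bare items go through the same typing as top-level scalars.
            items.append(_scalar(bare) if bare else (dq or sq))
        return items
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    lowered = raw.lower()
    if lowered == "true":
        return True
    if lowered == "false":
        return False
    if lowered in ("null", "~", ""):
        return None
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw  # unquoted DNs and templates are left as-is


def parse_flat_yaml(text: str) -> Dict[str, Any]:
    """Parse 'KEY: value' lines (no nesting, no inline comments); not a full YAML parser."""
    config: Dict[str, Any] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a key/value line: {line!r}")
        config[key.strip()] = _scalar(value)
    return config


def normalize_require_group(config: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Fold the legacy scalar key into the list key and report what was done.

    Returns a copy of the config plus human-readable notes; the caller decides
    whether a note is a warning or a reason to refuse the deploy.
    """
    out = dict(config)
    notes: List[str] = []
    legacy = out.pop(LEGACY_KEY, None)
    required = out.get(LIST_KEY)
    if isinstance(required, str):
        required = [required]
        notes.append(f"{LIST_KEY} was a scalar; wrapped in a one-element list")
    if required:
        if legacy and legacy not in required:
            notes.append(f"both keys set; ignoring {LEGACY_KEY}={legacy!r} in favour of {LIST_KEY}")
    elif legacy:
        required = [legacy]
        notes.append(f"{LEGACY_KEY} is the former spelling; folded into {LIST_KEY}")
    else:
        required = None
        notes.append("no required group configured; group membership will not be enforced at login")
    if required is not None:
        out[LIST_KEY] = required
    return out, notes


if __name__ == "__main__":
    for label, text in (("legacy", LEGACY_LDAP_YML), ("list", LIST_LDAP_YML)):
        cfg, notes = normalize_require_group(parse_flat_yaml(text))
        print(label, cfg.get(LIST_KEY), notes)
```

The point of the notes list is the third branch: a loader that reads only the new key and finds the old one sees no group requirement at all, and nothing in the login flow says so. Surfacing that at config-load time, as this check does, keeps a spelling change from silently widening who is allowed to log in.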
@devasmith
Contributor Author

> Thanks for your detailed answer.
>
> I see your LDAP values are using the former AUTH_LDAP_REQUIRE_GROUP instead of AUTH_LDAP_REQUIRE_GROUP_LIST. I'm going to ensure this former value can still be used in a PR to come.
>
> Meanwhile, can you try adding the following var to your /run/config/netbox/ldap.yml?
>
> ```yaml
> # Same value as AUTH_LDAP_REQUIRE_GROUP, but inside an array.
> AUTH_LDAP_REQUIRE_GROUP_LIST: [ "cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com" ]
> ```

Hi, sorry, I haven't had time to look into this yet. I don't know if I can test this easily, as I would need to modify the contents inside the container.

@LeoColomb
Member

No worries @devasmith.
If it's easier, you can also try the change in #351 as an alternative.

@LeoColomb LeoColomb added the bug Something isn't working label Sep 30, 2024
2 participants