Cannot query LDAP to autenticate user


Johan Martinsson

Oct 30, 2012, 9:43:03 AM
to repo-d...@googlegroups.com
Hello,

I'm unable to configure LDAP properly.

I'm able to query my LDAP from the commandline:
ldapsearch -v -LLL -h degaine.cro.enalean.com -b 'ou=people,dc=cro,dc=enalean,dc=com' -D "cn=Nicolas Terray,ou=People,dc=cro,dc=enalean,dc=com" -w XXXXXX uid=nterray

But when I try to connect through Gerrit I get "LDAP authentication unavailable". And the log: 

[2012-10-30 12:03:26,461] ERROR com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to autenticate user
javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'OU=groups,DC=cro,DC=enalean,DC=com'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3112)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840)
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1849)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1789)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:412)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:394)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:376)
        at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
        at com.google.gerrit.server.auth.ldap.LdapQuery.query(LdapQuery.java:70)
        at com.google.gerrit.server.auth.ldap.Helper.queryForGroups(Helper.java:212)
        at com.google.gerrit.server.auth.ldap.LdapRealm.authenticate(LdapRealm.java:232)
        at com.google.gerrit.server.account.AccountManager.authenticate(AccountManager.java:113)
        at com.google.gerrit.httpd.auth.ldap.UserPassAuthServiceImpl.authenticate(UserPassAuthServiceImpl.java:70)
 

As side information, when I try a bad password I get "Incorrect username or password".

My config: 

[auth]
        type = LDAP
[ldap]
        server = ldap://degaine.cro.enalean.com
        accountBase = ou=people,DC=cro,DC=enalean,DC=com
        referral = follow
        groupBase = OU=groups,DC=cro,DC=enalean,DC=com
        accountFullName = cn
        accountEmailAddress = mail

Luthander, Fredrik

Oct 30, 2012, 9:50:07 AM
to Johan Martinsson, repo-d...@googlegroups.com

Hi Johan!

 

Under the [ldap] section, please try to set the username and password fields for the account/credentials which you want to use for LDAP queries as well. That should authenticate you successfully to be able to perform queries.

 

--

Best regards,

    Fredrik Luthander

Sony Mobile Communications AB

Johan Martinsson

Oct 30, 2012, 11:57:26 AM
to repo-d...@googlegroups.com, Johan Martinsson
Hi Fredrik

Thank you for your answer, however I'm not sure I understand why you suggest that I provide a username/password. My LDAP is configured for anonymous bind. In any case I did try what you suggested (username = cn=Nicolas Terray,ou=People,dc=cro,dc=enalean,dc=com) + password and got the exact same error.

Best regards
Johan

Luthander, Fredrik

Oct 31, 2012, 6:03:57 AM
to Johan Martinsson, repo-d...@googlegroups.com

Hej Johan!

 

I'm sorry, I really must've misread your error message. (When I read it now, it doesn't say what I thought it said last time, haha. Very confusing.)

 

I'm unfortunately a little bit out of ideas as to what you can do. Instinctively, I'd double check the casing on the OU value, what if the LDAP server is case sensitive.. OTOH, you've already made it work with the regular ldapsearch command with the exact same casing.

 

Sorry I can't be of any more help than this.. I don't have as much experience of LDAP as I wish I had. :)

Lundh, Gustaf

Oct 31, 2012, 6:14:58 AM
to Johan Martinsson, repo-d...@googlegroups.com

It seems your groupBase is a bit off since the user was found (if I read your stacktrace right). Try using the same parameters in ldapsearch, but query for memberOf instead:

 

ldapsearch "(memberOf=<a group cn you know exists>)" -b "<your groupBase>"

 

/G

 


Johan Martinsson

Nov 5, 2012, 3:48:56 AM
to repo-d...@googlegroups.com, Johan Martinsson
It turns out I had just misspelled "groups". Instead of
groupBase = OU=groups,DC=cro,DC=enalean,DC=com
it should be
groupBase = OU=group,DC=cro,DC=enalean,DC=com

Mohan .S

Apr 7, 2015, 6:53:04 AM
to repo-d...@googlegroups.com, martinss...@gmail.com


Hi Team,

 

I am trying to configure LDAP with Gerrit version 2.10.2, but I am getting the errors below. Kindly help me with this.

My gerrit.config settings are as follows:

[auth]
        type = LDAP
[ldap]
  accountBase = ou=people,dc=sisldomain,dc=com
  accountPattern = (&(objectClass=person)(uid=${username}))
  accountFullName = displayName
  accountEmailAddress = mail
  groupBase = ou=gerrit,dc=sisldomain,dc=com
  groupMemberPattern = (&(objectClass=group)(member=${dn}))

Only the highlighted part I have modified. But my Gerrit web shows the error: Authentication unavailable at this time.

Gerrit error.log is as follows:


[2015-04-07 16:06:38,385] ERROR com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to authenticate user

javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090728, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580]; remaining name 'ou=people,dc=sisldomain,dc=com'


Thanks,

Mohan

David Pursehouse

Apr 7, 2015, 6:58:44 AM
to Mohan .S, repo-d...@googlegroups.com, martinss...@gmail.com
Have you verified that the LDAP server is actually reachable?

Also, please note that it is not necessary to post the same question to
every LDAP related thread. Once is enough.


On 04/07/2015 07:53 PM, Mohan .S wrote:
>
> Hi Team,
>
> I am trying to configure LDAP with gerrit Version – 2.10.2, But getting
> below errors, Kindly help me on this,
>
> _My gerrit.config settings are follows,_
>
>
>
> [auth]
>
> type = LDAP
>
> [ldap]
>
> server = ldap://master.sisldomain.com
> accountBase = ou=people,dc=sisldomain,dc=com
>
> accountPattern = (&(objectClass=person)(uid=${username}))
>
> accountFullName = displayName
>
> accountEmailAddress = mail
>
> groupBase = ou=gerrit,dc=sisldomain,dc=com
> groupMemberPattern = (&(objectClass=group)(member=${dn}))
>
>
>
> Only highlighted part I have modified. But My Gerrit web shows
> → *Authentication unavailable at this time.* Error.
>
> _
> _
> _Gerrit error.log as follows,_
>
>
> [2015-04-07 16:06:38,385] ERROR
> com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to
> authenticate user
>
> javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr:
> DSID-0C090728, comment: In order to perform this operation a successful
> bind must be completed on the connection., data 0, v2580]; remaining
> name 'ou=people,dc=sisldomain,dc=com'
>
>
> Thanks,
>
> Mohan
> --
> ---
> You received this message because you are subscribed to the Google
> Groups "Repo and Gerrit Discussion" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to repo-discuss...@googlegroups.com
> <mailto:repo-discuss...@googlegroups.com>.
> For more options, visit https://groups.google.com/d/optout.

Mohan .S

Apr 7, 2015, 7:17:21 AM
to repo-d...@googlegroups.com, moha...@gmail.com, martinss...@gmail.com
Hi David,

Yes LDAP server is pinging. No problem with LDAP Server access.

Do I need to update in MYSQL database for LDAP Authentication?

-Mohan

Mohan .S

Apr 7, 2015, 7:21:23 AM
to repo-d...@googlegroups.com, moha...@gmail.com, martinss...@gmail.com
Hi David,

Yes LDAP server is pinging. No problem with LDAP Server access.

Do I need to update in MYSQL database for LDAP Authentication? Because earlier my Gerrit setting was pointing to HTTP.

  [auth]
    type = HTTP
    gitBasicAuth = true 

Mohan

Aug 16, 2016, 4:26:19 AM
to Jacek Ziora, Repo and Gerrit Discussion, martinss...@gmail.com
Hi Jacek,

Update your gerrit.config file like below and try,

[auth]
  type = LDAP
  gitBasicAuth = true
[ldap]
    server = ldap://YOURLDAPSERVER.com
    username = mo...@YOURDOMAIN.com
    password = mohan@123
    accountBase = ou=Users,dc=YOURDOMAIN,dc=com
    groupBase = ou=Users,dc=YOURDOMAIN,dc=com
    accountPattern = (&(objectClass=person)(sAMAccountName=${username}))

    accountFullName = displayName
    accountEmailAddress = mail
    accountSshUserName = sAMAccountName
    groupMemberPattern = (sAMAccountName=${username})
    localUsernameToLowerCase = true

Note: Update your domain & user credentials.

Thanks,
Mohan

On Tue, Aug 16, 2016 at 1:29 PM, Jacek Ziora <jacek.ad...@gmail.com> wrote:
Hello,

I didn't want to create a new thread because my problem is similar to this topic.
So my Gerrit just stopped working and the error I get now is:

[HTTP-48] ERROR com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to authenticate user
javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]

To my knowledge, nothing changed on the LDAP side, because other services work. So what could change on the Gerrit side and cause this problem?

Best regards,
Jacek Ziora

Jacek Ziora

Aug 16, 2016, 4:33:01 AM
to Repo and Gerrit Discussion, jacek.ad...@gmail.com, martinss...@gmail.com
Hi Mohan,

Thanks for the answer, but the problem was easy and ridiculous. Somebody changed the password for my user (it is a common user) and didn't tell me.

Best regards,
Jacek
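
Added example (not part of any post in this thread, and not Gerrit's own code): a triage script for the three LDAP result codes reported above (32, 1 and 49) that matches the logged "remaining name" against accountBase and groupBase to show which gerrit.config key the error points at. The function names are hypothetical; the sample config and log lines are copied from the posts above.

```python
import re

# Sample input copied from posts in this thread: Johan's config, three logged errors.
SAMPLE_CONFIG = """\
[auth]
        type = LDAP
[ldap]
        accountBase = ou=people,DC=cro,DC=enalean,DC=com
        groupBase = OU=groups,DC=cro,DC=enalean,DC=com
"""
SAMPLE_LOG = """\
javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'OU=groups,DC=cro,DC=enalean,DC=com'
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090728, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580]; remaining name 'ou=people,dc=sisldomain,dc=com'
javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
"""
ERR = re.compile(r"\[LDAP: error code (\d+) - ([^\]]*)\](?:; remaining name '([^']*)')?")

def norm_dn(dn):
    # Case-insensitive DN compare, spaces around commas ignored (escaped commas not handled).
    return ",".join(part.strip().lower() for part in dn.split(","))

def ldap_section(config_text):
    """Return the keys of the [ldap] section, lower-cased, as a dict."""
    section, out = None, {}
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "ldap" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out

def diagnose(log_text, cfg):
    """Return (result code, matching base-DN key or None, hint) per logged error."""
    findings = []
    for code, text, name in ERR.findall(log_text):
        key = next((k for k in ("accountbase", "groupbase")
                    if name and norm_dn(cfg.get(k, "")) == norm_dn(name)), None)
        if code == "32":
            hint = "search base does not exist on the server; check the DN spelling"
        elif code == "1" and "successful bind" in text:
            hint = "server refuses unauthenticated search; set ldap.username and ldap.password"
        elif code == "49":
            hint = "bind rejected; check the credentials Gerrit binds with"
        else:
            hint = "unclassified"
        findings.append((int(code), key, hint))
    return findings
```

Gerrit also reads etc/secure.config, which is the intended place for ldap.password rather than gerrit.config.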