Unable to Login Using LDAP Credentials


Kuldeep singh

Jun 23, 2014, 8:25:33 AM
to revie...@googlegroups.com
Hi,
I have configured LDAP information on Admin UI as:

Authentication Method: LDAP
LDAP Server:ldap://xxxxxx:389
Username Attribute:ou=XX,dc=XX,dc=co,dc=in

But when I tried to log in with valid credentials it says "Please enter a correct username and password. Note that both fields may be case-sensitive." and the error log says:

[Mon Jun 23 11:39:29 2014] [error] WARNING:root:LDAP error: {'info': '000004DC: LdapErr: DSID-0C090724, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0', 'desc': 'Operations error'}

Please help.

Thanks

Kuldeep Singh

Stephen Gallagher

Jun 23, 2014, 8:53:41 AM
to revie...@googlegroups.com
On 06/23/2014 08:25 AM, Kuldeep singh wrote:
> Hi,
> I have configured LDAP information on Admin UI as:
>
> Authentication Method: LDAP
> LDAP Server:ldap://xxxxxx:389
> Username Attribute:ou=XX,dc=XX,dc=co,dc=in
>
> But when I tried to login with valid credentials it says Please enter a
> correct username and password. Note that both fields may be
> case-sensitive.and error log says
>
> [Mon Jun 23 11:39:29 2014] [error] WARNING:root:LDAP error: {'info':
> '000004DC: LdapErr: DSID-0C090724, comment: In order to perform this
> operation a successful bind must be completed on the connection., data
> 0, v23f0', 'desc': 'Operations error'}
>

This error means that your LDAP server doesn't allow Review Board to
perform an anonymous search against it. Review Board needs to be able to
do this in order to properly look up the user account before it can
authenticate.

What you need to do is provide a username and password that Review Board
can bind as.

If you're using Review Board 1.x, this will be the "Anonymous" bind
account and password. In Review Board 2, we labeled this more correctly
as "Review Board LDAP Bind Account".

Kuldeep singh

Jun 23, 2014, 9:37:01 AM
to revie...@googlegroups.com
Hi Stephen,

Thank you for your reply.
Is there any way to disable anonymous search?

Kuldeep

Stephen Gallagher

Jun 23, 2014, 9:56:34 AM
to revie...@googlegroups.com
On 06/23/2014 09:37 AM, Kuldeep singh wrote:
> Hi Stephen,
>
> Thank you for your reply.
> Is there any way to disable anonymous search?
>

No, it's necessary[1] for proper lookup of a user. The 1.x format of
using user DN masks is completely broken and doesn't work in most
environments. The only correct way to translate a username into a proper
DN is to do a search on that username and use the resulting DN.

[1] It's not actually an anonymous search, which is why I changed the
name in 2.0. It's a bound search with a special user for the Review
Board. So it's auditable and trackable.
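
The search-then-bind flow described in the reply above, next to a DN-mask login, as an added example that is not part of the original thread and is not Review Board's code. It runs against a constructed in-memory directory instead of a real LDAP client library; `FakeDirectory`, the `%s` mask format, the function names and all DNs and passwords are hypothetical.

```python
# Constructed sample data: users in different OUs plus a bind (service) account.
ENTRIES = {
    "cn=rb-bind,ou=Services,dc=example,dc=com": {"uid": "rb-bind", "password": "svc-secret"},
    "cn=Alice A,ou=Eng,dc=example,dc=com": {"uid": "alice", "password": "alice-pw"},
    "cn=Bob B,ou=Sales,dc=example,dc=com": {"uid": "bob", "password": "bob-pw"},
}
ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def escape_filter_value(value):
    """RFC 4515 escaping, so a typed username cannot change the search filter."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)

class FakeDirectory:
    """Hypothetical in-memory stand-in for a server that refuses unbound searches."""
    def __init__(self, entries):
        self.entries, self.bound_as = entries, None

    def bind(self, dn, password):
        entry = self.entries.get(dn)
        ok = bool(password) and entry is not None and entry["password"] == password
        self.bound_as = dn if ok else None
        return ok

    def search_uid(self, escaped_uid):
        if self.bound_as is None:
            raise PermissionError("a successful bind must be completed on the connection")
        if escaped_uid == "*":  # an unescaped wildcard would match every entry
            return list(self.entries)
        return [dn for dn, e in self.entries.items()
                if escape_filter_value(e["uid"]) == escaped_uid]

def login_with_dn_mask(directory, mask, username, password):
    """Mask-style login: guesses the DN, so it fails when the guess is wrong."""
    return directory.bind(mask % username, password)

def login_search_then_bind(directory, bind_dn, bind_pw, username, password):
    """Bind as the service account, look up the user's DN, then bind as the user."""
    if not password:  # never send an empty password to the directory
        return None
    if not directory.bind(bind_dn, bind_pw):
        raise RuntimeError("bind account rejected")
    matches = directory.search_uid(escape_filter_value(username))
    if len(matches) != 1:  # unknown or ambiguous username: refuse
        return None
    return matches[0] if directory.bind(matches[0], password) else None
```

With this sample data the mask `uid=%s,ou=Eng,dc=example,dc=com` rejects alice's correct password because her real DN starts with `cn=Alice A`, while the search-then-bind path finds her DN first and then authenticates against it.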

Kuldeep singh

Jun 24, 2014, 3:38:17 AM
to revie...@googlegroups.com
Hi Stephen,

I provided Bind User credentials, but now the error log is displaying a different error:
[Tue Jun 24 07:26:53 2014] [error] WARNING:root:LDAP error: {'info': '00002028: LdapErr: DSID-0C090203, comment: The server requires binds to turn on integrity checking if SSL\\\\TLS are not already active on the connection, data 0, v23f0', 'desc': 'Strong(er) authentication required'}

Please let me know if any server certificate is required for authentication.

Stephen Gallagher

Jun 27, 2014, 11:16:07 AM
to revie...@googlegroups.com
On 06/24/2014 03:38 AM, Kuldeep singh wrote:
> Hi Stephen,
>
> I provided Bind User credentials but now error log displaying different
> *[Tue Jun 24 07:26:53 2014] [error] WARNING:root:LDAP error: {'info':
> '00002028: LdapErr: DSID-0C090203, comment: The server requires binds to
> turn on integrity checking if SSL\\\\TLS are not already active on the
> connection, data 0, v23f0', 'desc': 'Strong(er) authentication required'}
> *
> Please let me know if any server certificate required for authentication.
>


Yes, what your server is doing is telling you that it won't allow you to
bind over an unencrypted connection. This means that you need to set
Review Board up to use either an ldaps:// (SSL) connection or use TLS.
This will also mean setting up your Review Board server to be capable of
trusting the CA certificate that was used to sign the LDAP server
certificate (this has to be left as an exercise to the reader, as it's
different on different systems, even different Linux systems. Contact
your system administrator for help).

Kuldeep singh

Jun 30, 2014, 1:05:46 AM
to revie...@googlegroups.com
Hi Stephen Gallagher,
I have changed ldap:// to ldaps:// and http:// to https://. But it's still not working, saying "WARNING -  - LDAP error: {'info': 'A TLS packet with unexpected length was received.', 'desc': "Can't contact LDAP server"}"

I don't know why it's happening. I received a certificate from the System Admin, placed it in /etc/ssl/certs/, and set the path to "TLS_CACERT    /etc/ssl/certs/dc4.cer" in ldap.conf.

Please help

Kuldeep

Stephen Gallagher

Jun 30, 2014, 7:39:48 AM
to revie...@googlegroups.com
On 06/30/2014 01:05 AM, Kuldeep singh wrote:
> Hi Stephen Gallagher,
> I have changed ldap:// to ldaps:// and http:// to https://. But its
> still not working saying *"WARNING - - LDAP error: {'info': 'A TLS
> packet with unexpected length was received.', 'desc': "Can't contact
> LDAP server"}"*
>

HTTPS is irrelevant. If you're getting 'A TLS packet with unexpected
length was received.' then you're trying to use LDAPS against a
non-LDAPS port. Make sure your LDAP server supports LDAPS on the port
you connect to (or change the port to one that does).
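
A way to check the two conditions raised in the last two replies (whether the port answers a TLS handshake at connect time, and whether the server certificate verifies against the CA file) before changing Review Board's settings. This is an added example, not part of the original thread; it uses only the Python standard library, and the function names and status strings are hypothetical.

```python
import socket
import ssl

def probe_ldaps(host, port, cafile=None, timeout=5.0):
    """Attempt an immediate TLS handshake, as an ldaps:// client would.

    Returns "tls-ok" (handshake and certificate verification succeeded),
    "tls-untrusted" (TLS answered, but the certificate did not verify
    against cafile or the system trust store), "not-tls" (the port replied
    with something other than TLS), "timeout", or "unreachable".
    """
    ctx = ssl.create_default_context(cafile=cafile)  # cafile must be PEM
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls-ok"
    except ssl.SSLCertVerificationError:
        return "tls-untrusted"
    except socket.timeout:
        return "timeout"
    except (ssl.SSLError, OSError):
        # Typical result when ldaps:// is pointed at a plain LDAP port.
        return "not-tls"
    finally:
        raw.close()

def diagnose(host, ports=(389, 636), cafile=None, timeout=5.0):
    """Probe the standard LDAP (389) and LDAPS (636) ports and report each."""
    return {port: probe_ldaps(host, port, cafile, timeout) for port in ports}

if __name__ == "__main__":
    import sys
    # Usage: python probe.py <ldap-host> [path-to-ca.pem]
    target = sys.argv[1]
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    for port, status in diagnose(target, cafile=ca).items():
        print(port, status)
```

A "not-tls" result on the port used in the ldaps:// URL matches the wrong-port case described above; "tls-untrusted" points at the CA trust setup instead.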
