semaphoreui
Second login doesn't work. LDAP
Hello, I'm running the version v2.8.53. With LDAP active I have the same behavior described. In my opinion, it's because the LDAP user doesn't have username value inserted in the user table. So, the first-time login is OK because it creates the record and continues. But the second time the key in 'username' doesn't want an empty value and that stops the login process. Did you notice this behavior? It block my adoption using LDAP unfortunately
Originally posted by @lucmot in https://github.com/ansible-semaphore/semaphore/issues/808#issuecomment-1181710421
We had the same issue with Bolt. Switched using MariaDB and it got fixed. Relates to https://github.com/ansible-semaphore/semaphore/blob/develop/api/login.go#L165 and implementation of https://github.com/ansible-semaphore/semaphore/blob/develop/api/login.go#L170. It seems LDAP user get added into the database after first login as 'external' user (i.e. not using username/password stored in the database). It ends up https://github.com/ansible-semaphore/semaphore/blob/develop/api/login.go#L184 probably because https://github.com/ansible-semaphore/semaphore/blob/develop/api/login.go#L165 doesn't works correctly for external user that don't have their password store in the database...
I tried to use MariaDB instead of Mysql but the issue is the same. This happen only for one user and I'm not able to identify what is different from the others
@ccuz do you have any suggestion on how to work around that? I created the user in advance also with the same LDAP password, but I have still access denied at login. The stranger part is other users work fine, so I'm not able to recognize what is different. AD user seems equal to the other ones
Log into Semaphore as Admin and delete any existing 'local' user with the same username/userid as you would expect from LDAP, as the code doesn't work with both a local and a external user with the same userid. Also take care to have a correct mapping between LDAP uid and userid, such that external user (i.e. LDAP) can be created automatically
"ldap_searchfilter": "(&(uid=%s)(objectclass=organizationalPerson))",
"ldap_mappings": {
"dn": "dn",
"mail": "mail",
"uid": "uid",
"cn": "cn"
},
The ldap mappings is identical. I just used "(&(objectCategory=Person)(sAMAccountName=%s))" as ldap_searchfilter.
@ccuz do you have any suggestion on how to work around that? I created the user in advance also with the same LDAP password, but I have still access denied at login. The stranger part is other users work fine, so I'm not able to recognize what is different. AD user seems equal to the other ones
This sounds like PR #1027 could help you. I guess the second bind call works for some users because they have a special privilege to bind&search ldap. The PR #1027 is using only a ldap whoami operation for the user authenitcation check which does not require bind&search privilege. After successfull operation the original read-only ldap user uses bind again and searches for the ldap user.
Hi @lucmot , I merged PR of @flybyray which should solve your issue. Could you check it?