LDAP authentication problem. It finds the user, but does not connect. #3212

DavidRisen opened this issue Jan 26, 2025 · 10 comments

@DavidRisen

DavidRisen commented Jan 26, 2025

Hello,

I have configured the LDAP settings as shown below. The issue is that even with a valid login and password, an error occurs.
It finds the user, but for some reason cannot retrieve their identifier. In my Active Directory there is no 'userId' field.
In my case, the user's identifier is stored in sAMAccountName. Perhaps it cannot handle characters like CN=Теляков К.Н.?
But I haven't encountered this problem with any other service. I have already set up more than 10 LDAP services and there were no issues.

For example, let's take Portainer, which does not cause any issues and might help in understanding the core of the problem:
LDAP Server: personal.aurus.dom:389
Reader DN: CN=Иванов И. И.,OU=otdel10,OU=korpus 24,DC=personal,DC=aurus,DC=dom
Password: **************
Base DN: OU=otdel10,OU=korpus 24,DC=personal,DC=aurus,DC=dom
Username attribute: sAMAccountName
Filter: (objectClass=user)

The LDAP settings in cloudbeaver.conf (version 24.3.3):

authConfigurations: [
{
"id": "ldap",
"provider": "ldap",
"displayName": "LDAP",
"disabled": false,
"iconURL": "",
"description": "",
"parameters": {
"ldap-host": "personal.aurus.dom",
"ldap-port": "389",
"ldap-login": "sAMAccountName",
"ldap-dn": "OU=otdel10,OU=korpus 24,DC=personal,DC=aurus,DC=dom",
"ldap-identifier-attr": "sAMAccountName",
"ldap-bind-user": "CN=Иванов И. И.,OU=otdel10,OU=korpus 24,DC=personal,DC=aurus,DC=dom",
"ldap-bind-user-pwd": "************",
"ldap-filter": "(objectClass=user)"
}
}
]

Error:
User authentication failed:
LDAP authentication failed: LDAP authentication failed: Failed to determine userId from user DN: CN=Теляков К. Н.,OU=otdel10,OU=korpus 24,DC=personal,DC=aurus,DC=dom
org.jkiss.dbeaver.DBException: Failed to determine userId from user DN: CN=Теляков К. Н.,OU=otdel10,OU=korpus 24,DC=personal,DC=aurus,DC=dom
at io.cloudbeaver.service.ldap.auth.LdapAuthProvider.findUserNameFromDN(LdapAuthProvider.java:217)
at io.cloudbeaver.service.ldap.auth.LdapAuthProvider.authenticateLdap(LdapAuthProvider.java:334)
at io.cloudbeaver.service.ldap.auth.LdapAuthProvider.validateAndLoginUserAccessByUsername(LdapAuthProvider.java:113)
at io.cloudbeaver.service.ldap.auth.LdapAuthProvider.authExternalUser(LdapAuthProvider.java:78)
at io.cloudbeaver.service.security.CBEmbeddedSecurityController.authenticate(CBEmbeddedSecurityController.java:1570)
at io.cloudbeaver.service.auth.impl.WebServiceAuthImpl.authLogin(WebServiceAuthImpl.java:92)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:569)

@EvgeniaBzzz
Contributor

Hi @DavidRisen
Thank you for the report. We need some more time to investigate your issue.

@EvgeniaBzzz
Contributor

At the moment I can only say that the problem is not in the Cyrillic characters (in either CN part). I tried to set up the same configuration and everything worked.

@DavidRisen
Author

Hi @EvgeniaBzzz
Thank you for your reply. Then could you tell me your guesses as to why it might not work? I have configured many services with LDAP authentication and only CloudBeaver has problems. Maybe you need some information that would help you find the problem more quickly?

@hardened-user

Same problem

            "authConfigurations": [
                {
                    "id": "ldap",
                    "provider": "ldap",
                    "displayName": "LDAP",
                    "disabled": false,
                    "iconURL": "",
                    "description": "",
                    "parameters": {
                        "ldap-host": "10.10.27.10",
                        "ldap-port": "389", 
                        "ldap-bind-user": "CN=cloud_beaver,OU=ServiceAccounts,OU=Users,OU=GRP,DC=dom,DC=corp",
                        "ldap-bind-user-pwd": "${LDAP_PASS}",
                        "ldap-dn": "OU=Users,OU=GRP,DC=dom,DC=corp",
                        "ldap-login": "sAMAccountName",
                        "ldap-identifier-attr": "sAMAccountName",
                        "ldap-filter": "(&(objectCategory=Person)(sAMAccountName=*))"
                    }
                }
            ],

CE v24.2.5

User authentication failed:
LDAP user access validation by filter failed: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100288, problem 2001 (NO_OBJECT), data 0, best match of:
        'OU=Users,OU=GRP,DC=dom,DC=corp'
]
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100288, problem 2001 (NO_OBJECT), data 0, best match of:
        'OU=Users,OU=GRP,DC=dom,DC=corp'
]; remaining name 'cn=cloud_beaver,OU=Users,OU=GRP,DC=dom,DC=corp'
        at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3285)
        at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3206)
        at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2997)
        at java.naming/com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1875)
        at java.naming/com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1798)
        at java.naming/com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
        at java.naming/com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
        at java.naming/com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
        at java.naming/javax.naming.directory.InitialDirContext.search(InitialDirContext.java:296)
        at io.cloudbeaver.service.ldap.auth.LdapAuthProvider.validateUserAccess(LdapAuthProvider.java:127)
        at io.cloudbeaver.service.ldap.auth.LdapAuthProvider.authExternalUser(LdapAuthProvider.java:84)
        at io.cloudbeaver.service.security.CBEmbeddedSecurityController.authenticate(CBEmbeddedSecurityController.java:1557)
        at io.cloudbeaver.service.auth.impl.WebServiceAuthImpl.authLogin(WebServiceAuthImpl.java:92)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:569)

CE v24.3.4

User authentication failed:
LDAP authentication failed: LDAP authentication failed: Failed to determine userId from user DN: CN=cloud_beaver,OU=ServiceAccounts,OU=Users,OU=GRP,DC=dom,DC=corp
org.jkiss.dbeaver.DBException: Failed to determine userId from user DN: CN=cloud_beaver,OU=ServiceAccounts,OU=Users,OU=GRP,DC=dom,DC=corp
        at io.cloudbeaver.service.ldap.auth.LdapAuthProvider.findUserNameFromDN(LdapAuthProvider.java:217)
        at io.cloudbeaver.service.ldap.auth.LdapAuthProvider.authenticateLdap(LdapAuthProvider.java:334)
        at io.cloudbeaver.service.ldap.auth.LdapAuthProvider.validateAndLoginUserAccessByUsername(LdapAuthProvider.java:113)
        at io.cloudbeaver.service.ldap.auth.LdapAuthProvider.authExternalUser(LdapAuthProvider.java:78)
        at io.cloudbeaver.service.security.CBEmbeddedSecurityController.authenticate(CBEmbeddedSecurityController.java:1570)
        at io.cloudbeaver.service.auth.impl.WebServiceAuthImpl.authLogin(WebServiceAuthImpl.java:92)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)

@EvgeniaBzzz
Contributor

There was a filter issue which could be the reason for your errors. The fix is in the devel branch and will be available in 24.3.5 (on 17 February).

Now you can try to set the same identifier and filter:
"ldap-identifier-attr": "sAMAccountName"
"ldap-filter": "(sAMAccountName=*)"

If it works, just wait for the release.

@hardened-user

@EvgeniaBzzz Unfortunately, these settings had no effect.

@DavidRisen
Author

DavidRisen commented Feb 9, 2025

@EvgeniaBzzz Didn't help either, although ldapsearch works fine.

Example:
ldapsearch -h personal.aurus.dom -p 389 -D "CN=Иванов И. И.,OU=otdel10,OU=korpus 24,DC=personal,DC=aurus,DC=dom" -w ************* -b "OU=otdel10,OU=korpus 24,DC=personal,DC=aurus,DC=dom" "(sAMAccountName=*)"
# extended LDIF
#
# LDAPv3
# base <OU=otdel10,OU=korpus 24,DC=personal,DC=aurus,DC=dom> with scope subtree
# filter: (sAMAccountName=*)
# requesting: ALL
#

# otdel10-2, otdel10, korpus 24, personal.aurus.dom
dn: CN=otdel10-2,OU=otdel10,OU=korpus 24,DC=personal,DC=aurus,DC=dom
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: otdel10-2
distinguishedName: CN=otdel10-2,OU=otdel10,OU=korpus 24,DC=personal,DC=aurus,DC
 =dom
instanceType: 4
whenCreated: 20240215065613.0Z
whenChanged: 20250131055825.0Z
displayName: otdel10-2$
uSNCreated: 601163734
uSNChanged: 1506923124
name: otdel10-2
objectGUID:: su7s+8KihkSzKmXcZ/rBHg==
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 133832947236953578
localPolicyFlags: 0
pwdLastSet: 133808754132469816
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAAep1gNka7jbGBTEO/yFQAAA==
accountExpires: 9223372036854775807
logonCount: 470
sAMAccountName: otdel10-2$
sAMAccountType: 805306369
operatingSystem: Windows 10 Pro
operatingSystemVersion: 10.0 (19044)
dNSHostName: otdel10-2.personal.aurus.dom
servicePrincipalName: TERMSRV/otdel10-2
servicePrincipalName: TERMSRV/otdel10-2.personal.aurus.dom
servicePrincipalName: WSMAN/otdel10-2.personal.aurus.dom
servicePrincipalName: RestrictedKrbHost/otdel10-2.personal.aurus.dom
servicePrincipalName: HOST/otdel10-2.personal.aurus.dom
servicePrincipalName: WSMAN/otdel10-2
servicePrincipalName: RestrictedKrbHost/otdel10-2
servicePrincipalName: HOST/otdel10-2
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=aurus,DC=dom
isCriticalSystemObject: FALSE
dSCorePropagationData: 20240215075512.0Z
dSCorePropagationData: 16010101000001.0Z
lastLogonTimestamp: 133827766924310811
msDS-SupportedEncryptionTypes: 30

# \D0\9E\D1\80\D0\BB\D0\BE\D0\B2 \D0\A0. \D0\A1., 25, otdel10, korpus 24, perso
# nal.aurus.dom
dn:: Q0490J7RgNC70L7QsiDQoC4g0KEuLE9VPTI1LE9VPW90ZDEyMDEsT1U9a29ycHVzIDI0LERDP
 XBlcnNvbmFsLERDPW5wb21hc2gsREM9ZG9t
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn:: 0J7RgNC70L7QsiDQoC4g0KEu
sn:: 0J7RgNC70L7Qsg==
c: RU
title:: 0L3QsNGH0LDQu9GM0L3QuNC6INC+0YLQtNC10LvQsA==
description:: 0JjQt9C80LXQvdC10L3QsCDQtNC+0LvQttC90L7RgdGC0Yw6INCy0LXQtNGD0YnQ
 uNC5INC40L3QttC10L3QtdGAIC0+INC90LDRh9Cw0LvRjNC90LjQuiDQvtGC0LTQtdC70LA=
businessCategory: 16-61
businessCategory: otdel10
physicalDeliveryOfficeName:: 0LrQvtGA0L/Rg9GBIDI0ICDRjdGC0LDQtiAyICDQutC+0LzQv
 dCw0YLQsCAyNA==
telephoneNumber: 52-16
givenName:: 0KDQsNC00LjQvtC9
initials:: 0KAuINChLg==
distinguishedName:: Q0490J7RgNC70L7QsiDQoC4g0KEuLE9VPTI1LE9VPW90ZDEyMDEsT1U9a2
 9ycHVzIDI0LERDPXBlcnNvbmFsLERDPW5wb21hc2gsREM9ZG9t
instanceType: 4
whenCreated: 20160905051655.0Z
whenChanged: 20250203055434.0Z
displayName:: 0J7RgNC70L7QsiDQoNCw0LTQuNC+0L0g0KHQtdGA0LPQtdC10LLQuNGH
otherTelephone: 777-87-48
uSNCreated: 60031
memberOf: CN=otdel10,OU=25,OU=otdel10,OU=korpus 24,DC=personal,DC=aurus,DC=d
 om
uSNChanged: 1512008342
department:: 0J/RgNC+0LXQutGC0LjRgNC+0LLQsNC90LjQtSDRgdC40YHRgtC10Lwg0Lgg0LrQv
 tC80L/Qu9C10LrRgdC+0LIg0JLQktCiINC40JrQoSDQptC10L3RgtGA0LAg0YHQuNGC0YPQsNGG0L
 jQvtC90L3QvtCz0L4g
streetAddress:: MjQg0LrQvtGA0L/Rg9GBLCAyINGN0YLQsNC2LCDQui4gMjU=
employeeType: 503
name:: 0J7RgNC70L7QsiDQoC4g0KEu
objectGUID:: 8v6PhtKy7k6i3k+gy1MwXQ==
userAccountControl: 544
badPwdCount: 0
codePage: 0
countryCode: 1049
employeeID: 23456
badPasswordTime: 133825126187076223
lastLogoff: 0
lastLogon: 133834815719691138
localeID: 203
pwdLastSet: 133830356667820175
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAep1gNka7jbGBTEO/PzMAAA==
accountExpires: 9223372036854775807
logonCount: 1564
sAMAccountName: 23456
sAMAccountType: 805306368
userPrincipalName: [email protected]
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=aurus,DC=dom
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 133827756974893283
mail: [email protected]
departmentNumber: otdel10
middleName:: 0KHQtdGA0LPQtdC10LLQuNGH
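
The ldapsearch run above also shows why `(sAMAccountName=*)` is too broad for a login filter: it returns the computer account otdel10-2$ (objectClass computer, userAccountControl 4096) alongside the person account 23456. The following is an added example, not CloudBeaver's or ldapsearch's code. It builds a narrower AD filter, escapes the login value per RFC 4515 so that characters such as `*` or `)` typed into the login field cannot change the filter's meaning, and re-applies the same criteria locally to two entries reduced from the output above (constructed test data). The userAccountControl flag names are the standard Active Directory ones; the helper names (`is_eligible_user`, `find_user`) are mine.

```python
"""AD user-lookup filter: escaping, narrowing, and a local re-check of the criteria.

Added example, not CloudBeaver or ldapsearch code. Flag names are the standard
Active Directory userAccountControl bits; the helper names are the author's own.
"""
from typing import Dict, List, Optional

# userAccountControl bits seen in the ldapsearch output (4096 and 544) plus the
# "disabled" bit the filter must exclude.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
}
# AD's LDAP_MATCHING_RULE_BIT_AND extensible-match rule OID.
BIT_AND = "1.2.840.113556.1.4.803"

# Two entries reduced from the ldapsearch output (constructed test data: only the
# attributes the checks need are kept).
ENTRIES: List[Dict] = [
    {
        "dn": "CN=otdel10-2,OU=otdel10,OU=korpus 24,DC=personal,DC=aurus,DC=dom",
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
        "objectCategory": "CN=Computer,CN=Schema,CN=Configuration,DC=aurus,DC=dom",
        "sAMAccountName": "otdel10-2$",
        "userAccountControl": 4096,
    },
    {
        "dn": "CN=Орлов Р. С.,OU=25,OU=otdel10,OU=korpus 24,DC=personal,DC=aurus,DC=dom",
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "objectCategory": "CN=Person,CN=Schema,CN=Configuration,DC=aurus,DC=dom",
        "sAMAccountName": "23456",
        "userAccountControl": 544,
    },
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a search filter, so that
    '*', '(', ')', '\\' and NUL typed into the login box stay literal characters."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def user_lookup_filter(login: str, login_attr: str = "sAMAccountName") -> str:
    """Filter that matches only an enabled, person-category user with this login."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(!(userAccountControl:{BIT_AND}:=2))"
        f"({login_attr}={escape_filter_value(login)}))"
    )


def decode_uac(uac: int) -> set:
    """Names of the known userAccountControl bits set in uac."""
    return {name for bit, name in UAC_FLAGS.items() if uac & bit}


def is_eligible_user(entry: Dict) -> bool:
    """Local equivalent of the filter's structural terms: a Person-category
    user object whose ACCOUNTDISABLE bit is clear."""
    return (
        "user" in entry["objectClass"]
        and entry["objectCategory"].upper().startswith("CN=PERSON,")
        and not entry["userAccountControl"] & 0x0002
    )


def find_user(login: str, entries: List[Dict] = ENTRIES) -> Optional[Dict]:
    """Simulate the directory search locally: exactly one eligible match or None.
    sAMAccountName comparison is case-insensitive, as it is in AD."""
    hits = [
        e for e in entries
        if is_eligible_user(e) and e["sAMAccountName"].lower() == login.lower()
    ]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    print(user_lookup_filter("23456"))
    for e in ENTRIES:
        print(e["sAMAccountName"], sorted(decode_uac(e["userAccountControl"])),
              "eligible" if is_eligible_user(e) else "rejected")
```

Decoding the two userAccountControl values from the output, 4096 is WORKSTATION_TRUST_ACCOUNT and 544 is NORMAL_ACCOUNT plus PASSWD_NOTREQD. The latter is worth checking on any account that will authenticate through a simple bind: a simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2), which a directory may report as success, so an authenticator must reject empty passwords before it binds, whatever the search filter says.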

@hardened-user

dbeaver/cloudbeaver:24.3.5

User authentication failed:
LDAP authentication failed: LDAP authentication failed: Failed to determine userId from user DN: CN=cloud_beaver,OU=ServiceAccounts,OU=Users,OU=GRP,DC=dom,DC=corp
org.jkiss.dbeaver.DBException: Failed to determine userId from user DN: CN=cloud_beaver,OU=ServiceAccounts,OU=Users,OU=GRP,DC=dom,DC=corp
    at io.cloudbeaver.service.ldap.auth.LdapAuthProvider.findUserNameFromDN(LdapAuthProvider.java:231)
    at io.cloudbeaver.service.ldap.auth.LdapAuthProvider.authenticateLdap(LdapAuthProvider.java:361)
    at io.cloudbeaver.service.ldap.auth.LdapAuthProvider.validateAndLoginUserAccessByUsername(LdapAuthProvider.java:118)
    at io.cloudbeaver.service.ldap.auth.LdapAuthProvider.authExternalUser(LdapAuthProvider.java:81)
    at io.cloudbeaver.service.security.CBEmbeddedSecurityController.authenticate(CBEmbeddedSecurityController.java:1571)
    at io.cloudbeaver.service.auth.impl.WebServiceAuthImpl.authLogin(WebServiceAuthImpl.java:92)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
    at java.base/java.lang.reflect.Method.invoke(Method.java:580)

@HocKu7
Contributor

HocKu7 commented Feb 28, 2025

@DavidRisen Hi. You need to change
"ldap-identifier-attr": "sAMAccountName" to "ldap-identifier-attr": "cn" and let me know if it helps

@hardened-user

hardened-user commented Feb 28, 2025

@HocKu7 Hi, it's working for me, but only in uppercase, thanks.
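
The fix that worked, `"ldap-identifier-attr": "cn"`, is consistent with the error text and the method name in the traces (`findUserNameFromDN`, "Failed to determine userId from user DN"): the identifier is evidently looked up among the RDN components of the user's DN, and an Active Directory DN contains CN, OU and DC components but never sAMAccountName, so that attribute cannot be found there. The following added example (my code, not CloudBeaver's; the reading of the trace is an inference) parses an RFC 4514 DN, including escaped commas and `\XX` hex escapes, and looks up an identifier attribute the way such a lookup would have to. It matches attribute types case-insensitively, as RFC 4512 requires, so `cn` and `CN` behave the same; hardened-user's observation that only the uppercase form worked suggests a case-sensitive comparison on the CloudBeaver side at the time.

```python
"""Look up a user identifier in the RDN components of an LDAP DN.

Added example (not CloudBeaver code). It assumes, from the stack trace
(findUserNameFromDN / "Failed to determine userId from user DN"), that the
identifier attribute is searched for inside the DN string itself.
"""
from typing import List, Optional, Tuple

# DN quoted in the issue's error message (CloudBeaver 24.3.3 / 24.3.4 reports).
USER_DN = "CN=Теляков К. Н.,OU=otdel10,OU=korpus 24,DC=personal,DC=aurus,DC=dom"


def _is_hex_pair(s: str) -> bool:
    return len(s) == 2 and all(c in "0123456789abcdefABCDEF" for c in s)


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 string DN into (attributeType, value) pairs, left to right.

    Backslash escapes are resolved: "\\," keeps a literal comma, and a run of
    "\\XX" hex pairs is decoded as UTF-8 so non-ASCII values survive.  A '+'
    (multi-valued RDN) is treated like ',' so every attribute becomes its own pair.
    """
    avas: List[Tuple[str, str]] = []
    typ: List[str] = []
    val: List[str] = []
    in_value = False
    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == "\\":
            raw = bytearray()
            while i < n and dn[i] == "\\" and _is_hex_pair(dn[i + 1:i + 3]):
                raw += bytes.fromhex(dn[i + 1:i + 3])
                i += 3
            if raw:
                val.append(raw.decode("utf-8", "replace"))
                continue
            if i + 1 < n:  # single-character escape such as \, \+ \= \\
                (val if in_value else typ).append(dn[i + 1])
                i += 2
                continue
        if not in_value and ch == "=":
            in_value = True  # first unescaped '=' separates type from value
        elif ch in ",+":
            avas.append(("".join(typ).strip(), "".join(val).strip()))
            typ, val, in_value = [], [], False
        else:
            (val if in_value else typ).append(ch)
        i += 1
    if typ or val:
        avas.append(("".join(typ).strip(), "".join(val).strip()))
    return avas


def identifier_from_dn(dn: str, identifier_attr: str) -> Optional[str]:
    """Value of the first RDN whose type equals identifier_attr. Attribute types
    are case-insensitive (RFC 4512), so 'cn' and 'CN' match the same RDN. Returns
    None when the DN has no such RDN, which is exactly the situation for
    sAMAccountName in an Active Directory DN."""
    want = identifier_attr.strip().lower()
    for typ, value in split_dn(dn):
        if typ.lower() == want:
            return value
    return None


if __name__ == "__main__":
    for attr in ("sAMAccountName", "cn", "CN"):
        print(f"{attr:15} -> {identifier_from_dn(USER_DN, attr)!r}")
```

Taking the identifier from CN carries a caveat of its own: in AD, CN is only unique within its container and changes when the object is renamed, whereas sAMAccountName is unique domain-wide and is the name the user actually logs in with. A more robust provider reads sAMAccountName (or objectSid) from the entry returned by the search rather than from the DN string, so the identifier does not depend on how the DN is spelled. The 24.2.5 trace earlier in the thread (error 32 NO_OBJECT, `remaining name 'cn=cloud_beaver,OU=Users,OU=GRP,DC=dom,DC=corp'`) appears to show the converse shortcut, composing the DN as cn=<login>,<base> instead of searching for it, which fails for any account outside the base container, such as the service account in OU=ServiceAccounts.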
