Trying to set up authentication with active directory #646

Closed
rbnor opened this issue Apr 23, 2020 · 14 comments
Labels: bug (use for describing something not working as expected), solved (use to identify issue that has been solved; must be linked to the solving PR)

@rbnor

rbnor commented Apr 23, 2020

Please replace every line in curly brackets { like this } with an appropriate answer, and remove this line.

Description

Environment

  1. OS ubuntu 18.04
  2. OpenCTI version: latest
  3. OpenCTI client: frontend
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:
clone docker repo
add example ldap config, change values.

Expected Output

expect it to start properly

Actual Output

failed to create service opencti_opencti: Error response from daemon: rpc error: code = InvalidArgument desc = expanding env failed: expanding env "PROVIDERS__LDAP__CONFIG__SEARCH_FILTER=(sAMAccountName={{username}})": template: expansion:1: function "username" not defined

Additional information

{ Any additional information, including logs or screenshots if you have any. }

@rbnor
Author

rbnor commented Apr 23, 2020

This is only if using stack deploy. Using composer up, I don't get the error. However I'm still not able to log in using AD, but that could very well be on my config.

What's the best way to debug this issue?
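Why the reported error appears only on the stack deploy path, as an added example that is not part of the thread or of OpenCTI: the error text shows the env entry being parsed as a Go template named "expansion", so `{{username}}` is read as a call to an undefined function. `expandEnv` is a hypothetical helper that imitates that step with Go's `text/template`, and the escaped entry uses the standard `text/template` way of emitting literal braces.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Env entry exactly as quoted in the error message of this issue.
const rawEntry = `PROVIDERS__LDAP__CONFIG__SEARCH_FILTER=(sAMAccountName={{username}})`

// Same entry with the placeholder wrapped in a template string literal,
// so that expansion emits the braces instead of evaluating them.
const escapedEntry = `PROVIDERS__LDAP__CONFIG__SEARCH_FILTER=(sAMAccountName={{"{{username}}"}})`

// expandEnv (hypothetical helper) treats an env entry the way the error
// message implies: the whole string is parsed and executed as a Go
// text/template called "expansion".
func expandEnv(entry string) (string, error) {
	tmpl, err := template.New("expansion").Parse(entry)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, nil); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	for _, entry := range []string{rawEntry, escapedEntry} {
		value, err := expandEnv(entry)
		if err != nil {
			fmt.Println("expanding env failed:", err)
			continue
		}
		// This is the string the container would receive.
		fmt.Println("expanded:", value)
	}
}
```

The escaped form only makes sense where the entry goes through template expansion; on a path that does not expand templates the value is passed through as written.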

@rbnor
Author

rbnor commented Apr 23, 2020

After changing around a bit on my config I now get, with composer up:

Using wrong password:

Works as expected.

Using the right password, it just greys out the login button and hangs.

What could be the source of this? And what log files should I provide to help solve this?

@SamuelHassine
Member

@richard-julien any idea?

@SamuelHassine SamuelHassine added the question Further information is requested label Apr 27, 2020
@richard-julien
Member

Difficult to say. Any error on the client side? Can you check with chrome dev tools the result of the http query?

@rbnor
Author

rbnor commented Apr 28, 2020

I will get back to you as soon as I have had the chance to check this out, thanks for looking into it!

@rbnor
Author

rbnor commented Apr 28, 2020

It just hangs, no response. Could be an issue with what the email field is called? If it's not called the same in AD, and it can't find it and there is no handling of such errors (didn't check if that's the case). Because why else would it hang only on correct password? I checked the response both for correct and wrong password.

@rbnor
Author

rbnor commented May 4, 2020

Any ideas here? Ensured the email field is the correct one and it still hangs on correct password.

@richard-julien
Member

Hi @rbnor , can you check with last release if you have a log in the opencti container? Thanks

@rbnor
Author

rbnor commented May 4, 2020

"net::ERR_EMPTY_RESPONSE" is the error I get with the correct password now, on the request in the console.

@rbnor
Author

rbnor commented May 4, 2020

> Hi @rbnor , can you check with last release if you have a log in the opencti container? Thanks

Sure, I'll check that out asap

@rbnor
Author

rbnor commented May 4, 2020

Wrong password gives:
{"level":"error","message":"[AUTH ERROR] > ldapauth "}
In the error and regular logs.

Right password yields nothing in either of the logs.

@rbnor
Author

rbnor commented May 4, 2020

Could it be that it authenticates but does not proceed to create a user the proper way hence no response? Just thinking out loud. Clearly the authentication works but no response to the request at all.

No user is created, that's for sure. Could it be that it's not intended to? IMO it kind of has to create a user even though it's SSO, to have something in its own context to refer to?

@richard-julien richard-julien added bug use for describing something not working as expected and removed question Further information is requested labels May 4, 2020
@richard-julien richard-julien added this to the Release 3.2.3 milestone May 4, 2020
@richard-julien
Member

With the help of Filip, I reproduced the problem.
Looks like a config problem, but the platform really behaves incorrectly when the configuration is not accurate.
Will be fixed in the next release.

  • Add better error handling to prevent creating random user.
  • Better logging to help solving the config problem

@rbnor
Author

rbnor commented May 4, 2020

Thanks for looking into it, and nice work reproducing it, sorry for the lack of information and config from my end there if that was an issue. Looking forward to the next release, if I can improve the config in the meantime please let me know.

@SamuelHassine SamuelHassine added the solved use to identify issue that has been solved (must be linked to the solving PR) label May 5, 2020