Unable to authenticate users via Google Secure LDAP #3399
Comments
I can perform a successful bind when I set the attribute
If the method https://github.com/goauthentik/authentik/blob/main/authentik/sources/ldap/auth.py#L54 only checks the password at login time, I think that
Additional info
The library ldap3 performs a search without base when
Emulating the same query with ldapsearch produces the same result:
When setting the appropriate base parameter, there is no problem:
The library ldap3 does not set the base parameter and Google rejects the query. In fact, it is a cloud service which handles a lot of domains and you have to specify which one you belong to.
I have made these small changes to the code:
$ git diff authentik/sources/ldap/models.py
diff --git a/authentik/sources/ldap/models.py b/authentik/sources/ldap/models.py
index a6cb1a283..c1caa6026 100644
--- a/authentik/sources/ldap/models.py
+++ b/authentik/sources/ldap/models.py
@@ -3,7 +3,7 @@ from ssl import CERT_REQUIRED
from django.db import models
from django.utils.translation import gettext_lazy as _
-from ldap3 import ALL, RANDOM, Connection, Server, ServerPool, Tls
+from ldap3 import NONE, RANDOM, Connection, Server, ServerPool, Tls
from rest_framework.serializers import Serializer
from authentik.core.models import Group, PropertyMapping, Source
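Review bot: the import swap from `ALL` to `NONE` only stays safe if no other line of models.py still references `ALL`; the hunk shows just the import and the one `get_info` use below, so please confirm there is no remaining `ALL` in the file, otherwise the module will fail with a NameError at import time. If `ALL` is still needed elsewhere, keep it in the import list (`from ldap3 import ALL, NONE, RANDOM, ...`) and change only the kwarg.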
@@ -117,7 +117,7 @@ class LDAPSource(Source):
if ciphers := CONFIG.y("ldap.tls.ciphers", None):
tls_kwargs["ciphers"] = ciphers.strip()
kwargs = {
- "get_info": ALL,
+ "get_info": NONE,
"connect_timeout": LDAP_TIMEOUT,
"tls": Tls(**tls_kwargs),
}
The images are generated fine and I have tested both the synchronization of users and groups, as well as the login of users from LDAP, and everything works correctly.
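Review bot: hard-coding `"get_info": NONE` in the shared `kwargs` of `LDAPSource` changes behaviour for every LDAP source, not only Google Secure LDAP; `get_info=ALL` is what makes ldap3 read server info after the bind (the base-less `(objectClass=*)` search described in this thread that Google answers with INSUFFICIENT_ACCESS_RIGHTS), and other directories may be fine with, or rely on, that lookup. Suggest making it configurable instead, following the pattern used a few lines above for `ldap.tls.ciphers` read via `CONFIG.y(...)`, or exposing it as a per-source setting, and adding a one-line comment next to the kwarg explaining why Google Secure LDAP needs `NONE`, so the reason is not lost the next time someone touches this block.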
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Describe the bug
Once Google Secure LDAP is configured as the source and users and groups have been synced, they cannot log in.
The problem seems to be caused by a search against Google Secure LDAP with the filter "(objectClass=*)", which is not allowed for the specific bound user who is trying to log in.
Google shows the following messages:
Successfully bind LDAP with uid=plsan*****,ou=Users,dc=******,dc=com.
LDAP search with (objectClass=*) failed for the following reason: INSUFFICIENT_ACCESS_RIGHTS.
The "INSUFFICIENT_ACCESS_RIGHTS" can also be seen in the server logs (below).
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Correct login flow as the user is synced and the password is right.
Logs
Version and Deployment (please complete the following information):
Additional context
Tell me if additional info, logs or whatever is needed.
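To make concrete what the "search without base" reported above (and in the comment noting that ldap3 does not set the base parameter) looks like on the wire, here is a worked example added to this page; it is not authentik, ldap3 or Google code. It builds the LDAP SearchRequest a client sends to read the RootDSE (empty base DN, scope baseObject, filter `(objectClass=*)`) and the same request anchored at the domain base DN, decodes both, and runs them through a constructed access-control stand-in (`constructed_acl`) that merely mirrors the behaviour the issue reports. The function names, the helper `domain_base_of`, and the sample DN `uid=plsan,ou=Users,dc=example,dc=com` (shaped like the log line above) are all assumptions made for the example; only the Python standard library is used.

```python
"""Wire-level view of the two LDAP searches discussed in this issue.

Added example (not authentik, ldap3 or Google code). Minimal but valid BER
per RFC 4511, standard library only. constructed_acl() is a stand-in for the
reported Google Secure LDAP behaviour, not Google's implementation.
"""
from __future__ import annotations

SUCCESS = 0                       # resultCode values, RFC 4511 sec. 4.1.9
INSUFFICIENT_ACCESS_RIGHTS = 50
SCOPE_BASE, SCOPE_ONE, SCOPE_SUB = 0, 1, 2   # SearchRequest scope, sec. 4.5.1.2


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _int(value: int, tag: int = 0x02) -> bytes:
    """Two's-complement INTEGER; tag 0x0A gives ENUMERATED."""
    n = max(1, (value.bit_length() + 8) // 8)
    return _tlv(tag, value.to_bytes(n, "big", signed=True))


def search_request(msg_id: int, base: str, scope: int, attr: str = "objectClass") -> bytes:
    """LDAPMessage { messageID, searchRequest [APPLICATION 3] } with the
    present filter (attr=*), which encodes as [CONTEXT 7] OCTET STRING."""
    body = (
        _tlv(0x04, base.encode())     # baseObject ("" means the RootDSE)
        + _int(scope, tag=0x0A)       # scope
        + _int(0, tag=0x0A)           # derefAliases: neverDerefAliases
        + _int(0)                     # sizeLimit: none
        + _int(0)                     # timeLimit: none
        + _tlv(0x01, b"\x00")         # typesOnly: FALSE
        + _tlv(0x87, attr.encode())   # filter: present (attr=*)
        + _tlv(0x30, b"")             # attributes: none requested
    )
    return _tlv(0x30, _int(msg_id) + _tlv(0x63, body))


def rootdse_read(msg_id: int = 2) -> bytes:
    """The base-less read ldap3 issues for server info: base "", scope base."""
    return search_request(msg_id, "", SCOPE_BASE)


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, payload, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_search_request(pdu: bytes) -> dict:
    """Extract messageID, baseObject, scope and the present-filter attribute."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x63:
        raise ValueError("not a SearchRequest")
    _, base, pos = _read_tlv(op, 0)
    _, scope, pos = _read_tlv(op, pos)
    for _ in range(4):                      # derefAliases, sizeLimit, timeLimit, typesOnly
        _, _, pos = _read_tlv(op, pos)
    ftag, fval, _ = _read_tlv(op, pos)
    filt = f"({fval.decode()}=*)" if ftag == 0x87 else "<non-present filter>"
    return {"message_id": int.from_bytes(msg_id, "big", signed=True),
            "base": base.decode(),
            "scope": int.from_bytes(scope, "big", signed=True),
            "filter": filt}


def domain_base_of(dn: str) -> str:
    """Constructed helper: keep the dc=... components of a DN."""
    return ",".join(p for p in dn.split(",") if p.strip().lower().startswith("dc="))


def constructed_acl(bound_dn: str, req: dict) -> int:
    """Assumption for this example only: a bound ordinary user may search inside
    its own domain but may not read the RootDSE (empty base)."""
    domain = domain_base_of(bound_dn).lower()
    if req["base"] == "" or not req["base"].lower().endswith(domain):
        return INSUFFICIENT_ACCESS_RIGHTS
    return SUCCESS


def login_search_outcomes(bound_dn: str) -> dict[str, int]:
    """resultCode the bound user gets for the RootDSE read versus a scoped search."""
    scoped = search_request(3, domain_base_of(bound_dn), SCOPE_SUB)
    return {"rootdse_read": constructed_acl(bound_dn, decode_search_request(rootdse_read())),
            "scoped_search": constructed_acl(bound_dn, decode_search_request(scoped))}


if __name__ == "__main__":
    dn = "uid=plsan,ou=Users,dc=example,dc=com"   # constructed sample DN
    print(rootdse_read().hex())
    print(decode_search_request(rootdse_read()))
    print(login_search_outcomes(dn))
```

Running it prints the RootDSE request bytes (note the `04 00` empty baseObject right after the `63` SearchRequest tag), its decoded form, and `{'rootdse_read': 50, 'scoped_search': 0}`: the same request succeeds once the base DN names the domain, which is the difference the ldapsearch comparison in this thread describes. Real servers decide access on their own rules; only the request encoding here is protocol fact.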