Hi guys,
we have a running SAMBA-AD which is running perfectly fine. Unfortunately we are not able to connect Semaphore to this system because SAMBA-AD is not supporting the "ldapwhoami" request and we think it never will (I think this is the same case with Microsoft AD).
The error is:

```
Semaphore v2.9.37
Server is running
WARN[1174] LDAP Result Code 2 "Protocol Error": Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported
```
See here: https://pkg.go.dev/github.com/go-ldap/ldap/v3#LDAPResultProtocolError
LDAP config:
```json
"ldap_enable": true,
"ldap_needtls": false,
"ldap_binddn": "CN=binduser techuser,CN=Users,DC=example,DC=com",
"ldap_bindpassword": "long-bindpassword",
"ldap_server": "samba-ad:389",
"ldap_searchfilter": "(&(sAMAccountName=%s))",
"ldap_searchdn": "CN=Users,DC=example,DC=com",
"ldap_mappings": {
    "dn": "distinguishedName",
    "mail": "userPrincipalName",
    "uid": "sAMAccountName",
    "cn": "cn"
}
```
RFC docs @ https://datatracker.ietf.org/doc/html/rfc4532 say:
> 2. The "Who am I?" Operation
>
> The "Who am I?" operation is defined as an LDAP Extended Operation
> [RFC4511] identified by the whoamiOID Object Identifier (OID). This
> section details the syntax of the operation's whoami request and
> response messages.
And the samba guys ( https://lists.samba.org/archive/samba/2012-January/165816.html ) say:
> Andrew Bartlett abartlet at samba.org
> Thu Jan 19 22:03:08 MST 2012
>
> [...]
>
> We support SASL/GSSAPI. We do not (patches very welcome) currently
> support the extended operation ldapwhoami uses.
>
> Andrew Bartlett
I repeat: "We do not [...] support the extended operation ldapwhoami uses."
This was in 2012(!). So I have no hope they will implement this in 2023 or anytime later.
Could you please remove the "ldapwhoami" request from semaphore?
best regards,
Michael H.G. Schmidt
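
As an added illustration (not part of the issue, and not Semaphore or go-ldap code), the Go sketch below encodes the RFC 4532 "Who am I?" ExtendedRequest that produces the error above and decodes the ExtendedResponse, so a client can tell "operation not implemented" (result code 2) apart from other outcomes. All function names are hypothetical, and only short-form BER lengths (elements under 128 bytes) are handled.

```go
package main

import "fmt"

const WhoAmIOID = "1.3.6.1.4.1.4203.1.11.3" // whoamiOID, RFC 4532
const ProtocolError = 2                     // resultCode for an unrecognized requestName (RFC 4511)

// tlv wraps val in a BER tag with a short-form length (val must be under 128 bytes).
func tlv(tag byte, val []byte) []byte { return append([]byte{tag, byte(len(val))}, val...) }

// WhoAmIRequest encodes LDAPMessage{messageID, [APPLICATION 23]{[0] requestName}}.
func WhoAmIRequest(id byte) []byte {
	ext := tlv(0x77, tlv(0x80, []byte(WhoAmIOID)))
	return tlv(0x30, append(tlv(0x02, []byte{id}), ext...))
}

// split returns the child elements of one short-form BER element, or nil if malformed.
func split(e []byte) (out [][]byte) {
	if len(e) < 2 || e[1] >= 0x80 || int(e[1]) != len(e)-2 {
		return nil
	}
	for b := e[2:]; len(b) > 0; b = b[2+int(b[1]):] {
		if len(b) < 2 || b[1] >= 0x80 || len(b) < 2+int(b[1]) {
			return nil
		}
		out = append(out, b[:2+int(b[1])])
	}
	return out
}

// ParseWhoAmI returns the resultCode with the authzId (success) or diagnosticMessage.
func ParseWhoAmI(msg []byte) (code int, text string, err error) {
	var r [][]byte // resultCode, matchedDN, diagnosticMessage, ..., [11] responseValue
	if m := split(msg); len(m) >= 2 && msg[0] == 0x30 && m[1][0] == 0x78 {
		r = split(m[1]) // protocolOp is [APPLICATION 24] ExtendedResponse
	}
	if len(r) < 3 || len(r[0]) != 3 {
		return 0, "", fmt.Errorf("not a well-formed ExtendedResponse (%d bytes)", len(msg))
	}
	if code = int(r[0][2]); code == 0 && r[len(r)-1][0] == 0x8b {
		return code, string(r[len(r)-1][2:]), nil
	}
	return code, string(r[2][2:]), nil
}

func main() {
	fmt.Printf("whoami request: % x\n", WhoAmIRequest(1))
}
```

A caller that gets `ProtocolError` back knows the directory rejected the operation itself, which is a different condition from a failed bind or a wrong password.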