How to set LDAP auth


I want to set up LDAP auth. My command to start the web node is:

$ concourse web --add-local-user evan:123456 --main-team-local-user evan --session-signing-key session_signing_key --tsa-host-key tsa_host_key --tsa-authorized-keys authorized_worker_keys --postgres-user=concourse --postgres-password=123456 --external-url= --ldap-user-search-base-dn='dc=mycompany,dc=com' --ldap-group-search-filter='(objectclass=posixGroup)' --ldap-group-search-base-dn='ou=group'

And I have set up the team:

$ fly -t first teams -d
name  users       groups
main  ldap:chaol  ldap:devtools-group

But I cannot login with my LDAP account:

$ fly -t first login -u chaol -p 'my-ldap-password' -n main
logging in to team 'main'

error: oauth2: cannot fetch token: 401 Unauthorized
Response: {"error":"access_denied","error_description":"Invalid username or password"}

From the TAS log:

{"timestamp":"1542017803.135399818","source":"atc","message":"","log_level":2,"data":{"error":"oauth2: cannot fetch token: 401 Unauthorized\nResponse: {\"error\":\"access_denied\",\"error_description\":\"Invalid username or password\"}","session":"4.33"}}

Looks like TAS tried to authenticate with OAuth2, but I only configured LDAP. What is wrong with my configuration?


The username and password command options are for basic auth only, not LDAP. Try just this and see if it works:

$ fly -t first login -n main
$ fly login --help
[login command options]
      -u, --username=        Username for basic auth
      -p, --password=        Password for basic auth


I just tried:

$ fly -t first login -n main
logging in to team 'main'

navigate to the following URL in your browser:

or enter token manually:

Then I opened the URL in a browser and typed in my LDAP username and password, but it still didn't work.


What do you mean by “it still didn’t work”? What happened when you typed in your LDAP username and password?


"It still didn't work" means I still couldn't log in with my LDAP credentials. When I typed in my LDAP username and password, the prompt showed an invalid username/password error.


When starting the web node, I added the --ldap-display-name=LDAP option, so I suppose the login page should have an "LDAP" option, but I don't see it.


Finally, I made LDAP work. Below are all the options I used:


It seems that --ldap-bind-dn and --ldap-bind-pw are mandatory; without these two options, the ATC will just ignore the other LDAP options without any log message. That's the reason why LDAP initially wasn't working for me, but I couldn't find any error in the ATC log.

--ldap-insecure-skip-verify and --ldap-insecure-no-ssl are also mandatory in my case, due to the configuration of my company's LDAP server.

--ldap-user-search-email-attr, --ldap-user-search-name-attr and --ldap-user-search-id-attr are also mandatory, which is undocumented, too bad. Without them, the LDAP search will fail, the GUI will show "internal server error", and the ATC log shows something like "missing configuration".
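
A preflight check for the web node's LDAP flags, written for this thread as an added example; it is not code from the thread or from Concourse itself. It applies the findings in the answer above to two argument lists: the LDAP flags from the first post, which have no bind DN, bind password or attribute mapping, and a set built from the options named in the answer, with --ldap-insecure-no-ssl and --ldap-insecure-skip-verify replaced by a verified LDAPS connection. The flags --ldap-host, --ldap-ca-cert, --ldap-user-search-username and the --ldap-group-search-*-attr family are not mentioned in the thread; they are taken from Concourse's LDAP connector and should be checked against concourse web --help for your version. The host name, bind DN, CA path and attribute names are placeholders for an example directory.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: a preflight check for the LDAP flags passed to
# `concourse web`. The thread found that without --ldap-bind-dn and --ldap-bind-pw the
# ATC silently ignores every other LDAP option, and that the three user-search attribute
# flags are required even though the docs did not say so. This script catches both before
# the web node is started, and flags the two --ldap-insecure-* options for review.

# Print each required LDAP flag that is absent from the argument list in "$@".
# A flag counts as present as "--flag=value" or as a bare "--flag" (value in the next arg).
# Returns 0 when nothing is missing, 1 otherwise.
ldap_missing_flags() {
  local required=(
    --ldap-host
    --ldap-bind-dn
    --ldap-bind-pw
    --ldap-user-search-base-dn
    --ldap-user-search-id-attr
    --ldap-user-search-email-attr
    --ldap-user-search-name-attr
  )
  local flag arg found missing=0
  for flag in "${required[@]}"; do
    found=0
    for arg in "$@"; do
      case "$arg" in
        "$flag"|"$flag"=*) found=1; break ;;
      esac
    done
    if [ "$found" -eq 0 ]; then
      echo "missing: $flag"
      missing=1
    fi
  done
  return "$missing"
}

# Warn on stderr for each flag that turns off TLS or certificate verification and
# print the number found on stdout. Either one exposes the bind password and every
# user's password to the network or to an unverified server, so each deserves review.
ldap_insecure_flag_count() {
  local arg n=0
  for arg in "$@"; do
    case "$arg" in
      --ldap-insecure-no-ssl|--ldap-insecure-skip-verify)
        echo "warning: $arg disables TLS protection for LDAP credentials" >&2
        n=$((n + 1)) ;;
    esac
  done
  echo "$n"
}

# Constructed to mirror the LDAP flags in the first post: no host, no bind DN or
# password, no attribute mapping.
ORIGINAL_LDAP_ARGS=(
  --ldap-user-search-base-dn='dc=mycompany,dc=com'
  --ldap-group-search-filter='(objectclass=posixGroup)'
  --ldap-group-search-base-dn='ou=group'
)

# Built from the options named in the answer, with the two insecure flags replaced by a
# verified LDAPS connection. Host, bind DN, CA path and attribute names are placeholders
# (assumed for an OpenLDAP-style directory). The bind password is read from the
# environment so it is not written into the script; Concourse also reads it directly
# from CONCOURSE_LDAP_BIND_PW, which keeps it off the command line entirely.
HARDENED_LDAP_ARGS=(
  --ldap-display-name=LDAP
  --ldap-host=ldap.mycompany.com:636
  --ldap-bind-dn='cn=concourse,ou=services,dc=mycompany,dc=com'
  --ldap-bind-pw="${LDAP_BIND_PW:-example-only}"
  --ldap-ca-cert=/etc/concourse/ldap-ca.pem
  --ldap-user-search-base-dn='dc=mycompany,dc=com'
  --ldap-user-search-username=uid
  --ldap-user-search-id-attr=uid
  --ldap-user-search-email-attr=mail
  --ldap-user-search-name-attr=cn
  --ldap-group-search-base-dn='ou=group,dc=mycompany,dc=com'
  --ldap-group-search-filter='(objectclass=posixGroup)'
  --ldap-group-search-user-attr=uid
  --ldap-group-search-group-attr=memberUid
  --ldap-group-search-name-attr=cn
)

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  echo "== flags from the first post =="
  ldap_missing_flags "${ORIGINAL_LDAP_ARGS[@]}" || echo "the ATC would ignore LDAP entirely"
  echo "== hardened flags =="
  ldap_missing_flags "${HARDENED_LDAP_ARGS[@]}" && echo "all required LDAP flags present"
  ldap_insecure_flag_count "${HARDENED_LDAP_ARGS[@]}" >/dev/null
  # Start the web node with the checked flags appended to the non-LDAP options:
  # concourse web ... "${HARDENED_LDAP_ARGS[@]}"
fi
```

Run it before restarting the web node; a non-empty "missing:" list explains the silent-ignore behaviour described above without waiting for a failed login, and any warning from the insecure-flag check is the cue to ask for the directory's CA certificate instead of disabling verification.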


To add on to the last message, this is what I had to do to get bound to Active Directory or LDAP authentication:


Hopefully this helps more people with both of our answers. I think this also depends on how your LDAP/AD is set up.