How to set LDAP auth


#1

I want to setup LDAP auth. My command to start web node is:

$ concourse web --add-local-user evan:123456 --main-team-local-user evan --session-signing-key session_signing_key --tsa-host-key tsa_host_key --tsa-authorized-keys authorized_worker_keys --postgres-user=concourse --postgres-password=123456 --external-url=http://10.160.39.203:8080 --ldap-host=ldaps.eng.mycompany.com --ldap-user-search-base-dn='dc=mycompany,dc=com' --ldap-group-search-filter='(objectclass=posixGroup)' --ldap-group-search-base-dn='ou=group'

And I have setup team:

$ fly -t first teams -d
name  users       groups
main  ldap:chaol  ldap:devtools-group

But I cannot login with my LDAP account:

$ fly -t first login -u chaol -p 'my-ldap-password' -n main
logging in to team 'main'

error: oauth2: cannot fetch token: 401 Unauthorized
Response: {"error":"access_denied","error_description":"Invalid username or password"}

From TAS log:

{"timestamp":"1542017803.135399818","source":"atc","message":"atc.sky.token.failed-to-fetch-dex-token","log_level":2,"data":{"error":"oauth2: cannot fetch token: 401 Unauthorized\nResponse: {\"error\":\"access_denied\",\"error_description\":\"Invalid username or password\"}","session":"4.33"}}

It looks like TAS tried to auth with OAuth2, but I only configured LDAP. What is wrong with my configuration?


#2

The username and password command options are for basic auth only, not LDAP. Try just this and see if it works:

$ fly -t first login -n main
$ fly login --help
...
[login command options]
...
      -u, --username=        Username for basic auth
      -p, --password=        Password for basic auth
...

#3

I just tried:

$ fly -t first login -n main
logging in to team 'main'

navigate to the following URL in your browser:

  http://10.160.39.203:8080/sky/login?redirect_uri=http://127.0.0.1:56398/auth/callback

or enter token manually:

Then I opened the URL in a browser and typed in my LDAP username and password, but it still didn't work.


#4

What do you mean by “it still didn’t work”? What happened when you typed in your LDAP username and password?


#5

"it still didn't work" means I still couldn't log in with my LDAP credentials. When I typed in my LDAP username and password, it prompted an error of invalid username/password.


#6

When starting the web node, I added the --ldap-display-name=LDAP option, so I expected the login page to have an "LDAP" option, but I don't see that.


#7

Finally, I made LDAP work. Below are all options I used:

--ldap-display-name=LDAP
--ldap-host=ldap.mycompany.com
--ldap-bind-dn='my_bind_dn'
--ldap-bind-pw='my_bind_pass'
--ldap-user-search-base-dn='dc=mycompany,dc=com'
--ldap-group-search-filter='(objectclass=posixGroup)'
--ldap-group-search-base-dn='OU=Groups,OU=Corp,OU=Common,DC=mycompany,DC=com'
--ldap-user-search-username=sAMAccountName
--ldap-insecure-skip-verify
--ldap-insecure-no-ssl
--ldap-user-search-filter='(objectCategory=Person)'
--ldap-user-search-email-attr=mail
--ldap-user-search-name-attr='displayName'
--ldap-user-search-id-attr=sAMAccountName
--ldap-group-search-user-attr=sAMAccountName

It seems that --ldap-bind-dn and --ldap-bind-pw are mandatory; without these two options, ATC will just ignore the other LDAP options without any log message. That's the reason why LDAP initially wasn't working for me but I couldn't find any error in the ATC log.

--ldap-insecure-skip-verify and --ldap-insecure-no-ssl are also mandatory in my case due to the configuration of my company's LDAP server.

--ldap-user-search-email-attr, --ldap-user-search-name-attr and --ldap-user-search-id-attr are also mandatory, which is undocumented; too bad. Without them, the LDAP search will fail, the GUI will show "internal server error", and the ATC log shows something like "missing configuration".
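As an added example (not part of this thread and not Concourse's own code), here is a small Python preflight that parses a `concourse web` command line and reports the LDAP flags this thread found to be mandatory, plus the two insecure switches. The split into "connector" flags (without which ATC silently ignored LDAP in post #7) and "search" flags (without which the GUI showed "internal server error") is my reading of the thread, not Concourse's documented validation; the two sample command lines are the ones from post #1 and post #7, with the `$` prompt removed.

```python
import shlex
from dataclasses import dataclass

# Grouping taken from the thread (hypothetical, not Concourse's own validation rules).
# Post #7: without bind-dn/bind-pw, ATC ignores every other --ldap-* flag with no log line.
REQUIRED_FOR_CONNECTOR = ("--ldap-host", "--ldap-bind-dn", "--ldap-bind-pw")
# Post #7: without these, the user search fails with "internal server error" / "missing configuration".
REQUIRED_FOR_SEARCH = (
    "--ldap-user-search-base-dn",
    "--ldap-user-search-email-attr",
    "--ldap-user-search-name-attr",
    "--ldap-user-search-id-attr",
)
# Switches that disable TLS verification or TLS entirely: the bind password and every
# user's password then cross the network unprotected, so they deserve an explicit warning.
INSECURE_SWITCHES = ("--ldap-insecure-skip-verify", "--ldap-insecure-no-ssl")

# Constructed from post #1 (prompt stripped).
POST1_CMD = (
    "concourse web --add-local-user evan:123456 --main-team-local-user evan "
    "--session-signing-key session_signing_key --tsa-host-key tsa_host_key "
    "--tsa-authorized-keys authorized_worker_keys --postgres-user=concourse "
    "--postgres-password=123456 --external-url=http://10.160.39.203:8080 "
    "--ldap-host=ldaps.eng.mycompany.com --ldap-user-search-base-dn='dc=mycompany,dc=com' "
    "--ldap-group-search-filter='(objectclass=posixGroup)' --ldap-group-search-base-dn='ou=group'"
)

# Constructed from post #7 (the working flag set).
POST7_CMD = """concourse web --ldap-display-name=LDAP --ldap-host=ldap.mycompany.com
--ldap-bind-dn='my_bind_dn' --ldap-bind-pw='my_bind_pass'
--ldap-user-search-base-dn='dc=mycompany,dc=com'
--ldap-group-search-filter='(objectclass=posixGroup)'
--ldap-group-search-base-dn='OU=Groups,OU=Corp,OU=Common,DC=mycompany,DC=com'
--ldap-user-search-username=sAMAccountName --ldap-insecure-skip-verify --ldap-insecure-no-ssl
--ldap-user-search-filter='(objectCategory=Person)' --ldap-user-search-email-attr=mail
--ldap-user-search-name-attr='displayName' --ldap-user-search-id-attr=sAMAccountName
--ldap-group-search-user-attr=sAMAccountName"""


@dataclass
class Report:
    ldap_flags: dict          # every --ldap-* flag seen, with its value (True for switches)
    missing_connector: list   # flags without which the connector is not enabled at all
    missing_search: list      # flags without which the user search fails at login time
    insecure: list            # insecure switches that are turned on

    @property
    def ldap_enabled(self) -> bool:
        return not self.missing_connector


def parse_web_command(cmdline: str) -> dict:
    """Turn a `concourse web ...` command line into a flag dict.

    Accepts both --flag=value and --flag value; a flag followed by another flag
    (or by nothing) is treated as a boolean switch and stored as True.
    """
    tokens = shlex.split(cmdline)   # handles the quoted DN / filter values
    flags = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            if "=" in tok:
                key, value = tok.split("=", 1)
                flags[key] = value
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                flags[tok] = tokens[i + 1]
                i += 1
            else:
                flags[tok] = True
        i += 1
    return flags


def check_ldap_config(cmdline: str) -> Report:
    """Report which thread-identified mandatory LDAP flags are absent and which insecure switches are on."""
    flags = parse_web_command(cmdline)
    ldap = {k: v for k, v in flags.items() if k.startswith("--ldap-")}
    return Report(
        ldap_flags=ldap,
        missing_connector=[f for f in REQUIRED_FOR_CONNECTOR if f not in ldap],
        missing_search=[f for f in REQUIRED_FOR_SEARCH if f not in ldap],
        insecure=[f for f in INSECURE_SWITCHES if ldap.get(f) is True],
    )


def format_report(report: Report) -> str:
    lines = []
    if report.missing_connector:
        lines.append("LDAP connector will NOT be enabled; missing: " + ", ".join(report.missing_connector))
    if report.missing_search:
        lines.append("user search will fail at login; missing: " + ", ".join(report.missing_search))
    for switch in report.insecure:
        lines.append(f"WARNING: {switch} is set; LDAP traffic (including the bind password) is not TLS-protected")
    return "\n".join(lines) if lines else "LDAP flags look complete"


if __name__ == "__main__":
    for label, cmd in (("post #1", POST1_CMD), ("post #7", POST7_CMD)):
        print(f"== {label} ==")
        print(format_report(check_ldap_config(cmd)))
```

Run against the post #1 command line it reports both bind flags and the three user-search attribute flags as missing, which matches the silent failure described in the thread; against the post #7 flag set it reports nothing missing but flags both insecure switches, which is the part of the working configuration worth revisiting with whoever runs the LDAP server (a certificate the web node trusts, and LDAPS or StartTLS instead of plaintext).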