LDAP fails, console prints "missing following required attribute"

I’ve got an LDAP server and I know it works because I have a small Python test script which gives me true or false depending on whether I present a valid username/pass or not.

I am running concourse master at the command line.

To test a bad username/password, when I try and login to the web interface, the web browser shows “invalid username and password” and the console logs this:
{"timestamp":"2019-12-19T11:10:10.941760474Z","level":"error","source":"atc","message":"atc.dex.event","data":{"fields":{},"message":"ldap: no results returned for filter: "(uid=asdassa)"","session":"7"}}

Which is what I’d expect.

If I log in with a valid user/pass, the browser shows "Internal Server Error … Login error" and the console shows the messages below:

{"timestamp":"2019-12-19T11:04:31.836112215Z","level":"info","source":"atc","message":"atc.dex.event","data":{"fields":{},"message":"performing ldap search ou=People,dc=example,dc=com sub (uid=paulm)","session":"7"}}

{"timestamp":"2019-12-19T11:04:31.836946888Z","level":"info","source":"atc","message":"atc.dex.event","data":{"fields":{},"message":"username "paulm" mapped to entry uid=paulm,ou=People,dc=example,dc=com","session":"7"}}

{"timestamp":"2019-12-19T11:04:31.837397205Z","level":"error","source":"atc","message":"atc.dex.event","data":{"fields":{},"message":"Failed to login user: ldap: entry "uid=paulm,ou=People,dc=example,dc=com" missing following required attribute(s): ["" "uid" ""]","session":"7"}}

These are the params in the startup script:

export CONCOURSE_EXTERNAL_URL=http://concoursemaster.example.com:8080
export CONCOURSE_MAIN_TEAM_LOCAL_USER=paulm
export CONCOURSE_SESSION_SIGNING_KEY=/var/concourse/session_signing_key
export CONCOURSE_TSA_HOST_KEY=/var/concourse/tsa_host_key
export CONCOURSE_TSA_AUTHORIZED_KEYS=/var/concourse/tsa_authorized_keys
export CONCOURSE_POSTGRES_HOST=127.0.0.1
export CONCOURSE_POSTGRES_PORT=5432
export CONCOURSE_POSTGRES_DATABASE=concourse
export CONCOURSE_POSTGRES_USER=concourse
export CONCOURSE_POSTGRES_PASSWORD=pgpassword
export CONTAINER_PLACEMENT_STRATEGY=fewest-build-containers
export CONCOURSE_LDAP_DISPLAY_NAME=Acme
export CONCOURSE_LDAP_HOST=ldap3.example.com
export CONCOURSE_LDAP_BIND_DN='cn=ldapadm,dc=example,dc=com'
export CONCOURSE_LDAP_BIND_PW='somepassword'
export CONCOURSE_LDAP_USER_SEARCH_BASE_DN='ou=People,dc=example,dc=com'
export CONCOURSE_LDAP_USER_SEARCH_USERNAME=uid

Try adding:

export CONCOURSE_LDAP_USER_SEARCH_ID_ATTR=uid
export CONCOURSE_LDAP_USER_SEARCH_NAME_ATTR=name
export CONCOURSE_LDAP_USER_SEARCH_MAIL_ATTR=mail
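To see why the three attribute settings matter, here is an added example (not Concourse or dex code) that replays the search, map and validate steps visible in the logs against a constructed directory entry that, like the poster's, has uid and cn but no name or mail attribute. It is my reconstruction of the check, so how an unset attribute name is reported is an assumption; DIRECTORY, ORIGINAL and WORKING are constructed sample data.

```python
# Added example (not Concourse/dex code): models the LDAP login steps shown
# in the logs against a constructed directory, so the attribute mapping can
# be checked offline before changing CONCOURSE_LDAP_USER_SEARCH_*_ATTR.

# Constructed stand-in for ou=People,dc=example,dc=com. Like the poster's
# directory it has uid and cn but no "name" or "mail" attribute.
DIRECTORY = {
    "uid=paulm,ou=People,dc=example,dc=com": {
        "uid": ["paulm"], "cn": ["Paul M"], "objectClass": ["inetOrgPerson"],
    },
}

def escape_filter_value(value):
    """RFC 4515 escaping so a username cannot change the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(search_attr, username):
    """The "(uid=asdassa)" style filter that dex logs for the user search."""
    return "(%s=%s)" % (search_attr, escape_filter_value(username))

def find_entry(base_dn, search_attr, username):
    """Unique (dn, attrs) under base_dn whose search_attr equals username, else None."""
    hits = [(dn, a) for dn, a in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower()) and username in a.get(search_attr, [])]
    return hits[0] if len(hits) == 1 else None

def missing_required_attrs(attrs, config):
    """Configured id/name/email attribute names the entry does not carry.
    An attribute left unset is reported as "" (assumption, matching the log)."""
    missing = []
    for key in ("id_attr", "name_attr", "email_attr"):
        name = config.get(key, "")
        if not name or not attrs.get(name):
            missing.append(name)
    return missing

def login_check(username, config):
    """Outcome of the search -> map -> validate steps for one username."""
    hit = find_entry(config["base_dn"], config["search_username"], username)
    if hit is None:
        return "no results returned for filter: " + build_filter(config["search_username"], username)
    dn, attrs = hit
    missing = missing_required_attrs(attrs, config)
    if missing:
        return 'entry "%s" missing following required attribute(s): %s' % (dn, missing)
    return "ok: %s mapped to entry %s" % (username, dn)

ORIGINAL = {"base_dn": "ou=People,dc=example,dc=com", "search_username": "uid"}
WORKING = dict(ORIGINAL, id_attr="uid", name_attr="cn", email_attr="cn")
```

Running `login_check("paulm", ORIGINAL)` reproduces the "missing following required attribute(s)" failure, while the suggested `name`/`mail` mapping still reports those two as missing for this entry and only the cn-based WORKING mapping passes.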

Thanks, i-m-wisch, I got it working now. I don’t have an email/mail attribute so I used a different field… this is what I have in my Concourse startup script:

export CONCOURSE_LDAP_DISPLAY_NAME='My Business Name LDAP'
export CONCOURSE_LDAP_HOST=ldap.example.com # port defaults to 389 or 636
export CONCOURSE_LDAP_BIND_DN='cn=ldapadm,dc=aws,dc=example,dc=com'
export CONCOURSE_LDAP_BIND_PW='myldapadmpass'
export CONCOURSE_LDAP_USER_SEARCH_BASE_DN='ou=People,dc=aws,dc=example,dc=com'
export CONCOURSE_LDAP_USER_SEARCH_USERNAME=uid

export CONCOURSE_LDAP_USER_SEARCH_ID_ATTR=uid
export CONCOURSE_LDAP_USER_SEARCH_NAME_ATTR=cn
export CONCOURSE_LDAP_USER_SEARCH_EMAIL_ATTR=cn

So this works great; I can access the web portal and it authenticates with my LDAP server just fine.

So then I went to test it, and now I find that I can’t log in with "fly"…

$ /usr/local/bin/fly -t aa login -c https://concourse -k -u paulm -p 'mypassword'

logging in to team 'main'

error: oauth2: cannot fetch token: 401 Unauthorized
Response:

I tried adding this to the Concourse environment file:

CONCOURSE_MAIN_TEAM_LDAP_USER=paulm

Looking at the Concourse log, I see:

Jan  3 15:38:25 concoursemaster: {"timestamp":"2020-01-03T15:38:25.559912084Z","level":"error","source":"atc","message":"atc.sky.token.failed-to-fetch-dex-token","data":{"error":"oauth2: cannot fetch token: 400 Bad Request\nResponse: {\"error\":\"invalid_request\",\"error_description\":\"Requested connector does not exist.\"}","session":"6.172"}}

Jan  3 15:38:25 concoursemaster: {"timestamp":"2020-01-03T15:38:25.561254885Z","level":"error","source":"atc","message":"atc.sky.token.invalid-basic-auth","data":{"session":"6.173"}}

and I don’t see anything about an attempt to do an LDAP auth.