We are developing an application which will have two primary classes of users, those that are internal to our organization and those that are external clients. For the external clients, we are using an Auth0 user database, and for the internal users we’d like to utilize our FreeIPA server for authentication.
We have installed and configured the LDAP connector and have enabled the connection for our application. We are able to successfully authenticate when using a username, but for that to work the enterprise connection can be the only connection enabled, which is obviously not what we want. FreeIPA supports authenticating using email addresses, and I have verified that in our local environment.
So, I enabled both the enterprise LDAP connection and the database connection and modified the enterprise settings, adding our domain to the IdP domains, but we are unable to authenticate no matter what we try; the connector always logs the error: “Authentication attempt failed. Reason: wrong username”
This is what we have currently set for the user lookup in the config.json: "LDAP_USER_BY_NAME": "(|(sAMAccountName={0})(uid={0})(krbPrincipalName={0}))". uid is the primary username attribute, and that setting works when authenticating with just a username.
krbPrincipalName is the attribute name for the email, as far as I can tell anyway… I’ve also tried krbCanonicalName and mail but nothing seems to work.
Cause
It was determined that email authentication was likely failing because the connector defaults to an anonymous search whenever the server permits one, even if bind credentials are specified. The likely cause is the limited set of user attributes the server returns to an anonymous search. The customer did some testing and found that when the bind credentials were used instead of the anonymous search, email authentication succeeded.
Solution
In this case, they were unable to disable anonymous search on their FreeIPA server at this time due to several factors, so they needed a different solution.
They created a pull request which adds a setting to the config.json named LDAP_PREFER_BIND_CREDENTIALS. When it is set to true, the connector (with just a few lines of code changed) communicates with the LDAP server using the specified LDAP_BIND_USER and LDAP_BIND_PASSWORD rather than the anonymous search.
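The following is an added illustration, not code from the Auth0 connector or the customer's pull request: it models how a lookup could honour an LDAP_PREFER_BIND_CREDENTIALS setting alongside the existing LDAP_BIND_USER and LDAP_BIND_PASSWORD keys, and how the LDAP_USER_BY_NAME template is turned into a search filter with the typed identifier escaped per RFC 4515 so an email address or username cannot change the filter's structure. The function names, the serverAllowsAnonymous argument and the sample bind DN are assumptions.

```javascript
// Escape a user-supplied value for use inside an LDAP filter (RFC 4515):
// the characters \ * ( ) and NUL become \5c \2a \28 \29 \00.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) => {
    return '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0');
  });
}

// Substitute the identifier the user typed for every {0} placeholder in
// the LDAP_USER_BY_NAME template (a function replacement avoids "$" patterns).
function buildUserFilter(template, identifier) {
  const escaped = escapeFilterValue(identifier);
  return template.replace(/\{0\}/g, () => escaped);
}

// Decide how the user lookup is performed. serverAllowsAnonymous is an
// assumed flag standing in for "the server permits anonymous search".
function chooseSearchMode(config, serverAllowsAnonymous) {
  const hasBindCreds = Boolean(config.LDAP_BIND_USER && config.LDAP_BIND_PASSWORD);
  if (config.LDAP_PREFER_BIND_CREDENTIALS === true && hasBindCreds) {
    return 'bind';      // new setting: always search as the bind user
  }
  if (serverAllowsAnonymous) {
    return 'anonymous'; // default behaviour described on the page
  }
  return hasBindCreds ? 'bind' : 'none';
}

// Constructed sample config; the filter is the one quoted on the page,
// the bind DN and password are placeholders.
const sampleConfig = {
  LDAP_USER_BY_NAME: '(|(sAMAccountName={0})(uid={0})(krbPrincipalName={0}))',
  LDAP_BIND_USER: 'uid=auth0-svc,cn=users,cn=accounts,dc=example,dc=test',
  LDAP_BIND_PASSWORD: 'constructed-placeholder',
  LDAP_PREFER_BIND_CREDENTIALS: true,
};

console.log(chooseSearchMode(sampleConfig, true));
console.log(buildUserFilter(sampleConfig.LDAP_USER_BY_NAME, 'jdoe@example.test'));
```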