AD/LDAP Connector - Error: Unable to find users. Verify the permissions for

I am evaluating to use Auth0 for our customers who will access our Apps via modern SPA, web and mobile apps. My company is using Jumpcloud as a Directory as a Service to host LDAP. for internal users on our network so that they can all have a central login. Thus I want to connect Auth0 and JumpCloud via the AD/LDAP Connector via a Debian Unix host running on GCP.

The issue: I am getting a permissions issue when running the AD/LDAP Connector.

I can connect successfully via another LDAP client and have checked that the user has “Enable as LDAP Bind DN” checked on their privileges.

I am now at a point where I have tried a number of combinations of DN’s and usernames and have followed your Trouble shooting guide but I still can not get it to work and am close to giving up.

I’d be grateful if anyone has some ideas to help?

I have attached my config.json (without password) and all the other info I could gather.
Note: I do not have a /var/log/auth0-adldap.log

config.json - note I had to remove “://” from url’s in this issue in order to be able to post it through the community GUI

{
  "LDAP_BASE": "ou=Users,o=588888eb13d4361f4b00a97e,dc=jumpcloud,dc=com",
  "LDAP_URL": "ldaps ldap.jumpcloud.com:636",
  "ANONYMOUS_SEARCH_ENABLED": false,
  "AD_HUB": "https_auth0-idp.eu.auth0.com/lo/hub",
  "PROVISIONING_TICKET": "https_auth0-idp.eu.auth0.com/p/ad/WIHZRT31",
  "WSFED_ISSUER": "MASKEDXXYYZZ.net",
  "CONNECTION": "JumpCloudLDAP",
  "CLIENT_CERT_AUTH": false,
  "KERBEROS_AUTH": false,
  "FIREWALL_RULE_CREATED": false,
  "REALM": "urn:auth0:auth0-idp",
  "SITE_NAME": "JumpCloudLDAP",
  "urn:auth0:auth0-idp": "https auth0-idp.eu.auth0.com/login/callback",
  "LDAP_BIND_USER": "uid=ldapadmin,ou=Users,o=58de3aeb13d4361f4b00a97e,dc=jumpcloud,dc=com",
  "SERVER_URL": "http address:4000",
  "LAST_SENT_THUMBPRINT": "61888e72dc5a4eab99809eaac0981d6f51d88b95",
  "TENANT_SIGNING_KEY": "-----BEGIN CERTIFICATE-----\r\nMIIDBzCCAe+gAwIBAgIJRidevOsTxfNZMA0GCSqGSIb3DQEBCwUAMCExHzAdBgNV\r\nBAMTFmF1dGgwLWlkcC5ldS5hdXRoMC5jb20wHhcNMTgwNzI3MDQ0OTEzWhcNMzIw\r\nNDA0MDQ0OTEzWjAhMR8wHQYDVQQDExZhdXRoMC1pZHAuZXUuYXV0aDAuY29tMIIB\r\nIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA246HHdWFmaN08dhuDqc4NjzD\r\nPWZax4mhKs33shImZjWUhshS7N8T+gWmRCH7A8sMUm66Cf01dD2nmS9VpCA3zGxe\r\n7l3GiyfMVVfDy22I7GhNNIhvHOjOrT1OnUior837EC0Rj9B1TgZflaC1V+Z+VPa1\r\neMKiH5UIkSfA0yr5A2J8GIBs4asSF2yj/skSHxAIaCMdLkE0q9PqR90RhKhmYXZD\r\n9BlezRFJg2jidc7x81Ruv3eDR3TeAY3L6CrInKlynI/6qKzwK+LLWd+eLaS3OGdK\r\nzAA2da+hhzsEmqLwDaEKncKwM0XYLl609YEV3jiFA3YviuH77pQVvJ7eD4uScQID\r\nAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSAdtEJ4DMaIjxOiuLJ\r\nKXbItF0kTjAOBgNVHQ8BAf8EBAMCAoQwDQYJKoZIhvcNAQELBQADggEBANIhVyXt\r\nDsxzIfGgPb6Hn7dQEVUEHqRbiLSBPujyBCQrHR3qI0jqHtytU8KV9egYBzvxs+UC\r\njqd0SpGzMkbPhty6aP07ezEDqPYbtJQ+nxxS40H31MRHlNWW56TQsUhOkP3pwOnC\r\nrmI7+QwlxcU7KUusEWqkhoKvqWPWD09V+SZIdDDNlRycLRTMDTN9hGWK2mgpNNd0\r\nHLzOYCUrzlJ880HFoSsEAd019VD191Dfz3fVi/SmlUfuaZ8lIMMBGI3o/yCXL58I\r\nR/eWd/yURjLhN2HPrWamXiLjevDultVrKgY4SJhM7zC8C8uK4un3++wSbZ4nHqY1\r\nmAJTAcHS5Lhmx2I=\r\n-----END CERTIFICATE-----\r\n",
  "LDAP_BIND_CREDENTIALS": "MASKEDXXYYZZ"
}

When running the troubleshoot.js

/opt/auth0-adldap# node troubleshoot.js
Troubleshooting AD LDAP connector
Reading CA certificates from OPENSSLDIR
Reading CA certificates from /usr/lib/ssl/certs
Adding 152 certificates
06:24:06 - info: No proxy server configured.
06:24:06 - info: ✭ Testing connectivity to Auth0…
06:24:06 - info: > Test endpoint: https auth0-idp.eu.auth0.com/test
06:24:06 - info: :heavy_check_mark: Connection to test endpoint succeeded.
06:24:06 - info: ✭ Testing hub connectivity (WS).
06:24:06 - info: :heavy_check_mark: Connection to hub succeeded.
06:24:06 - info: ✭ Testing clock skew…
06:24:07 - info: :heavy_check_mark: Everything OK. No clock skew detected.
06:24:07 - info: ✭ Testing certificates…
06:24:07 - info: > Local thumbprint: 61847e72dc5a4eab99809eaac0981d6f51d88b95
06:24:07 - info: > Server thumbprint: 61847e72dc5a4eab99809eaac0981d6f51d88b95
06:24:07 - info: :heavy_check_mark: Local and server certificates match.
06:24:07 - info: ✭ Running NLTEST…
06:24:07 - warn: > NLTEST can only run on Windows.
06:24:07 - info: ✭ Testing LDAP connectivity.
06:24:07 - info: > LDAP BASE: ou=Users,o=58de3aeb13d4361f4b00a97e,dc=jumpcloud,dc=com
end
06:24:07 - error: > Error: Unable to find users. Verify the permissions for the current user.
06:24:07 - info: Done!

When running the server.js

root@auth0-jumpcloud-ldap-bridge:/opt/auth0-adldap# node server.js
[2018-07-31 06:35:37] Reading CA certificates from OPENSSLDIR
[2018-07-31 06:35:38] Reading CA certificates from /usr/lib/ssl/certs
[2018-07-31 06:35:38] Adding 152 certificates
[2018-07-31 06:35:38] Loading settings from ticket: https auth0-idp.eu.auth0.com/p/ad/WIHZRT31/info
[2018-07-31 06:35:38] Local settings updated.
[2018-07-31 06:35:38] Certificates already exist, skipping certificate generation.
[2018-07-31 06:35:38] Configuring connection JumpCloudLDAP.
[2018-07-31 06:35:38] > Posting certificates and signInEndpoint: http auth0-jumpcloud-ldap-bridge:4000/wsfed
[2018-07-31 06:35:38] Connection JumpCloudLDAP configured.
[2018-07-31 06:35:38] Connector setup complete.
[2018-07-31 06:35:38] Cache enabled
[2018-07-31 06:35:38] Connecting to wss auth0-idp.eu.auth0.com/lo/hub.
[2018-07-31 06:35:38] jsonwebtoken: expiresInMinutes and expiresInSeconds is deprecated. (/opt/auth0-adldap/ws_vali
dator.js:300:19)
Use “expiresIn” expressed in seconds.
[2018-07-31 06:35:38] auth0: Agent accepted.
[2018-07-31 06:35:39] latency test took avg: 81.6 ms, max: 122.04 ms, min: 70.05 ms

I was facing the same issue. It turned out that the default troubleshooting.js script doesn’t fit my LDAP structure. The nconf.get(‘LDAP_SEARCH_ALL_QUERY’) returns (objectCategory=person), which is something not existing in my LDAP object. I redefined the LDAP_SEARCH_ALL_QUERY in config.json and reran the troubleshooting script, then I got a list of users.

Hey @devops3!

Thanks a lot for sharing that. If you had a chance @marcus.davies please test this one as it may solve your case, otherwise we’ll be digging further!