User keeps failing authentication with a connected LDAP

Hi Auth0 community,

I’m new to using Auth0 and this might be a super simple problem but I can’t quite figure out what’s wrong here.

Configured an LDAP connector successfully with I think minor issue:
Troubleshooting AD LDAP connector

Reading CA certificates from Windows Store
Adding 32 certificates
15:11:53 - info: No proxy server configured.
15:11:53 - info: * Testing connectivity to Auth0…
15:11:53 - info: > Test endpoint:
15:11:53 - info: √ Connection to test endpoint succeeded.
15:11:53 - info: * Testing hub connectivity (WS).
15:11:53 - info: √ Connection to hub succeeded.
15:11:53 - info: * Testing clock skew…
15:11:54 - info: √ Everything OK. No clock skew detected.
15:11:54 - info: * Testing certificates…
15:11:54 - info: > Local thumbprint: 3ae89dc0eb7dc5309a28b4c1dad659b176abba9e
15:11:54 - info: > Server thumbprint: 3ae89dc0eb7dc5309a28b4c1dad659b176abba9e
15:11:54 - info: √ Local and server certificates match.
15:11:54 - info: * Running NLTEST…
15:11:54 - error: > Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
15:11:54 - info: * Testing SSL connectivity to LDAP.
15:11:54 - info: * Testing LDAP connectivity.
15:11:54 - info: > LDAP BASE: o=demo
15:11:54 - info: > Found user: test.user1@mailinator.com
15:11:54 - info: > Found user: undefined

So all good I think, I referenced the default app to this connection and tested out by entering the test user above, I failed authentication:

auth0: Agent accepted.
user test.user1@mailinator.com: Starting authentication attempt.
user test.user1@mailinator.com: Authentication attempt failed. Reason: wrong username

What username is it expecting? I mapped either “uid” or “mail” from my ldap to the profile.username:
var profile = {
id: raw_data.uid || raw_data.mail,
username: raw_data.uid || raw_data.mail,
displayName: raw_data.displayName,
name: {
familyName: raw_data.sn,
givenName: raw_data.givenName
},
//nickname: raw_data[‘sAMAccountName’] || raw_data[‘cn’] || raw_data[‘commonName’],
groups: raw_data[‘groups’],
emails: (raw_data.mail ? [{value: raw_data.mail }] : undefined)
};

Please shed me some light here, thanks!

-k

Hey @karmen.lei , Welcome to the Auth0 community!

Just to confirm what the dc value you have configured on your config.json file?
There is a parameter by name : “LDAP_BASE”: “dc=yyy,dc=zzz”

You can also check on the LDAP settings of the connector:

Regards,
Sidharth

1 Like

Hi @sidharth.chaudhary ,

Thanks for replying, here’s my config.json:
“_csrf”: “”,
“PROVISIONING_TICKET”: “”,
“AD_HUB”: “https:///lo/hub”,
“LDAP_URL”: “ldap://localhost:389”,
“LDAP_BASE”: “ou=people,o=demo”,
“LDAP_BIND_USER”: “cn=admin,o=demo”,
“LDAP_SEARCH_QUERY”: “(&(objectClass=inetorgperson)(cn={0}))”,
“LDAP_SEARCH_ALL_QUERY”: “(objectclass=inetorgperson)”,
“LDAP_USER_BY_NAME”: “(cn={0})”,
“ENABLE_WRITE_BACK”: true,
“ENABLE_ACTIVE_DIRECTORY_UNICODE_PASSWORD”: false,
“PORT”: 49762,
“ANONYMOUS_SEARCH_ENABLED”: true,
“WSFED_ISSUER”: “urn:”,
“CONNECTION”: “eDirectory”,
“CLIENT_CERT_AUTH”: false,
“KERBEROS_AUTH”: false,
“FIREWALL_RULE_CREATED”: false,
“REALM”: “urn:auth0:”,
“SITE_NAME”: “eDirectory”,
“urn:auth0:”: “https:///login/callback”,
“LDAP_BIND_CREDENTIALS”: “$2$.71a4ec89e96c10a54f94f3d2007e755b.5872ad1bcc619c3347029be4c9ac070e.03d264d01a2175f9917a5a755b87c85e”,
“SERVER_URL”: “http://:49762”,
“LAST_SENT_THUMBPRINT”: “3ae89dc0eb7dc5309a28b4c1dad659b176abba9e”,
“TENANT_SIGNING_KEY”:

Using the AD/LDAP Connector admin tool, in Troubleshooting, the troubleshooter failed the NLTEST, does it matter? I’m not connecting to AD. It did return my test user from my config. But in Search, both “Find user by login” and “Search users” failed to return my test user:

I’m running out of ideas here, please help.

Thanks,
Karmen

Hey @karmen.lei ,

One thing worth checking is the LDAP_USER_BY_NAME parameter in your
config.json file.
Currently looking at your config file, it looks like it only searches via the username.
So when you try to authenticate the user, it will only search on the username field.
So if you give an email it will fail authentication.

Can you try with this search query in the config.json file:
“LDAP_USER_BY_NAME”: “(|(cn={0})(mail={0}))”
Please restart your connector before testing and changes take place.

More information here:

Regards,
Sid

1 Like

One More thing worth highlighting is the:
“LDAP_BASE”: “ou=people,o=demo”,

Does it reflect your domains correctly?

1 Like

Hi Sidharth,

Greatly appreciate your continuous help here. Just to have the entire config in one message here. I installed and configured the AD/LDAP connector without much problems, my config didn’t complain, i.e, the connector was able to connect to my LDAP (eDirectory). The Troubleshooter also was able to find the one test user:

Again, NLTEST failed but I wasn’t connecting to AD here, so I ignored this error. I did update the config.json to provide both “cn” and “mail” as possible login option:

Restarting the connector, I still failed the Search:

Regarding your LDAP_BASE question, yes, I have the domain correct, here’s the LDAP entry that I use to test this (cn=user1), you can see that the hierarchy is cn=user1,ou=people,o=demo:

I even looked into the connector code myself: ad-ldap-connector/users.js at 2f323447f5c5ecc010a98a468eb07475e9604558 · auth0/ad-ldap-connector · GitHub and I don’t see the issue with replacing “username” with what I put in, the “cn” attribute value:

Users.prototype.getByUserName = function (userName, callback) {
var self = this;

var opts = {
scope: ‘sub’,
filter: nconf.get(‘LDAP_USER_BY_NAME’).replace(/{0}/g, userName)
};

FYI, I have no issue integrating this LDAP with another vendor’s agent, so I know the LDAP itself is valid.

The question is why is it working fine in Troubleshooter but not Search? If I can get Search to work, then I know it’ll work with the default app. Any ideas are much appreciated.

Thanks,
Karmen

One thing I can also try is change the LDAP_SEARCH_BY_QUERY to include mail attribute as well. But I somewhat expect it to fail as well… -k

Hey @karmen.lei

Also In your LDAP_BASE, I see you don’t have the Domain component(DC) defined, and NLTEST seems to be complaining about DC only.
Can you try and add it as well?

1 Like

Hi Sidarth,

I don’t understand here, I’m not connecting to AD. Also, what would my DC be? You can see from my sample entry that my root suffix (in this case my DC) is o=demo.

Karmen