AD LDAP authentication failure

[SergeyTrue]

Issue submitter TODO list

• I've looked up my issue in FAQ
• I've searched for an already existing issues here
• I've tried running main-labeled docker image and the issue still persists there
• I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

I have configured kafka-ui to authenticate via LDAP. I get error
o.s.s.l.a.a.ActiveDirectoryLdapAuthenticationProvider: Active Directory authentication failed: Supplied password was invalid
whenever i try to login. I'm sure I've ented correct credentials (both in UI the ldap config). I tried credentials of different users, but result is the same.

Expected behavior

I would expect that I would be able to login using my AD password.

Your installation details

/etc/kafkaui/roles.yml

auth:
  type: LDAP
spring:
  ldap:
    urls: ldap://t-global.company:389
    base: "CN={0},OU=NoAdmins,OU=MSK,OU=Users,DC=T-Global,DC=company"
    admin-user: "CN=Doe John,OU=NoAdmins,OU=MSK,OU=Users,DC=T-Global,DC=company" 
    admin-password: "pass"
    user-filter-search-base: "DC=t-Global,DC=company"
    user-filter-search-filter: "(&(sAMAccountName={0})(objectClass=user))"
    group-filter-search-base: "OU=Groups,OU=company,DC=T-Global,DC=company"
oauth2:
  ldap:
    activeDirectory: true
    activeDirectory:
      domain: t-global.company

ldapsearch output, for the role i'm trying to authenticate both in IU and specified in the config:

ldapsearch -H ldap://t-global.company:389 -D "CN=Doe John,OU=NoAdmins,OU=CITY,OU=Users,OU=company,DC=T-Global,DC=company" -w "pass" -b "DC=T-Global,DC=company" "(sAMAccountName=DoeJ)"
# Doe John, NoAdmins, CITY, Users, company, T-Global.company
dn: CN=Doe John,OU=NoAdmins,OU=CITY,OU=Users,OU=company,DC=T-Global,DC=company
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Doe John

distinguishedName: CN=Doe John,OU=NoAdmins,OU=CITY,OU=Users,OU=company,DC=T-
 Global,DC=company
memberOf: CN=MNG_SRV_S-NSK90-APP0276_Admins,OU=S-NSK90-APP0276,OU=NSK,OU=Serve
 rs,OU=Manage,OU=Groups,OU=company,DC=T-Global,DC=company
name: Doe John
sAMAccountName: DoeJ
userPrincipalName: DoeJ@t-global.company
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=T-Global,DC=company

Steps to reproduce

Kafka is runnigng in docker swarm:
docker stack deploy -c docker-compose.yml kafka_cluster

Screenshots

No response

Logs

Here are the logs from kafka-ui service.

33mo.s.s.l.a.a.ActiveDirectoryLdapAuthenticationProvider�[0;39m: Active Directory authentication failed: Supplied password was invalid

Additional context

No response

[github-actions]

Hi SergeyTrue! 👋

Welcome, and thank you for opening your first issue in the repo!

Please wait for triaging by our maintainers.

As development is carried out in our spare time, you can support us by sponsoring our activities or even funding the development of specific issues.
Sponsorship link

If you plan to raise a PR for this issue, please take a look at our contributing guide.

[SergeyTrue]

Addidilal info:

1. Here is how the error in UI looks like
   

2. Uploaded my docker-compose.yml
   docker-compose (1).txt

3. Full log from kafka-ui service.

kafka_ui.log

The last line of the logs is the error I get whenever I try to login. The error messages before are not direclty related to the login event, but maybe they can help to find out what's going wrong.
4) The image in my docker-compose is tagged
artifactory.gitlab.company.ru/docker/kafbat/kafka-ui:latest
It's our company's registry which mirrors docker-hub.

[Haarolean]

Hi, we have the following resources related to LDAP/AD:

• a docker compose example with rroemhild/test-openldap ldap server, this works fine
• AD auth test, which also runs on main fine

The issue most likely is with your config, usually, it's about filters.

Try adding the following config properties:

logging:
  level:
    org.springframework.security.ldap: TRACE

Restart, re-authenticate, check logs, especially for SpringSecurityLdapTemplate, this will give you some insight on what's happening with these filters.

[kapybro]

Further user feedback is requested. Please reply within 7 days or we might close the issue.

[SergeyTrue]

Hi @Haarolean
Thanks for your prompt reply! I'll try it out and let you know.

[kapybro]

Thanks for the additional feedback! We'll get back to your issue soon.