Wiki JS error Authentication LDAP

[Yuri-Zizeko]

Linux - Debian (linux) 10.2 x64
Node.js 10.15.2
PostgreSQL 12.1

Config:
LDAP URL: ldap://10.1.1.2:389
Admin Bind DN: cn=test,OU=MAN,OU=OLD,OU=Company,dc=test,dc=com
Admin Bind Credentials: P@$$w0rd!
Search Base: OU=MAN,OU=OLD,OU=Company,dc=test,dc=com
Search Filter: searchFilter: '(sAMAccountName={{username}})'

Error:
Invalid email / username or password.

Port 389 is open
Checked by telnet

The domain controller responds

[Yuri-Zizeko]

Perhaps you need to install additional software?

[NGPixel]

In the admin area > Dev > Flags. Enable the LDAP Debug flag. Then look at the logs during a login attempt. You should see any error returned by the server.

[abnerrizzi]

I did that and nothing has changed in logs at leat in my docker container

[jko-nic]

It did not changed nothing even in case of Linux installation with SystemD service.

[Yuri-Zizeko]

2019-11-21T08:07:57.170Z [MASTER] warn: LDAP LOGIN ERROR (c1): Invalid email / username or password.

[Yuri-Zizeko]

This configuration works successfully on v1.0.117

[NGPixel]

Can you screenshot the Search Filter field in the admin area > Auth > LDAP?

[Yuri-Zizeko]

[Yuri-Zizeko]

Does anyone work with Ldap authentication?

[kingfisher77]

Yes, we got it to work with ldaps.

[Yuri-Zizeko]

Да, мы получили его для работы с ldaps.

Help with authentication settings please

[pirvana]

Help with the authentication settings, please, I need you to authenticate without having to modify the "mail" field, in the ldap

[inginheiiro]

I've the same problem.... i believe there is a bug in file server/core/auth.js
in the authenticate function "you" do not validate the defined authentication strategy, in this case LDAP... you are assuming jwt auth...

[NGPixel]

@inginheiiro No, you're confusing the authorization strategy (always JWT) and the authentication strategy (LDAP, local, google, etc.). They are completely unrelated.

[kingfisher77]

Help with the authentication settings, please, I need you to authenticate without having to modify the "mail" field, in the ldap

You could try this:
(|(uid=%uid)(mail=%uid))
Here LDAP attributes uid or mail can be used for wiki field uid.

[hbokh]

Had the same issue here. Using the exact same OpenLDAP credentails from wiki 1.0 in 2.0.

This helped: enable self-registration in the LDAP module - source: #1232 (comment)
At first I got redirected to the login-page. As administrator (using the local login) added the new user to the right group and things worked as expected.

[pirvana]

@kingfisher77 Good friend, this is what appeared to me when placing what you requested, one more thing, it only worked without the symbol "|" (tube), any other option that could help me?

[juliendms]

I would guess that for now the mail field is required when creating a user, therefore if this field is empty the creation of the user fails. It is I guess because this field is the username when creating a new user locally.
You might be able to do a kind of script that will fill the mail with the username from the LDAP and append a @company.com, that's something worth checking. Sorry I cannot help much more.

[andresmorago]

this would be very interesting to try as some of the AD users dont have the "mail" field populated

[ethanmdavidson]

@pirvana it looks like you need to change the search filter to use the attribute that is actually holding the username. For example, my company uses Active Directory and I had to use the search filter (sAMAccountName={{username}}) because the username is stored in the sAMAccountName attribute.
Try using an LDAP browser to look at all the attributes on your user object, find the one that contains the username, and change the filter to use that attribute.

[vtjc2002]

Here is what worked for me and this works with "Allow self-registration" as well

[pirvana]

Thanks to all, really, I tried each one of the solutions that they wrote to me but still it doesn't let me just talk to the user, without having the "mail" field, configured in the LDAP, it would be great if this did not request :(, but Thank you all, I will continue looking for some way to solve this

[Yuri-Zizeko]

000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839

[dieterv]

I've been hitting the exact same "warn: LDAP LOGIN ERROR (c1): Invalid email / username or password." error for a couple of days now.

Finally solved it after:

• resetting the password
• setting the "user cannot change password" property
• setting the "password never expires" property

of the Active Directory "Admin Bind DN" account.
I'm sure the exact same password was used when creating the "Admin Bind DN" account so I have no idea why this worked...

[fordanic]

Using the same setup as for my 1.0 installation but this fails for my 2.0 installation with the following error:
warn: LDAP LOGIN ERROR (c1): Invalid email / username or password.
Used credentials are good as they work for other services using a similar LDAP connection.

Running a docker setup of wikijs. What can I do to improve logging?

[fordanic]

To me, I in the end solved it by removing all "" that were used for bindings and similar.

[julianoduarte1983]

Hello guys,

I was with the same problem.

So, I solved it enabling auto self-registration on LDAP authentication.

Thanks @hbokh ;)

[SirGibihm]

Keep in mind that the same error message (see below) comes up when your Bind Credentials AND/OR your Login Credentials are wrong. The logging from my docker container (wikijs version 2.2.51, LDAP Logging enabled through the debug flag at Administration>Developer Tools>Flags) show for both invalid login credentials the following error:

warn: LDAP LOGIN ERROR (c1): Invalid email / username or password.

In other news: My LDAPS example config that works perfectly for Wikijs 2 looks like this, I had to redact passwords etc. but I hope it helps you with syntax; everything blurred out is a normal string:

[denisbonate]

Help me please.

[ramonjoaquim]

Try
(sAMAccountName={{username}}*)
and verify if your AD have the mail mapped field for e-mail, in my case I discovered the mail field are userPrincipalName, then my search filter looks like that
Solution
(|(sAMAccountName={{username}}*) (userPrincipalName={{username}}*))

[abnerrizzi]

this solved all my issues

an other option it is check self-registration.

[flagal]

LDAP works for me. The problem was Search Filter field. I put in (mail={{username}}). In Unique ID Field Mapping, I put sAMAccoutName.

[Solotovski]

LDAP works for me. You should set a email address on LDAP server.

[dkyrgia]

Hi Solotovski, If I am not asking much, can you please post a screenshot of your settings for the ldap connection? I am trying for two days now and I cannot figure what's wrong

[abnerrizzi]

[slicedmass]

For those still having issues, since the error messages are pretty unhelpful. Make sure when you are specifying the Admin Bind DN/Search Base that you add quotes around entries with spaces. For example:

OU=contoso users,OU=contoso company,DC=contoso,DC=com

would become

OU="contoso users",OU="contoso company",DC=contoso,DC=com