Starts in:
1 DAY
14 HRS
53 MIN
18 SEC
Starts in:
1 D
14 H
53 M
18 S
Open Closed

LDAP Authentication is not working #906


User avatar
0
aeffegroup created
  • ABP Framework version: v4.1.0
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): no

We spent a lot of time trying to authenticate users to our LDAP directory service without success. Here is the LDAP account configuration:

(the IP is not the real one)

Here is the error we always see in the application log:

2021-02-11 15:18:31.109 +01:00 [INF] Request starting HTTP/2 POST https://localhost:44360/Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fresponse_type%3Dcode%26client_id%3DDocumentale_App%26state%3DMmRDYlpUS1QuYktKMGFUVWlLUzhqVGRQSEltRHNlbUFoN3ZreTdodG9ZNDRu%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A4200%26scope%3Dopenid%2520offline_access%2520Documentale%26code_challenge%3DRBNiqmFE9lUmfdrpkaeZsYHd0-pZv4KRxR_9Uq-KTfk%26code_challenge_method%3DS256%26nonce%3DMmRDYlpUS1QuYktKMGFUVWlLUzhqVGRQSEltRHNlbUFoN3ZreTdodG9ZNDRu application/x-www-form-urlencoded 756
2021-02-11 15:18:31.109 +01:00 [INF] CORS policy execution failed.
2021-02-11 15:18:31.109 +01:00 [INF] Request origin https://localhost:44360 does not have permission to access the resource.
2021-02-11 15:18:31.116 +01:00 [INF] No CORS policy found for the specified request.
2021-02-11 15:18:31.117 +01:00 [INF] Executing endpoint '/Account/Login'
2021-02-11 15:18:31.117 +01:00 [INF] Route matched with {page = "/Account/Login", action = "", controller = "", area = ""}. Executing page /Account/Login
2021-02-11 15:18:31.117 +01:00 [INF] Skipping the execution of current filter as its not the most effective filter implementing the policy Microsoft.AspNetCore.Mvc.ViewFeatures.IAntiforgeryPolicy
2021-02-11 15:18:31.138 +01:00 [INF] Executing handler method Volo.Abp.Account.Public.Web.Pages.Account.LoginModel.OnPostAsync - ModelState is "Valid"
2021-02-11 15:18:31.203 +01:00 [ERR] Credenziali non valide. Credenziali non valide. Result: 49. Method: ldap_parse_result. Details: errorMessage: 80090308: LdapErr: DSID-0C0903D3, comment: AcceptSecurityContext error, data 52e, v3839
matchedMessage: 
LdapForNet.LdapInvalidCredentialsException: Credenziali non valide. Credenziali non valide. Result: 49. Method: ldap_parse_result. Details: errorMessage: 80090308: LdapErr: DSID-0C0903D3, comment: AcceptSecurityContext error, data 52e, v3839
matchedMessage: 
   at LdapForNet.Native.LdapNative.ThrowIfError(SafeHandle ld, Int32 res, String method, IDictionary`2 details)
   at LdapForNet.LdapConnection.ThrowIfParseResultError(IntPtr msg)
   at LdapForNet.LdapConnection.BindAsync(LdapAuthType authType, LdapCredential ldapCredential)
   at Volo.Abp.Ldap.LdapManager.AuthenticateLdapConnectionAsync(ILdapConnection connection, String username, String password)
   at Volo.Abp.Ldap.LdapManager.AuthenticateAsync(String username, String password)

("credenziali non valide" means "invalid credentials").

We checked our LDAP server and tried to connect it with the "Active Directory Explorer" utility with the same parameters and it is working fine.

We have tried to write a simple consolle application using the LdapForNet library and it worked using the same connection parameters; we managed to query the users on our LDAP. Here is the code of this simple app:

using LdapForNet;
using System;
using static LdapForNet.Native.Native;

namespace ConsoleApp2
{
    class Program
    {
        static void Main(string[] args)
        {
            using (var cn = new LdapConnection())
            {
                try
                {
                    cn.Connect("ldap://221.222.223.224:389");
                    // bind using userdn and password
                    cn.Bind(LdapAuthMechanism.SIMPLE, "aeffegroup\\arcadocint", "passwordgoeshere");
                    var entries = cn.Search("OU=Software,OU=Aeffegroup,DC=aeffegroup,DC=local", "(objectClass=*)");
                } catch (Exception exception)
                {
                    bool stopHere = true;
                }
            }
        }
    }
}

We have tried every possible combination of user name in the ABP.IO login page but we always get the same ldap error in the log; we tried authenticating in the following ways:

  • username
  • username@aeffegroup.local
  • username@aeffegroup.biz

(even if we try with non existing usernames and/or wrong passwords we always receive the same error code Result: 49. Method: ldap_parse_result. Details: errorMessage: 80090308: LdapErr: DSID-0C0903D3 from the backend.

Please help us. Thanks, Regards, David Bandinelli Aeffegroup


2 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    You can check this document https://github.com/abpio/abp-commercial-docs/blob/dev/en/modules/account/ldap.md

    We also have a console app to test configuration of LADP.

  • User Avatar
    0
    ServiceBot created
    Support Team Automatic process manager

    This question has been automatically marked as stale because it has not had recent activity.

Made with ❤️ on ABP v9.1.0-preview. Updated on November 20, 2024, 13:06