After filling in the Atlas sign-in form and hitting submit, the logs for the LDAP server and WebAPI show that the initial BIND is called with the user from the form (fbaggins in this case) instead of the admin:
ohdsi-openldap | 6421f660 conn=1014 fd=16 ACCEPT from IP=192.168.112.6:40914 (IP=0.0.0.0:389)
ohdsi-openldap | 6421f660 conn=1014 op=0 BIND dn="cn=fbaggins,ou=Hobbits,dc=example,dc=org" method=128
ohdsi-openldap | 6421f660 conn=1014 op=0 RESULT tag=97 err=49 text=
ohdsi-openldap | 6421f660 conn=1014 fd=16 closed (connection lost)
ohdsi-webapi | 2023-03-27 20:02:40.632 INFO http-nio-8080-exec-9 com.odysseusinc.logging.LoggingService - [] - Log in failed for user login = fbaggins
ohdsi-webapi | 2023-03-27 20:02:40.632 INFO http-nio-8080-exec-9 org.ohdsi.webapi.audittrail.AuditTrailServiceImpl - [] - <110>1 2023-03-27T20:02:40.632Z 2762d6ad2884 Atlas - - - User login failed: fbaggins, remote-host = 192.168.112.2
Independently performing the search with the admin user yields the expected result:
# ldapsearch -h 192.168.0.50 -p 1389 -x -D "cn=admin,dc=example,dc=org" -b "dc=example,dc=org" -w admin "(&(objectClass=posixAccount)(cn=fbaggins))"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (&(objectClass=posixAccount)(cn=fbaggins))
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
The environment variable configurations are:
ATLAS_USER_AUTH_ENABLED="true"
ATLAS_PLP_RESULTS_ENABLED="true"
ATLAS_SECURITY_PROVIDER_TYPE="ldap"
ATLAS_SECURITY_USE_FORM="true"
ATLAS_SECURITY_USE_AJAX="true"
WEBAPI_SECURITY_PROVIDER="AtlasRegularSecurity"
SECURITY_AUTH_LDAP_ENABLED="true"
SECURITY_LDAP_DN="cn={0},ou=Hobbits,dc=example,dc=org"
SECURITY_LDAP_URL="ldap://openldap:389"
SECURITY_LDAP_BASEDN="ou=Hobbits,dc=example,dc=org"
SECURITY_LDAP_SYSTEM_USERNAME="admin"
SECURITY_LDAP_SYSTEM_PASSWORD="admin"
SECURITY_LDAP_SEARCHSTRING="(&(objectClass=posixAccount)(cn={0}))"
SECURITY_LDAP_USERMAPPING_DISPLAYNAMEATTR="displayname"
SECURITY_LDAP_USERMAPPING_FIRSTNAMEATTR="givenName"
SECURITY_LDAP_USERMAPPING_MIDDLENAMEATTR="initials"
SECURITY_LDAP_USERMAPPING_LASTNAMEATTR="sn"
SECURITY_LDAP_USERMAPPING_USERNAMEATTR="cn"
SECURITY_LDAP_USERIMPORT_USERNAMEATTR="cn"
SECURITY_LDAP_USERIMPORT_LOGINATTR="uid"
SECURITY_LDAP_SEARCHBASE="ou=Hobbits,dc=example,dc=org"
The interesting thing is, if I change these two values:
SECURITY_LDAP_DN="cn={0},dc=example,dc=org"
SECURITY_LDAP_BASEDN="dc=example,dc=org"
and then try to log in as admin in the Atlas form, it performs the BIND correctly but predictably fails to find a qualifying user:
ohdsi-openldap | 6421fabf conn=1003 fd=16 ACCEPT from IP=192.168.128.3:44116 (IP=0.0.0.0:389)
ohdsi-openldap | 6421fabf conn=1003 op=0 BIND dn="cn=admin,dc=example,dc=org" method=128
ohdsi-openldap | 6421fabf conn=1003 op=0 BIND dn="cn=admin,dc=example,dc=org" mech=SIMPLE ssf=0
ohdsi-openldap | 6421fabf conn=1003 op=0 RESULT tag=97 err=0 text=
ohdsi-openldap | 6421fabf conn=1003 op=1 SRCH base="ou=Hobbits,dc=example,dc=org" scope=2 deref=3 filter="(&(objectClass=*)(cn=admin))"
ohdsi-openldap | 6421fabf conn=1003 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
ohdsi-openldap | 6421fabf conn=1003 op=2 UNBIND
ohdsi-openldap | 6421fabf conn=1003 fd=16 closed
ohdsi-webapi | 2023-03-27 20:21:19.177 INFO http-nio-8080-exec-5 com.odysseusinc.logging.LoggingService - [] - Log in failed for user login = admin
What am I doing wrong here? Anything I could try to fix this issue?
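Added illustration (not part of the original post, and not OHDSI WebAPI code): a small in-memory stand-in for the directory that walks through the two login flows an LDAP realm can use with the settings quoted above. Flow A binds straight away as the DN built from the SECURITY_LDAP_DN template, which is the shape of the first log excerpt; flow B binds as the system account, searches under the search base, then binds as the DN it found. Two result codes from the quoted slapd lines are spelled out in the stub: err=49 is invalidCredentials (a simple bind to a DN that does not exist reports the same code as a wrong password), and err=32 is noSuchObject (the search base itself was not found). The passwords, the posixAccount entry and the simplified base check are constructed for the demo; the escaping helpers follow RFC 4515 and RFC 4514 because the {0} placeholders receive whatever is typed into the form.

```python
from dataclasses import dataclass, field


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter.

    The {0} in SECURITY_LDAP_SEARCHSTRING must receive an escaped value, or a
    login such as "*)(cn=" would change what the filter matches.
    """
    return ''.join(
        '\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value
    )


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value placed into a DN template such as
    SECURITY_LDAP_DN="cn={0},ou=Hobbits,dc=example,dc=org"."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs = (ch in ',+"\\<>;='
                 or (ch == '#' and i == 0)
                 or (ch == ' ' and i in (0, last)))
        out.append('\\' + ch if needs else ch)
    return ''.join(out)


@dataclass
class FakeDirectory:
    """Constructed stand-in for the LDAP server: dn -> (password, attributes).
    The log list mimics the slapd lines quoted in the post."""
    entries: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def bind(self, dn: str, password: str) -> bool:
        self.log.append(f'BIND dn="{dn}"')
        ok = dn in self.entries and self.entries[dn][0] == password
        # 49 = invalidCredentials: an unknown DN and a wrong password look the same
        self.log.append('RESULT err=%d' % (0 if ok else 49))
        return ok

    def search(self, base: str, cn: str, object_class: str) -> list:
        # Only the equality-on-cn filter from the quoted SEARCHSTRING is modelled.
        flt = f'(&(objectClass={object_class})(cn={escape_filter_value(cn)}))'
        self.log.append(f'SRCH base="{base}" filter="{flt}"')
        # Simplified: a base "exists" when at least one entry sits under it.
        in_base = [dn for dn in self.entries if dn == base or dn.endswith(',' + base)]
        if not in_base:
            self.log.append('SEARCH RESULT err=32 nentries=0')  # 32 = noSuchObject
            return []
        hits = [dn for dn in in_base
                if self.entries[dn][1].get('cn') == cn
                and object_class in self.entries[dn][1].get('objectClass', ())]
        self.log.append(f'SEARCH RESULT err=0 nentries={len(hits)}')
        return hits


def build_directory() -> FakeDirectory:
    """Constructed sample data shaped like the post's DNs (not real accounts)."""
    return FakeDirectory(entries={
        'cn=admin,dc=example,dc=org':
            ('admin', {'cn': 'admin', 'objectClass': ('simpleSecurityObject',)}),
        'cn=fbaggins,ou=Hobbits,dc=example,dc=org':
            ('shire', {'cn': 'fbaggins', 'uid': 'fbaggins', 'objectClass': ('posixAccount',)}),
    })


def login_direct_bind(d: FakeDirectory, dn_template: str, login: str, password: str) -> bool:
    """Flow A: bind straight away as the DN built from the template, which is
    the shape of the first log excerpt (BIND dn="cn=fbaggins,ou=Hobbits,...")."""
    return d.bind(dn_template.replace('{0}', escape_dn_value(login)), password)


def login_search_then_bind(d: FakeDirectory, system_dn: str, system_pw: str,
                           base: str, login: str, password: str) -> bool:
    """Flow B: bind as the service account, locate the user under the search
    base, then bind as the DN found to verify the submitted password."""
    if not d.bind(system_dn, system_pw):
        return False
    hits = d.search(base, login, 'posixAccount')
    if len(hits) != 1:  # zero hits or an ambiguous login both fail closed
        return False
    return d.bind(hits[0], password)


if __name__ == '__main__':
    d = build_directory()
    print(login_direct_bind(d, 'cn={0},ou=Hobbits,dc=example,dc=org', 'fbaggins', 'shire'))
    print(login_search_then_bind(d, 'cn=admin,dc=example,dc=org', 'admin',
                                 'ou=Hobbits,dc=example,dc=org', 'admin', 'admin'))
    print('\n'.join(d.log))
```

Running the file prints the outcome of each flow followed by the simulated server log, so the BIND and SRCH lines can be compared side by side with the real slapd output above.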