[Archivesspace_Users_Group] authentication_sources -- LDAP/Active Directory (failure log)

Majewski, Steven Dennis (sdm7g) sdm7g at eservices.virginia.edu
Fri Sep 2 12:37:12 EDT 2016

We use LDAP/Active Directory for user information but not for user authentication. 
With ArchivesSpace LDAP Authentication configured, the initial (anonymous) bind to get user information works, but it fails on the 2nd authentication binding. The first request is either doing anonymous binding, or else username+password need to be in the AppConfig[:authentication_sources] in your config file. But after getting user info from LDAP on the first request, it will attempt to bind to that user (with supplied user password) and connect again. 

I don’t know if you have a similar setup at your site, but, as well as my memory works, that looks like a familiar error message. And perhaps the other applications that work are not trying to do the 2nd binding. (?)

I have pulled some of the LDAP code from ArchivesSpace into a script to get user info and write it out the JSONModel, so that I can batch create users from LDAP info using the backend API. Users have to authenticate separately through Shibboleth or pub-cookie to get to the ArchivesSpace server, and then authenticate again to ArchivesSpace. I’d like to figure out how to skip that 2nd authentication, but backend and frontend servers need to exchange and agree on user credentials. 

— Steve Majewski / UVA Alderman Library

> On Sep 2, 2016, at 11:38 AM, Kathleen Krause-Thompson <kkthompson at tsl.texas.gov> wrote:
> Hello -- I’m attempting to configure an LDAP/Active Directory auth source and am getting the error messages below (details removed), from the main log. Is there an alternate log where I might look for more details? Any other ideas about next steps? Credentials and connectivity should be fine as other applications on the same server are making the link.
> Parameters: {"utf8"=>"✓", "authenticity_token"=>"02knGWUiVGv0C+pe06yYOyO9bWB4ZnfG8dnd+tJF+HY=", "username"=>"k", "password"=>"[FILTERED]", "commit"=>"Sign In"}
> D, [2016-09-01T15:24:58.330000 #26461] DEBUG -- : Thread-4210: POST /users/k/login [session: nil]
> D, [2016-09-01T15:24:58.335000 #26461] DEBUG -- : Thread-4210: Post-processed params: {:username=>"k", :password=>"[FILTERED]", :expiring=>true}
> E, [2016-09-01T15:24:58.401000 #26461] ERROR -- : Thread-4210: Error communicating with authentication source #<LDAPAuth:0x76063956 @encryption=nil, @extra_filter=nil, @attribute_map={:cn=>:name}, @bind_password="FILTERED", @port="389", @bind_dn="uid=removed,ou=", @username_attribute="uid", @hostname="tsl.state.tx.us", @base_dn="dc=tsl,dc=state,dc=tx,dc=us">: Failed when binding to LDAP directory: #<LDAPAuth:0x76063956 @encryption=nil, @extra_filter=nil, @attribute_map={:cn=>:name> Error: Invalid Credentials (code = 49)
> Kathleen Krause-Thompson
> Texas State Library and Archives
> Lead Developer Analyst

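The two-stage bind described in the reply above, sketched as an added example that is not part of the original thread and is not ArchivesSpace's own code. It runs against a constructed in-memory directory (the `FakeDirectory` class, the `ldap_login` helper, and every DN and password are assumptions made for illustration) and shows that result code 49 can come from either bind, so the stage has to be reported along with the code.

```ruby
# Added illustration, not ArchivesSpace code: search-then-bind login against a
# constructed in-memory directory. All DNs and passwords below are made up.
INVALID_CREDENTIALS = 49 # LDAP resultCode invalidCredentials

class FakeDirectory
  def initialize(entries, allow_anonymous:)
    @entries = entries # { dn => { uid:, password: } }
    @allow_anonymous = allow_anonymous
  end

  # Returns an LDAP result code: 0 on success, 49 on bad credentials.
  def bind(dn, password)
    if dn.nil? # no DN supplied means an anonymous bind
      return @allow_anonymous ? 0 : INVALID_CREDENTIALS
    end
    entry = @entries[dn]
    # A DN with an empty password must never count as a successful login.
    return INVALID_CREDENTIALS if entry.nil? || password.to_s.empty?
    entry[:password] == password ? 0 : INVALID_CREDENTIALS
  end

  def find_dn(attribute, value)
    @entries.find { |_dn, e| e[attribute] == value }&.first
  end
end

# Stage 1: bind as the lookup identity (anonymous, or bind_dn/bind_password
#          from the config) and search for the user's DN.
# Stage 2: bind again as that DN with the password typed at the login form.
def ldap_login(dir, username, password, bind_dn: nil, bind_password: nil)
  code = dir.bind(bind_dn, bind_password)
  return { ok: false, stage: :lookup_bind, code: code } unless code.zero?
  user_dn = dir.find_dn(:uid, username)
  return { ok: false, stage: :user_search, code: nil } if user_dn.nil?
  code = dir.bind(user_dn, password)
  return { ok: false, stage: :user_bind, code: code } unless code.zero?
  { ok: true, stage: :done, code: 0, dn: user_dn }
end

SVC_DN = "uid=svc,ou=apps,dc=example,dc=org"
DIRECTORY = FakeDirectory.new(
  { SVC_DN => { uid: "svc", password: "svc-secret" },
    # Directory holds user info only; no password usable for a bind.
    "uid=kk,ou=people,dc=example,dc=org" => { uid: "kk", password: nil },
    "uid=ab,ou=people,dc=example,dc=org" => { uid: "ab", password: "ab-secret" } },
  allow_anonymous: true
)
```

When triaging a real failure, the same separation applies: test the configured lookup bind on its own first, then the bind as the user's DN.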