Describe the bug
A clear and concise description of what the bug is.
We are unable to log in via LDAP. This error is shown: production.ERROR: There was an error authenticating the LDAP user: Could not find user in LDAP directory
LDAP connection test from LDAP settings page is successful, but when trying to test with user credentials further down, it fails. We have tried many different ways, read just about all bug reports and troubleshot after them, but no luck.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
I would expect to be able to login with AD credentials.
Screenshots
If applicable, add screenshots to help explain your problem.
Server (please complete the following information):
Desktop (please complete the following information):
Error Messages
storage/logs and your webserver's logs.
Additional context
Add any other context about the problem here.
Please do not post an issue without answering the related questions above. If you have opened a different issue and already answered these questions, answer them again, once for every ticket. It will be next to impossible for us to help you.
All users are imported on LDAP sync although ending up not being able to login.
I've checked the LDAP filter many times.
Any luck in finding a cause for our issue ?
Hello @madslorenzen!
It sounds like your authentication query is off:

Are you connecting to active directory? I've seen case-sensitivity issues with this field in particular.
https://snipe-it.readme.io/docs/ldap-sync-login
If you have exhausted all possibilities, and it continues to be an issue - please let me know! 👍
Hi HinchK, Thank you for your reply.
We have tried many different settings for the LDAP AD Authentication Query - it has been tried with both uid=, samaccountname= and sAMAccountName=. The setting is now set as sAMAccountName= and import of users from AD is successful. But it is not possible to log in with a user from the AD; the error message is shown as Error: The username or password is incorrect, and written in the log as ERROR: There was an error authenticating the LDAP user: Could not find user in LDAP directory.
So I have to say that the issue persists, please help.
Brgds Mads
Mads! Have you tried: uid=samaccountname?
I have now tried uid=samaccountname. After the configuration change, I did an LDAP Sync of the user accounts with success, but we are still not able to log in with AD accounts. Error messages are the same.
Ok @madslorenzen - let's address two things from here:
Please check that the user accounts you are trying to log in with are "activated" in the system -

All Snipe-IT versions >4.4 require PHP 7.1.3 or higher. Please update your instance's PHP to at least 7.1.3, and restart your web server.
All AD users are activated.

Our PHP version is 7.0.32 - I will try to upgrade it to 7.1.3 now.
With PHP version 7.2.10 the error continues. Still unable to log in with AD synced users.

@HinchK Do you have any further suggestions on what we can do ?
When using Wireshark on the domain controller, I only see the bind user's password sent, never the user I try to authenticate. I only see an LDAP success to find the login user, but I do not see a password being sent, or checked.
After the LDAP bind SearchRequest that gives success in finding the login user, I only see these three entries before the LDAP unbind. All three requests are from the SnipeIT server towards the DC.

@HinchK Do you have any further suggestions ?

I Try it !
success
Hi - This setting has been set and tested several times without success. It is now the setting also:

Tested LDAP sync with success, LDAP login with error:

This is the issue we have been seeing all along.


check your php version
snipe-it version 4.66 also success
Stated the versions earlier in the ticket :


try copy it

Tried to insert &(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)) to LDAP Filter. No luck. Same result. Able to Test LDAP Sync - able to do LDAP sync under People, but not able to login - or test LDAP login - fails with not able to bind.
@madslorenzen after doing some research, I regret to say that without our insight into active directory, we are just trying to hit a moving target.
What we are doing here is matching usernames for usernames, from snipe-it to active directory. This is pretty much whatever your domain's uid/username field LABEL is, mapped to one we pulled into Snipe-IT from the Sync. Rather than get inside your domain - I did a little research and was able to compile a sample list of common Snipe-IT LDAP Authentication Settings that I have had to implement over the years.
In some of these cases, we have had to use a setting like uid=mail, because the domain login enforced full email-usernames and that's how we were able to map it.....
This is by far the most common:

More LDAP Authentication Queries:
userprincipalname=
cn= (I don't think this was AD)
samaccountname=
uid=givenname
uid=
uid=mail
mail=
@madslorenzen It's a question of LDAP Authentication Queries.
Hello, You closed my ticket over Christmas ☹
I would like it reopened.
You write it is an AD auth question, but AD imports correctly, but we are not able to get it to authenticate.
For further insight to AD, we are able to assist ? We also started this support by asking for paid support – before we got forwarded to here.
Also – when testing ldap, I get success, but when testing ldap authentication using the same credentials as the ad connect account, ldap auth still fails.
I REALLY NEED HELP WITH THIS !
Did you get this figured out? I just got mine working after struggling with it for some time. Might be able to help you if you still need.
Hi @pvnick , I'm having trouble myself. Can you share your settings ?
@dieorod - I had this same exact problem. It turned out to be my Base Bind DN. The problem showed up after I upgraded to v4.6.15. Plus it isn't helpful that the error doesn't indicate any errors for the actual problem. This took me days to figure out!!!
Below is an example of my base bind dn.
Base Bind DN My example: OU=Sync,DC=your,DC=domain,DC=com
I hope this is helpful.
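The two settings discussed in this thread, the authentication query and the base bind DN, both decide whether the user search returns an entry before any password is checked. The following is an added example, not part of the thread and not Snipe-IT's own code; it assumes the authentication query is a prefix to which the login name is appended and that the LDAP filter is written without outer parentheses. The user DNs and the login name are constructed.

```python
import re

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a login name so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(auth_query, username, ldap_filter=""):
    """ASSUMPTION: the authentication query (e.g. 'sAMAccountName=') is a prefix
    the login name is appended to, and the LDAP filter is written without outer
    parentheses, as in the thread ('&(...)(...)')."""
    clause = "(" + auth_query.strip() + escape_filter_value(username) + ")"
    if not ldap_filter.strip():
        return clause
    return "(" + ldap_filter.strip() + clause + ")"

def is_balanced(ldap_filter):
    """Cheap sanity check: parentheses must pair up and never close early."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def split_dn(dn):
    """Simplified DN parsing: split on unescaped commas, normalise case/spaces."""
    parts = re.split(r"(?<!\\),", dn)
    return [re.sub(r"\s*=\s*", "=", p.strip(), count=1).lower() for p in parts]

def dn_in_scope(user_dn, base_dn):
    """True if user_dn lies at or below base_dn (subtree search scope)."""
    user, base = split_dn(user_dn), split_dn(base_dn)
    return len(user) >= len(base) and user[-len(base):] == base

if __name__ == "__main__":
    # Base DN and filter are the values from the thread; the rest is constructed.
    base_dn = "OU=Sync,DC=your,DC=domain,DC=com"
    sync_filter = ("&(sAMAccountType=805306368)"
                   "(!(userAccountControl:1.2.840.113556.1.4.803:=2))")
    f = build_user_filter("sAMAccountName=", "jdoe", sync_filter)
    print(f, is_balanced(f))
    for dn in ("CN=Jane Doe,OU=Sync,DC=your,DC=domain,DC=com",
               "CN=Jane Doe,OU=Staff,DC=your,DC=domain,DC=com"):
        print(dn, "->", "in scope" if dn_in_scope(dn, base_dn) else "outside base DN")
```

A user whose DN is outside the configured base DN is never returned by the search, whatever the authentication query is set to.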
Having a similar issue in docker on AD.
My issue was a dumb one - I didn't check the box "This is an Active Directory server" because I thought it was referring to the server that snipeit was hosted on. After checking that box everything worked fine.
I was able to test auth with credentials, but I'm getting a bind error now on trying to do an LDAP sync.
@diegorod this actually got mine working. I assumed it meant is the server I'm hosting the website on an AD server so I never checked it.
My issue was a dumb one - I didn't check the box "This is an Active Directory server" because I thought it was referring to the server that snipeit was hosted on. After checking that box everything worked fine.
This fixed my issue. Thank you @diegorod !
Ok that’s great news!
My issue was a dumb one - I didn't check the box "This is an Active Directory server" because I thought it was referring to the server that snipeit was hosted on. After checking that box everything worked fine.
this helped me !!!
Same thing, I never was thinking to mark this checkbox, it's not an LDAP server ...
My issue was a dumb one - I didn't check the box "This is an Active Directory server" because I thought it was referring to the server that snipeit was hosted on. After checking that box everything worked fine.
Yep, thought the same. It's worded weird...
@dieorod - I had this same exact problem. It turned out to be my Base Bind DN. The problem showed up after I upgraded to v4.6.15. Plus it isn't helpful that the error doesn't indicate any errors for the actual problem. This took me days to figure out!!!
Below is an example of my base bind dn.
Base Bind DN My example: OU=Sync,DC=your,DC=domain,DC=com
I hope this is helpful.
thanks bro! this fixed my issue!!! you r the best one!