LDAP authentication fails with "could not search LDAP for filter"
Article ID: 296655

Products

VMware Tanzu Greenplum

Issue/Introduction

No existing or new users are able to access Greenplum with LDAP authentication. A login attempt fails as follows:
[greenplum]$ psql -h mdw -p 5432 -U myuser -d mydb
Password for user myuser:
psql: FATAL: LDAP authentication failed for user "myuser"

The following error is seen in the master log:
2020-12-17 09:14:55.418542 +01,"myldapuser","mydb",p402713,th-432154496,"10.1.1.1","16047",2020-12-17 09:14:55 +01,0,con65903,,seg-1,,,,sx1,"LOG","00000","could not search LDAP for filter ""(samaccountname=myldapuser)"" on server ""ldapserver.com"": Operations error",,,,,,,0,,"auth.c",2299,
2020-12-17 09:14:55.418577 +01,"myldapuser","mydb",p402713,th-432154496,"10.1.1.1","16047",2020-12-17 09:14:55 +01,0,con65903,,seg-1,,,,sx1,"FATAL","28000","LDAP authentication failed for user ""myldapuser""","Connection matched pg_hba.conf line 113: ""host all +g_ldap 10.0.0.0/0 ldap ldapserver=ldapserver.com ldapbasedn=""DC=fr,DC=port,DC=COM"" ldapbinddn=""[email protected]"" ldapbindpasswd=""XXXXX"" ldapsearchattribute=""samaccountname""""",,,,,,0,,"auth.c",318,


Environment

Product Version: 6.12

Resolution

General Troubleshooting Tips

  • Changing log_min_messages to DEBUG5 did not produce any additional messages in the master log file.
  • You can use ldapsearch to confirm you have communication with the ldapserver.
ldapsearch -D "[email protected]" -w "XXXX" -h ldapserver.com -b "DC=fr,DC=port,DC=com" -x "(&(samaccountname=myldapuser))" -A
(...)
# search result
search: 2
result: 0 Success
  • tcpdump is useful for seeing the actual error the LDAP server returns; the ASCII column of the reply below carries the server's diagnostic text ("In order to perform this operation a successful bind must be completed on the connection"):
13:37:06.709198 IP 10.44.133.160.ldap > 10.44.65.242.12084: Flags [P.], seq 23:197, ack 123, win 2081, options [nop,nop,TS val 2120027106 ecr 2343691674], length 174
        0x0000:  4500 00e2 7bf5 4000 7e06 a436 0a2c 85a0  E...{.@.~..6.,..
        0x0010:  0a2c 41f2 0185 2f34 c4c3 83ad 56de e095  .,A.../4....V...
        0x0020:  8018 0821 ab36 0000 0101 080a 7e5d 0be2  ...!.6......~]..
        0x0030:  8bb1 e59a 3084 0000 00a8 0201 0365 8400  ....0........e..
        0x0040:  0000 9f0a 0101 0400 0484 0000 0094 3030  ..............00
        0x0050:  3030 3034 4443 3a20 4c64 6170 4572 723a  0004DC:.LdapErr:
        0x0060:  2044 5349 442d 3043 3039 3041 3744 2c20  .DSID-0C090A7D,.
        0x0070:  636f 6d6d 656e 743a 2049 6e20 6f72 6465  comment:.In.orde
        0x0080:  7220 746f 2070 6572 666f 726d 2074 6869  r.to.perform.thi
        0x0090:  7320 6f70 6572 6174 696f 6e20 6120 7375  s.operation.a.su
        0x00a0:  6363 6573 7366 756c 2062 696e 6420 6d75  ccessful.bind.mu
        0x00b0:  7374 2062 6520 636f 6d70 6c65 7465 6420  st.be.completed.
        0x00c0:  6f6e 2074 6865 2063 6f6e 6e65 6374 696f  on.the.connectio
        0x00d0:  6e2e 2c20 6461 7461 2030 2c20 7633 3833  n.,.data.0,.v383
        0x00e0:  3900 0000 0000 0000 0000 0000 0000 0000  9...............


Possible Workaround

In some situations, the issue occurred because the ldapbasedn in pg_hba.conf did not include the OU (organizational unit) that contains the users.

Original entry:

host all +g_ldap 10.0.0.0/0 ldap ldapserver=ldapserver.com ldapbasedn="DC=fr,DC=port,DC=com" ldapbinddn="[email protected]" ldapbindpasswd="xxxx" ldapsearchattribute="samaccountname"

Fixed entry:

host all +g_ldap 10.0.0.0/0 ldap ldapserver=ldapserver.com ldapbasedn="OU=Mycompany,DC=fr,DC=port,DC=com" ldapbinddn="[email protected]" ldapbindpasswd="xxxx" ldapsearchattribute="samaccountname"

After reloading the configuration with gpstop -u, the issue is resolved.
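The following script, an added example that is not Greenplum or PostgreSQL code, ties the troubleshooting tips and the workaround together: it parses the LDAP line from pg_hba.conf (quoted option values included), rebuilds the "(samaccountname=user)" filter that appears in the master log, and emits the ldapsearch command used above to confirm the server answers for a given base DN. The two pg_hba.conf lines are constructed from the entries in this article; filter values are escaped per RFC 4515, which is this example's own addition.

```python
"""Rebuild the search Greenplum runs for a pg_hba.conf LDAP entry.

Added example, not Greenplum or PostgreSQL code. Sample pg_hba.conf
lines are constructed from the original and fixed entries above.
"""
import shlex

# Constructed sample lines: the original entry and the fixed entry.
ORIGINAL = ('host all +g_ldap 10.0.0.0/0 ldap ldapserver=ldapserver.com '
            'ldapbasedn="DC=fr,DC=port,DC=com" ldapbinddn="[email protected]" '
            'ldapbindpasswd="xxxx" ldapsearchattribute="samaccountname"')
FIXED = ORIGINAL.replace('ldapbasedn="DC=fr', 'ldapbasedn="OU=Mycompany,DC=fr')

# RFC 4515 escapes so a user name cannot alter the structure of the filter.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def escape_filter_value(value):
    """Escape a value that is placed inside an LDAP search filter."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def parse_hba_ldap(line):
    """Return the fixed fields plus the ldap* options of a pg_hba.conf line."""
    fields = shlex.split(line, posix=True)  # strips the quotes around values
    if len(fields) < 5 or fields[4] != 'ldap':
        raise ValueError('not an LDAP pg_hba.conf entry')
    entry = dict(zip(('type', 'database', 'user', 'address'), fields[:4]))
    for opt in fields[5:]:
        key, _, val = opt.partition('=')  # split on the first '=' only
        entry[key] = val
    return entry


def search_filter(entry, user):
    """The filter Greenplum logs for a search+bind attempt, e.g. (samaccountname=myldapuser)."""
    return '(%s=%s)' % (entry['ldapsearchattribute'], escape_filter_value(user))


def ldapsearch_command(entry, user):
    """ldapsearch invocation mirroring the connectivity check in the article."""
    return ['ldapsearch', '-x', '-h', entry['ldapserver'],
            '-D', entry['ldapbinddn'], '-w', entry['ldapbindpasswd'],
            '-b', entry['ldapbasedn'], search_filter(entry, user), '-A']


if __name__ == '__main__':
    for line in (ORIGINAL, FIXED):
        print(shlex.join(ldapsearch_command(parse_hba_ldap(line), 'myldapuser')))
```

Running the script prints one ldapsearch command per entry; comparing the output of the two against the live server shows whether the base DN is what makes the search fail.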