Joining the list with some more details, and a question:
What steps does the authentication mechanism take when authenticating a user and what is the “Gateway Username” used for? Its description reads “The login name for the gateway to use when querying Active Directory. Used for retrieving the list of users and roles via LDAP.” but something doesn’t add up for me, so let me try to explain.
I have configured Ignition to use “admin” as the gateway user, with cn= and dc=xxx,dc=yyy,dc=zzz, and it’s able to log in successfully (also the search base and filters for users and groups/roles):
[13:42:31]: [profileName=LDAP] Connecting to "ldap://server:389" as "cn=admin,dc=xxx,dc=yyy,dc=zzz"...
[13:42:31]: [profileName=LDAP] Searching for user in [dc=xxx,dc=yyy,dc=zzz] with filter "(objectClass=inetOrgPerson)"...
[13:42:31]: [profileName=LDAP] Successfully loaded user: "{username=cgi}"
[13:42:31]: [profileName=LDAP] Successfully loaded user: "{username=fan}"
[13:42:31]: [profileName=LDAP] Successfully loaded user: "{username=cgi2}"
[13:42:31]: [profileName=LDAP] Found 3 user in 1 ms
[13:42:31]: [profileName=LDAP] Connecting to "ldap://server:389" as "cn=admin,dc=xxx,dc=yyy,dc=zzz"...
[13:42:31]: [profileName=LDAP] Searching for roles in [ou=groups,dc=xxx,dc=yyy,dc=zzz] with filter "(objectClass=groupOfUniqueNames)"...
[13:42:31]: [profileName=LDAP] Found 9 roles in 1 ms
Now, when I try to log in with one of the users (cgi2), the initial bind is successful; however, the system subsequently tries to query the tree with the exact same user, instead of the admin, and fails (obviously the user is restricted and does not have the same rights as the admin):
[13:42:35]: [profileName=LDAP] Connecting to "ldap://server:389" as "cn=cgi2,dc=xxx,dc=yyy,dc=zzz"...
[13:42:35]: [profileName=LDAP] Searching for user in [dc=xxx,dc=yyy,dc=zzz] with filter "(&(objectClass=inetOrgPerson)(cn={0}))"...
[13:42:35]: Authentication as user "cgi2" failed with NamingException: [LDAP: error code 32 - No Such Object]
In conclusion, can anyone please shed some light on this? Why do we need the “Gateway User” if it’s not used during authentication (unless I’m missing something)? Additionally, is there any way to allow for plain old LDAP access, as opposed to AD?
If not, does anyone have some base-code / sample for an authentication module that can be shared? Depending on the complexity and my spare time, I’d be interested in trying to create an LDAP authentication module.
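As an added example (not from the original post, and not Ignition's own code), here is a small Python script that reads gateway log lines of the kind quoted above and reports, for every directory search, which bound identity ran it and whether an LDAP error code followed; a search that was not bound as the gateway DN is flagged so the "search as end user" pattern above stands out. The log text and the gateway DN are constructed from the lines quoted in the post.

```python
import re

# Constructed sample: the gateway log lines quoted in the post (not a live capture).
SAMPLE_LOG = """\
[13:42:31]: [profileName=LDAP] Connecting to "ldap://server:389" as "cn=admin,dc=xxx,dc=yyy,dc=zzz"...
[13:42:31]: [profileName=LDAP] Searching for user in [dc=xxx,dc=yyy,dc=zzz] with filter "(objectClass=inetOrgPerson)"...
[13:42:31]: [profileName=LDAP] Found 3 user in 1 ms
[13:42:31]: [profileName=LDAP] Connecting to "ldap://server:389" as "cn=admin,dc=xxx,dc=yyy,dc=zzz"...
[13:42:31]: [profileName=LDAP] Searching for roles in [ou=groups,dc=xxx,dc=yyy,dc=zzz] with filter "(objectClass=groupOfUniqueNames)"...
[13:42:31]: [profileName=LDAP] Found 9 roles in 1 ms
[13:42:35]: [profileName=LDAP] Connecting to "ldap://server:389" as "cn=cgi2,dc=xxx,dc=yyy,dc=zzz"...
[13:42:35]: [profileName=LDAP] Searching for user in [dc=xxx,dc=yyy,dc=zzz] with filter "(&(objectClass=inetOrgPerson)(cn={0}))"...
[13:42:35]: Authentication as user "cgi2" failed with NamingException: [LDAP: error code 32 - No Such Object]
"""

# Assumed gateway (service account) DN, taken from the first bind in the post.
GATEWAY_DN = "cn=admin,dc=xxx,dc=yyy,dc=zzz"

# Patterns for the three log events the script cares about: bind, search, failure.
BIND_RE = re.compile(r'Connecting to "(?P<url>[^"]+)" as "(?P<dn>[^"]+)"')
SEARCH_RE = re.compile(r'Searching for (?P<what>user|roles) in \[(?P<base>[^\]]+)\] '
                       r'with filter "(?P<filter>[^"]+)"')
FAIL_RE = re.compile(r'Authentication as user "(?P<user>[^"]+)" failed with \w+: '
                     r'\[LDAP: error code (?P<code>\d+)')


def audit_ldap_log(text, gateway_dn):
    """One finding per directory search: the identity bound when the search ran,
    whether that identity is the gateway DN, and any LDAP error code that followed."""
    findings, current_dn = [], None
    for line in text.splitlines():
        if m := BIND_RE.search(line):
            current_dn = m["dn"]          # later searches run under this bind
        elif m := SEARCH_RE.search(line):
            findings.append({"search": m["what"], "base": m["base"], "filter": m["filter"],
                             "bound_as": current_dn, "as_gateway": current_dn == gateway_dn,
                             "error_code": None})
        elif (m := FAIL_RE.search(line)) and findings:
            findings[-1]["error_code"] = int(m["code"])  # attribute to the last search
    return findings


def searches_not_as_gateway(findings):
    """Return the searches that ran under a bind other than the gateway DN."""
    return [f for f in findings if not f["as_gateway"]]


if __name__ == "__main__":
    for f in searches_not_as_gateway(audit_ldap_log(SAMPLE_LOG, GATEWAY_DN)):
        print(f'{f["search"]} search bound as {f["bound_as"]} -> error {f["error_code"]}')
```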