First time AD authentication does not create account

Summary
When logging in the first time using AD credentials, a new account is not created.

  • Currently evaluating E20 on Ubuntu 18.04 server.

Steps to reproduce

  • Set up AD authentication and verified that it does bind to AD and can sync users.
  • Login for the first time using an AD account.

Expected behavior
AD account logs in for the first time, the account is created, and the login then continues.

Observed behavior

  • Login results in invalid username or password.
  • No entries in log.
  • The AD server does register a successful login for AD account.

Found a way to make it work, but it is required for each new user:

  • First create an email account for users.
  • Login as the user, then go to “Account Settings”, “Security”, “Sign-in Method”.
  • Then change to AD and enter credentials.
  • From this point AD authentication works for the user.

Hi there, @doguri .

  • Since you mentioned that the AD server syncs users, can you please adjust the LogSettings.FileLevel to DEBUG so we can capture the log entries when you reproduce the issue?

  • Also, can you verify that when you sync users, the sync table shows success status?

  • How do you configure the user filter on your LDAP configuration? When you run an ldapsearch of this user according to the filter, were you able to return the user’s information?

  • I have set LogSettings.FileLevel to DEBUG.
    Still getting invalid username or password.
    There are no log entries when trying to log in.
    AD server shows successful login.

  • Yes, when I sync AD/LDAP I get a success status with users and groups scanned.

  • The user filter for LDAP is set to objectClass=Person

  • When running ldapsearch for the user, returns all attributes for that user.

Hi, @doguri

Got it. Would you mind sending a sanitized copy of your config.json (removing any sensitive information such as password) to my DM so I can check on it as well as the snippet of the mattermost.log when you attempted the log in?

Strange that nothing gets logged into the mattermost.log, as it should log something that looks like this even when the username / password is invalid for an AD/LDAP user.

{"level":"debug","ts":1626844348.0812848,"caller":"mlog/log.go:230","msg":"Enter a valid email or username and/or password.","path":"/api/v4/users/login","request_id":"XXXXXXXXXX","ip_addr":"XXXXXXXXXX","user_id":"","method":"POST","err_where":"login","http_code":401,"err_details":""}
{"level":"debug","ts":1626844348.0825486,"caller":"web/handlers.go:107","msg":"Received HTTP request","method":"POST","url":"/api/v4/users/login","request_id":"XXXXXXXXXX","host":"XXXXXXXXXX","scheme":"","status_code":"401"}

This is how it looks on the UI:

[screenshot]

I jumped the gun a bit. It didn’t show anything in the logs at first, but eventually came up with an invalid email error.

Our AD is used for accounts only and doesn’t have the email attribute populated. I put the email address in the AD and it seems to work now.

I also tried using the principal user name, which has user@ad.company.com in it. I’m assuming it’s trying to validate that the email address is “something”@“something”.“something”.

All is good now, thanks for your help.

-David
