
Users not able to login using LDAP

I have Mattermost E10 in a Docker container.
I have configured Univention LDAP. After LDAP sync, 102 users are showing.
But users are not able to log in. Find the LDAP configuration below.

"LdapSettings": {
    "Enable": true,
    "EnableSync": true,
    "LdapServer": "xxxxxxxxx",
    "LdapPort": 389,
    "ConnectionSecurity": "none",
    "BaseDN": "ou=Users,ou=xxx,dc=xxx,dc=org",
    "BindUsername": "uid=xxxbot,ou=Users,ou=xxx,dc=xxx,dc=org",
    "BindPassword": "*******",
    "UserFilter": "",
    "GroupFilter": "",
    "GuestFilter": "",
    "EnableAdminFilter": false,
    "AdminFilter": "",
    "GroupDisplayNameAttribute": "",
    "GroupIdAttribute": "",
    "FirstNameAttribute": "",
    "LastNameAttribute": "",
    "EmailAttribute": "userPrincipalName",
    "UsernameAttribute": "sAMAccountName",
    "NicknameAttribute": "",
    "IdAttribute": "uid",
    "PositionAttribute": "",
    "LoginIdAttribute": "sAMAccountName",
    "PictureAttribute": "jpegPhoto",
    "SyncIntervalMinutes": 60,
    "SkipCertificateVerification": true,
    "QueryTimeout": 10,
    "MaxPageSize": 0,
    "LoginFieldName": "",
    "LoginButtonColor": "#0000",
    "LoginButtonBorderColor": "#2389D7",
    "LoginButtonTextColor": "#2389D7",
    "Trace": false
}

Please help me to resolve the issue.

Thanks
Amarnath

Logs are below

{"level":"debug","ts":1603781647.4792924,"caller":"mlog/log.go:169","msg":"Invalid or expired session, please login again.","path":"/api/v4/channels/members/me/view","request_id":"ybtf59ubr3gw58669nc3un3ako","ip_addr":"172.16.52.81","user_id":"","method":"POST","err_where":"","http_code":401,"err_details":"UserRequired"}
{"level":"debug","ts":1603781647.4793646,"caller":"web/handlers.go:100","msg":"Received HTTP request","method":"POST","url":"/api/v4/channels/members/me/view","request_id":"ybtf59ubr3gw58669nc3un3ako","status_code":"401"}
{"level":"debug","ts":1603781647.4990017,"caller":"app/web_conn.go:417","msg":"websocket.read: client side closed socket","user_id":"uw4e6bjmcfrbpj7yqesdpjtwxc"}
{"level":"debug","ts":1603781647.4990907,"caller":"web/handlers.go:100","msg":"Received HTTP request","method":"GET","url":"/api/v4/websocket","request_id":"huyuj3zfwtye3qbkd4hq6zdcxy"}
{"level":"debug","ts":1603781647.512818,"caller":"web/handlers.go:100","msg":"Received HTTP request","method":"GET","url":"/","request_id":"ajis79fiutbftd4zyifybdrf5a","status_code":"304"}
{"level":"debug","ts":1603781648.2084017,"caller":"web/handlers.go:100","msg":"Received HTTP request","method":"GET","url":"/api/v4/license/client","request_id":"ewekwanbkib83qayhmhfy8t18c","status_code":"200"}
{"level":"debug","ts":1603781648.2086496,"caller":"mlog/log.go:169","msg":"Invalid or expired session, please login again.","path":"/api/v4/warn_metrics/status","request_id":"w7ra68umsjyq8erzsoqr6wz6co","ip_addr":"172.16.52.81","user_id":"","method":"GET","err_where":"","http_code":401,"err_details":"UserRequired"}
{"level":"debug","ts":1603781648.2086957,"caller":"web/handlers.go:100","msg":"Received HTTP request","method":"GET","url":"/api/v4/warn_metrics/status","request_id":"w7ra68umsjyq8erzsoqr6wz6co","status_code":"401"}
{"level":"debug","ts":1603781648.2088985,"caller":"web/handlers.go:100","msg":"Received HTTP request","method":"GET","url":"/api/v4/config/client","request_id":"4e6ninceyjbmfm6keoruqxduww","status_code":"200"}
{"level":"debug","ts":1603781648.2200174,"caller":"web/handlers.go:100","msg":"Received HTTP request","method":"GET","url":"/api/v4/plugins/webapp","request_id":"wa9erza71ty4ipr4cppzg41y4r","status_code":"200"}
{"level":"error","ts":1603781668.838305,"caller":"mlog/log.go:190","msg":"Enter a valid email or username and/or password.","path":"/api/v4/users/login","request_id":"1gork3mhspfafjsk553icarq4r","ip_addr":"172.16.52.81","user_id":"","method":"POST","err_where":"login","http_code":401,"err_details":""}
{"level":"debug","ts":1603781668.8383765,"caller":"web/handlers.go:100","msg":"Received HTTP request","method":"POST","url":"/api/v4/users/login","request_id":"1gork3mhspfafjsk553icarq4r","status_code":"401"}
{"level":"error","ts":1603781674.9012408,"caller":"mlog/log.go:190","msg":"Enter a valid email or username and/or password.","path":"/api/v4/users/login","request_id":"t8tgxceq1pfaxjrq8joh3fbakh","ip_addr":"172.16.52.81","user_id":"","method":"POST","err_where":"login","http_code":401,"err_details":""}
{"level":"debug","ts":1603781674.9013128,"caller":"web/handlers.go:100","msg":"Received HTTP request","method":"POST","url":"/api/v4/users/login","request_id":"t8tgxceq1pfaxjrq8joh3fbakh","status_code":"401"}
{"level":"error","ts":1603781675.3800004,"caller":"mlog/log.go:190","msg":"Enter a valid email or username and/or password.","path":"/api/v4/users/login","request_id":"6stjbdn7hjyudcju8zwb18khxy","ip_addr":"172.16.52.81","user_id":"","method":"POST","err_where":"login","http_code":401,"err_details":""}
{"level":"debug","ts":1603781675.3800883,"caller":"web/handlers.go:100","msg":"Received HTTP request","method":"POST","url":"/api/v4/users/login","request_id":"6stjbdn7hjyudcju8zwb18khxy","status_code":"401"}
{"level":"error","ts":1603781675.5835216,"caller":"mlog/log.go:190","msg":"Enter a valid email or username and/or password.","path":"/api/v4/users/login","request_id":"6qzhr7zjpi8zupcfs5c8rctmbh","ip_addr":"172.16.52.81","user_id":"","method":"POST","err_where":"login","http_code":401,"err_details":""}
{"level":"debug","ts":1603781675.5835748,"caller":"web/handlers.go:100","msg":"Received HTTP request","method":"POST","url":"/api/v4/users/login","request_id":"6qzhr7zjpi8zupcfs5c8rctmbh","status_code":"401"}
{"level":"error","ts":1603781675.781025,"caller":"mlog/log.go:190","msg":"Enter a valid email or username and/or password.","path":"/api/v4/users/login","request_id":"ubj1ihigkjb3mmkgzmeknsb88y","ip_addr":"172.16.52.81","user_id":"","method":"POST","err_where":"login","http_code":401,"err_details":""}
{"level":"debug","ts":1603781675.7810743,"caller":"web/handlers.go:100","msg":"Received HTTP request","method":"POST","url":"/api/v4/users/login","request_id":"ubj1ihigkjb3mmkgzmeknsb88y","status_code":"401"}
{"level":"error","ts":1603781675.978612,"caller":"mlog/log.go:190","msg":"Enter a valid email or username and/or password.","path":"/api/v4/users/login","request_id":"a5c3ykawxpnt9e88bmgcjexgbe","ip_addr":"172.16.52.81","user_id":"","method":"POST","err_where":"login","http_code":401,"err_details":""}
{"level":"debug","ts":1603781675.9786954,"caller":"web/handlers.go:100","msg":"Received HTTP request","method":"POST","url":"/api/v4/users/login","request_id":"a5c3ykawxpnt9e88bmgcjexgbe","status_code":"401"}
{"level":"debug","ts":1603781679.629147,"caller":"web/handlers.go:100","msg":"Received HTTP request","method":"GET","url":"/api/v4/license/client","request_id":"nt9owqm4ubgf3nidjqhktri1ha","status_code":"200"}
{"level":"debug","ts":1603781679.6295834,"caller":"web/handlers.go:100","msg":"Received HTTP request","m

Hello, @amarnathsaha

Essentially, I can see two main issues based on the mattermost.log snippet that you have provided:

Invalid or expired session, please login again.
Enter a valid email or username and/or password

Troubleshooting Questions

  • When you mentioned that the users were unable to login, can you please confirm if they were attempting to log in using the right username / email and password credential?

  • Since you mentioned that all the users are shown (I assume from System Console > User Management > Users and their Sign-in Method is set to LDAP), do you mean that all 102 users cannot log in and are getting this error on the login screen?

If yes, this case is most likely related to the credentials (either the wrong username / email or password or both).


In System Console > User Management > Users there is no Sign-in Method set to LDAP. All 102 LDAP users are not able to log in, showing the same error.

I am using Univention Corporate Server LDAP.
I am trying to log in with the correct username and password. System Console > User Management > Users only shows 2 users, which were created manually, and does not show any LDAP user. But after LDAP sync, 102 users and 0 groups are showing and the LDAP connection is successful.

Hello, @amarnathsaha

Got it. The reason why the 102 users are not listed in the System Console > User Management > Users list is due to the fact that none of them has been able to log in. Mattermost will only list them in there once they have logged in successfully for the first time.

Since the synchronization was successful and you did mention that you tried to log in using username and password, do the 102 users have an email address associated with their account? If yes, have they tried to log in using their email and password?

If not, may I know how the EmailAttribute is set to userPrincipalName? Does that mean that all users do not have any email address tied to their account?

Hey, I configured LDAP today and I am facing the same issue on Enterprise trial 20. Only new users created on LDAP can log in, or existing users if I change their password; otherwise I get wrong password as well.

Hi, @Steve

I’ll need to get more information to understand why the authentication is failing.

  • What is the error that you are seeing on the UI when you try to log in?

  • Using tail -f /opt/mattermost/logs/mattermost.log in the Mattermost Server CLI to run an active tailing of the log, can you reproduce the login issue and share the snippet (with sensitive information removed such as password, ID, IP address) here?

  • You mentioned about changing existing user password. Were you referring to existing local or LDAP users?

I’d like to take a look at these before diving deeper into the problem. Thanks.

Hey, I am actually going through this with another team member, but awesome for the quick reply :slight_smile:
I am posting just so OP knows it may be a general issue, so he isn't debugging like crazy to see what's happening.

But for context:
I am just getting a wrong username/password combination on the UI when I try to log in.

{"level":"error","ts":1603997473.1188908,"caller":"mlog/log.go:229","msg":"Enter a valid email or username and/or password.","path":"/api/v4/users/login","request_id":"a1xc655ahbfm3cg9psgujp1s7o","ip_addr":"xxxxxxxxxxxxxx","user_id":"","method":"POST","err_where":"login","http_code":401,"err_details":""}

I am facing the issue with all of my existing LDAP users, existing meaning they were created before I configured Mattermost with LDAP.
If I create a new user afterwards (afterwards meaning after I configured LDAP and Mattermost) it works fine.
If I change an existing user's password on LDAP it works fine (keep in mind the user/pass credentials are 100% correct; I have another system running with LDAP integration (the same LDAP I get users from for Mattermost) and the accounts I test work fine).

Hi, @Steve

You are most welcome. Going through the explanation you provided, this statement definitely caught my attention:

If I change an existing user's password on LDAP it works fine (keep in mind the user/pass credentials are 100% correct,

Mattermost will only read the information of the attributes configured in the LDAP configuration (such as Username, Email, Profile Picture, etc.) and store it in the database.

While Mattermost does not store LDAP user passwords in the Users table (only for local users), the login process checks the password in real time during authentication by sending the request to the LDAP server, which checks whether the credentials (email / username + password) are correct before sending the response back to Mattermost to either allow the user to log in or fail due to incorrect credentials.

Could it be that the existing user passwords had expired when the issue occurred, which eventually got resolved by changing the password on the LDAP side and authenticating again after that?

Did the Username or Email attribute change for those existing users as well?

Hey again,
for the existing users that fail to log in to Mattermost, I can log in just fine (with the same account I used on Mattermost) on another system that uses my LDAP as well, so no, they are not expired.

In order to log in to Mattermost with LDAP I need to either:
Create a new user
Change the password on my existing users (the users that were in the LDAP database before I configured it to work with Mattermost).

Hello, @Steve

Got it. It still puzzles me a little bit that the issue is fixed when the old LDAP user's password gets changed.

  • Were you able to directly log in after you changed it from the LDAP side, or did you have to manually sync the directory from Mattermost AD/LDAP Synchronize Now before the old users could log in again?

  • What do you mean by "before configuring it to work with Mattermost"? Does that mean that the AD/LDAP was configured before > old LDAP users were able to log in > something broke, causing the old users to be unable to log in after that?

Just trying to tie the strings together here.

Hello @ahmaddanial
I have tried to check connectivity between Mattermost and LDAP by using the ldap-check.sh script (How to Run ldap-check.sh on Mattermost Server) and the output of this script is below.

[root@configuration bin]# ./ldap-check.sh -u cmsbot
Looking for config.json
Found config at …/config/config.json
ldapsearch -LLL -x -h 192.168.x.xx -p 389 -D "uid=cmsbot,ou=Users,ou=CMS,dc=cms,dc=org" -w "xxxxxxx" -b "ou=Users,ou=CMS,dc=cms,dc=org" "(uid=cmsbot)" uid sAMAccountName userPrincipalName

dn: uid=cmsbot,ou=Users,ou=CMS,dc=cms,dc=org
uid: cmsbot

[root@configuration bin]# ./ldap-check.sh -u anath
Looking for config.json
Found config at …/config/config.json
ldapsearch -LLL -x -h 192.168.x.xx -p 389 -D "uid=cmsbot,ou=Users,ou=CMS,dc=cms,dc=org" -w "xxxxxxxx" -b "ou=Users,ou=CMS,dc=cms,dc=org" "(uid=anath)" uid sAMAccountName userPrincipalName

dn: uid=anath,ou=Users,ou=CMS,dc=cms,dc=org
uid: anath


LDAP settings in Mattermost are below.

"LdapSettings": {
    "Enable": true,
    "EnableSync": true,
    "LdapServer": "192.168.x.xx",
    "LdapPort": 389,
    "ConnectionSecurity": "",
    "BaseDN": "ou=Users,ou=CMS,dc=cms,dc=org",
    "BindUsername": "uid=cmsbot,ou=Users,ou=CMS,dc=cms,dc=org",
    "BindPassword": "xxxxxxxx",
    "UserFilter": "",
    "GroupFilter": "",
    "GuestFilter": "",
    "EnableAdminFilter": false,
    "AdminFilter": "",
    "GroupDisplayNameAttribute": "",
    "GroupIdAttribute": "",
    "FirstNameAttribute": "",
    "LastNameAttribute": "",
    "EmailAttribute": "userPrincipalName",
    "UsernameAttribute": "sAMAccountName",
    "NicknameAttribute": "",
    "IdAttribute": "uid",
    "PositionAttribute": "",
    "LoginIdAttribute": "sAMAccountName",
    "PictureAttribute": "",
    "SyncIntervalMinutes": 60,
    "SkipCertificateVerification": false,
    "QueryTimeout": 60,
    "MaxPageSize": 0,
    "LoginFieldName": "",
    "LoginButtonColor": "#0000",
    "LoginButtonBorderColor": "#2389D7",
    "LoginButtonTextColor": "#2389D7",
    "Trace": false
}

Please check and reply asap.

Thanks
Amarnath
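A small diagnostic, added here as an example and not part of this thread or of Mattermost's own code: it parses ldap-check.sh style LDIF output like the one posted above and reports which of the attributes named in LdapSettings (IdAttribute, LoginIdAttribute, UsernameAttribute, EmailAttribute) the directory did not return for the user, and it builds the user lookup filter with RFC 4515 escaping so a typed login id cannot change the filter structure. The settings and LDIF are constructed to mirror the thread; that the login starts with a search on LoginIdAttribute before the password is checked against the LDAP server is an assumption based on the login flow described earlier in the thread.

```python
import re

# Constructed LdapSettings, modelled on the ones posted in this thread
# (AD-style attribute names queried against an OpenLDAP-style directory).
LDAP_SETTINGS = {
    "BaseDN": "ou=Users,ou=CMS,dc=cms,dc=org",
    "IdAttribute": "uid",
    "LoginIdAttribute": "sAMAccountName",
    "UsernameAttribute": "sAMAccountName",
    "EmailAttribute": "userPrincipalName",
}

# Constructed LDIF, shaped like the ldap-check.sh output above: three
# attributes were requested but only uid came back.
SAMPLE_LDIF = """dn: uid=anath,ou=Users,ou=CMS,dc=cms,dc=org
uid: anath
"""


def parse_ldif_entry(ldif):
    """Parse one LDIF entry into {attribute_lowercase: [values]}.
    Attribute names are case-insensitive in LDAP, so they are lowered here.
    Base64 (::) values are kept as-is, not decoded."""
    entry = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def missing_login_attributes(settings, entry):
    """Return the LdapSettings keys whose mapped attribute the entry lacks.
    An empty mapping is skipped; a mapped-but-absent attribute means the
    login id can never be matched, whatever password the user types."""
    keys = ("IdAttribute", "LoginIdAttribute", "UsernameAttribute", "EmailAttribute")
    return [k for k in keys if settings[k] and settings[k].lower() not in entry]


def escape_filter_value(value):
    """RFC 4515 escaping: backslash, *, (, ) and NUL become \\XX hex escapes."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def login_search_filter(settings, login_id):
    """Filter for the user lookup (assumed to precede the password check),
    built the way the ldap-check.sh query above does it but with escaping."""
    return "(%s=%s)" % (settings["LoginIdAttribute"], escape_filter_value(login_id))
```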