Conjur Enterprise 12.7 fails to authenticate via LDAP

Hello,

I have an error trying to authenticate to Conjur via an LDAP user:
Conjur Enterprise 12.7
In audit.json:

{"subject@43868":{"role":"company:user:conjuradm@company.local"},"policy@43868":{"version":"35","id":"company:policy:root"},"client@43868":{"ip":"10.200.69.80"},"auth@43868":{"user":"company:user:admin"},"action@43868":{"result":"success","operation":"change"},"PROGRAM":"conjur","PID":"1825f4cc-c144-4f62-86ff-5b2fa3f2a79f","MSGID":"policy","MESSAGE":"company:user:admin changed role company:user:conjuradm@company.local","LEVEL":"notice","ISODATE":"2023-03-01T20:35:36.853+00:00","FACILITY":"authpriv"}
{"subject@43868":{"resource":"company:user:conjuradm@company.local","annotation":"Email"},"policy@43868":{"version":"35","id":"company:policy:root"},"client@43868":{"ip":"10.200.69.80"},"auth@43868":{"user":"company:user:admin"},"action@43868":{"result":"success","operation":"add"},"PROGRAM":"conjur","PID":"1825f4cc-c144-4f62-86ff-5b2fa3f2a79f","MSGID":"policy","MESSAGE":"company:user:admin added annotation Email on company:user:conjuradm@company.local","LEVEL":"notice","ISODATE":"2023-03-01T20:35:36.853+00:00","FACILITY":"authpriv"}
{"subject@43868":{"resource":"company:user:conjuradm@company.local"},"policy@43868":{"version":"35","id":"company:policy:root"},"client@43868":{"ip":"10.200.69.80"},"auth@43868":{"user":"company:user:admin"},"action@43868":{"result":"success","operation":"add"},"PROGRAM":"conjur","PID":"1825f4cc-c144-4f62-86ff-5b2fa3f2a79f","MSGID":"policy","MESSAGE":"company:user:admin added resource company:user:conjuradm@company.local","LEVEL":"notice","ISODATE":"2023-03-01T20:35:36.854+00:00","FACILITY":"authpriv"}
{"subject@43868":{"role":"company:user:conjuradm@company.local","owner":"company:group:conjur-admins"},"policy@43868":{"version":"35","id":"company:policy:root"},"client@43868":{"ip":"10.200.69.80"},"auth@43868":{"user":"company:user:admin"},"action@43868":{"result":"success","operation":"add"},"PROGRAM":"conjur","PID":"1825f4cc-c144-4f62-86ff-5b2fa3f2a79f","MSGID":"policy","MESSAGE":"company:user:admin added ownership of company:group:conjur-admins in company:user:conjuradm@company.local","LEVEL":"notice","ISODATE":"2023-03-01T20:35:36.855+00:00","FACILITY":"authpriv"}
{"subject@43868":{"role":"company:user:conjuradm@company.local"},"policy@43868":{"version":"35","id":"company:policy:root"},"client@43868":{"ip":"10.200.69.80"},"auth@43868":{"user":"company:user:admin"},"action@43868":{"result":"success","operation":"add"},"PROGRAM":"conjur","PID":"1825f4cc-c144-4f62-86ff-5b2fa3f2a79f","MSGID":"policy","MESSAGE":"company:user:admin added role company:user:conjuradm@company.local","LEVEL":"notice","ISODATE":"2023-03-01T20:35:36.855+00:00","FACILITY":"authpriv"}
{"subject@43868":{"role":"company:group:conjur/authn-ldap/company-ldap-server/clients","member":"company:user:conjuradm@company.local"},"policy@43868":{"version":"3","id":"company:policy:conjur/authn-ldap"},"client@43868":{"ip":"10.200.69.80"},"auth@43868":{"user":"company:user:admin"},"action@43868":{"result":"success","operation":"add"},"PROGRAM":"conjur","PID":"ce02e7df-8f57-45a6-b03c-76fbdf325ca6","MSGID":"policy","MESSAGE":"company:user:admin added membership of company:user:conjuradm@company.local in company:group:conjur/authn-ldap/company-ldap-server/clients","LEVEL":"notice","ISODATE":"2023-03-01T20:35:55.677+00:00","FACILITY":"authpriv"}
{"subject@43868":{"role":"company:user:conjuradm@company.local"},"client@43868":{"ip":"127.0.0.1"},"auth@43868":{"user":"company:user:conjuradm@company.local","service":"company:webservice:conjur/authn-ldap/company-ldap-server","authenticator":"authn-ldap"},"action@43868":{"result":"failure","operation":"login"},"PROGRAM":"conjur","PID":"db60593c-ae1e-4de7-bfbd-b722bace9367","MSGID":"authn","MESSAGE":"company:user:conjuradm@company.local failed to login with authenticator authn-ldap service company:webservice:conjur/authn-ldap/company-ldap-server: Connection reset by peer @ io_fillbuf - fd:19 ","LEVEL":"warning","ISODATE":"2023-03-01T20:36:51.422+00:00","FACILITY":"authpriv"}

KR

Based on the message, “Connection reset by peer”, it seems that Conjur cannot connect to the LDAP server at the URL configured in the policy.
Have you been able to log into Conjur with any other LDAP users? Can you ping the LDAP server from the Conjur container?

Hello
{"subject@43868":{"role":"domain:user:conjuradm@domain.local"},"client@43868":{"ip":"127.0.0.1"},"auth@43868":{"user":"domain:user:conjuradm@domain.local","service":"domain:webservice:conjur/authn-ldap/domain-ldap-server","authenticator":"authn-ldap"},"action@43868":{"result":"failure","operation":"login"},"PROGRAM":"conjur","PID":"440430f5-28e7-46b0-8cae-4d7604a4127f","MSGID":"authn","MESSAGE":"domain:user:conjuradm@domain.local failed to login with authenticator authn-ldap service domain:webservice:conjur/authn-ldap/domain-ldap-server: CONJ00002E Invalid credentials","LEVEL":"warning","ISODATE":"2023-03-06T08:23:06.510+00:00","FACILITY":"authpriv"}

After changing to 389 and to a plaintext connection, the connection works, but I still can't log in with the AD user.
What should the user id be (LDAP "cn" or "upn")?
What should the owner look like?

- !user
  id: conjuradm@domain.local
  owner: !group conjur-admins ## local conjur group
  annotations:
    Email: conjuradm@domain.local

and grant him:

- !grant
  role: !group conceptdata-ldap-server/clients
  member: !user /conjuradm@domain.local

Sorry for the confusion, there was a wrong LDAP search template :slight_smile:

Can you please post your policy YAML for the LDAP authenticator?
By default it will match based on the uid but this is configurable via the filter_template annotation.
See this guide for more details.
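For reference, here is an added example of an authn-ldap service policy illustrating the filter_template point above; it is not the poster's policy or a fragment copied from this thread. The annotation names follow the Conjur authn-ldap documentation; the service id, host, DNs and the choice of userPrincipalName as the AD attribute are assumptions, chosen to fit a Conjur user id of the form conjuradm@domain.local.

```yaml
# Added example of a Conjur authn-ldap service policy (not from this thread).
# Service id, host and DNs are placeholders; ldap-authn/* annotation names follow
# the Conjur authn-ldap docs. Assumption: Conjur user ids are AD UPNs.
- !policy
  id: conjur/authn-ldap/domain-ldap-server
  body:
  - !webservice
    annotations:
      ldap-authn/host: dc01.example.local        # placeholder domain controller
      ldap-authn/port: 636
      ldap-authn/connect_type: ssl               # plain/389 is fine for a connectivity test only
      ldap-authn/base_dn: dc=example,dc=local
      ldap-authn/bind_dn: cn=conjur-bind,ou=service,dc=example,dc=local
      # Default behaviour described above: match on uid, which AD user objects
      # do not carry, so every login ends in "Invalid credentials":
      # ldap-authn/filter_template: (uid=%s)
      # AD: match the Conjur user id (the UPN) against userPrincipalName instead.
      ldap-authn/filter_template: (&(objectClass=user)(userPrincipalName=%s))
  # The bind password and CA certificate are stored in variables, never in policy text.
  - !variable bind-password
  - !variable tls-ca-cert
  # Only members of this group may authenticate through this service.
  - !group clients
  - !permit
    role: !group clients
    privilege: [ read, authenticate ]
    resource: !webservice
```

Whatever attribute the filter matches on must hold exactly the value used as the Conjur user id, so with this template the user is declared as `!user` with `id: conjuradm@domain.local` and granted membership of `clients`, as in the policy posted above.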

There was a wrong LDAP search template that pointed to a UID value, and we use AD; it is working right now.
Sorry for the confusion and thank you for your help.