KNIME server LDAP freezes server

I’ve just set up KNIME server and am configuring the LDAP authentication.

I’ve set up the AD auth as below
<Realm className="org.apache.catalina.realm.JNDIRealm"
   debug="99"
   connectionURL="ldap://<DC FQDN>:389"
   connectionName=""
   connectionPassword=""
   userSubtree="true"
   userBase=""
   userSearch="(sAMAccountName={0})"
   userRoleName="memberOf"
   roleBase="OU=Security Groups,"
   roleName="CN"
   roleSubtree="true"
   roleSearch="(member={0})"
   roleNested="true"/>

I’ve tested these settings using the LDAP browser suggested by KNIME for troubleshooting, and that works as expected.

However, whenever I try to log in as an LDAP user, the KNIME server freezes and needs to be restarted.
I turned on some more log files and this is the last line before it freezes:

29-Oct-2021 03:13:30.447 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user [] with realm [org.apache.catalina.realm.JNDIRealm]

Any ideas?

Hi @chrismlg,

Welcome to the KNIME community.

Your example configuration uses the direct bind mode to connect to the LDAP. This could be working, but it seems that Apache is splitting your authentication request into two: first the user request with the given credentials, followed by a second one for the group request. The latter is done without the given credentials and will therefore fail on most AD setups, as anonymous requests are mostly blocked.

The direct bind will work if you only request user information but then you would have no group memberships to grant permissions on.

Could you try to use the compare mode instead, using a service account to read the LDAP? We provide an example in our guide, which I will use here as well:

<Realm className="org.apache.catalina.realm.JNDIRealm"
   connectionName="cn=Manager,dc=example,dc=com"
   connectionPassword="secret"
   connectionURL="ldap://52.50.222.127:389"
   userSubtree="true"
   userBase="cn=Users,dc=domain,dc=com"
   userSearch="(sAMAccountName={0})"
   userRoleName="memberOf"
   roleBase="cn=Users,dc=domain,dc=com"
   roleName="cn"
   roleSearch="(member={0})"
   roleSubtree="true"
   roleNested="true"/>

This should work on any LDAP/AD; you only need to configure the service account's credentials using connectionName and connectionPassword.

Best,
Michael
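A small checker that encodes the diagnosis from the reply above, added here as an example; it is not part of the thread, of KNIME or of Tomcat. It parses a JNDIRealm `<Realm>` element and flags a direct-bind configuration that still expects a group lookup, a service-account password sent over plaintext `ldap://`, and a base DN that looks truncated. The sample Realm strings are constructed from the thread's two configurations with placeholder hostnames.

```python
import xml.etree.ElementTree as ET


def lint_jndi_realm(xml_text: str) -> list[str]:
    """Return findings for a Tomcat <Realm className=...JNDIRealm .../> element."""
    realm = ET.fromstring(xml_text)
    if realm.tag != "Realm" or not realm.get("className", "").endswith("JNDIRealm"):
        raise ValueError("expected a JNDIRealm <Realm> element")
    a = realm.attrib
    findings = []
    service_account = bool(a.get("connectionName"))          # compare mode if set
    role_lookup = any(a.get(k) for k in ("roleSearch", "roleBase", "userRoleName"))
    if not service_account and role_lookup:
        # Tomcat does the group search as a second request without the user's
        # credentials, i.e. anonymously; most AD deployments reject that.
        findings.append("direct bind with role lookup: group search runs anonymously "
                        "and will fail on most AD setups; use a service account")
    url = a.get("connectionURL", "")
    if service_account and url.startswith("ldap://"):
        findings.append("service-account password is sent over plaintext ldap://; "
                        "use ldaps:// (or StartTLS) so bind credentials are not exposed")
    if service_account and not a.get("connectionPassword"):
        findings.append("connectionName is set but connectionPassword is empty")
    for key in ("userBase", "roleBase"):
        if a.get(key, "").rstrip().endswith(","):
            findings.append(f"{key} ends with a comma: the DN looks truncated")
    return findings


# Constructed samples modelled on the two configurations in the thread.
DIRECT_BIND = ('<Realm className="org.apache.catalina.realm.JNDIRealm" '
               'connectionURL="ldap://dc.example.test:389" connectionName="" '
               'connectionPassword="" userSubtree="true" userBase="" '
               'userSearch="(sAMAccountName={0})" userRoleName="memberOf" '
               'roleBase="OU=Security Groups," roleName="CN" roleSubtree="true" '
               'roleSearch="(member={0})" roleNested="true"/>')
SERVICE_ACCOUNT_PLAINTEXT = ('<Realm className="org.apache.catalina.realm.JNDIRealm" '
                             'connectionName="cn=Manager,dc=example,dc=com" '
                             'connectionPassword="secret" connectionURL="ldap://ldap.example.test:389" '
                             'userBase="cn=Users,dc=domain,dc=com" userSearch="(sAMAccountName={0})" '
                             'userRoleName="memberOf" roleBase="cn=Users,dc=domain,dc=com" '
                             'roleName="cn" roleSearch="(member={0})" roleNested="true"/>')
SERVICE_ACCOUNT_LDAPS = SERVICE_ACCOUNT_PLAINTEXT.replace("ldap://ldap.example.test:389",
                                                          "ldaps://ldap.example.test:636")

if __name__ == "__main__":
    for name in ("DIRECT_BIND", "SERVICE_ACCOUNT_PLAINTEXT", "SERVICE_ACCOUNT_LDAPS"):
        print(name, lint_jndi_realm(globals()[name]) or ["ok"])
```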