Group's not working with LDAP #8881

Open
thepunknerd opened this issue Jan 4, 2024 · 3 comments

thepunknerd commented Jan 4, 2024

Summary

We are trying to have our Concourse environment work with Active Directory. We have it fully working and connected in terms of users. We can log in just fine. The user side and user search work great. The groups are not working, and it seems Concourse cannot find the groups users are members of, leaving us unable to set team auth based on AD security groups as desired.

Steps to reproduce

In our etc/concourse/web_environment config file we have the following for LDAP:

```
#Active Directory Settings
CONCOURSE_LDAP_DISPLAY_NAME=Team AD
CONCOURSE_LDAP_HOST=dc.domain.com
CONCOURSE_LDAP_CA_CERT=/etc/concourse/ldap.pem
CONCOURSE_LDAP_BIND_DN='CN=Administrator,CN=Users,DC=Domain,DC=Com'
CONCOURSE_LDAP_BIND_PW='OurPassHere'
CONCOURSE_LDAP_USER_SEARCH_BASE_DN='DC=Domain,DC=Com'
CONCOURSE_LDAP_USER_SEARCH_USERNAME=sAMAccountName
CONCOURSE_LDAP_USER_SEARCH_SCOPE=sub
CONCOURSE_LDAP_USER_SEARCH_ID_ATTR=sAMAccountName
#CONCOURSE_LDAP_USER_SEARCH_FILTER=(objectCategory=Person)
CONCOURSE_LDAP_USER_SEARCH_EMAIL_ATTR=mail
CONCOURSE_LDAP_USER_SEARCH_NAME_ATTR=name
CONCOURSE_LDAP_GROUP_BASE_DN='OU=Concourse,OU=Team Groups,DC=Domain,DC=Com'
CONCOURSE_LDAP_GROUP_SEARCH_SCOPE=sub
CONCOURSE_LDAP_GROUP_SEARCH_GROUP_ATTR=member
CONCOURSE_LDAP_GROUP_SEARCH_NAME_ATTR=cn
CONCOURSE_LDAP_GROUP_SEARCH_USER_ATTR=distinguishedName
CONCOURSE_LDAP_GROUP_SEARCH_FILTER=(objectCategory=Group)
#CONCOURSE_MAIN_TEAM_LDAP_USER=me
CONCOURSE_MAIN_TEAM_LDAP_GROUP=concourse_admin
```

Expected results

We would expect this to allow any AD user who is a member of the security group concourse_admin to be a part of the main team and have access to all pipelines when they log into the web portal.

Actual results

When an AD user who is a member of that security group logs on, they are unable to see any pipelines. Uncommenting the line for CONCOURSE_MAIN_TEAM_LDAP_USER will allow any user listed to have access, though. Only one of these two methods is functional for us.

Additional context

Trying to set groups through the use of fly commands also does not create the desired result. We have seen that this issue is similar to #2638 and have tried matching the solution found there, with no success.

Triaging info

  • Concourse version: v7.8.3
  • Browser (if applicable):
  • Did this used to work? No
thepunknerd added the bug label Jan 4, 2024
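The config above can be checked outside Concourse by reproducing the two LDAP queries it drives. The script below is an added example, not Concourse's or dex's own code. It assumes the filter shape the dex LDAP connector (which Concourse uses for LDAP) documents: the user is found with `(&<USER_SEARCH_FILTER>(<USER_SEARCH_USERNAME>=<login>))`, then groups are found under the group base DN with `(&<GROUP_SEARCH_FILTER>(<GROUP_SEARCH_GROUP_ATTR>=<value of the user's GROUP_SEARCH_USER_ATTR>))`, and that dex special-cases the attribute name `DN` to mean the user entry's own DN. The in-memory directory, the users `alice` and `bob`, and the group `other_admins` are constructed for the demo. Two things worth checking on a real deployment fall out of it: the posted file names the group base DN `CONCOURSE_LDAP_GROUP_BASE_DN` while the user one is `CONCOURSE_LDAP_USER_SEARCH_BASE_DN` (Concourse's flag is `--ldap-group-search-base-dn`, so compare the key name against `concourse web --help` for the installed version), and a user entry that comes back without the attribute named in `GROUP_SEARCH_USER_ATTR` leaves nothing to put after `member=`, which yields `groups=[]` even for a genuine member.

```python
# Added example (not Concourse's or dex's own code): model the user and group lookups that the
# posted web_environment implies, using the filter shape the dex LDAP connector documents:
#   user:   (&<USER_SEARCH_FILTER>(<USER_SEARCH_USERNAME>=<login>))
#   groups: (&<GROUP_SEARCH_FILTER>(<GROUP_SEARCH_GROUP_ATTR>=<user's GROUP_SEARCH_USER_ATTR value>))
import re, shlex

# Keys and values as posted (bind password omitted), including the group base-DN key spelled as posted.
CFG = {
    "CONCOURSE_LDAP_HOST": "dc.domain.com",
    "CONCOURSE_LDAP_CA_CERT": "/etc/concourse/ldap.pem",
    "CONCOURSE_LDAP_BIND_DN": "CN=Administrator,CN=Users,DC=Domain,DC=Com",
    "CONCOURSE_LDAP_USER_SEARCH_BASE_DN": "DC=Domain,DC=Com",
    "CONCOURSE_LDAP_USER_SEARCH_USERNAME": "sAMAccountName",
    "CONCOURSE_LDAP_USER_SEARCH_SCOPE": "sub",
    "CONCOURSE_LDAP_GROUP_BASE_DN": "OU=Concourse,OU=Team Groups,DC=Domain,DC=Com",
    "CONCOURSE_LDAP_GROUP_SEARCH_SCOPE": "sub",
    "CONCOURSE_LDAP_GROUP_SEARCH_GROUP_ATTR": "member",
    "CONCOURSE_LDAP_GROUP_SEARCH_NAME_ATTR": "cn",
    "CONCOURSE_LDAP_GROUP_SEARCH_USER_ATTR": "distinguishedName",
    "CONCOURSE_LDAP_GROUP_SEARCH_FILTER": "(objectCategory=Group)",
}

def escape_filter(value):
    """RFC 4515 escaping: a login name or DN must not be able to change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def user_filter(cfg, login):
    base = "(%s=%s)" % (cfg["CONCOURSE_LDAP_USER_SEARCH_USERNAME"], escape_filter(login))
    extra = cfg.get("CONCOURSE_LDAP_USER_SEARCH_FILTER")  # commented out in the posted file
    return "(&%s%s)" % (extra, base) if extra else base

def group_filter(cfg, user_value):
    return "(&%s(%s=%s))" % (cfg["CONCOURSE_LDAP_GROUP_SEARCH_FILTER"],
                            cfg["CONCOURSE_LDAP_GROUP_SEARCH_GROUP_ATTR"], escape_filter(user_value))

def parse_filter(s):
    """Minimal parser for the two forms used here: (attr=value) and (&(...)(...))."""
    body = s.strip()[1:-1]
    if body.startswith("&"):
        parts, depth, start = [], 0, 0
        for i, c in enumerate(body):
            if c == "(":
                start, depth = (i if depth == 0 else start), depth + 1
            elif c == ")":
                depth -= 1
                if depth == 0:
                    parts.append(body[start:i + 1])
        return ("and", [parse_filter(p) for p in parts])
    attr, _, value = body.partition("=")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("eq", attr.lower(), value.lower())

def matches(entry, f):  # attribute names and these values compare case-insensitively, as in AD
    if f[0] == "and":
        return all(matches(entry, sub) for sub in f[1])
    return f[2] in [v.lower() for v in entry["attrs"].get(f[1], [])]

def in_scope(dn, base, scope):  # "base" or "sub", on whitespace- and case-normalised DNs
    norm = lambda d: ",".join(p.strip() for p in d.split(",")).lower()
    dn, base = norm(dn), norm(base)
    return dn == base or (scope == "sub" and dn.endswith("," + base))

def entry(dn, **attrs):  # constructed entry; objectCategory simplified to a bare class name
    return {"dn": dn, "attrs": {k.lower(): [v] if isinstance(v, str) else list(v) for k, v in attrs.items()}}

ALICE_DN, BOB_DN = "CN=Alice Example,CN=Users,DC=Domain,DC=Com", "CN=Bob Example,CN=Users,DC=Domain,DC=Com"
DIRECTORY = [  # constructed sample directory
    entry(ALICE_DN, sAMAccountName="alice", objectCategory="Person", distinguishedName=ALICE_DN),
    entry(BOB_DN, sAMAccountName="bob", objectCategory="Person"),  # distinguishedName not returned
    entry("CN=concourse_admin,OU=Concourse,OU=Team Groups,DC=Domain,DC=Com",
          cn="concourse_admin", objectCategory="Group", member=[ALICE_DN, BOB_DN]),
    entry("CN=other_admins,OU=Elsewhere,DC=Domain,DC=Com",  # outside the configured group base DN
          cn="other_admins", objectCategory="Group", member=[ALICE_DN]),
]

def lookup_groups(cfg, directory, login):
    """Group names dex would report: [] when nothing matches, None if the user lookup fails."""
    uf = parse_filter(user_filter(cfg, login))
    users = [e for e in directory if matches(e, uf) and in_scope(
        e["dn"], cfg["CONCOURSE_LDAP_USER_SEARCH_BASE_DN"], cfg["CONCOURSE_LDAP_USER_SEARCH_SCOPE"])]
    if len(users) != 1:
        return None
    user_attr = cfg["CONCOURSE_LDAP_GROUP_SEARCH_USER_ATTR"]
    # dex treats the attribute name "DN" as the entry's own DN; any other name must come back from AD
    values = [users[0]["dn"]] if user_attr.upper() == "DN" else users[0]["attrs"].get(user_attr.lower(), [])
    if not values:
        return []  # nothing to put after member=, so groups=[] even for a genuine member
    gf, name_attr = parse_filter(group_filter(cfg, values[0])), cfg["CONCOURSE_LDAP_GROUP_SEARCH_NAME_ATTR"].lower()
    return [e["attrs"][name_attr][0] for e in directory if matches(e, gf) and in_scope(
        e["dn"], cfg["CONCOURSE_LDAP_GROUP_BASE_DN"], cfg["CONCOURSE_LDAP_GROUP_SEARCH_SCOPE"])]

def ldapsearch_command(cfg, base, scope, filt, attrs):
    """The same query as a manual ldapsearch; -W prompts for the bind password instead of exposing it in argv."""
    parts = ["ldapsearch", "-LLL", "-H", "ldaps://" + cfg["CONCOURSE_LDAP_HOST"], "-D", cfg["CONCOURSE_LDAP_BIND_DN"],
             "-W", "-b", base, "-s", scope, filt] + attrs
    return "LDAPTLS_CACERT=%s %s" % (shlex.quote(cfg["CONCOURSE_LDAP_CA_CERT"]), " ".join(map(shlex.quote, parts)))

if __name__ == "__main__":
    print(ldapsearch_command(CFG, CFG["CONCOURSE_LDAP_GROUP_BASE_DN"], "sub", group_filter(CFG, ALICE_DN), ["cn"]))
    for login in ("alice", "bob", "nobody"):
        print(login, "->", lookup_groups(CFG, DIRECTORY, login))
```

Running it prints the `ldapsearch` equivalent of the group query, which can be run against the domain controller with the same bind DN and CA certificate to see whether the `concourse_admin` entry is returned at all for a real user's DN; `alice` resolves to `["concourse_admin"]`, `bob` to `[]` because his entry carries no `distinguishedName` value to match, and `other_admins` never appears because it sits outside the group base DN. The `member=<DN>` filter only finds direct membership; resolving nested AD groups would need the chain matching rule (`member:1.2.840.113556.1.4.1941:=<DN>`), which this lookup does not use.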
@pezhore

pezhore commented Jan 11, 2024

This is weird - from my understanding of LDAP queries, this should work, but testing in my environment - I have the same issue.

xtremerui (Contributor) commented

Hi, we test LDAP with this LDAP config and this Concourse yml.

What is the log output when an AD user logs in? For example, from the linked issue:

```
{"timestamp":"1538080212.178583622","source":"atc","message":"atc.dex.event","log_level":1,"data":{"fields":{},"message":"login successful: connector "ldap", username="user1", email="[email protected]", groups=[]","session":"5"}}
```

thepunknerd (Author) commented

Sorry for a very late followup, got busy with other higher priority efforts at work.

The log output is effectively the same as yours. Here is one I had saved from when I was originally working on this:

```
{"timestamp":"2024-01-03T21:32:38.613956538Z","level":"info","source":"atc","message":"atc.dex.event","data":{"fields":{},"message":"login successful: connector \"ldap\", username=\"Name\", preferred_username=\"\", email=\"[email protected]\", groups=[]","session":"18"}}
```

I'd personally expect it to have some group listed, as the given user is part of the group concourse_admin and that group is set to have access to all the teams we use. Despite this, logging into Concourse with LDAP works; you just can't see anything.
