AD LDAP authentication failure #1015

Closed
4 tasks done
SergeyTrue opened this issue Apr 10, 2025 · 11 comments
Labels
status/invalid This doesn't seem right status/triage/completed Automatic triage completed status/triage/manual Manual triage in progress type/bug Something isn't working

Comments

@SergeyTrue

SergeyTrue commented Apr 10, 2025

Issue submitter TODO list

  • I've looked up my issue in FAQ
  • I've searched for already existing issues here
  • I've tried running main-labeled docker image and the issue still persists there
  • I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

I have configured kafka-ui to authenticate via LDAP. I get the error
o.s.s.l.a.a.ActiveDirectoryLdapAuthenticationProvider: Active Directory authentication failed: Supplied password was invalid
whenever I try to log in. I'm sure I've entered correct credentials (both in the UI and in the LDAP config). I tried credentials of different users, but the result is the same.

Expected behavior

I would expect that I would be able to login using my AD password.

Your installation details

/etc/kafkaui/roles.yml

auth:
  type: LDAP
spring:
  ldap:
    urls: ldap://t-global.company:389
    base: "CN={0},OU=NoAdmins,OU=MSK,OU=Users,DC=T-Global,DC=company"
    admin-user: "CN=Doe John,OU=NoAdmins,OU=MSK,OU=Users,DC=T-Global,DC=company" 
    admin-password: "pass"
    user-filter-search-base: "DC=t-Global,DC=company"
    user-filter-search-filter: "(&(sAMAccountName={0})(objectClass=user))"
    group-filter-search-base: "OU=Groups,OU=company,DC=T-Global,DC=company"
oauth2:
  ldap:
    activeDirectory: true
    activeDirectory:
      domain: t-global.company

ldapsearch output for the role I'm trying to authenticate with, both in the UI and as specified in the config:

ldapsearch -H ldap://t-global.company:389 -D "CN=Doe John,OU=NoAdmins,OU=CITY,OU=Users,OU=company,DC=T-Global,DC=company" -w "pass" -b "DC=T-Global,DC=company" "(sAMAccountName=DoeJ)"
# Doe John, NoAdmins, CITY, Users, company, T-Global.company
dn: CN=Doe John,OU=NoAdmins,OU=CITY,OU=Users,OU=company,DC=T-Global,DC=company
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Doe John

distinguishedName: CN=Doe John,OU=NoAdmins,OU=CITY,OU=Users,OU=company,DC=T-
 Global,DC=company
memberOf: CN=MNG_SRV_S-NSK90-APP0276_Admins,OU=S-NSK90-APP0276,OU=NSK,OU=Serve
 rs,OU=Manage,OU=Groups,OU=company,DC=T-Global,DC=company
name: Doe John
sAMAccountName: DoeJ
userPrincipalName: DoeJ@t-global.company
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=T-Global,DC=company

Steps to reproduce

Kafka is running in Docker Swarm:
docker stack deploy -c docker-compose.yml kafka_cluster

Screenshots

No response

Logs

Here are the logs from kafka-ui service.

o.s.s.l.a.a.ActiveDirectoryLdapAuthenticationProvider: Active Directory authentication failed: Supplied password was invalid

Additional context

No response

@SergeyTrue SergeyTrue added status/triage Issues pending maintainers triage type/bug Something isn't working labels Apr 10, 2025
@kapybro kapybro bot added status/triage/manual Manual triage in progress status/triage/completed Automatic triage completed and removed status/triage Issues pending maintainers triage labels Apr 10, 2025

@SergeyTrue
Author

SergeyTrue commented Apr 10, 2025

Additional info:

  1. Here is how the error looks in the UI:
     [image]

  2. Uploaded my docker-compose.yml:
     docker-compose (1).txt

  3. Full log from the kafka-ui service:
     kafka_ui.log

     The last line of the logs is the error I get whenever I try to log in. The error messages before it are not directly related to the login event, but maybe they can help to find out what's going wrong.

  4. The image in my docker-compose is tagged
     artifactory.gitlab.company.ru/docker/kafbat/kafka-ui:latest
     It's our company's registry, which mirrors Docker Hub.

@Haarolean
Member

Hi, we have the following resources related to LDAP/AD:

The issue is most likely with your config; usually it's about filters.

Try adding the following config properties:

logging:
  level:
    org.springframework.security.ldap: TRACE

Restart, re-authenticate, check logs, especially for SpringSecurityLdapTemplate, this will give you some insight on what's happening with these filters.

@SergeyTrue
Author

Hi @Haarolean
Thanks for your prompt reply! I'll try it out and let you know.

@SergeyTrue
Author

I have managed to increase logging level by doing this:

logging:
  level:
    org.springframework.security.ldap.SpringSecurityLdapTemplate: TRACE
    org.springframework.ldap: TRACE
    org.springframework.security: TRACE
    javax.naming: TRACE
    javax.naming.ldap: TRACE

For some reason I don't see SpringSecurityLdapTemplate in the logs.

But I found the following: it looks like the system adds @@null to the username instead of the domain.
So instead of DoeJ@t-global.company it's trying to authenticate with DoeJ@@null. (It's the name of the user who tries to log in, not the one from the config.)

o.s.s.l.a.a.ActiveDirectoryLdapAuthenticationProvider: Authentication for DoeJ@@null failed:javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044A, comment: AcceptSecurityContext error, data 52e, v3839 ]

Might this @@null be the reason for Supplied password was invalid? Or is it a normal way to pass the username?

Full trace:

 2025-04-11 16:23:07,952 TRACE [boundedElastic-4] o.s.s.a.ProviderManager: Authenticating request with ActiveDirectoryLdapAuthenticationProvider (1/1)
 2025-04-11 16:23:07,958 DEBUG [boundedElastic-4] o.s.s.l.a.a.ActiveDirectoryLdapAuthenticationProvider: Authentication for DoeJ@@null failed:javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044A, comment: AcceptSecurityContext error, data 52e, v3839 ]
 2025-04-11 16:23:07,959 INFO  [boundedElastic-4] o.s.s.l.a.a.ActiveDirectoryLdapAuthenticationProvider: Active Directory authentication failed: Supplied password was invalid
 2025-04-11 16:23:07,959 DEBUG [boundedElastic-4] o.s.s.w.s.a.AuthenticationWebFilter: Authentication failed: Bad credentials
 org.springframework.security.authentication.BadCredentialsException: Bad credentials
        at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.badCredentials(ActiveDirectoryLdapAuthenticationProvider.java:279)
        at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.badCredentials(ActiveDirectoryLdapAuthenticationProvider.java:283)
        at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.bindAsUser(ActiveDirectoryLdapAuthenticationProvider.java:210)
        at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.doAuthentication(ActiveDirectoryLdapAuthenticationProvider.java:168)
        at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:80)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182)
        at org.springframework.security.authentication.ReactiveAuthenticationManagerAdapter.doAuthenticate(ReactiveAuthenticationManagerAdapter.java:60)
        at reactor.core.publisher.MonoFlatMap$FlatMapMain.onNext(MonoFlatMap.java:132)
        at reactor.core.publisher.FluxSubscribeOnValue$ScheduledScalar.run(FluxSubscribeOnValue.java:181)
        at reactor.core.scheduler.SchedulerTask.call(SchedulerTask.java:68)
        at reactor.core.scheduler.SchedulerTask.call(SchedulerTask.java:28)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
        at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
        at java.base/java.lang.Thread.run(Thread.java:1583)
 Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044A, comment: AcceptSecurityContext error, data 52e, v3839 ]
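
The trace above carries two facts worth reading before anyone resets a password: the bind principal Spring actually sent (DoeJ@@null) and the AD sub-code in the "data 52e" field of the LDAP error 49 diagnostic. The following triage helper is an added example, not code from kafka-ui or Spring Security: it extracts both from provider log lines, maps the sub-code through the values Active Directory documents for AcceptSecurityContext failures (52e invalid credentials, 775 locked out, and so on), and flags a principal whose domain part is null or missing, since a wrong password and a malformed principal produce the same 52e. The bind_principal helper models the user@domain rule the provider applies; the second sample log line (a lockout) is constructed for illustration.

```python
"""Triage helper for Active Directory bind failures as logged by Spring Security's
ActiveDirectoryLdapAuthenticationProvider (added example; not kafka-ui or Spring code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sub-codes Active Directory places in "data <hex>" of an AcceptSecurityContext failure.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

PRINCIPAL_RE = re.compile(r"Authentication for (?P<principal>\S+) failed")
DIAG_RE = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<hresult>[0-9A-Fa-f]+): LdapErr: "
    r".*?data (?P<data>[0-9A-Fa-f]+)"
)


@dataclass
class BindFailure:
    principal: Optional[str]
    ldap_code: Optional[int]
    ad_subcode: Optional[str]
    reason: str
    hints: List[str] = field(default_factory=list)


def bind_principal(username: str, domain: Optional[str]) -> str:
    """UPN-style principal for an AD simple bind: user@domain, unless no domain is
    configured or the user already typed one (models the rule the Spring provider applies)."""
    if domain is None or username.lower().endswith(domain.lower()):
        return username
    return f"{username}@{domain}"


def parse_bind_failure(log_line: str) -> BindFailure:
    """Classify one provider log line; lines without an AD diagnostic yield 'unrecognised'."""
    p = PRINCIPAL_RE.search(log_line)
    principal = p.group("principal") if p else None

    d = DIAG_RE.search(log_line)
    ldap_code = int(d.group("code")) if d else None
    subcode = d.group("data").lower() if d else None
    reason = AD_BIND_SUBCODES.get(subcode, "unrecognised") if subcode else "unrecognised"

    hints: List[str] = []
    if principal is not None:
        lowered = principal.lower()
        if "@@" in lowered or lowered.endswith("@null"):
            # The domain half of user@domain was never populated: configuration problem,
            # not a credential problem.
            hints.append("bind principal carries a null/empty domain: the AD domain setting "
                         "was never applied, so check that the config file is actually loaded")
        elif "@" not in lowered and "\\" not in lowered:
            hints.append("bind principal has no domain; AD expects user@domain or DOMAIN\\user")
    if subcode == "52e" and hints:
        hints.append("52e here is most likely a consequence of the malformed principal, not the password")
    return BindFailure(principal, ldap_code, subcode, reason, hints)


def triage(log_text: str) -> List[BindFailure]:
    """Run parse_bind_failure over every line that carries an LDAP error diagnostic."""
    return [parse_bind_failure(ln) for ln in log_text.splitlines() if "LDAP: error code" in ln]


# Constructed sample: the DEBUG line from the thread plus a hypothetical lockout line.
SAMPLE_LOG = """\
2025-04-11 16:23:07,958 DEBUG [boundedElastic-4] o.s.s.l.a.a.ActiveDirectoryLdapAuthenticationProvider: Authentication for DoeJ@@null failed:javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044A, comment: AcceptSecurityContext error, data 52e, v3839 ]
2025-04-11 16:25:01,100 DEBUG [boundedElastic-4] o.s.s.l.a.a.ActiveDirectoryLdapAuthenticationProvider: Authentication for DoeJ@t-global.company failed:javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044A, comment: AcceptSecurityContext error, data 775, v3839 ]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.principal}: LDAP {f.ldap_code} / data {f.ad_subcode} -> {f.reason}")
        for h in f.hints:
            print("   hint:", h)
```

Run it against the TRACE output Haarolean asked for: a 52e paired with a principal like DoeJ@@null points at configuration, while a 52e on a well-formed user@domain principal is the genuine wrong-password case, and 775 or 533 should stop any further retries.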

@Haarolean
Member

Try replacing your stuff with

oauth2:
  ldap:
    activeDirectory: false
    activeDirectory.domain: domain.com

Note the last line, which differs from your config.

@SergeyTrue
Author

SergeyTrue commented Apr 12, 2025

I tried the following:

  1. With activeDirectory: true :
oauth2:
  ldap:
    activeDirectory: true
    activeDirectory.domain: t-global.company 

Nothing changes, I still get DoeJ@@null in the logs. Logs look exactly the same way as above.
I also tried capitalizing the domain name, and writing the property as just domain: t-global.company. By the way, logs look similar to these: #351 (comment)

  2. With activeDirectory: false :
oauth2:
  ldap:
    activeDirectory: false 
    activeDirectory.domain: t-global.company 

Logs look different now:

 o.s.s.l.a.BindAuthenticator: Failed to bind with any user DNs [DC=T-Global,DC=company]
 o.s.s.l.a.BindAuthenticator: Searching for user using FilterBasedLdapUserSearch [searchFilter=(sAMAccountName={0}); searchBase=OU=Users,DC=t-Global,DC=company; scope=subtree; searchTimeLimit=0; derefLinkFlag=false ]
 o.s.s.l.s.FilterBasedLdapUserSearch: Searching for user 'DoeJ', with FilterBasedLdapUserSearch [searchFilter=(sAMAccountName={0}); searchBase=OU=Users,DC=t-Global,DC=company; scope=subtree; searchTimeLimit=0; derefLinkFlag=false ]
 o.s.s.w.s.a.AuthenticationWebFilter: Authentication failed: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044A, comment: AcceptSecurityContext error, data 52e, v3839 ]
 org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044A, comment: AcceptSecurityContext error, data 52e, v3839 ]

However, we have Active Directory. Maybe the error is caused by trying to log into Active Directory with activeDirectory: false.

@Haarolean
Member

Might this @@null be the reason

100%, it defaults to null in this case.

Is your config actually passed? Why SPRING_CONFIG_LOCATION, not SPRING_CONFIG_ADDITIONAL-LOCATION as specified in docs?

@SergeyTrue
Author

Why SPRING_CONFIG_LOCATION, not SPRING_CONFIG_ADDITIONAL-LOCATION as specified in docs?

My bad. Corrected to SPRING_CONFIG_ADDITIONAL-LOCATION, and now LDAP-authentication works.
Thank you so much!
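
Putting the thread's fix together, as an added example that is neither the project's documentation nor the exact files the reporter ended up with: a compose service that loads the LDAP overlay through SPRING_CONFIG_ADDITIONAL-LOCATION, beside the variable that broke it. Spring Boot's spring.config.location replaces the default config locations, whereas spring.config.additional-location is merged on top of them, which is why the kafka-ui docs name the latter. The image name, the volume path and the activeDirectory: true value are assumptions; the remaining properties are the ones posted in the issue, using Haarolean's dotted activeDirectory.domain form, which also avoids the activeDirectory key appearing twice as it did in the original roles.yml.

```yaml
# docker-compose.yml (added example; image name and volume path are assumptions)
services:
  kafka-ui:
    image: ghcr.io/kafbat/kafka-ui:latest
    environment:
      # SPRING_CONFIG_LOCATION (spring.config.location) REPLACES Spring Boot's default
      # config locations, so the application's own bundled settings are no longer
      # loaded. Do not use it for an overlay file:
      # SPRING_CONFIG_LOCATION: /etc/kafkaui/roles.yml
      #
      # spring.config.additional-location is merged on top of the defaults; this is
      # the variable the kafka-ui docs specify:
      SPRING_CONFIG_ADDITIONAL-LOCATION: /etc/kafkaui/roles.yml
    volumes:
      - ./roles.yml:/etc/kafkaui/roles.yml:ro
---
# /etc/kafkaui/roles.yml (properties from the issue; comments are the editor's)
auth:
  type: LDAP
spring:
  ldap:
    # ldap:// simple bind sends every password in clear text on the wire;
    # switch to ldaps:// once the container trusts the directory's CA.
    urls: ldap://t-global.company:389
    admin-user: "CN=Doe John,OU=NoAdmins,OU=MSK,OU=Users,DC=T-Global,DC=company"
    admin-password: "pass"   # keep out of version control: inject via a secret or env var
    user-filter-search-base: "DC=t-Global,DC=company"
    user-filter-search-filter: "(&(sAMAccountName={0})(objectClass=user))"
    group-filter-search-base: "OU=Groups,OU=company,DC=T-Global,DC=company"
oauth2:
  ldap:
    activeDirectory: true                      # assumption: the directory is AD, as the reporter states
    activeDirectory.domain: t-global.company   # dotted form suggested in the thread; one key, not two
logging:
  level:
    org.springframework.security.ldap: TRACE   # troubleshooting only: logs the bind principals
```

With the overlay actually loaded, the TRACE output should show the bind principal as DoeJ@t-global.company rather than DoeJ@@null; if it still shows @@null, the file is not being read, and no filter tuning will help.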

@Haarolean Haarolean closed this as not planned Won't fix, can't repro, duplicate, stale Apr 14, 2025
@Haarolean Haarolean added the status/invalid This doesn't seem right label Apr 14, 2025