LDAP Authentication: Connection timed out

I've configured the password authenticator to use LDAP.
There is a Trino LDAP service user configured through
ldap.bind-dn, ldap.bind-password and ldap.group-auth-pattern according to the documentation:
https://docs.starburst.io/latest/security/ldap.html#authorization-using-trino-ldap-service-user

The request to LDAP hits timeout.
Starburst server.log shows the following message: (credentials are redacted)
DEBUG http-worker-196 io.trino.plugin.base.ldap.JdkLdapClient Password validation successful for user DN [<my-bind-dn>]
but on the next line:
DEBUG http-worker-196 io.trino.plugin.password.ldap.LdapAuthenticator Authentication failed for user [<user-name-from-web-login>], null
and the reason for failed authentication is:
javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: <my-ldap-server-domain> [Root exception is java.net.ConnectException: Connection timed out]]

It seems that the authentication for the LDAP service user is successful, however the actual user authentication fails due to a time out.

An LDAP query (using the ldapsearch command line utility) from the host system is able to connect to the same LDAP server using the same credentials.

Do you have any idea what is causing the connection time out?

Given that the connection from the coordinator works with another tool, I suggest verifying that the details are exactly the same. This also applies to any certificates used if you are using LDAPS, as well as the exact LDAP connection patterns.

Maybe also try a simpler connection to the server and make that work from SEP. And lastly, I suggest contacting our support team, since they can help you on your actual system and test things out with you.

javax.naming.PartialResultException: This is typically thrown when the LDAP server returns a referral or continuation reference, but referral handling is not enabled. In the context of the exception you provided, it might simply be wrapping the underlying communication error.

You could try using the GC port (3268/3269) to see if this helps.

1 Like

Thank you @hem for pointing me to LDAP referrals and continuations. I was able to resolve the timeout by creating a query which does not return referrals. The solution: set an explicit base-dn under which the searched object resides.
e.g.:
fails with base-dn: DC=<my-dc>,dc=com
fixed with base-dn: OU=<my-ou>,DC=<my-dc>,dc=com

This answer on Stack Overflow led me to the solution.

1 Like
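An added example, not part of the original thread and not Starburst or Trino code: a small POSIX shell check that shows how to tell, from ldapsearch output alone, whether a search base will make the server hand back referrals (Active Directory does this for every search rooted at the domain DC, for its ForestDnsZones, DomainDnsZones and Configuration partitions). OpenLDAP's ldapsearch does not chase those references and just prints them as "# refldap://..." comment lines, which is why it "works" from the host while the coordinator's JNDI client, which does connect to the referred-to hosts, ends up with the CommunicationException / Connection timed out seen in the stack trace above. The domain example.com, the user alice and the referred-to hostnames are constructed placeholders; the two LDIF snippets are constructed to look like the output of the two searches in the post above (domain root vs. an OU), and the real ldapsearch invocations are shown in comments and are not run.

```shell
#!/bin/sh
# Constructed sample: what ldapsearch prints when the base is the domain root of
# an AD domain (example.com is a placeholder). The "# refldap://" lines are
# search result references; ldapsearch only prints them, Trino's client follows
# them, and those hostnames must then be reachable from the coordinator.
BROAD_BASE_LDIF='dn: CN=alice,OU=people,DC=example,DC=com
sAMAccountName: alice

# refldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com
# refldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com
# refldap://example.com/CN=Configuration,DC=example,DC=com

# search result
search: 2
result: 0 Success
'

# Constructed sample: the same search with the base narrowed to the OU that
# actually holds the user. No partition boundary is crossed, so no referrals.
NARROW_BASE_LDIF='dn: CN=alice,OU=people,DC=example,DC=com
sAMAccountName: alice

# search result
search: 2
result: 0 Success
'

# Print every referral target found in LDIF output, one per line. Handles the
# commented "# refldap://" form ldapsearch uses for search references and the
# "ref:" attribute form used for referral objects.
referral_targets() {
  printf '%s\n' "$1" | sed -n \
    -e 's/^# ref\(ldaps\{0,1\}:\/\/.*\)$/\1/p' \
    -e 's/^ref: //p'
}

# Succeed (exit 0) if the LDIF contains at least one referral, else exit 1.
has_referrals() {
  [ -n "$(referral_targets "$1")" ]
}

# The hosts the coordinator would have to reach if it chased every referral:
# strip the scheme and the DN part of each referral URL.
referral_hosts() {
  referral_targets "$1" | sed -e 's#^ldaps\{0,1\}://##' -e 's#/.*$##' | sort -u
}

# To produce real input, run both searches from the coordinator host with the
# Trino service user (commands shown only; placeholders in angle brackets):
#   ldapsearch -H ldaps://<ldap-host> -D "<bind-dn>" -W \
#     -b "DC=example,DC=com" "(sAMAccountName=alice)"
#   ldapsearch -H ldaps://<ldap-host> -D "<bind-dn>" -W \
#     -b "OU=people,DC=example,DC=com" "(sAMAccountName=alice)"
main() {
  if has_referrals "$BROAD_BASE_LDIF"; then
    echo "domain-root base returns referrals; Trino would also try to reach:"
    referral_hosts "$BROAD_BASE_LDIF" | sed 's/^/  /'
  fi
  if has_referrals "$NARROW_BASE_LDIF"; then
    echo "OU base still returns referrals; narrow it further"
  else
    echo "OU base returns no referrals; use it as ldap.user-base-dn"
  fi
}

main "$@"
```

If the domain-root search lists hosts the coordinator cannot resolve or reach, you have the same situation as the thread: either narrow the base DN to the OU that contains the users (the fix above), or make sure every referred-to host is reachable. Querying the global catalog port (3268/3269), as suggested earlier in the thread, avoids the partition referrals in a different way, because the GC answers for the whole forest without handing out continuation references.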

Perfect, thanks for the update.