When configuring the Rublon Authentication Proxy to integrate it with your Active Directory (AD), you might encounter the error message "User not found in AD" in the Auth Proxy log file. This error indicates that the Auth Proxy could not locate the user in your AD during the authentication process. This guide will help you troubleshoot common causes of this error and provide solutions to resolve it.
Understanding the Error
The "User not found in AD" error generally means that, after binding as the user specified by access_user_dn and searching beneath the provided search_dn, the Auth Proxy could not find the target user by the specified username_attribute. This issue is often due to configuration settings rather than permission problems.
Common Causes and Solutions
1. Access User Lacks Permissions to Read the LDAP Tree
Cause: The user specified by access_user_dn in your Auth Proxy configuration does not have sufficient permissions to read the LDAP directory. As a result, Auth Proxy cannot find the users attempting to log in.
Solution: Ensure that the access_user_dn user has read permissions for the necessary parts of the LDAP directory. This user should be able to search and read user entries within the specified search_dn.
2. The search_dn Option Is Too Narrow
Cause: The search_dn parameter is set to a distinguished name (DN) that does not encompass the users you are trying to authenticate. This restricts the search scope and prevents the Auth Proxy from finding user entries.
Solution: Adjust the search_dn to a broader DN that includes all relevant user entries. For initial configurations, it's recommended to set search_dn to a higher-level DN (e.g., dc=example,dc=com) and narrow it down later if necessary.
3. Invalid Username Attribute
Cause: The username_attribute does not match the attribute used for usernames in your AD. By default, it is set to sAMAccountName, but your Active Directory might use a different attribute like cn or userPrincipalName.
Solution: Verify which attribute your users use to log in. Update the username_attribute parameter in your Auth Proxy configuration to match this attribute.
4. Overly Restrictive Filters
Cause: Additional options like security_group_dn or custom_ldap_filter are set, further narrowing the search results. This can prevent the Auth Proxy from finding users if the filters exclude them.
Solution: For the initial setup, we advise you to omit or comment out the security_group_dn and custom_ldap_filter options. Add them only after confirming that basic authentication works.
Example Auth Proxy Configuration
Below is an example of an auth_source configuration in a config.yml file for the Auth Proxy:
- name: EXAMPLE_AD
  type: LDAP
  ip: 10.0.10.5                          # Enter your AD's IP address here
  port: 636
  transport_type: ssl
  search_dn: dc=example,dc=com           # Start with a broad DN
  username_attribute: sAMAccountName     # Ensure this matches your AD's username attribute
  access_user_dn: cn=access_user,dc=example,dc=com   # Full DN of a user with read access
  access_user_password: password         # Password for the access user
Comments:
ip: Replace with the IP address of your AD server.
search_dn: Initially set this to a broad DN that includes all your users.
username_attribute: Confirm this matches the attribute your users use to log in (e.g., sAMAccountName, cn, userPrincipalName).
access_user_dn: Provide the full DN of a user with read access to the LDAP directory.
access_user_password: The password for the access_user_dn user.
Additional Tips
Check Permissions: While the issue is often configuration-related, ensure that the access_user_dn user has the necessary permissions to search and read user entries.
Test LDAP Connectivity: Use LDAP tools like LDAP Admin to test connectivity and verify that the access_user_dn user can search for users under the specified search_dn.
Avoid Initial Filters: Do not set security_group_dn or custom_ldap_filter during the initial configuration. Add these filters later to refine your search criteria if needed.
Verify User Attributes: Confirm that the users exist under the specified search_dn and that their login attribute matches the username_attribute in your configuration.
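The following added example (not Rublon's code, and not how the Auth Proxy is implemented) models the lookup described under causes 2 to 4 offline: it escapes the username, composes the search filter, checks whether an entry lies beneath search_dn, and reports which setting excludes a user. The directory, DNs and usernames are constructed sample data; cause 1 (bind permissions) cannot be checked offline, and treating security_group_dn as a memberOf match is an assumption.

```python
# Added example (not Rublon's code): offline model of the Auth Proxy lookup, showing which
# of causes 2-4 excludes a user. Assumption: security_group_dn is modelled as a memberOf match.
# Constructed sample directory: DN -> attributes (not real AD output)
SAMPLE_DIRECTORY = {
    "CN=jdoe,OU=Staff,DC=example,DC=com": {
        "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@example.com",
        "memberOf": ["CN=VPN Users,OU=Groups,DC=example,DC=com"]},
    "CN=asmith,OU=Contractors,DC=corp,DC=example,DC=com": {
        "sAMAccountName": "asmith", "userPrincipalName": "asmith@example.com",
        "memberOf": []},
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a typed username cannot change the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def normalize_dn(dn: str) -> str:
    """Case-fold and trim each RDN (sample DNs contain no escaped commas)."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def dn_in_scope(entry_dn: str, search_dn: str) -> bool:
    """True if entry_dn is search_dn itself or lies beneath it (subtree search)."""
    e, s = normalize_dn(entry_dn), normalize_dn(search_dn)
    return e == s or e.endswith("," + s)

def build_filter(cfg: dict, username: str) -> str:
    """Compose the search filter from username_attribute plus optional narrowing options."""
    parts = [f"({cfg['username_attribute']}={escape_filter_value(username)})"]
    if cfg.get("security_group_dn"):
        parts.append(f"(memberOf={escape_filter_value(cfg['security_group_dn'])})")
    if cfg.get("custom_ldap_filter"):
        parts.append(cfg["custom_ldap_filter"])
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"

def diagnose(directory: dict, cfg: dict, username: str) -> str:
    """Explain why the lookup would miss (or find) the user under this config."""
    attr, wanted = cfg["username_attribute"], username.lower()
    group = normalize_dn(cfg["security_group_dn"]) if cfg.get("security_group_dn") else None
    for dn, attrs in directory.items():
        hits = [k for k, v in attrs.items() if isinstance(v, str) and v.lower() == wanted]
        if not hits:
            continue  # this entry does not carry the username at all
        if not dn_in_scope(dn, cfg["search_dn"]):
            return f"{dn} lies outside search_dn (cause 2)"
        if attr not in hits:
            return f"username is stored in {hits[0]}, not {attr} (cause 3)"
        if group and group not in [normalize_dn(g) for g in attrs.get("memberOf", [])]:
            return f"{dn} is not a member of security_group_dn (cause 4)"
        return f"found {dn} with filter {build_filter(cfg, username)}"
    return "no entry carries this username under any attribute"
```

Run diagnose() with your own search_dn, username_attribute and security_group_dn values against a few entries copied from your directory to see which setting needs widening before sharing the configuration with support.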
Conclusion
By carefully reviewing and adjusting your Auth Proxy configuration, you can resolve the "User not found in AD" error. Start with a broad search scope and minimal filters to confirm basic functionality before refining your settings to match your specific environment.
If you continue to experience issues, consider sharing a sanitized version of your configuration file (after removing sensitive information like passwords and secrets) with Rublon Support for further assistance.
Helpful Links
Rublon Authentication Proxy - Documentation
How can I test LDAP(S) authentication with the Rublon Auth Proxy using LDAP Admin?
What should I do before sending the Rublon Authentication Proxy configuration and log file(s)?