LDAP in Concourse, Why Hast Thou Errored On Me?

Photo by Marko Horvat on Unsplash

What we were doing

Recently, we were helping a client to integrate logging into Concourse. Deploying Concourse with the concourse-bosh-deployment is fairly easy with a base concourse.yml and features added with various ops files. One of the available ops files adds LDAP authentication which the client wanted. We wound up with a deployment similar to:

bosh deploy -d control_plane_concourse concourse.yml \  -o operations/ldap.yml \
  -o operations/add-main-team-ldap-users.yml \
  -o operations/tls.yml \
  -o operations/tls-vars.yml \
  -o operations/credhub.yml \
  -o operations/credhub-path-prefix.yml

Symptoms

After deploying Concourse to use LDAP authentication, we tried logging in. No dice. So we bosh ssh’d onto the Web VM and looked at the logs in /var/vcap/sys/log/web. Scrolling through the logs found this error:

"level":"error","source":"atc","message":"atc.dex.event","data":{"fields":{},
  "message":"Failed to login user: ldap: entry missing following required attribute(s):
  [\"\"]","session":"7"}

Solution

There were no errors during the BOSH deploy but obviously we were missing something. After a bit of trial and we error discovered that the following needed to be populated:

These values can be set in CredHub or provided as vars-file when performing the BOSH deployment. After a redeployment Concourse authentication to LDAP worked as expected!

Spread the word

twitter icon facebook icon linkedin icon