Photo by Marko Horvat on Unsplash
What we were doing
Recently, we were helping a client to integrate logging into Concourse. Deploying Concourse with the concourse-bosh-deployment is fairly easy with a base concourse.yml and features added with various ops files. One of the available ops files adds LDAP authentication which the client wanted. We wound up with a deployment similar to:
bosh deploy -d control_plane_concourse concourse.yml \
-o operations/ldap.yml \
-o operations/add-main-team-ldap-users.yml \
-o operations/tls.yml \
-o operations/tls-vars.yml \
-o operations/credhub.yml \
-o operations/credhub-path-prefix.yml
Symptoms
After deploying Concourse to use LDAP authentication, we tried logging in. No dice. So we bosh ssh’d onto the Web VM and looked at the logs in /var/vcap/sys/log/web. Scrolling through the logs found this error:
"level":"error","source":"atc","message":"atc.dex.event","data":{"fields":{},
"message":"Failed to login user: ldap: entry missing following required attribute(s):
[\"\"]","session":"7"}
Solution
There were no errors during the BOSH deploy but obviously we were missing something. After a bit of trial and we error discovered that the following needed to be populated:
- ldap_user_search_id_attr, should not be empty
- ldap_user_search_email_attr, should be set to mail
- ldap_user_search_username, should not be empty
- These values can be set in CredHub or provided as `vars-file’ when performing the BOSH deployment. After a redeployment Concourse authentication to LDAP worked as expected!