LDAP Auth ArgumentNullException

OS Name/Version: Ubuntu 22.04

Product Name/Version: Cubecoders AMP Network Edition 2.4.6.6 (Decadeus), built 05/10/2023 11:56

Problem Description:
I have been attempting to set up LDAP for auth using authentik ldap outpost as a backend. I set up ldap-swak as a proxy to help debug. I managed to get it to make a successful bind and search but now I am getting an ArgumentNullException. Any help would be appreciated.

  1. New install of AMP on Ubuntu 22.04
  2. Configured as Controller
  3. Followed Network and Enterprise edition setup guide
  4. Configured LDAP
  5. Restarted ADS
  6. Attempted to login

AMPConfig.conf login section

################################
# Login
################################
Login.UseAuthServer=False
# Login.AuthServerURL - The URL for the ADS instance providing authentication when using UseAuthServer
Login.AuthServerURL=
Login.MetricsServerPort=12820
Login.UseLDAPLogins=True
Login.LDAPAuthDomain=ldap.l.example.com/ou=users,dc=ldap,dc=l,dc=example,dc=com
Login.LDAPGroupPrefix=AMP_
Login.LDAPUserDomain=authentik.example.com
Login.LDAPADPre2000=False
Login.LDAPStripDomainFromFilter=True
Login.LDAPQueryUsername=cn=<username>,ou=users,dc=ldap,dc=l,dc=example,dc=com
Login.LDAPQueryPassword=<password>

ldap-swak intercept

ldap-swak 17:34:52.536 DEBUG CredentialsOperationInterceptor - Simple bind cn=<username>,ou=users,dc=ldap,dc=l,dc=example,dc=com pw '<password>'
ldap-swak 17:34:52.537 INFO CredentialsOperationInterceptor - Intercepted credentials cn=<username>,ou=users,dc=ldap,dc=l,dc=example,dc=com:<password>
ldap-swak [21/Nov/2023:17:34:52 +0000] BIND REQUEST conn=9 op=0 msgID=1 version=3 dn="cn=<username>,ou=users,dc=ldap,dc=l,dc=example,dc=com" authType="SIMPLE"
ldap-swak [21/Nov/2023:17:34:57 +0000] BIND RESULT conn=9 op=0 msgID=1 resultCode=0 etime=4942.544
ldap-swak [21/Nov/2023:17:34:57 +0000] SEARCH REQUEST conn=9 op=1 msgID=2 base="ou=users,dc=ldap,dc=l,dc=example,dc=com" scope=2 filter="(&(objectClass=user)(sAMAccountName=<username>))" attrs="SAMAccountName,memberOf,distinguishedName"
ldap-swak Search result: dn: cn=<username>,ou=users,dc=ldap,dc=l,dc=example,dc=com
ldap-swak sAMAccountName: <username>
ldap-swak memberOf: cn=AMP,ou=groups,dc=ldap,dc=l,dc=example,dc=com
ldap-swak memberOf: cn=AMP_GROUP1,ou=groups,dc=ldap,dc=l,dc=example,dc=com
ldap-swak memberOf: cn=AMP_Admins,ou=groups,dc=ldap,dc=l,dc=example,dc=com
ldap-swak memberOf: cn=AMP_GROUP2,ou=groups,dc=ldap,dc=l,dc=example,dc=com
ldap-swak memberOf: cn=AMP_GROUP3,ou=groups,dc=ldap,dc=l,dc=example,dc=com
ldap-swak
ldap-swak [21/Nov/2023:17:34:57 +0000] SEARCH RESULT conn=9 op=1 msgID=2 resultCode=0 etime=411.647 entriesReturned=1

ADS logs

[17:34:52] [Logger Debug]         : Login request from 192.168.1.24 for <username>
[17:34:57] [Logger Warning]       : LDAP authentication failure: Value cannot be null.
  Parameter name: source
[17:34:57] [Core Error]           : ArgumentNullException
[17:34:57] [Logger Error]         : [0] (ArgumentNullException) : Value cannot be null.
  Parameter name: source
[17:34:57] [Core Error]           :   at Linq.Enumerable.Cast[TResult] (Collections.IEnumerable source)
  at GSMyAdmin.Authentication.LDAPAuth.Authenticate (String username, String password)
[17:34:57] [Logger Warning]       : Slow method invocation: Login took 5865ms to complete.
[17:34:57] [Logger Warning]       : Slow response: Core.Login took 5873ms to complete.

Update:

So after a minor bit of de-compiling I found this regex s, "^CN=(.+?),.+$", "$1", RegexOptions.None and noticed it is case sensitive. Any chance that could be made case insensitive? My ldap server does not have the option to use uppercase “CN”.

This implies that when AMP queried either the “memberOf” or “SAMAccountName” property for a user, no value was returned.

I’ve added a fallback for the case where SAMAccountName doesn’t exist based on the distinguished name of the user that the login request is for.

If you look at the ldap-swak intercept it is returning both memberOf and SAMAccountName. However in the memberOf my ldap server is returning lowercase cn= but AMP is only looking for uppercase CN= (which does work for active directory but not for authentik)

I don’t think that would cause the exception at that particular point, but it may be not showing a helpful stack trace. Regardless I’ve made it case insensitive.

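The two failure modes discussed above, as an added example that is not AMP's code and not part of any post in this thread: it applies the regex quoted in the thread to memberOf values with `RegexOptions.None` and with `RegexOptions.IgnoreCase`, and guards the null source that makes `Enumerable.Cast` throw. The `GroupsFrom` helper, its ordinal prefix check and the sample DNs are assumptions constructed for illustration.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

static class GroupMappingDemo
{
    // Pattern quoted in the thread; only the options argument is varied below.
    const string CnPattern = "^CN=(.+?),.+$";

    // Hypothetical helper (not AMP's code): turn raw memberOf values into group
    // names carrying the configured prefix (Login.LDAPGroupPrefix=AMP_ above).
    static List<string> GroupsFrom(IEnumerable memberOf, string prefix, RegexOptions options)
    {
        // Enumerable.Cast throws ArgumentNullException ("source") when handed null,
        // so an absent attribute is treated as "no groups" instead of an exception.
        if (memberOf == null) return new List<string>();

        return memberOf.Cast<string>()
            // When the pattern does not match, Replace returns the DN unchanged.
            .Select(dn => Regex.Replace(dn, CnPattern, "$1", options))
            .Where(name => name.StartsWith(prefix, StringComparison.Ordinal))
            .ToList();
    }

    static void Show(string label, List<string> groups) =>
        Console.WriteLine($"{label}: [{string.Join(", ", groups)}]");

    static void Main()
    {
        // Constructed sample values in the shape of the ldap-swak capture above.
        var authentik = new ArrayList {
            "cn=AMP,ou=groups,dc=ldap,dc=l,dc=example,dc=com",
            "cn=AMP_Admins,ou=groups,dc=ldap,dc=l,dc=example,dc=com",
            "cn=AMP_GROUP1,ou=groups,dc=ldap,dc=l,dc=example,dc=com",
        };
        // Constructed Active Directory style value with an uppercase attribute type.
        var activeDirectory = new ArrayList { "CN=AMP_Admins,OU=Groups,DC=example,DC=com" };

        Show("AD, None", GroupsFrom(activeDirectory, "AMP_", RegexOptions.None));
        Show("authentik, None", GroupsFrom(authentik, "AMP_", RegexOptions.None));
        Show("authentik, IgnoreCase", GroupsFrom(authentik, "AMP_", RegexOptions.IgnoreCase));
        Show("attribute absent", GroupsFrom(null, "AMP_", RegexOptions.IgnoreCase));
    }
}
```

With `RegexOptions.None` the lowercase `cn=` values pass through as full DNs, so none of them starts with `AMP_` and the user maps to no groups; with `RegexOptions.IgnoreCase` the same input yields `AMP_Admins` and `AMP_GROUP1`.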

Thank you! I appreciate the help. I set up a dedicated test controller for getting ldap to work so feel free to let me know when there is a version available for me to test.

The development build has this change in already. The main release is due to be in a few hours.

I am still getting the exception. I think I am on the latest development build. Is there config I can modify to get any more detailed logs or is this as detailed as it gets?

[05:37:29] [Logger Info]          : Starting AMP version 2.4.6.8 (Decadeus), built 22/11/2023 16:24
[05:37:29] [Logger Info]          : Stream: Development / Development - built by CUBECODERS/buildbot on CCL-DEV
...
[05:37:30] [Logger Info]          : LDAP authentication enabled for domain ldap-test.l.example.com/ou=users,dc=ldap,dc=l,dc=example,dc=com
...
[05:37:47] [Logger Debug]         : Login request from 192.168.x.xx for xxxxxx
[05:37:54] [Logger Warning]       : LDAP authentication failure: Value cannot be null.
Parameter name: source
[05:37:54] [Core Error]           : ArgumentNullException
[05:37:54] [Logger Error]         : [0] (ArgumentNullException) : Value cannot be null.
Parameter name: source
[05:37:54] [Core Error]           :   at Linq.Enumerable.Cast[TResult] (Collections.IEnumerable source)
  at GSMyAdmin.Authentication.LDAPAuth.Authenticate (String username, String password)
[05:37:54] [Logger Debug]         : Login failed for xxxxxx - Failure :  -
[05:37:54] [Logger Warning]       : Slow method invocation: Login took 7058ms to complete.
[05:37:54] [Logger Warning]       : Slow response: Core.Login took 7067ms to complete.

Update:
After updating to mainline this morning I got a new exception

[15:18:07] [Logger Debug]         : Login request from 192.168.x.xx for xxxxxx
[15:18:13] [Logger Warning]       : LDAP authentication failure: Object reference not set to an instance of an object
[15:18:13] [Core Error]           : NullReferenceException
[15:18:13] [Logger Error]         : [0] (NullReferenceException) : Object reference not set to an instance of an object
[15:18:13] [Core Error]           :   at Novell.Directory.Ldap.Connection.shutdown (String reason, Int32 semaphoreId, Novell.Directory.Ldap.InterThreadException notifyUser)
  at Novell.Directory.Ldap.Connection.destroyClone (Boolean apiCall)
  at Novell.Directory.Ldap.LdapConnection.Disconnect (Novell.Directory.Ldap.LdapConstraints cons, Boolean how)
  at Novell.Directory.Ldap.LdapConnection.Disconnect ()
  at DirectoryServices.DirectorySearcher.Dispose (Boolean disposing)
  at ComponentModel.Component.Dispose ()
  at GSMyAdmin.Authentication.LDAPAuth.Authenticate (String username, String password)
[15:18:13] [Logger Debug]         : Login failed for xxxxxx- Failure :  -
