mirror of
https://github.com/dbeaver/cloudbeaver.git
synced 2026-03-04 08:52:27 -05:00
LDAP integration improvements #731
Originally created by @jonsbun on GitHub (Jun 17, 2024).
Originally assigned to: @HocKu7 on GitHub.
Is your feature request related to a problem? Please describe.
CloudBeaver 24.1.0 finally got LDAP support. However, according to feedback, the LDAP integration lacks the main functionality needed to use it properly at this moment.
Describe the solution you'd like
1. Missing configuration of the bind user (service account) to the LDAP server.
   In general, an LDAP query looks something like this:
   ldapsearch -x -D "<bind-user>" -w "<bind-password>" -b "<base-dn>" "<filter>" -H "<ldap-host>:<ldap-port>"
   From the current configuration, it looks like the bind user is not used at all.
2. Missing configuration of the unique identifier for the user.
   Depending on the LDAP this attribute could be uid, sAMAccountName, mail, etc. At this moment no clue what is being used in CloudBeaver LDAP authentication.
3. Impossible to map LDAP users with the CloudBeaver Teams.
@EvgeniaBzzz commented on GitHub (Jun 20, 2024):
@jonsbun
Thank you for summarizing all the feedback!
We will make improvements in future releases.
@brunobergamo commented on GitHub (Jul 3, 2024):
Hi, for the LDAP that I have to connect to, it is not necessary to set the userName with cn=.
In LdapAuthProvider, we have:
I do need to set Context.SECURITY_PRINCIPAL with my userName with @domain.
environment.put(Context.SECURITY_PRINCIPAL, userName);
Does this open issue handle this case?
Best Regards
@EvgeniaBzzz commented on GitHub (Sep 5, 2024):
In version 24.2.0 the first two points have been implemented.
New parameters added:
- ldap-identifier-attr - User identifier attribute
- ldap-bind-user - Bind User DN
- ldap-bind-user-pwd - Bind User Password
- ldap-filter - User Filter
Some extra information you can find in the LDAP Authentication article.
@iegurbide commented on GitHub (Nov 14, 2024):
What exactly is the use of ldap-cn? It does not seem to be described anywhere.
In the LDAP Authentication article it is referred to as a unique identifier but no information on how it is used.
I have successfully integrated Cloudbeaver with an Active Directory and am able to successfully log in but only by providing the full DN in the LDAP tab which is quite annoying.
Are we able to log in via another field such as SAMAccountName? This is a common use case in Active Directory and is what I supposed ldap-cn value was for but it does not seem to be working.
Should ldap-dn be appended to the end of the dn provided in the ldap tag? This also doesn't seem to be the case.
@EvgeniaBzzz commented on GitHub (Nov 14, 2024):
@iegurbide
The right parameter is ldap-identifier-attr, not ldap-cn.
Sorry for the confusion 😞 We'll correct the article.
Please, try to set ldap-identifier-attr=SAMAccountName
@rgl1234 commented on GitHub (Nov 15, 2024):
Also ldap-identifier-attr=SAMAccountName is not working correctly
see log:
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100245, problem 2001 (NO_OBJECT), data 0, best match of:
'OU=example1,OU=example2,DC=domain,DC=local'
]; remaining name 'sAMAccountName=xyz,OU=example1,OU=example2,DC=domain,DC=local'
As you can see, sAMAccountName is available in "remaining name"... I think this is how CloudBeaver is searching for the user in the LDAP directory. But as the DN of the user is different, the user cannot be found. The DN in AD is:
'CN=Firstname Lastname,OU=example1,OU=example2,DC=domain,DC=local'
How can this be fixed?
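The mismatch described in this comment, as an added Python sketch that is not CloudBeaver's code: treating "<attr>=<login>,<base>" as the user's DN fails with error 32, while searching for the login attribute with the bind user and then binding as the DN found succeeds. The in-memory directory, the service account and both passwords are constructed for the example; the user DN and login "xyz" come from the log above.

```python
import re

# Constructed toy directory standing in for the AD server (not CloudBeaver code).
# DN -> (attributes, password). The user DN and login "xyz" mirror the log above;
# the service account and both passwords are made up.
BASE_DN = "OU=example1,OU=example2,DC=domain,DC=local"
USER_DN = "CN=Firstname Lastname," + BASE_DN
SVC_DN = "CN=svc-cloudbeaver," + BASE_DN
DIRECTORY = {
    USER_DN: ({"sAMAccountName": "xyz"}, "user-pw"),
    SVC_DN: ({"sAMAccountName": "svc-cb"}, "svc-pw"),
}


class LdapError(Exception):
    def __init__(self, code, text):
        super().__init__(f"[LDAP: error code {code} - {text}]")
        self.code = code


def escape_filter_value(value):
    """Escape user input for an RFC 4515 filter so it cannot change the filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def lookup(dn):
    """Read one entry by exact DN (DNs compare case-insensitively here)."""
    for known, entry in DIRECTORY.items():
        if known.lower() == dn.lower():
            return known, entry
    raise LdapError(32, f"NO_OBJECT; remaining name '{dn}'")


def simple_bind(dn, password):
    """Return the bound DN, or fail with 49 without revealing which part was wrong."""
    if not password:
        # An empty password makes a simple bind "unauthenticated" (RFC 4513
        # section 5.1.2) and some servers accept it, so refuse it client-side.
        raise LdapError(49, "empty password refused")
    try:
        known, (_, stored) = lookup(dn)
    except LdapError:
        raise LdapError(49, "invalid credentials") from None
    if stored != password:
        raise LdapError(49, "invalid credentials")
    return known


def search(bound_dn, ldap_filter):
    """Subtree search under BASE_DN for a single (attr=value) equality filter."""
    if bound_dn is None:
        raise LdapError(1, "a successful bind must be completed on the connection")
    attr, raw = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter, re.S).groups()
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return [dn for dn, (attrs, _) in DIRECTORY.items()
            if attrs.get(attr, "").lower() == value.lower()]


def dn_template_login(login, password, attr="sAMAccountName"):
    """Treat '<attr>=<login>,<base>' as the user's DN, as in the 'remaining name'."""
    dn = f"{attr}={login},{BASE_DN}"
    lookup(dn)  # no entry has this DN, so this raises error code 32
    return simple_bind(dn, password)


def search_then_bind(login, password, attr="sAMAccountName"):
    """Find the user's real DN with the service account, then bind as the user."""
    service = simple_bind(SVC_DN, "svc-pw")
    matches = search(service, f"({attr}={escape_filter_value(login)})")
    if len(matches) != 1:  # unknown or ambiguous login: same error as bad password
        raise LdapError(49, "invalid credentials")
    return simple_bind(matches[0], password)
```

The escaping step matters because the login comes from the login form: an unescaped "*" or ")" would otherwise become part of the filter rather than a literal value.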
@iegurbide commented on GitHub (Nov 18, 2024):
+1.
Seeing the same behaviour as @rgl1234 .
@kakawait commented on GitHub (Nov 18, 2024):
See https://github.com/dbeaver/cloudbeaver/issues/3076#issuecomment-2483275251
@EvgeniaBzzz commented on GitHub (Nov 18, 2024):
@rgl1234 @iegurbide @kakawait
Some improvements are needed for your case. We'll add it in one of the future releases.
@SimonSunxz commented on GitHub (Nov 19, 2024):
+1. Seeing the same behaviour as @iegurbide. I am using CE 24.2, and I configured cn,ou,dc,dc,dc in "ldap-dn". Then on the login page I must enter the full DN to log in successfully, but actually I need to use a user account in AD. When I use the user account, the system reports the error "LDAP user access validation by filter failed: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310028D, problem 2001 (NO_OBJECT), data 0". How can I solve this problem?
@kakawait commented on GitHub (Nov 19, 2024):
See above https://github.com/dbeaver/cloudbeaver/issues/2715#issuecomment-2483569602
@DenisSinelnikov commented on GitHub (Dec 26, 2024):
Hi @jonsbun,
I am working on your question and would like to clarify point number 3.
You want to map LDAP users with Cloudbeaver Teams. Which way do you mean: mapping LDAP group entities or mapping an attribute with a group value?
@jonsbun commented on GitHub (Dec 27, 2024):
Hi @DenisSinelnikov,
The idea is the same as mentioned here: https://github.com/dbeaver/cloudbeaver/wiki/Teams#integration-with-identity-providers
@LonwoLonwo commented on GitHub (Jan 6, 2025):
Hello
We added the ability to set an attribute to be used as the user's login. The new parameter is ldap-login.
The bind user (ldap-bind-user and ldap-bind-user-pwd) must also be configured to use the attribute.
Now, the parameters look like this:
These changes are found in the latest release, 24.3.2 (06.01.25).
@SimonSunxz commented on GitHub (Jan 10, 2025):
In the latest version, after configuring it this way, I tried logging in with an account using sAMAccountName from LDAP, but it failed with "User authentication failed: LDAP authentication failed: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09050E, comment: AcceptSecurityContext error, data 52e, v4f7c]". It seems that the login is still not working correctly.
@rgl1234 commented on GitHub (Jan 10, 2025):
Hi
It works on my side. But please check: attributes are case sensitive!
@SimonSunxz commented on GitHub (Jan 10, 2025):
Thank you so much! It really turned out to be a case sensitivity issue in the configuration. It's OK now.
@dariamarutkina commented on GitHub (Jan 20, 2025):
Hello @jonsbun !
In version 24.3.3 the third point has been implemented.
A new LDAP Group name field has been added. It is located in the Admin part, in the Teams. In this field, you can specify a group, both in LDAP and after the user's login, this user will be mapped to CloudBeaver team
@iegurbide commented on GitHub (Jan 20, 2025):
Hi, will the group mapping feature also be available in the Community Edition by setting values in the cloudbeaver.runtime.conf?
@dariamarutkina commented on GitHub (Jan 21, 2025):
Hello @iegurbide !
This field is available in the Community Edition in the UI only in the CloudBeaver team settings
@iegurbide commented on GitHub (Feb 20, 2025):
Hi,
after some tests this seems to still not be clear.
How are groups retrieved and from what base in the LDAP? There seems to be no group related parameters to specify the configuration in .cloudbeaver.runtime.conf.
Is the memberOf attribute being used?
Furthermore, what is the group name? A DN corresponding to a group? The CN?
Documenting this would be appreciated.
@valentintraen commented on GitHub (Apr 10, 2025):
Hi,
I can't get the link between team and ldap group to work. I've tried everything, the mapping never seems to happen.
Do you have examples of functional mappings?
The user-dn displayed on my user details page is indeed correct.
I have the impression that the bind parameters are used for the connection (which works well) but not for retrieving the groups (my bind user is allowed to get groups, that has been validated with ldapsearch, grafana, hv vault, mysql and mongodb) :
10-04-2025 14:51:33.021 [qtp29838617-185] DEBUG i.c.server.graphql.GraphQLEndpoint - API > authLogin [user: null, sessionId: a821d083-9614-4e2b-ac81-2d93c4594af4] [variables] provider: ldap configuration: ******** credentials: ******** linkUser: false forceSessionsLogout: false
10-04-2025 14:51:33.166 [qtp29838617-185] ERROR i.c.s.ldap.auth.LdapAuthProvider - Group not found
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090BE3, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839]
    at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3300)
    at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3206)
    at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2997)
    at java.naming/com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1876)
    at java.naming/com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1799)
    at java.naming/com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
    at java.naming/com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
    at java.naming/com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
    at java.naming/javax.naming.directory.InitialDirContext.search(InitialDirContext.java:346)
    at io.cloudbeaver.service.ldap.auth.LdapAuthProvider.getGroupForMember(LdapAuthProvider.java:447)
    at io.cloudbeaver.service.ldap.auth.LdapAuthProvider.detectAutoAssignments(LdapAuthProvider.java:420)
    at io.cloudbeaver.service.security.CBEmbeddedSecurityController.getAutoAssignUserData(CBEmbeddedSecurityController.java:2352)
    at io.cloudbeaver.service.security.CBEmbeddedSecurityController.finishAuthentication(CBEmbeddedSecurityController.java:2204)
    at io.cloudbeaver.service.security.CBEmbeddedSecurityControllerPro.finishAuthentication(CBEmbeddedSecurityControllerPro.java:120)
    at io.cloudbeaver.service.security.CBEmbeddedSecurityController.authenticate(CBEmbeddedSecurityController.java:1620)
    at io.cloudbeaver.service.auth.impl.WebServiceAuthImpl.authLogin(WebServiceAuthImpl.java:92)
    ...
@HocKu7 commented on GitHub (Apr 15, 2025):
@valentintraen Hi, thank you for your report. We will investigate the issue and come back after
@LonwoLonwo commented on GitHub (May 21, 2025):
Hello @valentintraen
We have a fix for your case. You can find it in the last CloudBeaver release, 25.0.4.
Will wait for your feedback.
@LonwoLonwo commented on GitHub (May 21, 2025):
Hello @iegurbide
You can find all connected documentation here: https://github.com/dbeaver/cloudbeaver/wiki/LDAP-Authentication
If not all the answers are in this documentation, feel free to ask more questions. Your input will help us improve it.
@valentintraen commented on GitHub (May 21, 2025):
Hi,
Same problem here.
This is the connection log :
21-05-2025 13:43:18.750 [qtp746757564-67] DEBUG i.c.s.ldap.auth.LdapAuthProvider - Can't extract 'null' from ldap attributes
21-05-2025 13:43:18.755 [qtp746757564-67] ERROR i.c.s.ldap.auth.LdapAuthProvider - Group not found
javax.naming.PartialResultException: Unprocessed Continuation Reference(s)
    at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3023)
    at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2997)
    at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.getNextBatch(AbstractLdapNamingEnumeration.java:148)
    at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:217)
    at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMore(AbstractLdapNamingEnumeration.java:189)
    at io.cloudbeaver.service.ldap.auth.LdapAuthProvider.getGroupForMember(LdapAuthProvider.java:504)
    at io.cloudbeaver.service.ldap.auth.LdapAuthProvider.detectAutoAssignmentTeam(LdapAuthProvider.java:465)
    at io.cloudbeaver.service.ldap.auth.LdapAuthProvider.detectAutoAssignments(LdapAuthProvider.java:94)
    at io.cloudbeaver.service.security.CBEmbeddedSecurityController.getAutoAssignUserData(CBEmbeddedSecurityController.java:2409)
    at io.cloudbeaver.service.security.CBEmbeddedSecurityController.finishAuthentication(CBEmbeddedSecurityController.java:2253)
    at io.cloudbeaver.service.security.CBEmbeddedSecurityController.authenticate(CBEmbeddedSecurityController.java:1659)
    at io.cloudbeaver.service.auth.impl.WebServiceAuthImpl.initiateAuthentication(WebServiceAuthImpl.java:171)
    at io.cloudbeaver.service.auth.impl.WebServiceAuthImpl.authLogin(WebServiceAuthImpl.java:74)
    ...
Do you have examples of functional group mappings please?
@EvgeniaBzzz commented on GitHub (May 28, 2025):
@valentintraen
E.g. for this group:
dn: cn=developers,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: developers
member: uid=user1,ou=People,dc=example,dc=com
member: uid=user2,ou=People,dc=example,dc=com
Set cn=developers to CB team (LDAP Group name parameter)
Users will be mapped after the first login
@valentintraen commented on GitHub (Jun 2, 2025):
I'm sorry but I really can't get it to work. With this configuration, I no longer have the error "ERROR i.c.s.ldap.auth.LdapAuthProvider - Group not found" :
Here is the log when I log in :
In the interface I have configured a team with cn=[my_ldap_group] in the "LDAP Group name" section but it does not contain any users.
@valentintraen commented on GitHub (Jun 2, 2025):
I've found !
With my users in ou=Utilisateurs and my groups in CN=Users, (users and groups share the same ldap-dn), here is a functional configuration:
and I must declare my ldap group like this in my team:
CN=[my_ldap_group],CN=Users
@nickramos94 commented on GitHub (Oct 17, 2025):
Hi everyone,
unfortunately I can't make the binding between Cloudbeaver and AD groups to work.
This is how I set up the LDAP integration:
So the ldap-filter parameter allows the access only to the users that are part of the cdb_access group.
What I'm trying to do is create a group in cloudbeaver called dba_oracle bound to the AD group cdb_dba_oracle which is a member of the cdb_access group.
I tried to do like @valentintraen did and declared the LDAP group name in Cloudbeaver's GUI as
cn=cdb_dba_oracle,cn=cbd_access
I even went as far as to provide the whole group's location
cn=cdb_dba_oracle,cn=cbd_access,OU=CloudBeaver,OU=Groups,OU=Central Systems,DC=domain,DC=com
But the outcome is always the same: my user gets logged into a generic workspace with no connections and the log claims that Cloudbeaver is unable to find the group.
@EvgeniaBzzz commented on GitHub (Dec 17, 2025):
Issue with mapping memberOf was fixed in 25.3.0. It should now work properly.
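The LDAP errors quoted throughout this thread can be told apart mechanically. The following Python triage helper is an added example, not part of CloudBeaver or of any comment above: the sample strings are copied from the comments, while the table of Active Directory bind sub-codes (the hex Win32 error in "data") and the hints are general LDAP/AD knowledge supplied here.

```python
import re

# LDAP result codes (RFC 4511) that appear in this thread.
RESULT_CODES = {1: "operationsError", 32: "noSuchObject", 49: "invalidCredentials"}

# On a failed bind (code 49) Active Directory reports a hex Win32 error in "data".
AD_BIND_DATA = {
    "525": "user not found",
    "52e": "user name or password is incorrect",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password",
    "775": "account locked out",
}

ERROR_RE = re.compile(r"\[LDAP: error code (\d+) - (.*?)(?:\]|$)", re.S)
DATA_RE = re.compile(r"\bdata ([0-9a-fA-F]+)")
REMAINING_RE = re.compile(r"remaining name '([^']*)'")

# Error strings copied from the comments in this thread.
SAMPLES = [
    "javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: "
    "DSID-03100245, problem 2001 (NO_OBJECT), data 0, best match of:\n"
    "'OU=example1,OU=example2,DC=domain,DC=local'\n]; remaining name "
    "'sAMAccountName=xyz,OU=example1,OU=example2,DC=domain,DC=local'",
    "LDAP authentication failed: [LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C09050E, comment: AcceptSecurityContext error, data 52e, v4f7c]",
    "javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: "
    "DSID-0C090BE3, comment: In order to perform this operation a successful bind "
    "must be completed on the connection., data 0, v3839]",
    "javax.naming.PartialResultException: Unprocessed Continuation Reference(s)",
]


def triage(message):
    """Classify one JNDI/AD error string; returns a dict, or None if not LDAP."""
    if "Unprocessed Continuation Reference" in message:
        # JNDI raises this when the server answers with referrals it did not follow.
        return {"code": None, "name": "referral", "data": None,
                "hint": "server returned referrals the client did not follow"}
    match = ERROR_RE.search(message)
    if not match:
        return None
    code, detail = int(match.group(1)), match.group(2)
    found = DATA_RE.search(detail)
    data = found.group(1).lower() if found else None
    remaining = REMAINING_RE.search(message)
    if code == 49:
        hint = AD_BIND_DATA.get(data, f"bind rejected (data {data})")
    elif code == 32:
        hint = "no entry at the DN that was looked up"
        if remaining:
            hint += ": " + remaining.group(1)
    elif code == 1 and "successful bind" in detail:
        hint = "search ran on an unbound connection; bind user was not applied"
    else:
        hint = "unclassified; check the directory server log"
    return {"code": code, "name": RESULT_CODES.get(code, "other"),
            "data": data, "hint": hint}


if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line))
```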