[GH-ISSUE #3536] LDAP User ID cryptic #1278

Closed
opened 2026-03-07 21:01:59 +03:00 by kerem · 11 comments
Owner

Originally created by @MatthiasSchnoeke on GitHub (Jun 20, 2025).
Original GitHub issue: https://github.com/dbeaver/cloudbeaver/issues/3536

Originally assigned to: @HocKu7 on GitHub.

Description

We run CB community edition 25.1.0.202506020921

  1. After LDAP integration, the AD user is shown with a cryptic user ID name. That makes it difficult to read the user list.
    e.g ��u[��d��k����p
    Image

  2. How to work with AD groups.
    We create a new AD group "SG_Cloudbeaver_Developer" and in CB a new team with CN "SG_Cloudbeaver_Developer" as LDAP Group Name. After that we would expect that the members of this AD group will be shown as a team user automatically after first login and the team database connection is visible.

Steps to reproduce

No response

Expected/Desired Behavior

  1. User id is readable and not cryptic. (e.g. sAMAccountName)
  2. After creating an AD group, specifying an AD user as a member and creating a team with the corresponding LDAP group name (CN), the user is automatically displayed as a team member and gets database connection access as defined.

CloudBeaver Version

25.1.0.202506020921

Additional context

No response


@EvgeniaBzzz commented on GitHub (Jun 20, 2025):

Hi @MatthiasSchnoeke
1. Set ldap-identifier-attr to sAMAccountName so that users can log in with their sAMAccountName, and their user ID will match it as well.


@EvgeniaBzzz commented on GitHub (Jun 20, 2025):

  2. Does your CB team look like that?

Image

I just checked on my side, and the new user was successfully mapped to the CB team on his first login.


@MatthiasSchnoeke commented on GitHub (Jun 21, 2025):

Thank you for the quick response.

to 1. After changing to ldap-identifier-attr="sAMAccountName" I get an authentication error even though the user is not locked in the AD. The same when I switched back to ldap-identifier-attr="CN". After deleting storage (PVC OpenShift) the login with DN is possible again.

So I am confused why ldap-identifier-attr=‘CN’ expects the DN
and
ldap-identifier-attr=“sAMAccountName” leads to an invalid credential and later to a wrong error message ‘User locked’.

    org.jkiss.dbeaver.model.exec.DBCException: User account is locked
        at io.cloudbeaver.service.security.CBEmbeddedSecurityController.findUserByCredentials(CBEmbeddedSecurityController.java:1039)
        at io.cloudbeaver.service.security.CBEmbeddedSecurityController.findUserByCredentials(CBEmbeddedSecurityController.java:966)
        at io.cloudbeaver.service.security.CBEmbeddedSecurityController.findOrCreateExternalUserByCredentials(CBEmbeddedSecurityController.java:2545)
        at io.cloudbeaver.service.security.CBEmbeddedSecurityController.finishAuthentication(CBEmbeddedSecurityController.java:2269)
        at io.cloudbeaver.service.security.CBEmbeddedSecurityController.authenticate(CBEmbeddedSecurityController.java:1670)
        at io.cloudbeaver.service.auth.impl.WebServiceAuthImpl.initiateAuthentication(WebServiceAuthImpl.java:171)
        at io.cloudbeaver.service.auth.impl.WebServiceAuthImpl.authLogin(WebServiceAuthImpl.java:74)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)


@MatthiasSchnoeke commented on GitHub (Jun 21, 2025):

My current config:

    authConfigurations: [
        {
            id: "ldap",
            provider: "ldap",
            displayName: "LDAP",
            disabled: false,
            iconURL: "",
            description: "Login with your Aareon user",
            parameters: {
                ldap-host: "ldap.xxx",
                ldap-port: "389",
                ldap-login: "sAMAccountName",
                ldap-dn: "OU=xxx DE,OU=xxx,DC=xxx,DC=xxx,DC=xxx",
                ldap-identifier-attr: "CN",
                ldap-bind-user: "CN=xxx,OU=xxx,OU=xxx DE,OU=xxx,DC=xxx,DC=xxx,DC=com",
                ldap-bind-user-pwd: 'xxx'
            }
        }
    ],

@MatthiasSchnoeke commented on GitHub (Jun 23, 2025):

Unfortunately, after LDAP login (via DN) my user is not automatically mapped and cannot find the team related dn connections.

Image

Image

Image


@MatthiasSchnoeke commented on GitHub (Jun 23, 2025):

My ldap user also does not receive database connections after being assigned to an existing team (without ldap team)

Image


@HocKu7 commented on GitHub (Jun 24, 2025):

@MatthiasSchnoeke

> to 1. After changing to ldap-identifier-attr="sAMAccountName" I get an authentication error even though the user is not locked in the AD

What was the error? Are the credentials valid?


@MatthiasSchnoeke commented on GitHub (Jun 24, 2025):

Yes, the credentials are ok.


@HocKu7 commented on GitHub (Jul 2, 2025):

@MatthiasSchnoeke Hi, can you please provide footage showing your issue? Also, it would be very useful to see a server's log file to understand your issue


@MatthiasSchnoeke commented on GitHub (Jul 11, 2025):

It seems I'm not the only one with this issue.

Here is my current configuration.

    authConfigurations: [
        {
            id: "ldap",
            provider: "ldap",
            displayName: "LDAP",
            disabled: false,
            iconURL: "",
            description: "Login with your User",
            parameters: {
                ldap-host: "[my_host]",
                ldap-port: "389",
                ldap-login: "sAMAccountName",
                ldap-dn: "OU=[my_ou2],OU=[my_ou1],DC=ad,DC=[my_domain],DC=com",
                ldap-identifier-attr: "CN",
                ldap-bind-user: "CN=svc_Cloudbeaver,OU=ResourceAccounts,OU=[my_ou2],OU=[my_ou1],DC=ad,DC=[my_domain],DC=com",
                ldap-bind-user-pwd: '[my_password]'
            }
        }
    ]

Group DN: CN=SG_Cloudbeaver_Developer,OU=Cloudbeaver,OU=Access,OU=Groups,OU=[my_ou2],OU=[my_ou1],DC=ad,DC=[my_domain],DC=com

User DN: CN=Matthias,OU=User,OU=Mainz,OU=Locations,OU=[my_ou2],OU=[my_ou1],DC=ad,DC=[my_domain],DC=com

Image

@MatthiasSchnoeke commented on GitHub (Jul 15, 2025):

The same problem when I move the SVC to Groups OU.

Image