exa-Vandana
Moderator


Scope

Sometimes a user may encounter an 'Authentication Failed' error when trying to log in to Exasol using LDAP authentication.

Diagnosis

An Authentication Failed error may look like one of the following screenshots:

exa-Vandana_0-1621342489198.png
exa-Vandana_1-1621342715904.png

 

Explanation

In general, the authentication error means that the user name or password is not correct.

However, when a user authenticates with LDAP and the user's distinguished name contains spaces, you might also get the 'Authentication Failed' error because the distinguished name is not set up correctly and cannot handle the spaces.

You can check this in the exa_dba_audit_sessions table: the session_id is null, and the error_code and error_text columns contain 08004 and 'Connection exception - authentication failed' respectively.

select session_id, user_name, error_code, error_text from exa_dba_audit_sessions where success is false order by login_time desc;

SESSION_ID  USER_NAME  ERROR_CODE  ERROR_TEXT
(null)      user1      08004       Connection exception - authentication failed.

 

Recommendation

Please recreate the LDAP user with the value that contains spaces enclosed in double quotes (" "). For example:

CREATE USER firstname_lastname IDENTIFIED AT LDAP
AS 'cn="firstname lastname",dc=authorization,dc=exasol,dc=com';

You can check the result in the DISTINGUISHED_NAME column of the EXA_DBA_USERS table.
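The two checks above can be combined into one query that lists LDAP users whose distinguished name contains a space but no double quotes, together with their failed logins. This is an added example, not part of the original article; it assumes that user names in the audit table match EXA_DBA_USERS when compared case-insensitively, and the LIKE test is a heuristic that also flags a DN with a space after a comma.

```sql
-- Added example: candidate users affected by unquoted spaces in the DN.
-- Uses only columns named in this article (user_name, distinguished_name,
-- success, error_code, login_time).
-- Assumption: user names are compared case-insensitively across both tables.
SELECT u.user_name,
       u.distinguished_name,
       COUNT(s.login_time) AS failed_logins,   -- 0 if no failure was audited
       MAX(s.login_time)   AS last_failure
FROM exa_dba_users u
LEFT JOIN exa_dba_audit_sessions s
       ON UPPER(s.user_name) = UPPER(u.user_name)
      AND s.success IS FALSE
      AND s.error_code = '08004'               -- authentication failed
WHERE u.distinguished_name LIKE '% %'          -- DN contains a space ...
  AND u.distinguished_name NOT LIKE '%"%'      -- ... and no quoted value
GROUP BY u.user_name, u.distinguished_name
ORDER BY failed_logins DESC, u.user_name;
```

Users returned with failed_logins greater than 0 are the first candidates for recreating with a quoted distinguished name.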

Additional References

https://docs.exasol.com/sql/create_user.htm#Authenti3

https://community.exasol.com/t5/database-features/manual-ldap-connection-test/ta-p/1679

Comments
kimmo
Padawan

This is very useful information. I'm still struggling with this topic though.

I've added the address of our LDAP server (Active Directory) in my database settings (in EXAoperation), with and without port:

exa_ldap.png

After starting the database again, I tried several versions of a "CREATE USER" statement, first of all with the distinguished name copied right from the LDAP explorer:

CREATE USER kimmo IDENTIFIED AT LDAP AS 'cn="Kimmo *****",ou=users,ou=company,dc=example,dc=com';

CREATE USER kimmo IDENTIFIED AT LDAP AS 'cn="Kimmo *****",dc=example,dc=com';

[...]

But always the same result: Connection exception - authentication failed.

The Exasol database has a TCP/IP connection to the LDAP server - checked with "SELECT test.lua_connect('10.1.2.3', '389') res FROM dual;"

Any ideas what might be the issue here?

exa-Gerardo
Team Exasol

Hello Kimmo,

Please have a look at the below documents, they may help you in finding what is wrong or missing in your case:

https://docs.exasol.com/sql/create_user.htm#Authenti3

https://community.exasol.com/t5/database-features/manual-ldap-connection-test/ta-p/1679

Best,

Gerardo