Some users in Lenses with LDAP are unable to log in ("Invalid LDAP regex" error)

Some users are able to connect while others aren’t, and the following error message keeps appearing:

WARN [i.l.s.l.LdapMemberOfUserGroupPlugin] [lenses-akka.actor.default-dispatcher-6] Invalid LDAP regex ‘(?i)cn=([-\w]+),(?:ou=Kafka_company,)?ou=groups_company,dc=ldap,dc=lenses,dc=local$’. Could not match:cn=groupWrite,ou=groups,dc=ldap,dc=lenses,dc=local
2024-01-31 14:31:31,199 ERROR [a.a.ActorSystemImpl] [lenses-akka.actor.default-dispatcher-6] Exception when handling request by: [login] POST /api /login {body as application/json (UTF-8)} → status code - possible codes (Map()) {body as text/plain (UTF-8)}/{body as text/plain (UTF-8)}
io.lenses.security.authentication.NoMatchingGroupsException: User [user_company] groups do not match any ones defined in Lenses. When using LDAP, this means there is no group registered in Lenses which matches the groups the user is linked to in LDAP. As a result the login is rejected
at io.lenses.security.management.SecurityManagerPermissionProvider.$anonfun$grant$2(SecurityManagerPermissionProvider.scala:37)
at flatMap @ io.lenses.security.management.SecurityManagerPermissionProvider.grant(SecurityManagerPermissionProvider.scala:28)
2024-01-31 14:31:31,219 INFO [a.a.ActorSystemImpl] [lenses-akka.actor.default-dispatcher-6] Request: POST->http:// localhost:9991/api/login returned 500 Internal Server Error in 457ms

How can I solve this?

Hello Edward_k,

The issue according to this error message is your regex used to extract the groups. You need to ensure that the groups that exist on the LDAP server are the same as those that will be extracted by the regex. The error message portion:

“Invalid LDAP regex '(?i)cn=([-\w]+),(?:ou=Kafka_company,) ou=groups_company,dc=ldap,dc=lenses,dc=local$'. Could not match:cn=groupRead,ou=groups,dc=ldap,dc=lenses,dc=local”

shows that the “ou=groups_company” configured in Lenses is not the same as what is received from the LDAP server “ou=groups”. You need to modify the regex in the Lenses configuration to extract the same “ou” configured on the LDAP server. Additionally, it’s possible to identify that this happened with the user “userW” by looking at the error message a bit further:

“io.lenses.security.authentication.NoMatchingGroupsException: User [userW] groups do not match any ones defined in Lenses”.

The documentation provides more detailed information on LDAP configuration in Lenses: Lenses LDAP authentication | Lenses.io Documentation.
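
The mismatch described in the answer above can be reproduced offline. This is an added example, not part of the original posts and not Lenses code. Assumptions: the `CORRECTED` pattern, the constructed DNs, the `REGISTERED` group set, and the use of Python's `re` as a stand-in for the regex engine Lenses uses.

```python
import re

# Pattern exactly as it appears in the log on this page.
CONFIGURED = r"(?i)cn=([-\w]+),(?:ou=Kafka_company,)?ou=groups_company,dc=ldap,dc=lenses,dc=local$"
# Assumed fix: identical, but with the OU the LDAP server actually returns.
CORRECTED = r"(?i)cn=([-\w]+),(?:ou=Kafka_company,)?ou=groups,dc=ldap,dc=lenses,dc=local$"

SAMPLE_DNS = [
    "cn=groupWrite,ou=groups,dc=ldap,dc=lenses,dc=local",  # from the log
    "cn=groupRead,ou=groups,dc=ldap,dc=lenses,dc=local",   # from the answer
    "CN=Kafka-Ops,OU=Kafka_company,OU=groups,DC=ldap,DC=lenses,DC=local",  # constructed
    "cn=admins,ou=other,dc=ldap,dc=lenses,dc=local",  # constructed, outside the groups OU
]
REGISTERED = {"groupWrite", "groupRead"}  # hypothetical groups defined in Lenses


def extract_groups(pattern, dns):
    """Split DNs into {dn: captured group name} and a list of DNs the pattern rejects."""
    rx = re.compile(pattern)
    matched, unmatched = {}, []
    for dn in dns:
        m = rx.search(dn)  # assumption: unanchored search; the pattern itself ends with $
        if m:
            matched[dn] = m.group(1)
        else:
            unmatched.append(dn)
    return matched, unmatched


def usable_groups(pattern, dns, registered):
    """Extracted names that also exist in the registered set; empty means no usable group."""
    matched, _ = extract_groups(pattern, dns)
    return sorted(set(matched.values()) & registered)


if __name__ == "__main__":
    for label, pattern in (("configured", CONFIGURED), ("corrected", CORRECTED)):
        matched, unmatched = extract_groups(pattern, SAMPLE_DNS)
        print(f"{label}: extracted={sorted(matched.values())}")
        for dn in unmatched:
            print(f"  could not match: {dn}")
        print(f"  usable groups: {usable_groups(pattern, SAMPLE_DNS, REGISTERED)}")
```

The corrected pattern still rejects the DN under `ou=other`, so when adjusting the OU keep the full base DN and the trailing `$` rather than loosening the pattern.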