From: Jo C. <Jo....@ha...> - 2023-07-19 13:22:09
Hi all,

I am trying to get LDAP authentication to work against a Samba AD DC setup. Here's an anonymized version of my config.xml:

    <security-manager xmlns="http://exist-db.org/Configuration" version="2.1">
      <authentication-entry-point>/authentication/login</authentication-entry-point>
      <realm id="LDAP" version="1.0" principals-are-case-insensitive="true">
        <context>
          <!-- simple (password) bind to the DC over LDAPS -->
          <authentication>simple</authentication>
          <use-ssl>true</use-ssl>
          <url>ldaps://samba-ad-dc.local.my-domain.com</url>
          <domain>local.my-domain.com</domain>
          <search>
            <base>DC=local,DC=my-domain,DC=com</base>
            <!-- service account used for the account/group lookups -->
            <default-username>te...@lo...</default-username>
            <default-password>test-password</default-password>
            <account>
              <!-- AD user objects; map AD attribute names onto the realm's keys -->
              <search-filter-prefix>objectClass=user</search-filter-prefix>
              <search-attribute key="objectSid">objectSid</search-attribute>
              <search-attribute key="primaryGroupID">primaryGroupID</search-attribute>
              <search-attribute key="name">sAMAccountName</search-attribute>
              <search-attribute key="dn">distinguishedName</search-attribute>
              <search-attribute key="memberOf">memberOf</search-attribute>
              <metadata-search-attribute key="http://axschema.org/namePerson/first">givenName</metadata-search-attribute>
              <metadata-search-attribute key="http://axschema.org/contact/email">mail</metadata-search-attribute>
              <metadata-search-attribute key="http://axschema.org/namePerson/last">sn</metadata-search-attribute>
              <metadata-search-attribute key="http://axschema.org/namePerson">name</metadata-search-attribute>
            </account>
            <group>
              <!-- AD group objects; only the whitelisted group is imported -->
              <search-filter-prefix>objectClass=group</search-filter-prefix>
              <search-attribute key="member">member</search-attribute>
              <search-attribute key="primaryGroupToken">primaryGroupToken</search-attribute>
              <search-attribute key="objectSid">objectSid</search-attribute>
              <search-attribute key="name">sAMAccountName</search-attribute>
              <search-attribute key="dn">distinguishedName</search-attribute>
              <whitelist>
                <principal>Domain Users</principal>
              </whitelist>
            </group>
          </search>
          <transformation>
            <!-- every authenticated LDAP user is also added to this local group -->
            <add-group>group.users</add-group>
          </transformation>
        </context>
      </realm>
      <!--<events></events>-->
    </security-manager>

This is based on http://demo.exist-db.org/exist/apps/doc/security and the example here.

Logins as, e.g., me...@lo... fail with (what looks like) an unknown exception:

    org.exist.security.AuthenticationException: samba-ad-dc.local.my-domain.com:636
        at org.exist.security.realm.ldap.LDAPRealm.authenticate(LDAPRealm.java:152) ~[exist-security-ldap-5.3.1.jar:5.3.1]

Does anyone have this or a similar setup working?

Install details are:

    eXist Version: 5.3.1 [but also relevant on later builds]
    eXist Build: 20211214004738
    Operating System: Linux 3.10.0-1062.12.1.el7.x86_64 amd64
    Java Version: 1.8.0_242

Any tips or hints are very welcome.

Best regards,
-- 
Jo
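The exception above carries only the host and port (samba-ad-dc.local.my-domain.com:636), which is consistent with the realm failing at the connection or bind stage rather than in the later account search. Two things have to hold for that stage to succeed: the JVM must trust the certificate the DC presents on 636 (a Samba AD DC provisioned with its defaults serves a self-signed certificate, which the JVM's cacerts truststore will not accept), and the DC must accept the simple bind itself. The probe below, written for this thread and not part of eXist-db or the original post, separates the two with the standard library only: it does the TLS handshake with default verification (pass the DC's CA as a PEM file to emulate what you would import into the JVM truststore), then sends a hand-encoded LDAPv3 BindRequest and decodes the BindResponse result code. The host name, bind name and password are taken from the command line and the LDAP_PASSWORD environment variable; the offline `constructed_bind_response` helper fabricates server replies purely for testing the decoder.

```python
"""Minimal LDAPS simple-bind probe (stdlib only). Added example, not eXist-db code.

Usage: LDAP_PASSWORD=... python ldaps_probe.py samba-ad-dc.local.my-domain.com \
           'te...@lo...' [dc-ca.pem]
An ssl.SSLCertVerificationError means the chain is the problem (fix the truststore);
a result code of 49 means TLS is fine and the credentials or bind name are not.
"""
import os
import socket
import ssl
import sys

# --- BER / LDAP encoding, RFC 4511 BindRequest / BindResponse subset ----------------
def ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(i: int) -> bytes:
    """Minimal two's-complement INTEGER/ENUMERATED content octets."""
    return i.to_bytes((i.bit_length() + 8) // 8, "big", signed=True)

def bind_request(msg_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { 3, name, simple [0] } }"""
    body = (tlv(0x02, ber_int(3))              # version 3
            + tlv(0x04, name.encode())          # bind name: a DN, or a UPN on AD
            + tlv(0x80, password.encode()))     # AuthenticationChoice.simple
    return tlv(0x30, tlv(0x02, ber_int(msg_id)) + tlv(0x60, body))

def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    else:
        length, hdr = first, 2
    return tag, buf[pos + hdr:pos + hdr + length], pos + hdr + length

def parse_bind_response(data: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, msg, _ = parse_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, p = parse_tlv(msg)
    tag, op, _ = parse_tlv(msg, p)
    if tag != 0x61:                             # BindResponse is [APPLICATION 1]
        raise ValueError("not a BindResponse")
    _, rc, p = parse_tlv(op)                    # resultCode ENUMERATED
    _, _matched_dn, p = parse_tlv(op, p)        # matchedDN
    _, diag, _ = parse_tlv(op, p)               # diagnosticMessage
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(rc, "big", signed=True),
            diag.decode("utf-8", "replace"))

RESULT_CODES = {0: "success", 8: "strongerAuthRequired",
                49: "invalidCredentials", 53: "unwillingToPerform"}

def constructed_bind_response(msg_id: int, result_code: int, diag: str = "") -> bytes:
    """Fabricated server reply (constructed sample, used only for offline tests)."""
    result = tlv(0x0A, ber_int(result_code)) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, tlv(0x02, ber_int(msg_id)) + tlv(0x61, result))

# --- transport ----------------------------------------------------------------------
def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DC closed the connection mid-message")
        buf += chunk
    return buf

def recv_message(sock) -> bytes:
    """Read exactly one BER-framed LDAPMessage."""
    head = recv_exact(sock, 2)
    if head[1] & 0x80:
        lb = recv_exact(sock, head[1] & 0x7F)
        return head + lb + recv_exact(sock, int.from_bytes(lb, "big"))
    return head + recv_exact(sock, head[1])

def ldaps_bind(host: str, name: str, password: str, port: int = 636,
               cafile: str = None, timeout: float = 10.0):
    """TLS-verified simple bind; returns (code, code_name, diagnostic)."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and host name
    with socket.create_connection((host, port), timeout) as raw, \
         ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(bind_request(1, name, password))
        _, code, diag = parse_bind_response(recv_message(tls))
        tls.sendall(tlv(0x42, b""))                   # UnbindRequest [APPLICATION 2]
    return code, RESULT_CODES.get(code, "other"), diag

if __name__ == "__main__":
    host, name = sys.argv[1], sys.argv[2]
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    try:
        print(ldaps_bind(host, name, os.environ.get("LDAP_PASSWORD", ""), cafile=cafile))
    except ssl.SSLCertVerificationError as exc:
        print("TLS chain not trusted (import the DC's CA into the JVM truststore):", exc)
```

If the probe only succeeds with the CA file given, import that CA into the JRE's cacerts (or point the JVM at a truststore that contains it) and retry the eXist login; if it returns 49, the DC accepted the channel and rejected the name or password, which points at the bind name form or the account rather than the config's attribute mappings.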