# Troubleshooting LDAP server issues

This document provides troubleshooting guidance for LDAP server issues in GKE Identity Service.

Connectivity issue
------------------

When you configure GKE Identity Service, you can run into connectivity issues while trying to connect to an LDAP server. The connectivity issue can also occur when the certificate used to identify the LDAP server doesn't match the certificate mentioned in the ClientConfig.

### Error message

The following messages are applicable to errors that occur when the `gcloud anthos auth login` command is executed.

- `ERROR: LDAP login failed: could not obtain an STS token: Post "https://127.0.0.1:15001/sts/v1beta/token": failed to obtain an endpoint for deployment anthos-identity-service/ais: Unauthorized`
- `ERROR: Configuring Anthos authentication failed`
### Solution

You can resolve these issues in one of the following ways:

- If GKE Identity Service can't connect to the LDAP server, do the following:
  - To verify whether any network traffic can reach the LDAP server (identity provider) from the cluster, use `telnet`, `nc`, or a similar command to connect to the LDAP server. Run the command from the node or pod where GKE Identity Service is running.
  - If the command succeeds, the GKE Identity Service pod should be able to connect to the LDAP server.
  - If the command fails, there is a network connectivity problem. Check your network settings or contact your network administrator to resolve it.
- Verify that the public certificate in the configuration is [formatted correctly](/kubernetes-engine/enterprise/identity/setup/format-certificates) and matches your LDAP server in the following cases:
  - You use LDAP with TLS.
  - You authenticate to LDAP with a service account and use a certificate to identify the service account to the LDAP server.
Authentication issue
--------------------

An authentication issue occurs in one of the following cases:

- The LDAP provider settings are configured incorrectly in the ClientConfig for GKE Identity Service.
- The user credentials you provided do not exist on the LDAP server.
- The LDAP server is down.

**Note:** Although connectivity and authentication issues have similar causes, you can tell them apart from the logs.
### Error message

The following messages are applicable to errors that occur when the `gcloud anthos auth login` command is executed.

- `ERROR: LDAP login failed: could not obtain an STS token: Post "https://127.0.0.1:15001/sts/v1beta/token": failed to obtain an endpoint for deployment anthos-identity-service/ais: Unauthorized`
- `ERROR: Configuring Anthos authentication failed`
### Solution

As a cluster administrator, review the GKE Identity Service logs and resolve the authentication issue as follows:

- `Can't contact LDAP server`: see the connectivity issue section above.
- `Attempting to bind as the LDAP service account`: GKE Identity Service is attempting to connect to the LDAP server using the service account credentials provided in the ClientConfig. If this message is absent, there is a connectivity issue.
- `Successfully completed BIND as LDAP service account`: GKE Identity Service connected to the LDAP server and can use its service account for user authentication. If this message is absent, there is a configuration issue.
- `Successfully found an entry for the user in the database`: a user entry exists on the LDAP server, which means the `baseDN`, `filter`, and `loginAttribute` fields are configured correctly to retrieve users. This message is displayed only when the logging verbosity is above the default level. For more information on enabling logs, see [Enable the debug log](/kubernetes-engine/enterprise/identity/setup/user-access-troubleshooting#enable_the_debug_log).
- `Attempting to BIND as the user to verify their credentials`: GKE Identity Service is attempting to verify the user's credentials.
- `Successfully completed LDAP authentication`: user authentication succeeded. If this message is absent, the credentials are invalid.
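As an added example (not code from this page or from GKE Identity Service), the following Python function applies the checklist above to a set of GKE Identity Service log lines and reports which stage failed. The sample lines and their klog-style prefix are constructed, and the inference that a missing user-BIND attempt means the user entry was not retrieved is an assumption.

```python
# Added example, not Google's code: classify a failed `gcloud anthos auth login`
# from GKE Identity Service (AIS) log lines using the log-message checklist above.
# Matching is by substring, so the (assumed) klog-style prefix does not matter.

# (message AIS logs, verdict when it is missing, only logged at debug verbosity?)
CHECKPOINTS = [
    ("Attempting to bind as the LDAP service account", "connectivity", False),
    ("Successfully completed BIND as LDAP service account", "configuration", False),
    ("Successfully found an entry for the user in the database", "user_lookup", True),
    # Assumption: if the service-account BIND succeeded but AIS never attempts the
    # user BIND, the user entry was not retrieved (baseDN/filter/loginAttribute).
    ("Attempting to BIND as the user to verify their credentials", "user_lookup", False),
    ("Successfully completed LDAP authentication", "invalid_credentials", False),
]


def diagnose(log_lines, debug_logging=False):
    """Return the first stage whose expected AIS log message is absent."""
    text = "\n".join(log_lines)
    if "Can't contact LDAP server" in text:
        return "connectivity"
    for message, verdict, debug_only in CHECKPOINTS:
        if debug_only and not debug_logging:
            continue  # absent at default verbosity; says nothing unless debug is on
        if message not in text:
            return verdict
    return "authenticated"


# Constructed sample log lines (default verbosity, so no "found an entry" line).
P = "I0901 10:00:00.000000 1 ldap.go:1] "  # constructed klog-style prefix
SAMPLE_SUCCESS = [P + "Attempting to bind as the LDAP service account",
                  P + "Successfully completed BIND as LDAP service account",
                  P + "Attempting to BIND as the user to verify their credentials",
                  P + "Successfully completed LDAP authentication"]
SAMPLE_BAD_PASSWORD = SAMPLE_SUCCESS[:3]   # user BIND attempted, never succeeded
SAMPLE_BAD_SA = SAMPLE_SUCCESS[:1]         # service-account BIND never succeeded
SAMPLE_NO_CONNECT = [P + "Can't contact LDAP server"]
SAMPLE_NO_USER = SAMPLE_SUCCESS[:2]        # user entry never found, no user BIND

if __name__ == "__main__":
    for name, lines in [("success", SAMPLE_SUCCESS), ("bad password", SAMPLE_BAD_PASSWORD),
                        ("bad service account", SAMPLE_BAD_SA),
                        ("no connect", SAMPLE_NO_CONNECT), ("unknown user", SAMPLE_NO_USER)]:
        print(f"{name}: {diagnose(lines)}")
```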
Authentication token has expired
--------------------------------

Despite a successful login, you can run into issues where the authentication token has expired.

### Error message

`ERROR: You must be logged in to the server (Unauthorized)`

### Solution

Log in to the server again.

Issue with RBAC role binding to the user or group
-------------------------------------------------

This issue occurs when authentication succeeds but authorization fails because no RBAC role is bound to the user or group. For instance, the issue shows up when you run `kubectl get pods`.

### Error message

`Error from server (Forbidden): <SERVICE or PODS> is forbidden: <MORE DETAILS>`

### Solution

1. Sign in to your LDAP server to view the target user's groups.
2. Verify that your Kubernetes roles and role bindings are defined correctly and match the values in your LDAP directory. An administrator can verify the role bindings through Kubernetes [User Impersonation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation).
3. Update the role binding so that the target user's group is authorized to perform the required action.
4. Verify that the values of `baseDN` and, optionally, `filter` and `identifierAttribute` for groups are correct. GKE Identity Service uses the group configuration from these fields to query all groups the user belongs to. If `baseDN` is empty, no groups are provided to the Kubernetes API server, and nothing is logged in that case. If `baseDN` is not empty, GKE Identity Service queries the directory for the user's groups:
   - If the query succeeds, the groups are provided to the Kubernetes API server.
   - If the query fails, no groups are provided to the Kubernetes API server. In this case, fix the `baseDN` and `filter` configuration values for groups.

User belongs to multiple groups
-------------------------------

This issue occurs when a user belongs to multiple groups.

### Error message

`could not obtain an STS token: STS token exceeds allowed size limit. Possibility of too many groups associated with the credentials provided.`

### Solution

As a cluster administrator, configure the `filter` field in the ClientConfig to reduce the number of groups returned by the query to the LDAP server.

Version compatibility issue
---------------------------

This issue occurs when there is a version compatibility mismatch between GKE Identity Service and the installed Google Cloud CLI version.

### Error message

- `unable to parse STS Token Response`
- `could not obtain an STS token: JSON parse error: The request was malformed.`
- `could not obtain an STS token: Grant type must confirm that the request is intended for a token exchange.`
- `could not obtain an STS token: Requested token type must correspond to an access token.`
- `could not obtain an STS token: Subject token type must be a valid token type supported for token exchange.`

### Solution

Upgrade the gcloud utility and GKE Identity Service to the latest available version.
401 authentication failed status code
-------------------------------------

This issue occurs when the Kubernetes API server is unable to authenticate the service and returns a 401 error code.

### Error message

- `ERROR: LDAP login failed: STSToken() failed: could not obtain an STS token: Post "https://127.0.0.1:15001/sts/v1beta/token": DialContext() failed: podEndpoint() failed to obtain an endpoint for deployment anthos-identity-service/ais: Unauthorized`
- `ERROR: Configuring Anthos authentication failed`

### Solution

You can resolve this issue in one of the following ways:

- Check whether the GKE Identity Service pod is in the `running` state:

  ```shell
  kubectl get pods -l k8s-app=ais -n anthos-identity-service --kubeconfig USER_CLUSTER_KUBECONFIG
  ```

- Check the LDAP configuration in the ClientConfig:

  ```shell
  kubectl get clientconfig -n kube-public -o jsonpath='{.items[].spec.authentication[].ldap}' --kubeconfig USER_CLUSTER_KUBECONFIG
  ```

- Review the logs for detailed information about the error. For more information on logging, see [Using logging and monitoring for system components](/anthos/clusters/docs/on-prem/latest/how-to/logging-and-monitoring).
Last updated (UTC): 2025-09-01.