# Troubleshooting LDAP server issues

This document provides troubleshooting guidance for LDAP server issues in GKE Identity Service.

## Connectivity issue

When you configure GKE Identity Service, you can run into connectivity issues while trying to connect to an LDAP server. A connectivity issue can also occur when the certificate used to identify the LDAP server doesn't match the certificate specified in the ClientConfig.

### Error message

The following messages apply to errors that occur when the `gcloud anthos auth login` command is executed.

- `ERROR: LDAP login failed: could not obtain an STS token: Post "https://127.0.0.1:15001/sts/v1beta/token": failed to obtain an endpoint for deployment anthos-identity-service/ais: Unauthorized`
- `ERROR: Configuring Anthos authentication failed`

### Solution

You can resolve the issue in one of the following ways:

- If GKE Identity Service can't connect to the LDAP server, do the following:
  - To verify whether any network traffic can reach the LDAP server (identity provider) from the cluster, use `telnet`, `nc`, or a similar command to connect to the LDAP server. Run the command from the node or pod where GKE Identity Service is running, so that the check follows the same network path as the service itself.
  - If the command succeeds, the GKE Identity Service pod should be able to connect to the LDAP server.
  - If the command fails, there is a network connectivity problem. Check your network settings or contact your network administrator to resolve the connection issue.
- Verify that the public certificate in the configuration is [formatted correctly](/kubernetes-engine/enterprise/identity/setup/format-certificates) and matches your LDAP server in the following cases:
  - You use LDAP with TLS.
  - You authenticate to LDAP with a service account and use a certificate to identify the service account to the LDAP server.

## Authentication issue

An authentication issue occurs in one of the following cases:

- The LDAP provider settings are incorrectly configured in the ClientConfig for GKE Identity Service.
- The user credentials you provided do not exist on the LDAP server.
- The LDAP server is down.

> **Note:** Although connectivity and authentication issues have similar causes, you can distinguish between them from the logs.

### Error message

The following messages apply to errors that occur when the `gcloud anthos auth login` command is executed.

- `ERROR: LDAP login failed: could not obtain an STS token: Post "https://127.0.0.1:15001/sts/v1beta/token": failed to obtain an endpoint for deployment anthos-identity-service/ais: Unauthorized`
- `ERROR: Configuring Anthos authentication failed`

### Solution

As a cluster administrator, review the GKE Identity Service logs and resolve the authentication issue according to which of the following messages are present:

- `Can't contact LDAP server`: For more information on how to resolve this issue, see [connectivity issue](#connectivity-issue).
- `Attempting to bind as the LDAP service account`: GKE Identity Service is attempting to connect to the LDAP server using the service account credentials provided in the ClientConfig. The absence of this log message indicates a [connectivity issue](#connectivity-issue).
- `Successfully completed BIND as LDAP service account`: GKE Identity Service connected to the LDAP server and can use its service account for user authentication. The absence of this log message indicates a configuration issue.
- `Successfully found an entry for the user in the database`: A user entry exists on the LDAP server. This implies that the `baseDN`, `filter`, and `loginAttribute` fields are configured correctly to retrieve users. This message is displayed only when the logging verbosity is above the default level. For more information on enabling logs, see [Enable the debug log](/kubernetes-engine/enterprise/identity/setup/user-access-troubleshooting#enable_the_debug_log).
- `Attempting to BIND as the user to verify their credentials`: GKE Identity Service is attempting to verify the user's credentials.
- `Successfully completed LDAP authentication`: User authentication succeeded. The absence of this log message indicates invalid credentials.

## Authentication token has expired

Despite a successful login, you can run into issues where the authentication token has expired.

### Error message

`ERROR: You must be logged in to the server (Unauthorized)`

### Solution

You can resolve the issue by logging in to the server again.

## Issue with RBAC role binding to the user or group

This issue occurs when authentication succeeds but authorization fails because no RBAC roles are bound to the user or group. For instance, the issue shows up when you try to run `kubectl get pods`.

### Error message

`Error from server (Forbidden): <SERVICE or PODS> is forbidden: <MORE DETAILS>`

### Solution

You can resolve the issue by doing the following:

1. Sign in to your LDAP server to view the target user's groups.
2. Verify that your Kubernetes roles and role bindings are defined correctly and match the values in your LDAP directory. An administrator can verify the role bindings through Kubernetes [User Impersonation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation).
3. Update the role binding so that the target user's group is authorized to perform the required action.
4. Verify that the values for `baseDN` and, optionally, the `filter` and `identifierAttribute` for groups are correct. GKE Identity Service uses the group configuration from these fields to query all groups that the user belongs to. If `baseDN` is empty, no groups are provided to the Kubernetes API server, and nothing is logged in that case. If `baseDN` is not empty, GKE Identity Service queries the directory for the user's groups.
   - If the query succeeds, the groups are provided to the Kubernetes API server.
   - If the query fails, the groups are not provided to the Kubernetes API server. In this case, fix the `baseDN` and `filter` configuration values for groups.

## User belongs to multiple groups

This issue occurs when a user belongs to so many groups that the resulting token is too large.

### Error message

`could not obtain an STS token: STS token exceeds allowed size limit. Possibility of too many groups associated with the credentials provided.`

### Solution

As a cluster administrator, configure the `filter` field in the ClientConfig to reduce the number of groups returned by the query to the LDAP server.

## Version compatibility issue

This issue occurs when there is a version mismatch between GKE Identity Service and the installed Google Cloud CLI.

### Error message

- `unable to parse STS Token Response`
- `could not obtain an STS token: JSON parse error: The request was malformed.`
- `could not obtain an STS token: Grant type must confirm that the request is intended for a token exchange.`
- `could not obtain an STS token: Requested token type must correspond to an access token.`
- `could not obtain an STS token: Subject token type must be a valid token type supported for token exchange.`

### Solution

Upgrade the gcloud utility and GKE Identity Service to the latest available version.

## 401 authentication failed status code

This issue occurs when the Kubernetes API server is unable to authenticate the service and returns a 401 error code.

### Error message

- `ERROR: LDAP login failed: STSToken() failed: could not obtain an STS token: Post "https://127.0.0.1:15001/sts/v1beta/token": DialContext() failed: podEndpoint() failed to obtain an endpoint for deployment anthos-identity-service/ais: Unauthorized`
- `ERROR: Configuring Anthos authentication failed`

### Solution

You can resolve this issue in one of the following ways:

- Check whether the GKE Identity Service pod is in the `Running` state by using the following command:

  ```shell
  kubectl get pods -l k8s-app=ais -n anthos-identity-service --kubeconfig USER_CLUSTER_KUBECONFIG
  ```

- Check the LDAP configuration in the ClientConfig by using the following command:

  ```shell
  kubectl get clientconfig -n kube-public -o jsonpath='{.items[].spec.authentication[].ldap}' --kubeconfig USER_CLUSTER_KUBECONFIG
  ```

- Review the logs for detailed information about the error. For more information on logging, see [Using logging and monitoring for system components](/anthos/clusters/docs/on-prem/latest/how-to/logging-and-monitoring).
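The log messages listed under the authentication issue form a ladder: each one is only emitted once the previous step succeeded, so the first missing message points at the failing step. The following triage helper encodes that ladder; it is an added example, not Google's code, and the sample log lines it uses are constructed for illustration (the `I0901`/`E0901` prefixes are an assumed klog-style format).

```python
# Added example (not Google's code): triage a captured GKE Identity Service
# log excerpt against the LDAP log-message ladder described in this guide.

# Messages in the order the LDAP flow emits them, per the guide.
STAGES = [
    ("svc_bind_attempt", "Attempting to bind as the LDAP service account"),
    ("svc_bind_ok", "Successfully completed BIND as LDAP service account"),
    ("user_found", "Successfully found an entry for the user in the database"),
    ("user_bind_attempt", "Attempting to BIND as the user to verify their credentials"),
    ("auth_ok", "Successfully completed LDAP authentication"),
]

# What the guide says the absence of each message points to.
MISSING_MEANS = {
    "svc_bind_attempt": "connectivity issue: check the network path to the LDAP server and the server certificate in ClientConfig",
    "svc_bind_ok": "configuration issue: check the LDAP service account settings in ClientConfig",
    "user_bind_attempt": "user entry not found: check baseDN, filter and loginAttribute",
    "auth_ok": "invalid user credentials",
}


def diagnose(log_lines):
    """Return (last_stage_reached, probable_cause) for a list of log lines."""
    text = "\n".join(log_lines)
    if "Can't contact LDAP server" in text:
        return (None, MISSING_MEANS["svc_bind_attempt"])
    if "STS token exceeds allowed size limit" in text:
        return (None, "too many groups: narrow the group filter in ClientConfig")
    reached = None
    for name, marker in STAGES:
        if marker in text:
            reached = name
        elif name == "user_found":
            # Only logged at debug verbosity; its absence alone is not a failure.
            continue
        else:
            return (reached, MISSING_MEANS[name])
    return (reached, None)


# Constructed sample: the service account binds fine, the user's password is wrong.
SAMPLE_BAD_PASSWORD = [
    "I0901 10:00:01 Attempting to bind as the LDAP service account",
    "I0901 10:00:01 Successfully completed BIND as LDAP service account",
    "I0901 10:00:01 Attempting to BIND as the user to verify their credentials",
    'E0901 10:00:02 LDAP Result Code 49 "Invalid Credentials"',
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_BAD_PASSWORD))
```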