#236 LDAP settings

Milestone: None
Status: closed
Owner: John Beranek
Labels: None
Priority: 5
Updated: 2014-12-24
Created: 2012-02-08
Creator: D_V
Private: No

Hi guys,

I am trying to configure MRBS with LDAP authentication. I am able to connect to the LDAP server but MRBS fails to authenticate the user. Below are the settings that I have in the config.php file:

$auth["type"] = "ldap";

// 'auth_ldap' configuration settings

// Many of the LDAP parameters can be specified as arrays, in order to
// specify multiple LDAP directories to search within. Each item below
// will specify whether the item can be specified as an array. If any
// parameter is specified as an array, then EVERY array configuration
// parameter must have the same number of elements. You can specify a
// parameter as an array as in the following example:
//
// $ldap_host = array('localhost', 'otherhost.example.com');

// Where is the LDAP server.
// This can be an array.
$ldap_host = "xxxx.xxxxx.local";

// If you have a non-standard LDAP port, you can define it here.
// This can be an array.
//$ldap_port = 389;

// If you do not want to use LDAP v3, change the following to false.
// This can be an array.
$ldap_v3 = false;

// If you want to use TLS, change the following to true.
// This can be an array.
$ldap_tls = false;

// LDAP base distinguish name.
// This can be an array.
$ldap_base_dn = "OU=xxx,OU=xxx,DC=xxxx,DC=local";
//$ldap_base_dn = "ou=organizationalunit,dc=my-domain,dc=com";

// Attribute within the base dn that contains the username
// This can be an array.
//$ldap_user_attrib = "uid";

// If you need to search the directory to find the user's DN to bind
// with, set the following to the attribute that holds the user's
// "username". In Microsoft AD directories this is "sAMAccountName"
// This can be an array.
//$ldap_dn_search_attrib = "sAMAccountName";

// If you need to bind as a particular user to do the search described
// above, specify the DN and password in the variables below
// These two parameters can be arrays.
// $ldap_dn_search_dn = "cn=Search User,ou=Users,dc=some,dc=company";
// $ldap_dn_search_password = "some-password";

// 'auth_ldap' extra configuration for ldap configuration of who can use
// the system
// If it's set, the $ldap_filter will be used to determine whether a
// user will be granted access to MRBS
// This can be an array.
// An example for Microsoft AD:
//$ldap_filter = "memberof=cn=whater,ou=whatver,dc=example,dc=com";

// If you need to disable client referrals, this should be set to TRUE.
// Note: Active Directory for Windows 2003 forward requires this.
// $ldap_disable_referrals = TRUE;

// Set to TRUE to tell MRBS to look up a user's email address in LDAP.
// Utilises $ldap_email_attrib below
$ldap_get_user_email = FALSE;
// The LDAP attribute which holds a user's email address
// This can be an array.
$ldap_email_attrib = 'mail';

// The DN of the LDAP group that MRBS admins must be in. If this is defined
// then the $auth["admin"] is not used.
// This can be an array.
// $ldap_admin_group_dn = 'cn=admins,ou=whoever,dc=example,dc=com';

// The LDAP attribute that holds group membership details. Used with
// $ldap_admin_group_dn, above.
// This can be an array.
$ldap_group_member_attrib = 'memberof';

// Set to TRUE if you want MRBS to call ldap_unbind() between successive
// attempts to bind. Unbinding while still connected upsets some
// LDAP servers
$ldap_unbind_between_attempts = FALSE;

// Output debugging information for LDAP actions
$ldap_debug = TRUE;

I get the message unknown user. I know that I am able to connect to the server as I have no error messages and I have tested the settings on a different script. I also have the same settings on systemdefaults.inc.php.

Your help is much appreciated.
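The settings above drive a search-then-bind login: a bind as the search account (or anonymously), a search under $ldap_base_dn for the entry whose $ldap_dn_search_attrib matches the typed username, then a second bind as the DN that was found to prove the password. The PHP below is an added illustration of that flow written for this page; it is not MRBS's own auth_ldap.inc, and the hostnames, DNs and credentials in it are placeholders. It uses the same setting names as the config so the effect of each one is visible, and it distinguishes the search finding nothing from the final bind failing, which a plain "Unknown user" message does not.

```php
<?php
// Added illustration of LDAP search-then-bind, not MRBS code.
// $cfg uses the MRBS setting names; all values below are placeholders.

function ldap_search_then_bind(array $cfg, string $username, string $password): string
{
    // Returns 'ok', 'unknown user', 'bad password', 'connect failed' or 'search bind failed'.
    $port = $cfg['ldap_port'] ?? 389;
    $conn = @ldap_connect("ldap://{$cfg['ldap_host']}:{$port}");
    if ($conn === false) {
        return 'connect failed';
    }
    // Active Directory wants LDAPv3; from Windows 2003 on it also needs referrals off.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, ($cfg['ldap_v3'] ?? true) ? 3 : 2);
    if (!empty($cfg['ldap_disable_referrals'])) {
        ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    }
    if (!empty($cfg['ldap_tls']) && !@ldap_start_tls($conn)) {
        return 'connect failed';
    }

    // Step 1: bind as the search account ($ldap_dn_search_dn), or anonymously if unset.
    $searchDn = $cfg['ldap_dn_search_dn'] ?? null;
    $searchPw = $cfg['ldap_dn_search_password'] ?? null;
    if (!@ldap_bind($conn, $searchDn, $searchPw)) {
        ldap_unbind($conn);
        return 'search bind failed';
    }

    // Step 2: find the user's DN by the "username" attribute under the base DN.
    // ldap_escape() stops the typed username from changing the filter's structure.
    $attr   = $cfg['ldap_dn_search_attrib'] ?? 'sAMAccountName';
    $filter = sprintf('(%s=%s)', $attr, ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    if (!empty($cfg['ldap_filter'])) {
        // Optional access filter, written as in the MRBS config (no outer parentheses).
        $access = $cfg['ldap_filter'];
        if ($access[0] !== '(') {
            $access = "($access)";
        }
        $filter = "(&{$filter}{$access})";   // user must match both
    }
    $res     = @ldap_search($conn, $cfg['ldap_base_dn'], $filter, ['dn']);
    $entries = $res ? ldap_get_entries($conn, $res) : false;
    if ($entries === false || $entries['count'] !== 1) {
        // Nothing (or more than one entry) under this base DN: the "unknown user" case,
        // so the base DN, the search attribute and $ldap_filter are what to check.
        ldap_unbind($conn);
        return 'unknown user';
    }
    $userDn = $entries[0]['dn'];

    // Step 3: prove the password by binding as the user's own DN. An empty password
    // is refused here because many servers treat it as a successful anonymous bind.
    $ok = ($password !== '') && @ldap_bind($conn, $userDn, $password);
    ldap_unbind($conn);
    return $ok ? 'ok' : 'bad password';
}

// Placeholder settings mirroring the shape of the config in the post above.
$cfg = [
    'ldap_host'               => 'ad.example.local',                              // placeholder
    'ldap_v3'                 => true,
    'ldap_tls'                => false,
    'ldap_disable_referrals'  => true,
    'ldap_base_dn'            => 'OU=Staff,DC=example,DC=local',                  // placeholder
    'ldap_dn_search_attrib'   => 'sAMAccountName',
    'ldap_dn_search_dn'       => 'CN=mrbs-search,CN=Users,DC=example,DC=local',   // placeholder
    'ldap_dn_search_password' => 'search-account-password',                       // placeholder
];
echo ldap_search_then_bind($cfg, 'jdoe', 'typed-password'), PHP_EOL;
```

Run it from the command line against a test directory (php with ext-ldap) and compare the returned word with what the real login shows: "search bind failed" points at the search account's DN or password, "unknown user" at the base DN or search attribute, and "bad password" means the lookup already works.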

Discussion

  • D_V
    D_V
    2012-02-17

    This ticket is more than 6 months old, so is being closed in a mass update.

    If you still have more input on the ticket, feel free to reopen it.

    MRBS Admins

     
  • Roeseler
    Roeseler
    2012-06-20

    Hello great people!

    First I would like to congratulate you for the great tool that MRBS is.

    Unfortunately I am facing the same problem and banging my head on the wall for weeks.... :(

I have MRBS v.1.4.8 running on Windows 2008 with IIS 7.

    My 'ldap' configuration:

    /********
    * Authentication settings - read AUTHENTICATION
    ********/

    $auth["session"] = "php"; // How to get and keep the user ID. One of
    // "http" "php" "cookie" "ip" "host" "nt" "omni"
    // "remote_user"

    //$auth["type"] = "config"; // How to validate the user/password. One of "none"
    $auth["type"] = "ldap"; // How to validate the user/password. One of "none"
    // "config" "db" "db_ext" "pop3" "imap" "ldap" "nis"
    // "nw" "ext".

    $ldap_host = "ad_server.mydomain";
    $ldap_v3 = TRUE;
    $ldap_base_dn = "cn=users,dc=mydomain";
    $ldap_dn_search_attrib = "sAMAccountName";

    $ldap_dn_search_dn = "cn=Administrator,ou=Users,dc=mydomain";
    $ldap_dn_search_password = "***";

    $ldap_debug = TRUE;

    unset($auth["admin"]); // Include this when copying to config.inc.php
    $auth["admin"][] = "127.0.0.1"; // localhost IP address. Useful with IP sessions.
    $auth["admin"][] = "Administrator"; // A user name from the user list. Useful
    // with most other session schemes.

    // 'auth_config' user database
    // Format: $auth["user"]["name"] = "password";
    $auth["user"]["Administrator"] = "**";
    $auth["user"]["roeseler"] = "*";

    // 'session_http' configuration settings
    $auth["realm"] = "rooms";

    With this configuration I'm getting the same error "Unknown user"
I have LDAP debug enabled but I don't see any debugging in the tool nor in the web server and domain controller logs.

    Is there anything else that I can enable in order to debug this?

    Thanks in advance for your help.
Pedro Röseler

     
  • Roeseler
    Roeseler
    2012-06-21

    Another update.

I've been doing some debugging on the PHP files, more exactly on the auth_ldap.inc file, although my PHP knowledge is almost nil.
I found out that the app is not getting inside the loop

foreach ($all_ldap_opts['ldap_host'] as $idx => $host)
{
// establish ldap connection
// the '@' suppresses errors
if (isset($all_ldap_opts['ldap_port'][$idx]))

and I can't find out why, not even if I force the variable value with my AD IP address:

$all_ldap_opts['ldap_host'] = "ad_ip_address";
echo $all_ldap_opts['ldap_host'];

I print the variable successfully on the authentication page, but when I try to log in I still get the 'Unknown User' message.
If I don't force the variable value, nothing is displayed.

I also installed Wireshark on the web server but I don't see any connections going out to the AD server.

    This is extremely urgent so if you manage to give me a hand I would be grateful!

    Cheers,
    Pedro

     
  • Superbozo
    Superbozo
    2012-07-11

    Hello,

On this line, use "cn=Users" instead of "ou=Users":

$ldap_dn_search_dn = "cn=Administrator,ou=Users,dc=mydomain";

If you look at the "$ldap_base_dn" line, you will notice that there you correctly wrote "cn=Users".

    It worked for me

    cheers

     

    • Anonymous
      2012-10-18

      Hi Superbozo!

      Thanks for the tip!
      I tried it but unfortunately with the same result... :(
      I already have the tool on production but only one person is able to do the reservations, and the idea was to let everyone do it, decentralizing the task...

      Let's see if anyone has some other tip.

      Cheers

       

  • Anonymous
    2012-08-23

    Hello,
I am Brazilian and, first, I would like to thank you for the excellent MRBS. I apologize if there are writing errors in my post.

I really need your help. I cannot authenticate using LDAP. I have Active Directory on a Windows Server 2003, and made the following settings in config.inc.php:

$auth["type"] = "ldap";
$ldap_host = "10.11.10.7";
$ldap_port = 389;
$ldap_v3 = true;
$ldap_tls = false;
$ldap_base_dn = "ou=mn users,dc=cbc,dc=com,dc=com";
$ldap_user_attrib = "sAMAccountName";
$ldap_dn_search_attrib = "sAMAccountName";
$ldap_dn_search_dn = "cn=users mn,ou=users,dc=cbc,dc=com,dc=com";
$ldap_dn_search_password = "Info*2010";
$ldap_unbind_between_attempts = true;
$ldap_debug = TRUE;

When I try to authenticate, it does not log in and shows the following errors:

Warning: array_fill() [function.array-fill]: Number of elements must be positive in C:\xampp\htdocs\MRBS\auth_ldap.inc on line 113
Warning: array_fill() [function.array-fill]: Number of elements must be positive in C:\xampp\htdocs\MRBS\auth_ldap.inc on line 113
Warning: array_fill() [function.array-fill]: Number of elements must be positive in C:\xampp\htdocs\MRBS\auth_ldap.inc on line 113
Warning: array_fill() [function.array-fill]: Number of elements must be positive in C:\xampp\htdocs\MRBS\auth_ldap.inc on line 113
Warning: array_fill() [function.array-fill]: Number of elements must be positive in C:\xampp\htdocs\MRBS\auth_ldap.inc on line 113
Warning: array_fill() [function.array-fill]: Number of elements must be positive in C:\xampp\htdocs\MRBS\auth_ldap.inc on line 113
Warning: array_fill() [function.array-fill]: Number of elements must be positive in C:\xampp\htdocs\MRBS\auth_ldap.inc on line 113
Warning: array_fill() [function.array-fill]: Number of elements must be positive in C:\xampp\htdocs\MRBS\auth_ldap.inc on line 113
Warning: array_fill() [function.array-fill]: Number of elements must be positive in C:\xampp\htdocs\MRBS\auth_ldap.inc on line 113
Warning: array_fill() [function.array-fill]: Number of elements must be positive in C:\xampp\htdocs\MRBS\auth_ldap.inc on line 113
Warning: array_fill() [function.array-fill]: Number of elements must be positive in C:\xampp\htdocs\MRBS\auth_ldap.inc on line 113
Warning: Invalid argument supplied for foreach() in C:\xampp\htdocs\MRBS\auth_ldap.inc on line 117

The server where MRBS is installed is not the AD server, but on that same server I have GLPI running with LDAP authentication, and its settings are as follows:

GLPI
Server: 10.11.10.7
LDAP port: 389
Connection filter: (&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
BaseDN: dc=cbc,dc=com,dc=br
RootDN (for non-anonymous connection): cbc\mnadmin
Password (for non-anonymous connection): Info*2010
Login field: samaccountname

Other settings in GLPI:
Search type: in users
Filter to search in groups: (&(objectClass=user)(objectCategory=person))
Users containing their groups: memberof
Use the search DN: Yes
Attribute that represents the entity: ou
Search filter for entities: (objectclass=organizationalUnit)
Use TLS: No
How LDAP aliases should be handled: never dereferenced

     
    Last edit: Anonymous 2012-08-24
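The array_fill() and foreach() warnings in the post above most likely come from the step where MRBS turns each scalar-or-array $ldap_* setting into an array with one element per directory (the "every array parameter must have the same number of elements" rule from the config comments): array_fill() is given the number of directories, that number is 0 when $ldap_host never reached the code, PHP versions before 5.6 reject a zero count with exactly this warning, and the later foreach over hosts then has no array to iterate. The PHP below is an added illustration written for this page, not MRBS's own code; normalise_ldap_opts() and the sample settings are constructed. It applies the same rule but fails with one clear message instead of that cascade of warnings.

```php
<?php
// Added illustration, not MRBS code: expand scalar-or-array $ldap_* settings
// into arrays of equal length, one element per directory, and reject bad input.

function normalise_ldap_opts(array $raw): array
{
    // Settings that MRBS documents as "This can be an array".
    $arrayable = ['ldap_host', 'ldap_port', 'ldap_v3', 'ldap_tls', 'ldap_base_dn',
                  'ldap_user_attrib', 'ldap_dn_search_attrib', 'ldap_dn_search_dn',
                  'ldap_dn_search_password', 'ldap_filter', 'ldap_email_attrib',
                  'ldap_admin_group_dn'];

    if (!isset($raw['ldap_host'])) {
        // A missing host gives a directory count of 0; array_fill(0, 0, ...) is what
        // PHP < 5.6 refused with "Number of elements must be positive". Say so instead.
        throw new InvalidArgumentException('$ldap_host is not set: check the variable name and that the config file is actually read');
    }

    // Number of directories = length of the longest array-valued setting (1 if none).
    $n = 1;
    foreach ($arrayable as $opt) {
        if (isset($raw[$opt]) && is_array($raw[$opt])) {
            $n = max($n, count($raw[$opt]));
        }
    }

    $out = [];
    foreach ($arrayable as $opt) {
        if (!isset($raw[$opt])) {
            continue;                         // unset settings stay unset
        }
        $v = $raw[$opt];
        if (is_array($v)) {
            if (count($v) !== $n) {           // the "same number of elements" rule
                throw new InvalidArgumentException("$opt has " . count($v) . " elements, expected $n");
            }
            $out[$opt] = array_values($v);
        } else {
            $out[$opt] = array_fill(0, $n, $v); // a scalar applies to every directory
        }
    }
    return $out;
}

// Constructed sample: two directories sharing one TLS flag.
$good = [
    'ldap_host'    => ['dc1.example.local', 'dc2.example.local'],   // placeholders
    'ldap_tls'     => true,
    'ldap_base_dn' => ['DC=example,DC=local', 'DC=example,DC=local'],
];
$opts = normalise_ldap_opts($good);
foreach ($opts['ldap_host'] as $idx => $host) {
    printf("%s tls=%s base=%s\n", $host, var_export($opts['ldap_tls'][$idx], true), $opts['ldap_base_dn'][$idx]);
}

// A port list that is too short for two directories is rejected up front.
try {
    normalise_ldap_opts($good + ['ldap_port' => [389]]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// The missing-host case that produces the warnings quoted in the post.
try {
    normalise_ldap_opts(['ldap_base_dn' => 'DC=example,DC=local']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

A useful habit when a setting "is not seen" by PHP is to check the variable's exact name and case first: PHP variable names are case-sensitive, so a setting spelt with different capitalisation is simply a different, unused variable.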
  • John Beranek
    John Beranek
    2012-10-18

    Why is everyone jumping on the same ticket with different LDAP problems, it's extremely confusing!

    Everyone needs to update to MRBS 1.4.9 and try again. There was a bug in reading the LDAP configuration variables in 1.4.8 that has been fixed in 1.4.9.

     

  • Anonymous
    2012-10-20

    Why is everyone jumping on the same ticket with different LDAP problems, it's extremely confusing!

They were trying to help each other.

     

  • Anonymous
    2014-01-23

    Hello!
How do I configure the config.inc.php file to connect to LDAP, if:
domain: brm.com (dc=brm,dc=com)
ldap://brm.com
user: ldapuser
password: pwd

     
  • John Beranek
    John Beranek
    2014-01-23

    Anonymous, please create a new ticket instead of replying on a really old one. LDAP configuration depends on the LDAP server you're using. Reading the comments in systemdefaults.inc.php should help you.

     
  • John Beranek
    John Beranek
    2014-01-23

    • status: open --> closed
    • assigned_to: John Beranek
    • Group: -->
     

