Hi guys,
I am trying to configure MRBS with LDAP authentication. I am able to connect to the LDAP server but MRBS fails to authenticate the user. Below are the settings that I have in the config.php file:
$auth["type"] = "ldap";
// 'auth_ldap' configuration settings
// Many of the LDAP parameters can be specified as arrays, in order to
// specify multiple LDAP directories to search within. Each item below
// will specify whether the item can be specified as an array. If any
// parameter is specified as an array, then EVERY array configuration
// parameter must have the same number of elements. You can specify a
// parameter as an array as in the following example:
//
// $ldap_host = array('localhost', 'otherhost.example.com');
// Where is the LDAP server.
// This can be an array.
$ldap_host = "xxxx.xxxxx.local";
// If you have a non-standard LDAP port, you can define it here.
// This can be an array.
//$ldap_port = 389;
// If you do not want to use LDAP v3, change the following to false.
// This can be an array.
$ldap_v3 = false;
// If you want to use TLS, change the following to true.
// This can be an array.
$ldap_tls = false;
// LDAP base distinguish name.
// This can be an array.
$ldap_base_dn = "OU=xxx,OU=xxx,DC=xxxx,DC=local";
//$ldap_base_dn = "ou=organizationalunit,dc=my-domain,dc=com";
// Attribute within the base dn that contains the username
// This can be an array.
//$ldap_user_attrib = "uid";
// If you need to search the directory to find the user's DN to bind
// with, set the following to the attribute that holds the user's
// "username". In Microsoft AD directories this is "sAMAccountName"
// This can be an array.
//$ldap_dn_search_attrib = "sAMAccountName";
// If you need to bind as a particular user to do the search described
// above, specify the DN and password in the variables below
// These two parameters can be arrays.
// $ldap_dn_search_dn = "cn=Search User,ou=Users,dc=some,dc=company";
// $ldap_dn_search_password = "some-password";
// 'auth_ldap' extra configuration for ldap configuration of who can use
// the system
// If it's set, the $ldap_filter will be used to determine whether a
// user will be granted access to MRBS
// This can be an array.
// An example for Microsoft AD:
//$ldap_filter = "memberof=cn=whater,ou=whatver,dc=example,dc=com";
// If you need to disable client referrals, this should be set to TRUE.
// Note: Active Directory for Windows 2003 forward requires this.
// $ldap_disable_referrals = TRUE;
// Set to TRUE to tell MRBS to look up a user's email address in LDAP.
// Utilises $ldap_email_attrib below
$ldap_get_user_email = FALSE;
// The LDAP attribute which holds a user's email address
// This can be an array.
$ldap_email_attrib = 'mail';
// The DN of the LDAP group that MRBS admins must be in. If this is defined
// then the $auth["admin"] is not used.
// This can be an array.
// $ldap_admin_group_dn = 'cn=admins,ou=whoever,dc=example,dc=com';
// The LDAP attribute that holds group membership details. Used with
// $ldap_admin_group_dn, above.
// This can be an array.
$ldap_group_member_attrib = 'memberof';
// Set to TRUE if you want MRBS to call ldap_unbind() between successive
// attempts to bind. Unbinding while still connected upsets some
// LDAP servers
$ldap_unbind_between_attempts = FALSE;
// Output debugging information for LDAP actions
$ldap_debug = TRUE;
I get the message unknown user. I know that I am able to connect to the server as I have no error messages and I have tested the settings on a different script. I also have the same settings on systemdefaults.inc.php.
Your help is much appreciated.
This ticket is more than 6 months old, so is being closed in a mass update.
If you still have more input on the ticket, feel free to reopen it.
MRBS Admins
Hello great people!
First I would like to congratulate you for the great tool that MRBS is.
Unfortunately I am facing the same problem and banging my head on the wall for weeks.... :(
I have MRBS v.1.4.8 running on Windows 2008 with IIS 7.
My 'ldap' configuration:
/********
* Authentication settings - read AUTHENTICATION
********/
$auth["session"] = "php"; // How to get and keep the user ID. One of
// "http" "php" "cookie" "ip" "host" "nt" "omni"
// "remote_user"
//$auth["type"] = "config"; // How to validate the user/password. One of "none"
$auth["type"] = "ldap"; // How to validate the user/password. One of "none"
// "config" "db" "db_ext" "pop3" "imap" "ldap" "nis"
// "nw" "ext".
$ldap_host = "ad_server.mydomain";
$ldap_v3 = TRUE;
$ldap_base_dn = "cn=users,dc=mydomain";
$ldap_dn_search_attrib = "sAMAccountName";
$ldap_dn_search_dn = "cn=Administrator,ou=Users,dc=mydomain";
$ldap_dn_search_password = "***";
$ldap_debug = TRUE;
unset($auth["admin"]); // Include this when copying to config.inc.php
$auth["admin"][] = "127.0.0.1"; // localhost IP address. Useful with IP sessions.
$auth["admin"][] = "Administrator"; // A user name from the user list. Useful
// with most other session schemes.
// 'auth_config' user database
// Format: $auth["user"]["name"] = "password";
$auth["user"]["Administrator"] = "**";
$auth["user"]["roeseler"] = "*";
// 'session_http' configuration settings
$auth["realm"] = "rooms";
With this configuration I'm getting the same error, "Unknown user".
I have LDAP debug enabled but I don't see any debugging output in the tool, nor in the web server and domain controller logs.
Is there anything else that I can enable in order to debug this?
Thanks in advance for your help.
Pedro Röseelr
Another update.
I've been doing some debugging on the PHP files, more exactly on the auth_ldap.inc file, although my PHP knowledge is almost null.
I found out that the app is not getting inside the cycle
foreach ($all_ldap_opts['ldap_host'] as $idx => $host)
{
and I can't find out why, not even if I force the variable value with my AD ip address:
$all_ldap_opts['ldap_host'] = "ad_ip_address";
ECHO $all_ldap_opts['ldap_host'];
I print the variable with success on the authentication page but when I try to login I still get the 'Unknown User' message.
If I don't force the variable value, nothing is displayed.
I also installed Wireshark on the web server but I don't see any connections going out to the AD server.
This is extremely urgent so if you manage to give me a hand I would be grateful!
Cheers,
Pedro
Hello,
On this line, correct it with "cn=Users" instead of "ou=Users"
$ldap_dn_search_dn = "cn=Administrator,ou=Users,dc=mydomain";
if you pay attention to the line "$ldap_base_dn", you will notice that you wrote correct "cn=Users"
It worked for me
cheers
Hi Superbozo!
Thanks for the tip!
I tried it but unfortunately with the same result... :(
I already have the tool on production but only one person is able to do the reservations, and the idea was to let everyone do it, decentralizing the task...
Let's see if anyone has some other tip.
Cheers
Hello,
I am Brazilian and first, I would like to thank the excellent MRBS. I apologize if there are errors in writing in my post.
I really need your help. I cannot authenticate using LDAP. I have Active Directory on a Windows Server 2003, and made the following settings in config.inc.php:
$auth["type"] = "ldap";
$ldap_host = "10.11.10.7";
$ldap_port = 389;
$ldap_v3 = true;
$ldap_tls = false;
$ldap_base_dn = "ou = mn users, dc = cbc, dc = com, dc = com";
$ldap_user_attrib = "sAMAccountName";
$ldap_dn_search_attrib = "sAMAccountName";
$ldap_dn_search_dn = "cn = users mn, ou = users, dc = cbc, dc = com, dc = com";
$ldap_dn_search_password = "Info * 2010";
$ldap_unbind_between_attempts = true;
$ldap_debug = TRUE;
When attempting to authenticate, I am not logged in and get the following error:
Warning: array_fill() [function.array-fill]: Number of elements must be positive in C:\xampp\htdocs\MRBS\auth_ldap.inc on line 113
Warning: array_fill() [function.array-fill]: Number of elements must be positive in C:\xampp\htdocs\MRBS\auth_ldap.inc on line 113
Warning: array_fill() [function.array-fill]: Number of elements must be positive in C:\xampp\htdocs\MRBS\auth_ldap.inc on line 113
Warning: array_fill() [function.array-fill]: Number of elements must be positive in C:\xampp\htdocs\MRBS\auth_ldap.inc on line 113
Warning: array_fill() [function.array-fill]: Number of elements must be positive in C:\xampp\htdocs\MRBS\auth_ldap.inc on line 113
Warning: array_fill() [function.array-fill]: Number of elements must be positive in C:\xampp\htdocs\MRBS\auth_ldap.inc on line 113
Warning: array_fill() [function.array-fill]: Number of elements must be positive in C:\xampp\htdocs\MRBS\auth_ldap.inc on line 113
Warning: array_fill() [function.array-fill]: Number of elements must be positive in C:\xampp\htdocs\MRBS\auth_ldap.inc on line 113
Warning: array_fill() [function.array-fill]: Number of elements must be positive in C:\xampp\htdocs\MRBS\auth_ldap.inc on line 113
Warning: array_fill() [function.array-fill]: Number of elements must be positive in C:\xampp\htdocs\MRBS\auth_ldap.inc on line 113
Warning: array_fill() [function.array-fill]: Number of elements must be positive in C:\xampp\htdocs\MRBS\auth_ldap.inc on line 113
Warning: Invalid argument supplied for foreach() in C:\xampp\htdocs\MRBS\auth_ldap.inc on line 117
The server where MRBS is installed is not the AD server, but I have GLPI running with LDAP authentication against that same AD server, with the following settings:
GLPI
Server: 10.11.10.7
LDAP Port: 389
Connection Filter: (&(objectClass=user)(objectCategory=person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
Basedn: dc=cbc,dc=com,dc=br
rootdn (for non anonymous connection): cbc\mnadmin
Pass (for connecting non-anonymous): Info*2010
Login Field: samaccountname
Other settings in glpi:
Search Types: In Users
Filter to search in groups: (&(objectClass=user)(objectCategory=person))
Users containing its groups: memberof
Use the search DN: Yes
Attribute that represents entity: ou
Search filter for entities: (objectclass=organizationalUnit)
Uses TLS: No
How LDAP aliases should be handled: Never dereferenced
Last edit: Anonymous 2012-08-24
Why is everyone jumping on the same ticket with different LDAP problems, it's extremely confusing!
Everyone needs to update to MRBS 1.4.9 and try again. There was a bug in reading the LDAP configuration variables in 1.4.8 that has been fixed in 1.4.9.
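An added illustration (not MRBS's own code, and not the 1.4.9 fix) of the rule in the configuration comments quoted earlier in the thread, that every array-valued LDAP parameter must have the same number of elements: a loader that turns scalar-or-array settings into one option set per directory and rejects an unset host or mismatched lengths, instead of reaching `array_fill()` with a zero count as in the warnings posted above. The helper name `normalize_ldap_opts()` and the sample values are hypothetical.

```php
<?php
// Added example; not code from MRBS. normalize_ldap_opts() is a hypothetical helper.
// Each setting may be a scalar or an array; the result is one option set per directory.
function normalize_ldap_opts(array $config): array
{
    if (!isset($config['ldap_host']) || $config['ldap_host'] === '' || $config['ldap_host'] === array()) {
        // An unset host would give a count of 0: no directory would ever be
        // tried and the login would simply fail, so reject it up front.
        throw new InvalidArgumentException('ldap_host is not set');
    }

    $count = is_array($config['ldap_host']) ? count($config['ldap_host']) : 1;
    $per_directory = array_fill(0, $count, array());

    foreach ($config as $name => $value) {
        if (is_array($value)) {
            if (count($value) !== $count) {
                throw new InvalidArgumentException("$name has " . count($value) . " elements, ldap_host has $count");
            }
            $values = array_values($value);
        } else {
            // A scalar applies to every directory.
            $values = array_fill(0, $count, $value);
        }
        foreach ($values as $idx => $v) {
            $per_directory[$idx][$name] = $v;
        }
    }
    return $per_directory;
}

// Constructed sample values: two directories, two settings shared by both.
$ok = normalize_ldap_opts(array(
    'ldap_host'             => array('localhost', 'otherhost.example.com'),
    'ldap_base_dn'          => array('ou=people,dc=example,dc=com', 'cn=Users,dc=example,dc=com'),
    'ldap_dn_search_attrib' => 'sAMAccountName',
    'ldap_tls'              => true,
));
print_r($ok);

try {
    normalize_ldap_opts(array(
        'ldap_host'    => array('localhost', 'otherhost.example.com'),
        'ldap_base_dn' => array('ou=people,dc=example,dc=com'),   // one element short
    ));
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```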
Why is everyone jumping on the same ticket with different LDAP problems, it's extremely confusing!
They were trying to help each other.
Hello!
How do I configure the config.inc.php file to connect to LDAP?
if
domain:brm.com (dc=brm,dc=com)
ldap://brm.com
user:ldapuser
password: pwd
Anonymous, please create a new ticket instead of replying on a really old one. LDAP configuration depends on the LDAP server you're using. Reading the comments in systemdefaults.inc.php should help you.