LDAP Server - Bind DN form too small + "whitespaces"

Michael
2021-09-03
2022-01-03
  • Michael

    Michael - 2021-09-03

    Hi Marc,

    On a fresh 3.5 install, I'm trying to import what I had in Apache's AuthLDAPBindDN for my servers.

    First problem: it seems I can't enter more than 100 characters in the Bind DN. Apache doesn't have this limitation.
    Second problem: I have spaces in my OU names, which Apache accepts:
    cn=ServiceAccountLdapGestioIP,ou=GestioIP,ou=Applications,ou=GENERIQUE,ou=SITES BIGCOMPANY,dc=ACME-BIGCOMPANY,dc=com

    Any way to bypass this?

  • Michael

    Michael - 2021-09-03

    Little update: the 100-character limit was easy to solve, maybe dirty.
    Edit /var/www/html/gestioip/modules/GipTemplate.pm

    In

    sub create_form_element_text {

    change the value to 150:

    my $maxlength=$args{maxlength} || "100";

    I managed to remove the check on the space by commenting out this line in
    /var/www/html/gestioip/res/ip_check_ldap_server.cgi

    $gip->print_error("$client_id","$$lang_vars{bind_dn_no_whitespace_message}") if $bind_dn =~/\s/;

    The test is successful.
    But of course it doesn't solve my problem. The Add button returns:

    Update Apache LDAP configuration failed (2): RELOAD_APACHE CREATE_FAIL_CONFIG_BACKUP: Apache config test returned:

    AH00526: Syntax error on line 1 of /usr/share/gestioip/etc/apache/apache_ldap.conf:
    AuthLDAPBindDN takes one argument, DN to use to bind to LDAP server. If not provided, will do an anonymous bind.
    Action 'configtest' failed.
    The Apache error log may have more information.

    I'll make more tests to try to bypass this. I'd rather avoid modifying the files and DB manually.
    It seems possible to insert whitespaces in MySQL by modifying the SQL "insert" statements:
    https://stackoverflow.com/questions/10324836/mysql-insert-string-with-white-space

    • Marc Uebel

      Marc Uebel - 2021-09-04

      Hi Michael,
      It's OK how you changed the file GipTemplate.pm.
      You also need to update the database table.
      Log in to the MySQL database:
      $ mysql -u gestioip -p
      mysql> use gestioip;
      mysql> ALTER TABLE ldap_server MODIFY dn varchar(250);


      Last edit: Marc Uebel 2021-09-05
      • Michael

        Michael - 2021-09-05

        Could you consider an evolution of the form length in future versions? If I remember correctly the DB entry is a varchar(150).

        • Marc Uebel

          Marc Uebel - 2021-09-05

          Yes, the form and DB will be updated to 250 characters in the next version.

          • Michael

            Michael - 2021-09-05

            Note the issue is on the table ldap_server, not ldap_group.

            | bind_dn        | varchar(150) | YES  |     | NULL    |                |

            The form is 100 but the DB 150 ;)
            It's also possible to bypass the issue by using the account in this format: account@acme.com (shorter).

            • Marc Uebel

              Marc Uebel - 2021-09-05

              Correct. The affected table is ldap_server. I just changed it in the previous post.
              Thank you.

  • Michael

    Michael - 2021-09-03

    I tried to insert the config in the DB; I only manage to get an internal server error with an LDAP user, and the apache_ldap.conf config file doesn't support spaces in the DN either.
    Apache debug log extract:
    [LDAP: ldap_simple_bind() failed][Can't contact LDAP server]

    If I replace the space with a "+", I bypass this message but can't log in with my test user...
    [LDAP: ldap_simple_bind() failed][Invalid credentials]
    I tried the service account which is used to bind to the AD: same issue, invalid credentials.

    Your help will be appreciated.
    This is the same issue as this post anyway:
    https://sourceforge.net/p/gestioip/discussion/981984/thread/1fedda369e/
    I didn't have the issue previously, as I had a previous working version which was updated to 3.5.


    Last edit: Michael 2021-09-03
  • Marc Uebel

    Marc Uebel - 2021-09-04

    Hi Michael,
    In my Apache test configuration, a whitespace does not cause an error:

    Require ldap-group CN=TEST Group,CN=Users,DC=GestioIPTEST,DC=local

    Regards
    Marc

    • Michael

      Michael - 2021-09-05

      The issue is with the Bind DN, not the Require directives.

      Another regression I found is that it's apparently impossible to declare two active LDAP servers (for redundancy). It works in Apache:

      AuthLDAPURL "ldaps://srvxxx.acme.com:636 srvyyy.acme.com:636 srvzzz.acme.com:636/ou=Sites ACME,dc=acme,dc=com?sAMAccountName?sub?(objectClass=*)"
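The configtest error quoted earlier in the thread ("AuthLDAPBindDN takes one argument") and the multi-host AuthLDAPURL above both come down to how Apache tokenizes directive arguments: a value containing whitespace must be wrapped in double quotes to arrive as one argument. The Python below is an added illustration, not GestióIP's code or anything posted in the thread; it renders both directives with that quoting, validates the DN against the 250-character limit agreed in the thread (treated here as an assumption), and counts the arguments a quote-aware tokenizer sees, so the unquoted and quoted forms can be compared.

```python
import re
import shlex

# The thread settles on 250 characters for the form and the DB column; assumed here.
MAX_BIND_DN_LEN = 250


def validate_bind_dn(dn: str) -> str:
    """Accept a DN with spaces (e.g. 'ou=SITES BIGCOMPANY') but reject overlong
    values and characters that would break the generated directive line.
    Backslashes are rejected conservatively; escaped DN components are not handled."""
    if not dn or len(dn) > MAX_BIND_DN_LEN:
        raise ValueError(f"Bind DN must be 1..{MAX_BIND_DN_LEN} characters")
    if any(c in dn for c in "\"\\\r\n"):
        raise ValueError("Bind DN must not contain quotes, backslashes or line breaks")
    return dn


def is_valid_bind_dn(dn: str) -> bool:
    try:
        validate_bind_dn(dn)
        return True
    except ValueError:
        return False


def apache_arg(value: str) -> str:
    """Apache splits directive arguments on whitespace; quote values that contain any."""
    return f'"{value}"' if re.search(r"\s", value) else value


def bind_dn_directive(dn: str) -> str:
    """Render AuthLDAPBindDN; writing the DN unquoted is what triggers
    the 'takes one argument' configtest error."""
    return f"AuthLDAPBindDN {apache_arg(validate_bind_dn(dn))}"


def ldap_url_directive(hosts, base_dn, attribute="sAMAccountName", scope="sub",
                       ldap_filter="(objectClass=*)", scheme="ldaps"):
    """Render AuthLDAPURL with one or more space-separated hosts (tried in order
    by mod_authnz_ldap); the space between hosts again forces quoting."""
    if not hosts:
        raise ValueError("at least one LDAP host is required")
    url = f"{scheme}://{' '.join(hosts)}/{base_dn}?{attribute}?{scope}?{ldap_filter}"
    return f"AuthLDAPURL {apache_arg(url)}"


def directive_arg_count(line: str) -> int:
    """Arguments after the directive name, split the way a double-quote-aware
    tokenizer (like Apache's config reader) splits them."""
    return len(shlex.split(line)) - 1
```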
  • Marc Uebel

    Marc Uebel - 2021-09-05

    In the next version, the form will allow whitespaces within the DN.

    Thank you for the hint with the two servers. I will put this on the to-do list.

    • Michael

      Michael - 2021-09-05

      You can use multiple servers; it's not limited to 2.
      http://httpd.apache.org/docs/2.4/en/mod/mod_authnz_ldap.html#authldapurl

      Thanks for this information. I'll wait for the next version to reinstall my server.

  • Marc Uebel

    Marc Uebel - 2021-09-05

    OK, thank you for the hint.
    If you install the new version on a new server, be aware that the databases of the different versions are not compatible. Update the old server to the last version before exporting the database.

  • Michael

    Michael - 2021-12-13

    Hi Marc,

    Actualisation 7 doesn't seem to solve the issue with whitespaces:
    ERROR
    "Bind DN" must not contain whitespaces.

    Can you confirm?

    • Michael

      Michael - 2022-01-03

      Any news about this?

