After a new look in the code, I think the problem because is not working in AD is because is searching "cn=userfax,dc=example,dc=com"
If I try to do a ldapsearch with that, ldapsearch return me an error:
"No such object ( 32 )
Matched DN: DC=example,DC=com"
But if I do a ldapsearch with dc=example,dc=com, works without problem. I think the problem is here, I don't tested, but I'm pretty sure OpenLDAP accept a query with "cn=userfax,dc=example,dc=com".
Maybe removing the user in the search makes the code works because the ldap_scope_subtree works.
Last edit: Crises 2019-03-20
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Thanks for your input. While I am able to rework the code as needed, I am not able to test it. So, until someone comes along who is wanting to see an improvement or developments in the HylaFAX LDAP authentication and is willing to test things, I can't do much else.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Okey, time for long post. But I think we are near the solution.
First, in my previous post I think I made you fall into error. This execution is from ldapsearch, not the LDAP_test.c++.
Sorry!
Second, I tested your code and che changes are really awesome, because now the search is highly configurable. But again, the code only works with Full BaseDN with Active Directory.
Testing the code I did another interesting discover:
Active Directory accept the bind with user@basedn, so I modified the LDAP_test.c++ with this:
i = snprintf(sLDAPUserDN, sizeof(sLDAPUserDN), "%s@%s", user, (const char*)ldapBaseDN);
If I try this:
Attempting to connect to LDAP URI: "ldap://192.168.1.5"... Succeeded
Attempting to set LDAP version 3... Succeeded
Attempting to bind to LDAP server with: "userfax@example.com" and "123"... Succeeded
Attempting to search LDAP server with: "userfax@example.org" and "cn=userfax"... Search LDAP error
The problem is this variable: sLDAPUserDN
Is used for bind and after for the search. If we add a new param like:
Admittedly I am a little confused about what you're trying to suggest that we do. I think that you're suggesting that we add an additional configuration parameter in order to allow use of a different UserDN in the bind than in the search.
However, looking at the ldap_sasl_bind_s() man page here:
... says that, "For SASL binds the server always ignores any provided DN, so the dn parameter should always be NULL. ldap_sasl_bind_s() sends a single SASL bind request with the given SASL mechanism and credentials in the cred parameter."
In other words, it would seem that LDAPBindQuery is only used in the execution of ldap_search_ext_s(), anyway, in conjunction with LDAPSearchQuery. If LDAPBindQuery is actually being used in ldap_sasl_bind_s() then apparently we should stop providing UserDN to it and set that parameter to NULL. So, there isn't a point of creating an additional parameter because LDAPBindQuery should only being used in the search and not in the bind.
So, I suspect that all that we need to do is to change the name of LDAPBindQuery to something like "LDAPSearchDN" and possibly set the second parameter of ldap_sasl_bind_s() to NULL.
As for the mention about "the fax does not send"... does the fax job get submitted with a jobid number? Or is the job submission being rejected? I need more information about "works without problem" and "does not send".
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
If you are confused is because my level in English is really bad. Sorry.
For do this simple.
I have a LDAP_test.c++ modified by a coworker (the code that attached you yesterday). This code is working good. When I try to put that modified code into a Login.c++ and compilate, if I try to send a fax, "Login timeout" appears. I'm sure is my bad.
The code has 3 important parts:
i = snprintf(filter, sizeof(filter), "cn=%s", user);
The filter used in the search, works like a "(objectClass=*) in a ldapsearch, in this case "(cn=user)" or (sAMAccountName=user) depends the parameter what you want.
the new ldapSearchQuery is great for this because I can filter for whatever I want.
The second part:
ldap_sasl_bind_s: In my test, only works with user or user@example.com. With cn=user don't work. I think the best option is use only user.
And the last part:
ldap_search_ext_s: Need to be the BaseDN what you want. In my case dc=example, dc=org.
If the code do this, I think works perfectly.
So, I suspect that all that we need to do is to change the name of LDAPBindQuery to something like "LDAPSearchDN" and possibly set the second parameter of ldap_sasl_bind_s() to NULL. >
I think its a good idea!
My code only have 3 changes:
i = snprintf(filter, sizeof(filter), "cn=%s", user);
Changed uuid= for cn=. Easy.
i = snprintf(sLDAPUserDN, sizeof(sLDAPUserDN), "%s",(const char*)ldapBaseDN);
I'm trying to add a option for enable disable the group in LDAP. Because now my company don't want use specific group for fax users, but maybe in the future they want use a specific group.
But can be interesting add this function.
Regards.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
After a new look in the code, I think the problem because is not working in AD is because is searching "cn=userfax,dc=example,dc=com"
If I try to do a ldapsearch with that, ldapsearch return me an error:
"No such object ( 32 )
Matched DN: DC=example,DC=com"
But if I do a ldapsearch with dc=example,dc=com, works without problem. I think the problem is here, I don't tested, but I'm pretty sure OpenLDAP accept a query with "cn=userfax,dc=example,dc=com".
Maybe removing the user in the search makes the code works because the ldap_scope_subtree works.
Last edit: Crises 2019-03-20
Thanks for your input. While I am able to rework the code as needed, I am not able to test it. So, until someone comes along who is wanting to see an improvement or developments in the HylaFAX LDAP authentication and is willing to test things, I can't do much else.
I don't have problems in test your code in my OpenLDAP/Active Directory test environment if you want.
I did a interesting discovery.
The code, in this line:
i = snprintf (sLDAPUserDN, sizeof (sLDAPUserDN), "cn =% s,% s", user, (const char *) ldapBaseDN);
This line is doing a cn = userfax, dc = example, dc = org
But this query does not work in Active Directory, but in Active Directory this query work:
dc = example, dc = com sAMAccountName = userfax
Maybe if we change the code for search this line, the code maybe works.
Please see:
https://sourceforge.net/p/hylafax/HylaFAX+/2499/
If you don't know how to patch the code you can download a new copy of the three altered code files here:
https://sourceforge.net/p/hylafax/HylaFAX+/2499/tree/trunk/hfaxd/HylaFAXServer.c%2B%2B?format=raw
https://sourceforge.net/p/hylafax/HylaFAX+/2499/tree/trunk/hfaxd/HylaFAXServer.h?format=raw
https://sourceforge.net/p/hylafax/HylaFAX+/2499/tree/trunk/hfaxd/Login.c%2B%2B?format=raw
You will need to modify your configuration to something like this:
These changes should make the format of the two queries (ldap_sasl_bind_s and ldap_search_ext_s) configurable-enough for just about anything.
Okey, time for long post. But I think we are near the solution.
First, in my previous post I think I made you fall into error. This execution is from ldapsearch, not the LDAP_test.c++.
Sorry!
Second, I tested your code and che changes are really awesome, because now the search is highly configurable. But again, the code only works with Full BaseDN with Active Directory.
Testing the code I did another interesting discover:
Active Directory accept the bind with user@basedn, so I modified the LDAP_test.c++ with this:
If I try this:
Attempting to connect to LDAP URI: "ldap://192.168.1.5"... Succeeded
Attempting to set LDAP version 3... Succeeded
Attempting to bind to LDAP server with: "userfax@example.com" and "123"... Succeeded
Attempting to search LDAP server with: "userfax@example.org" and "cn=userfax"... Search LDAP error
The problem is this variable: sLDAPUserDN
Is used for bind and after for the search. If we add a new param like:
LDAPServerURI: "ldap://192.168.1.5"
LDAPReqGroup: "CN=Hylafax,CN=Users,DC=example,DC=com"
LDAPBindQuery: %s@example.com
LDAPSearchDN: "dc=example,dc=com sAMAccountName=%s"
LDAPGroupAttribute: "memberOf"
LDAPSearchQuery: "cn=%s"
LDAPVersion: 3
We separate the bind and the search, making the code more configurable.
The problem is this: dc=example,dc=com sAMAccountName=%s
Im not sure if ldap_search_ext_s accept this query, but dc=example,dc=com maybe works with ldap_scope_subtree.
Last edit: Crises 2019-03-26
Finally I changed the code for work in Active Directory.
Im attaching you the result of the code.
I did two things, changed separate the bind and the search.
The problem is, if I test this code works without problem, but if I compile the changes and test, the fax does not send.
I dont know why.
Last edit: Crises 2019-03-26
Admittedly I am a little confused about what you're trying to suggest that we do. I think that you're suggesting that we add an additional configuration parameter in order to allow use of a different UserDN in the bind than in the search.
However, looking at the ldap_sasl_bind_s() man page here:
https://linux.die.net/man/3/ldap_sasl_bind_s
... says that, "For SASL binds the server always ignores any provided DN, so the dn parameter should always be NULL. ldap_sasl_bind_s() sends a single SASL bind request with the given SASL mechanism and credentials in the cred parameter."
In other words, it would seem that LDAPBindQuery is only used in the execution of ldap_search_ext_s(), anyway, in conjunction with LDAPSearchQuery. If LDAPBindQuery is actually being used in ldap_sasl_bind_s() then apparently we should stop providing UserDN to it and set that parameter to NULL. So, there isn't a point of creating an additional parameter because LDAPBindQuery should only being used in the search and not in the bind.
So, I suspect that all that we need to do is to change the name of LDAPBindQuery to something like "LDAPSearchDN" and possibly set the second parameter of ldap_sasl_bind_s() to NULL.
As for the mention about "the fax does not send"... does the fax job get submitted with a jobid number? Or is the job submission being rejected? I need more information about "works without problem" and "does not send".
If you are confused is because my level in English is really bad. Sorry.
For do this simple.
I have a LDAP_test.c++ modified by a coworker (the code that attached you yesterday). This code is working good. When I try to put that modified code into a Login.c++ and compilate, if I try to send a fax, "Login timeout" appears. I'm sure is my bad.
The code has 3 important parts:
i = snprintf(filter, sizeof(filter), "cn=%s", user);
The filter used in the search, works like a "(objectClass=*) in a ldapsearch, in this case "(cn=user)" or (sAMAccountName=user) depends the parameter what you want.
the new ldapSearchQuery is great for this because I can filter for whatever I want.
The second part:
ldap_sasl_bind_s: In my test, only works with user or user@example.com. With cn=user don't work. I think the best option is use only user.
And the last part:
ldap_search_ext_s: Need to be the BaseDN what you want. In my case dc=example, dc=org.
If the code do this, I think works perfectly.
I think its a good idea!
My code only have 3 changes:
Changed uuid= for cn=. Easy.
Here, change the line for only take sLDAPUserDN.
err = ldap_sasl_bind_s(p_LDAPConn, user, LDAP_SASL_SIMPLE, &s_UserPasswd, NULL, NULL, NULL);Changed sLDAPUserDN for th evariable user.
And now my LDAP_test.c++ is working.
Im trying now in the code.
Last edit: Crises 2019-03-27
Please see:
https://sourceforge.net/p/hylafax/HylaFAX+/2500/
This adds an "LDAPSearchDN" option that is similar to the others. You'll probably need to have configured:
With this change I believe that the administrator has full control of all of the LDAP calls from within this configuration.
To download the new files just folow the instructions as before.
The commit is working.
My hfaxd.conf is:
LDAPServerURI: "ldap://192.168.1.5"
LDAPReqGroup: "CN=Hylafax,CN=Users,DC=example,DC=com"
LDAPBindQuery: %s
LDAPSearchDN: "dc=example,dc=com"
LDAPGroupAttribute: "memberOf"
LDAPSearchQuery: "sAMAccountName=%s"
LDAPVersion: 3
This weekend I will test in OpenLDAP for securing is working in OpenLDAP and Active Directory.
Now the code is highly configurable.
A new improvement could be put only the name of the group like "Hylafax" or "CN=Hylafax" not all the DN.
Thank you very much for your pattience.
Last edit: Crises 2019-03-28
Hi,
I added to the code the next option.
The Active Directory in my company is huge, so if this option is not activated, the code does not work.
Maybe can be interesting add this code.
Regards
See: https://sourceforge.net/p/hylafax/HylaFAX+/2502/
Nice.
I'm trying to add a option for enable disable the group in LDAP. Because now my company don't want use specific group for fax users, but maybe in the future they want use a specific group.
But can be interesting add this function.
Regards.
See: https://sourceforge.net/p/hylafax/HylaFAX+/2503/
This makes LDAPReqGroup optional. If you leave it unset (or set it to "") then it is not used for authentication.
I added this option yesterday to my code, before your commit, but gives me this:
Login failed: 530 Access Denied
Yes, I missed one part in my changes. Try this now:
https://sourceforge.net/p/hylafax/HylaFAX+/2504/
I don't know why is not working.
Login failed: 530 Login incorrect.
I tried to put this solution in your LDAP_test.c++ and it's working, but not in the code.
... and this:
https://sourceforge.net/p/hylafax/HylaFAX+/2505/
Now worked. Perfect.
I think at this moment the code is highly configurable for all the needs/platforms.
Great work and thank you very much for your help. It was a pleasure!
If you need contact me for test code or something in the future, you can send me a DM!
Last edit: Crises 2019-04-02