Hi!
I need help configuring LDAP authentication.
I want to connect to MRBS using LDAP. I have other systems like Moodle with LDAP authentication and it works fine, but if I use the same config in MRBS I can't connect and no errors are shown.
There is one difference between the two systems, Moodle and MRBS. I created a security group called "USUARIOS-MRBS", and I am a member of it. I would like to use this group to filter the users that are allowed to log in to MRBS. If I don't use it, it doesn't work either.
I am copying my config.inc.php here.
$auth["type"] = "ldap";
$ldap_host = "ldap://example.es";
$ldap_port = 389;
$ldap_v3 = true;
$ldap_tls = false;
$ldap_base_dn = "DC=example,DC=es";
$ldap_user_attrib = "sAMAccountname";
$ldap_dn_search_attrib = "sAMAccountName";
$ldap_dn_search_dn = "CN=usrLdapConector,OU=GENERICS,OU=GENERICS_EXAMPLE,DC=example,DC=es";
$ldap_dn_search_password = "password";
$ldap_filter = "cn=users,dc=example,dc=es";
$ldap_filter_user_attr = "memberuid";
$ldap_filter = "CN=USUARIOS-MRBS,OU=Grupos Necesarios,OU=Unidad Grupos Seguridad Varios,DC=example,DC=es";
The rest of the config is the default config.
If I use this config I can't log in and no errors are shown. What can I do?
Thanks for your help.
Magotas
You've got configuration there for two ways of configuring LDAP filtering, so it's no surprise it doesn't work. It looks like you're using Active Directory, so it would be:
Thanks John.
I removed the first ldap_filter and used the one you gave me, but it doesn't work.
I think it is better to go step by step, so I will not filter by group. Let's first see if we connect, and if so I will try with groups. Now I have:
$auth["type"] = "ldap";
$ldap_host = "ldap://example.es";
$ldap_port = 389;
$ldap_v3 = true;
$ldap_tls = false;
$ldap_base_dn = "DC=example,DC=es";
$ldap_user_attrib = "sAMAccountname";
$ldap_dn_search_attrib = "sAMAccountName";
$ldap_dn_search_dn = "CN=usrLdapConector,OU=GENERICS,OU=GENERICS_EXAMPLE,DC=example,DC=es";
$ldap_dn_search_password = "password";
$ldap_filter = "cn=users,dc=example,dc=es";
$ldap_filter_user_attr = "memberuid";
All my users are in cn=users and the same config runs on Moodle. Same server, same config, but it fails on MRBS. Do you know what I have to do?
You need to not set $ldap_filter_user_attr
Ok. I am missing something...
I didn't set that attribute; it's what I have in systemdefault.inc.php.
Do I have to comment out all the lines I don't need in systemdefault.inc? I copied each line I need from systemdefault.inc to config.inc and set it to the new value there, so I don't modify systemdefault.inc. Do I have to change it?
Actually, I have commented it out, so that attribute is not set, but it doesn't work anyway.
Apologies that was a misleading suggestion from me, the configuration variable you need to ensure is not set is actually $ldap_filter_base_dn
Another configuration variable you have set unnecessarily is $ldap_user_attrib but it looks like this shouldn't cause any harm.
Please could you try adding the following to your config.inc.php and then looking at the PHP error log:
John, sorry, but I don't have a $ldap_filter_base_dn variable.
I have
$ldap_base_dn = "DC=fhalcorcon,DC=es";
or
$ldap_filter = "cn=users,dc=fhalcorcon,dc=es";
but no $ldap_filter_base_dn.
What variable are you talking about?
;-)
I made the changes you said. That's what I have in the PHP error log.
[08-Apr-2016 11:12:38 Europe/Berlin] authLdapAction: Got LDAP connection
[08-Apr-2016 11:12:38 Europe/Berlin] authLdapAction: Result of initial bind is 1
[08-Apr-2016 11:12:38 Europe/Berlin] authLdapAction: Didn't find entry using 'sAMAccountName'
[08-Apr-2016 11:12:38 Europe/Berlin] authLdapAction: base_dn 'DC=example,DC=es' user user1 dn
[08-Apr-2016 11:12:38 Europe/Berlin] authValidateUserCallback: base_dn 'DC=example,DC=es' dn '' user 'user1'
[08-Apr-2016 11:12:38 Europe/Berlin] authValidateUserCallback: Bind to '' failed
Does that help you?
I see an error on the 3rd line, but I am sure my AD login is set in the sAMAccountName variable.
I am not sure, but user1 on the 4th line is not between ' '. Could that be the error?
Thank you very much for your help.
The debug is saying that MRBS successfully connected to the LDAP system with the search DN, and then when it looked for:
sAMAccountName=user1
it didn't find any object. The debug doesn't put the user being searched for within quotes, as it does the other variables. So, the issue is either that the user you've specified isn't actually in the specified "ldap_base_dn" or perhaps that the user you've specified for searching doesn't have permissions on that portion of the LDAP directory.
John, I can log in now, but there is something strange in php_error. That's what I see in my last php_error entry; I don't see any error, but all lines are repeated 4 times for each login.
[13-Apr-2016 08:55:27 Europe/Madrid] authLdapAction: Got LDAP connection
[13-Apr-2016 08:55:27 Europe/Madrid] authLdapAction: Result of initial bind is 1
[13-Apr-2016 08:55:27 Europe/Madrid] authLdapAction: Found one entry using 'sAMAccountName'
[13-Apr-2016 08:55:27 Europe/Madrid] authLdapAction: base_dn 'cn=users,dc=example,dc=es' user user1 dn CN=usuario1,CN=Users,DC=example,DC=es
[13-Apr-2016 08:55:27 Europe/Madrid] authLdapCheckAdminGroupCallback: base_dn 'cn=users,dc=example,dc=es' dn 'CN=usuario1,CN=Users,DC=example,DC=es' user_search 'distinguishedName=CN=usuario1,CN=Users,DC=example,DC=es' user 'user1'
[13-Apr-2016 08:55:27 Europe/Madrid] authCheckAdminGroupCallback: search successful
All these lines are repeated 4 times for each login, same lines, same date, same time. Is that normal?
Now I have another issue: I can't be admin.
I have created 2 groups in my AD. I have:
FHA-USUARIOS-MRBS
FHA-ADMINISTRADORES-MRBS
All MRBS users are in FHA-USUARIOS-MRBS and it works. I am a member of both groups and I can log in, but I can't be admin.
I have this in config.inc.php:
$ldap_filter = "memberof=CN=FHA-USUARIOS-MRBS,OU=Unidad Grupos Seguridad Varios,DC=example,DC=es";
$ldap_admin_group_dn = 'CN=FHA-ADMINISTRADORES-MRBS,OU=Unidad Grupos Seguridad Varios,DC=example,DC=es';
If anyone who is in FHA-USUARIOS-MRBS tries to log in it works; if he is not in that group he can't. All right.
But if I log in I am not an admin user; nobody is admin, and I am sure I am in that group. Nobody is admin. We can make reservations but we can't approve them. The problem must be in the ldap_admin_group_dn variable. Do you know what it is?
Thank you.
Iván
If you have $ldap_admin_group_dn set, you need to also set $ldap_group_member_attrib
Is this set to the default, i.e.:
Your debug suggests it is not finding you as being a member of the group specified in $ldap_admin_group_dn - it should be noted that you have to be a direct member of the group. The LDAP code does not support nested groups, as this would significantly complicate the group membership code.
Last edit: John Beranek 2016-04-13
Dear John, you rock it!
It was just what you said. I set that variable and it works. Now it's useful for us.
Now I have more warnings in the debug file. I have 2 different groups of warnings. The first one only appears once, but the second one appears 15 times!!!! In spite of those warnings MRBS works.
Since it works I will disable LDAP debug, but I'll leave here what it shows, for what it's worth.
That's all I get for each login:
FIRST GROUP (only 1 time)
[14-Apr-2016 09:53:30 Europe/Berlin] authLdapAction: Got LDAP connection
[14-Apr-2016 09:53:30 Europe/Berlin] authLdapAction: Result of initial bind is 1
[14-Apr-2016 09:53:30 Europe/Berlin] authLdapAction: Found one entry using 'sAMAccountName'
[14-Apr-2016 09:53:30 Europe/Berlin] authLdapAction: base_dn 'cn=users,dc=example,dc=es' user user1 dn CN=Usuario1,CN=Users,DC=example,DC=es
[14-Apr-2016 09:53:30 Europe/Berlin] authValidateUserCallback: base_dn 'cn=users,dc=example,dc=es' dn 'CN=Usuario1,CN=Users,DC=example,DC=es' user 'user1'
[14-Apr-2016 09:53:30 Europe/Berlin] authValidateUserCallback: Successful authenticated bind checking 'memberof=CN=FHA-USUARIOS-MRBS,OU=Unidad Grupos Seguridad Varios,DC=example,DC=es'
[14-Apr-2016 09:53:30 Europe/Berlin] authValidateUserCallback: Trying filter: (memberof=CN=FHA-USUARIOS-MRBS,OU=Unidad Grupos Seguridad Varios,DC=example,DC=es): dn: CN=Usuario1,CN=Users,DC=example,DC=es: method: ldap_read
[14-Apr-2016 09:53:30 Europe/Berlin] authValidateUserCallback: Found entry with filter
SECOND GROUP (it repeats 15 times)
[14-Apr-2016 09:53:30 Europe/Berlin] authLdapAction: Got LDAP connection
[14-Apr-2016 09:53:30 Europe/Berlin] authLdapAction: Result of initial bind is 1
[14-Apr-2016 09:53:30 Europe/Berlin] authLdapAction: Found one entry using 'sAMAccountName'
[14-Apr-2016 09:53:30 Europe/Berlin] authLdapAction: base_dn 'cn=users,dc=example,dc=es' user user1 dn CN=Usuario1,CN=Users,DC=example,DC=es
[14-Apr-2016 09:53:30 Europe/Berlin] authLdapCheckAdminGroupCallback: base_dn 'cn=users,dc=example,dc=es' dn 'CN=Usuario1,CN=Users,DC=example,DC=es' user_search 'distinguishedName=CN=Usuario1,CN=Users,DC=example,DC=es' user 'user1'
[14-Apr-2016 09:53:30 Europe/Berlin] authCheckAdminGroupCallback: search successful memberof
Thank you very much.
Iván
Last edit: ivan 2016-04-14
OK, you're seeing the performance bug described in [bugs:#335].
This is fixed in the code repository, but has not yet been included in a release. It will be included in 1.5.1, whenever that is released.
Just a side point: the content in the error log can't really be considered warnings, it's debug output. Once you have LDAP auth working, just put $ldap_debug back to FALSE
Yes, you are right. That's what I did.
Your help was essential to me. Thank you John.
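The debug output Iván and John go through above can be triaged automatically once $ldap_debug is on. This is an added example, not MRBS code and not any poster's: the log excerpts are copied from the posts in this thread (with a constructed threefold repeat standing in for the 4x/15x sequences), and the mapping from each message to a verdict is this example's own reading of those lines, not the project's documentation.

```python
"""Triage helper for the $ldap_debug lines MRBS writes to the PHP error log.
Added example, not MRBS code. Sample logs are copied from the thread; the
message-to-verdict table is this example's own reading of those lines."""
import re
from collections import Counter

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<func>\w+): (?P<msg>.*)$")

# Substrings of debug messages, in login order, with the verdict each implies.
STAGES = [
    ("Didn't find entry",
     "FAIL: user not found under base_dn (check base_dn and the search account's read rights)"),
    ("Constructed dn",
     "WARN: no $ldap_dn_search_dn, DN built as <attrib>=<user>,<base_dn>"),
    ("Bind to '' failed",
     "FAIL: empty DN bind, the lookup step returned nothing"),
    ("failed: Invalid credentials",
     "FAIL: user bind rejected (wrong password or DN not bindable)"),
    ("Found entry with filter", "OK: $ldap_filter matched"),
    ("search successful", "OK: admin group check ran"),
]

# Constructed from the posts above (first failing run).
LOG_NOT_FOUND = """[08-Apr-2016 11:12:38 Europe/Berlin] authLdapAction: Got LDAP connection
[08-Apr-2016 11:12:38 Europe/Berlin] authLdapAction: Result of initial bind is 1
[08-Apr-2016 11:12:38 Europe/Berlin] authLdapAction: Didn't find entry using 'sAMAccountName'
[08-Apr-2016 11:12:38 Europe/Berlin] authLdapAction: base_dn 'DC=example,DC=es' user user1 dn
[08-Apr-2016 11:12:38 Europe/Berlin] authValidateUserCallback: base_dn 'DC=example,DC=es' dn '' user 'user1'
[08-Apr-2016 11:12:38 Europe/Berlin] authValidateUserCallback: Bind to '' failed""".splitlines()

# One working admin-check sequence, repeated three times in the same second
# (constructed stand-in for the 15x repetition reported in the thread).
LOG_ONE_LOGIN = """[14-Apr-2016 09:53:30 Europe/Berlin] authLdapAction: Got LDAP connection
[14-Apr-2016 09:53:30 Europe/Berlin] authLdapAction: Result of initial bind is 1
[14-Apr-2016 09:53:30 Europe/Berlin] authLdapAction: Found one entry using 'sAMAccountName'
[14-Apr-2016 09:53:30 Europe/Berlin] authLdapAction: base_dn 'cn=users,dc=example,dc=es' user user1 dn CN=Usuario1,CN=Users,DC=example,DC=es
[14-Apr-2016 09:53:30 Europe/Berlin] authLdapCheckAdminGroupCallback: base_dn 'cn=users,dc=example,dc=es' dn 'CN=Usuario1,CN=Users,DC=example,DC=es' user_search 'distinguishedName=CN=Usuario1,CN=Users,DC=example,DC=es' user 'user1'
[14-Apr-2016 09:53:30 Europe/Berlin] authCheckAdminGroupCallback: search successful memberof""".splitlines()
LOG_REPEATED = LOG_ONE_LOGIN * 3

# The last post's run: no search account, so MRBS constructs the DN itself.
LOG_NO_SEARCH_DN = """[21-Nov-2018 01:52:31 Europe/Berlin] authLdapAction: Got LDAP connection
[21-Nov-2018 01:52:31 Europe/Berlin] authLdapAction: Constructed dn 'sAMAccountName=testy.mctest,ou=MSC,dc=moyne,dc=vic,dc=gov,dc=au' and user_search 'sAMAccountName=testy.mctest' using 'sAMAccountName'
[21-Nov-2018 01:52:31 Europe/Berlin] authValidateUserCallback: base_dn 'ou=MSC,dc=moyne,dc=vic,dc=gov,dc=au' dn 'sAMAccountName=testy.mctest,ou=MSC,dc=moyne,dc=vic,dc=gov,dc=au' user 'testy.mctest'
[21-Nov-2018 01:52:31 Europe/Berlin] authValidateUserCallback: Bind to 'sAMAccountName=testy.mctest,ou=MSC,dc=moyne,dc=vic,dc=gov,dc=au' failed: Invalid credentials""".splitlines()


def parse(lines):
    """Split each '[ts] func: msg' line into its parts; skip anything else."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out


def triage(lines):
    """Return (findings, repeats). findings lists the verdicts in the order
    their messages first appear; repeats counts 'Got LDAP connection' lines
    per timestamp, so a value above 1 means the whole login sequence ran
    that many times for one login."""
    entries = parse(lines)
    findings = []
    for e in entries:
        for needle, verdict in STAGES:
            if needle in e["msg"] and verdict not in findings:
                findings.append(verdict)
    repeats = Counter(e["ts"] for e in entries if e["msg"] == "Got LDAP connection")
    return findings, repeats


if __name__ == "__main__":
    for name, log in [("not_found", LOG_NOT_FOUND), ("repeated", LOG_REPEATED),
                      ("no_search_dn", LOG_NO_SEARCH_DN)]:
        findings, repeats = triage(log)
        print(name, findings, dict(repeats))
```

Feed it the relevant slice of the PHP error log (one login attempt at a time); a repeat count above 1 for a single timestamp is the symptom John attributes to bug #335 and is not a configuration problem.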
I have a problem with a similar setup.
Do I have to be in the LDAP admin group AND in the LDAP user group to get access?
I got it. I need to also to be in the LDAP user group.
The config looks like that (for other people who may need a clue to solve a similar problem):
$ldap_filter = array("memberof=CN=mrbs.user,ou=some,ou=thing,dc=mywindomain,dc=domainname,dc=topleveldomain","memberof=CN=mrbs.admin,ou=some,ou=thing,dc=mywindomain,dc=domainname,dc=topleveldomain");
Captain Incognito
Hi, I have MRBS 1.7.1 and LDAP debug mode is not working. Why? I have altered the variable $ldap_debug = TRUE;
The LDAP debug output goes to the PHP error log. Are you getting any messages there?
We are having a similar issue
Here's our LDAP code in config.inc.php:
$auth["type"] = "ldap";
$ldap_host = "192.168.100.20";
$ldap_v3 = true;
$ldap_tls = false;
$ldap_base_dn = "ou=MSC,dc=moyne,dc=vic,dc=gov,dc=au";
$ldap_user_attrib = "sAMAccountName";
$ldap_debug = true;
in php.ini the extension=ldap has had the semicolon removed
It just doesn't seem to want to connect to our LDAP AD for authentication. Do we need to set up a group, or is there something else I'm missing?
And this is the debug log:
[21-Nov-2018 01:52:31 Europe/Berlin] authLdapAction: Got LDAP connection
[21-Nov-2018 01:52:31 Europe/Berlin] authLdapAction: Constructed dn 'sAMAccountName=testy.mctest,ou=MSC,dc=moyne,dc=vic,dc=gov,dc=au' and user_search 'sAMAccountName=testy.mctest' using 'sAMAccountName'
[21-Nov-2018 01:52:31 Europe/Berlin] authValidateUserCallback: base_dn 'ou=MSC,dc=moyne,dc=vic,dc=gov,dc=au' dn 'sAMAccountName=testy.mctest,ou=MSC,dc=moyne,dc=vic,dc=gov,dc=au' user 'testy.mctest'
[21-Nov-2018 01:52:31 Europe/Berlin] authValidateUserCallback: Bind to 'sAMAccountName=testy.mctest,ou=MSC,dc=moyne,dc=vic,dc=gov,dc=au' failed: Invalid credentials
Signed in now - these were me
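The login sequence that the debug lines across this thread trace (search-account bind, user lookup, user bind, $ldap_filter check, admin group check) can be replayed offline to see where each configuration posted here fails. This is an added example, not MRBS code and not any poster's: it uses a constructed in-memory directory with shortened group DNs (OU=Grupos), made-up passwords, and a hypothetical mrbs_ldap_login() function that mirrors the steps named in the authLdapAction and authValidateUserCallback messages; it contacts no server. It also models the last post's log, where no $ldap_dn_search_dn is set so MRBS constructs 'sAMAccountName=<user>,<base_dn>' as the bind DN; the example treats that as the cause of the invalid-credentials bind, since Active Directory user entries have DNs of the form CN=<name>,... and not sAMAccountName=<user>,....

```python
"""Offline model of the MRBS LDAP login sequence seen in this thread's debug
logs. Added example, not MRBS code: the directory, DNs, passwords and the
config keys below are constructed for the demo, and attribute names and DNs
are compared case-insensitively as an AD server would."""

# Constructed stand-in for the AD subtree the thread searches in.
DIRECTORY = {
    "cn=usrldapconector,ou=generics,dc=example,dc=es": {
        "samaccountname": ["usrLdapConector"], "memberof": []},
    "cn=usuario1,cn=users,dc=example,dc=es": {
        "samaccountname": ["user1"],
        "memberof": ["CN=FHA-USUARIOS-MRBS,OU=Grupos,DC=example,DC=es",
                     "CN=FHA-ADMINISTRADORES-MRBS,OU=Grupos,DC=example,DC=es"]},
    "cn=usuario2,cn=users,dc=example,dc=es": {
        "samaccountname": ["user2"],
        "memberof": ["CN=FHA-USUARIOS-MRBS,OU=Grupos,DC=example,DC=es"]},
    # usuario3 is an admin only through a nested group; memberOf is not
    # expanded transitively, so a direct-membership check will not see it.
    "cn=usuario3,cn=users,dc=example,dc=es": {
        "samaccountname": ["user3"],
        "memberof": ["CN=FHA-USUARIOS-MRBS,OU=Grupos,DC=example,DC=es",
                     "CN=NESTED-ADMINS,OU=Grupos,DC=example,DC=es"]},
}
PASSWORDS = {"cn=usrldapconector,ou=generics,dc=example,dc=es": "password",
             "cn=usuario1,cn=users,dc=example,dc=es": "s3cret",
             "cn=usuario2,cn=users,dc=example,dc=es": "s3cret",
             "cn=usuario3,cn=users,dc=example,dc=es": "s3cret"}


def norm(dn):
    return dn.strip().lower()


def parse_filter(flt):
    """'attr=value' or '(attr=value)' -> (attr, value); None if malformed.
    A bare DN such as 'cn=users,dc=example,dc=es' parses as attr 'cn' with
    value 'users,dc=example,dc=es', which no entry will ever match."""
    flt = flt.strip()
    if flt.startswith("(") and flt.endswith(")"):
        flt = flt[1:-1]
    if "=" not in flt:
        return None
    attr, value = flt.split("=", 1)
    return attr.strip().lower(), value.strip()


def entry_matches(entry, flt):
    parsed = parse_filter(flt)
    if parsed is None:
        return False
    attr, value = parsed
    return any(norm(v) == norm(value) for v in entry.get(attr, []))


def ldap_bind(dn, password):
    return PASSWORDS.get(norm(dn)) == password


def ldap_search(base, flt):
    """DNs under base whose entry matches the single-term filter."""
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith(norm(base)) and entry_matches(entry, flt)]


def mrbs_ldap_login(cfg, user, password):
    """Replay the steps the debug lines show. Returns (ok, is_admin, stage, dn)
    where stage names the first failing step, or 'ok'."""
    base = cfg["ldap_base_dn"]
    # 1. Find the user's DN: search with the service account when one is
    # configured, otherwise build '<attrib>=<user>,<base>' as the
    # 'Constructed dn' log line does (not a DN form AD user entries have).
    if cfg.get("ldap_dn_search_dn"):
        if not ldap_bind(cfg["ldap_dn_search_dn"], cfg["ldap_dn_search_password"]):
            return False, False, "search_bind", None
        hits = ldap_search(base, f"{cfg['ldap_dn_search_attrib']}={user}")
        if len(hits) != 1:
            return False, False, "lookup", None   # "Didn't find entry using ..."
        dn = hits[0]
    else:
        dn = f"{cfg['ldap_user_attrib']}={user},{base}"
    # 2. Authenticate the user with a bind on that DN.
    if not ldap_bind(dn, password):
        return False, False, "bind", dn          # "Bind to '...' failed"
    entry = DIRECTORY[norm(dn)]
    # 3. $ldap_filter is evaluated against the user's own entry (ldap_read).
    if cfg.get("ldap_filter") and not entry_matches(entry, cfg["ldap_filter"]):
        return False, False, "filter", dn
    # 4. Admin check: direct membership only, and only when
    # $ldap_group_member_attrib says which attribute to read.
    is_admin = False
    group_dn, attrib = cfg.get("ldap_admin_group_dn"), cfg.get("ldap_group_member_attrib")
    if group_dn and attrib:
        is_admin = any(norm(g) == norm(group_dn) for g in entry.get(attrib.lower(), []))
    return True, is_admin, "ok", dn


WORKING = {
    "ldap_base_dn": "cn=users,dc=example,dc=es",
    "ldap_user_attrib": "sAMAccountName",
    "ldap_dn_search_attrib": "sAMAccountName",
    "ldap_dn_search_dn": "CN=usrLdapConector,OU=GENERICS,DC=example,DC=es",
    "ldap_dn_search_password": "password",
    "ldap_filter": "memberof=CN=FHA-USUARIOS-MRBS,OU=Grupos,DC=example,DC=es",
    "ldap_admin_group_dn": "CN=FHA-ADMINISTRADORES-MRBS,OU=Grupos,DC=example,DC=es",
    "ldap_group_member_attrib": "memberof",
}
DN_AS_FILTER = dict(WORKING, ldap_filter="cn=users,dc=example,dc=es")   # first post
NO_SEARCH_DN = {"ldap_base_dn": "cn=users,dc=example,dc=es",             # last post
                "ldap_user_attrib": "sAMAccountName"}
NO_MEMBER_ATTRIB = {k: v for k, v in WORKING.items() if k != "ldap_group_member_attrib"}

if __name__ == "__main__":
    for name, cfg in [("working", WORKING), ("dn_as_filter", DN_AS_FILTER),
                      ("no_search_dn", NO_SEARCH_DN), ("no_member_attrib", NO_MEMBER_ATTRIB)]:
        print(name, mrbs_ldap_login(cfg, "user1", "s3cret"))
```

Run it and compare the stage it reports with the last debug line you see for a real login: a DN where a filter belongs stops at the filter step, a missing search account stops at the user bind with a constructed DN, an admin group without $ldap_group_member_attrib logs in but never becomes admin, and nested group membership never counts.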