User unknown in LDAP

Help
2007-07-02
2013-04-25
  • Brandon Blackmoor

    I am starting a new thread, because I solved the major problem that was the primary topic of the old thread (i.e., a blank loginauth.php screen).

    The new problem is that I attempt to log in and I get an error that says "User unknown in LDAP".

    Here are my ldap settings from OpenIT:

    login_type = ldap
    login_field = text
    server = pmurdegcp01.pmusa.net
    context = "DC=pmusa,DC=net"
    loginfield = cn
    usedummy = true
    truelogin = "distinguishedname"
    dummylogin = pmusa\blackmob
    dummypassword = XXXXXXXX

    I have also tried these contexts (not at the same time, of course):

    context = "O=PMUSA,OU=PMUSA Administrative Group,DC=pmusa,DC=net"
    context = "OU=Users,DC=pmusa,DC=net"

    Here is the output of the UserName command from joeware.net:

    set UN-DN=CN=Blackmoor\, Brandon,OU=Non-Employees,OU=Users,OU=Users and Workstations,OU=PMUSA,DC=pmusa,DC=net
    set UN-SAM=PMUSA\blackmob
    set UN-UniqueID={f35e4550-96e3-4ec4-bdaa-47aa5f185463}
    set UN-UPN=Brandon.Blackmoor@pmusa.net

    I have tried logging in as:

    Blackmoor, Brandon
    blackmob
    pmusa\blackmob
    brandon.blackmoor.contractor@pmusa.com
    brandon.blackmoor@pmusa.com

    Each time, I get this error above the login form:

    User unknown in LDAP

    However, the dummy login appears to be working correctly, because if I change it, OpenIT returns an error saying that the dummy ID login failed. So it appears to be working. Now, if I can just get the non-dummy login to work....

    I have set "Debug = on" in the OpenIT settings file, but I do not see any debug information anywhere. Where should I look for this debug information?

    • Brandon Blackmoor

      Okay, I have tried using all of these logins:

      Brandon Blackmoor
      Blackmoor, Brandon
      blackmob
      pmusa\blackmob
      brandon.blackmoor.contractor@pmusa.com
      brandon.blackmoor@pmusa.com
      brandon.blackmoor.contractor@pmusa.net
      brandon.blackmoor@pmusa.net
      Brandon.Blackmoor@pmusa.net

      With all of these loginfield values:

      cn
      dn
      upn
      sAMAccountname

      In each case, "User unknown in LDAP" is displayed above the login form.

      Does anyone have any suggestions? How can I enable debug statements in OpenIT?

      • Nick Vrtis

        Nick Vrtis - 2007-07-05

        Which version of OpenIT are you using?

        How much PHP do you know?

        Here is some test code that should dump all of the 'cn' in the context from the setup.ini with 'black' in them. That should help you figure out what to use.

        Cut and paste the code part of this, put it in the OpenIT root directory as adtest.php, and bring it up in your browser. The results are really pretty, but should let you find what CN you need to enter.

        Nick

        <?php
        require_once('inc/common.php');

        /* Produces a dump of various user information */

        // Different types of accounts in AD (sAMAccountType values);
        // constant names must be quoted strings for define()
        define('ADLDAP_NORMAL_ACCOUNT', 805306368);
        define('ADLDAP_DISTRIBUTION_GROUP', 268435457);

        // Since we will be browsing the AD, we WILL need a 'dummy' login
        if (strlen($settings['LDAP']['dummylogin']) == 0 ||
            strlen($settings['LDAP']['dummypassword']) == 0) {
            die('LDAP dummy not configured correctly.');
        }
        // Bind to the dummy account so we can do a search
        $dmyc = ldap_connect($settings['LDAP']['server']) or die("Could not connect to LDAP Server");
        ldap_set_option($dmyc, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($dmyc, LDAP_OPT_REFERRALS, 0);
        //echo $settings['LDAP']['dummylogin'].$settings['LDAP']['loginid_suffix'],'<br>';
        $dmyb = ldap_bind($dmyc, $settings['LDAP']['dummylogin'].$settings['LDAP']['loginid_suffix'],
            $settings['LDAP']['dummypassword']) or die('LDAP dummy login failed');
        $dmyx = $settings['LDAP']['context'];
        $alladusers = all_users_info(array('samaccountname', 'displayname', 'cn', 'mail'),
            'samaccountname', '*black*');
        // 'alladusers' has ALL the normal Active Directory users matching the search.
        echo '<pre>'; var_dump($alladusers); echo '</pre>';
        ldap_unbind($dmyc);

        /* These functions are borrowed heavily from the AdLDAP open source project */

        function all_users_info($fields = NULL, $rtnkey = false, $search = "*") {
            global $dmyc, $dmyx;
            // Returns information on all AD users whose cn matches $search.
            // NOTE: $search goes into the filter unescaped; only pass a literal
            // you typed yourself here, never a value taken from the request.

            // Perform the search and grab all their details
            $filter = "(&(objectClass=user)(samaccounttype=".ADLDAP_NORMAL_ACCOUNT.")(objectCategory=person)(cn=$search))";
            if ($fields == NULL) {
                $fields = array('samaccountname', 'displayname');
            }
            var_dump($filter);
            var_dump($fields);
            $sr = ldap_search($dmyc, $dmyx, $filter, $fields);
            if ($sr === false) {
                die('LDAP search failed: '.ldap_error($dmyc));
            }
            $entries = ldap_get_entries($dmyc, $sr);
            // LDAP returns an array that is "ugly" for a PHP coder, so we make it easier
            $users_array = array();    // always return an array, even with no matches
            $cnti = $entries['count'];

            for ($i = 0; $i < $cnti; $i++) {
                $info = array();
                $cntj = $entries[$i]['count'];
                for ($j = 0; $j < $cntj; $j++) {
                    $key = $entries[$i][$j];
                    $valcnt = $entries[$i][$key]['count'];
                    if ($valcnt > 1) {    // See if we have more than 1 value
                        $valinfo = array();
                        for ($k = 0; $k < $valcnt; $k++) {
                            if ($key == 'memberof') {
                                // Keep only the group's CN (text between "CN=" and the first comma)
                                $pos = strpos($entries[$i][$key][$k], ',');
                                if ($pos === false) {
                                    // Would not expect to get this.. but just in case.
                                    $valinfo[] = $entries[$i][$key][$k];
                                } else {
                                    $valinfo[] = substr($entries[$i][$key][$k], 3, $pos - 3);
                                }
                            } else {
                                $valinfo[] = $entries[$i][$key][$k];
                            }
                        }
                        $info[$key] = $valinfo;
                    } else {
                        if ($key == 'memberof') {
                            $pos = strpos($entries[$i][$key][0], ',');
                            if ($pos === false) {
                                // Would not expect to get this.. but just in case.
                                $info[$key] = array($entries[$i][$key][0]);
                            } else {
                                $info[$key] = array(substr($entries[$i][$key][0], 3, $pos - 3));
                            }
                        } else {
                            $info[$key] = $entries[$i][$key][0];    // Only 1.. return as a normal value
                        }
                    }
                }
                if ($rtnkey === false) {
                    $users_array[] = $info;
                } else {
                    if (isset($info[$rtnkey])) {
                        $users_array[strtolower($info[$rtnkey])] = $info;
                    } else {
                        $users_array[] = $info;
                    }
                }
            }
            ldap_free_result($sr);
            return ($users_array);
        }
        ?>
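
        The lookup only matches when the value typed at the login form equals what AD stores in the attribute named by loginfield (compare the UN-DN, UN-SAM and UN-UPN values from the UserName output above). As an added example, not OpenIT code or anything posted in this thread, the Python below maps each loginfield value tried above to its AD attribute and builds the search filter with RFC 4515 escaping, so a comma, backslash or wildcard in the login cannot change the filter (adtest.php interpolates its search string unescaped), and applies RFC 4514 escaping to turn the CN "Blackmoor, Brandon" into the CN=Blackmoor\, Brandon form seen in the DN. Stripping a DOMAIN\ prefix before a sAMAccountName lookup is an assumption about how the name is typed, not something the thread states.

```python
# Added example (not OpenIT code): build the AD user-lookup filter for each
# loginfield value tried in this thread, escaping the login value so that a
# comma, backslash or wildcard in it cannot alter the filter or the DN.
# The sAMAccountType value is the "normal account" constant from adtest.php.
NORMAL_ACCOUNT = 805306368

# loginfield as written in OpenIT's settings -> the AD attribute to search
LOGINFIELD_ATTR = {
    "cn": "cn",
    "dn": "distinguishedName",
    "upn": "userPrincipalName",
    "samaccountname": "sAMAccountName",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value inside a DN (e.g. a CN)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")
        elif ch in '\\,+"<>;=' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def normalize_login(loginfield: str, login: str) -> str:
    """Assumption: sAMAccountName is stored without a DOMAIN\\ prefix the user typed."""
    if loginfield.lower() == "samaccountname" and "\\" in login:
        return login.split("\\", 1)[1]
    return login


def build_user_filter(loginfield: str, login: str) -> str:
    """Filter that selects one normal user account by the chosen attribute."""
    attr = LOGINFIELD_ATTR[loginfield.lower()]
    value = escape_filter_value(normalize_login(loginfield, login))
    return ("(&(objectClass=user)(objectCategory=person)(sAMAccountType=%d)(%s=%s))"
            % (NORMAL_ACCOUNT, attr, value))


def build_user_dn(cn: str, context: str) -> str:
    """Compose CN=<cn>,<context>; a comma inside the CN must be escaped."""
    return "CN=%s,%s" % (escape_dn_value(cn), context)
```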
    • Brandon Blackmoor

      I found the reason why the Active Directory lookup was not working. There are required statements missing from "ldap_auth.php". I will write up what is needed to make ldap_auth.php work properly and post it in a new thread in the Developers topic under the title "ldap_auth.php changes".

    • LucioG

      LucioG - 2007-07-19

      Hi, I've used your ldap_auth.php but it gives me an error:
      Warning: Cannot modify header information - headers already sent by (output started at c:\Inetpub\wwwroot\OpenIT\login\ldap_auth.php:172) in c:\Inetpub\wwwroot\OpenIT\inc\common.php on line 110
      Any suggestions?

      • Brandon Blackmoor

        Make sure that you do not have any blank lines before or after the <?php ... ?> tags.
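
        The warning above means ldap_auth.php emitted bytes before common.php tried to send headers; with an included file that is usually a UTF-8 BOM or whitespace before <?php, or more than the single newline PHP swallows after the last ?>. The Python check below is an added example, not OpenIT code or anything posted in this thread, that flags exactly those stray bytes in a PHP source file; the sample file it ships with is constructed.

```python
import sys

BOM = b"\xef\xbb\xbf"


def find_stray_output(source: bytes):
    """Return (reason, bytes) pairs for content PHP would send before any header() call.

    Limitation: the last '?>' is located textually, so a '?>' inside a string
    or comment would be mistaken for the closing tag.
    """
    problems = []
    body = source
    if body.startswith(BOM):
        problems.append(("utf-8 BOM before <?php", BOM))
        body = body[len(BOM):]
    open_at = body.find(b"<?php")
    if open_at == -1:
        return problems + [("no <?php tag; whole file is output", body[:40])]
    if open_at > 0:
        problems.append(("bytes before <?php", body[:open_at]))
    close_at = body.rfind(b"?>")
    if close_at != -1:
        tail = body[close_at + 2:]
        # PHP swallows exactly one newline directly after ?>; anything else is output.
        if tail.startswith(b"\r\n"):
            tail = tail[2:]
        elif tail.startswith(b"\n"):
            tail = tail[1:]
        if tail:
            problems.append(("bytes after ?>", tail))
    return problems


# Constructed sample: a valid include file followed by one extra blank line.
SAMPLE = b"<?php\nfunction ldap_login() { return true; }\n?>\n\n"

if __name__ == "__main__":
    # Usage: python check_php_tags.py path/to/ldap_auth.php (defaults to SAMPLE)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for reason, found in find_stray_output(data):
        print("%s: %r" % (reason, found))
```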