
LDAP Fails To Work

Posted: Wed Oct 17, 2012 6:45 pm
by JEmlay
Active Directory via Windows Server 2012 using phpMyFAQ 2.8.0-alpha2

I already know LDAP works via PHP using a test script (I'll include it at the bottom). I turned on LDAP and created ldap.php:

<?php
// Main LDAP server
$PMF_LDAP['ldap_server'] = '10.10.10.204';
$PMF_LDAP['ldap_port'] = 389;
$PMF_LDAP['ldap_user'] = 'jemlay';
$PMF_LDAP['ldap_password'] = '********';
$PMF_LDAP['ldap_base'] = '??????'; <- what is this?

I don't understand why a username and password are needed. Shouldn't that be provided when the user logs in?

Now, when I attempt to login I get the following error no matter what I specify in the ldap_base (I tried "OU=Admin Users & Computers,DC=domain,DC=com"):

Fatal error: Call to a member function getLdapConfig() on a non-object in G:\KB\inc\Auth\Ldap.php on line 72


Here's my test script:
<?php
$ds = ldap_connect( 'ldap://10.10.10.204/' );
// try anonymous login to test connection
$anon = @ldap_bind( $ds );
if ( !$anon ) {
print("Failed");
}
else {
print("It Worked!");
}
// now try a real login
$login = @ldap_bind( $ds, 'jemlay@domain.com', '********' );
print("<br><br>");
if ( !$login ) {
print("Auth Failed");
}
else {
print("Auth Worked!");
}
?>

Re: LDAP Fails To Work

Posted: Wed Oct 17, 2012 8:50 pm
by cosmin1086
I am having the same problem, I've configured it as per the below:


$PMF_LDAP['ldap_server'] = 'x.x.x.x';
$PMF_LDAP['ldap_port'] = 389;
$PMF_LDAP['ldap_user'] = 'domain\user';
$PMF_LDAP['ldap_password'] = 'password';
$PMF_LDAP['ldap_base'] = 'OU=test,DC=domain,DC=ca';


Any ideas as to what I'm doing wrong??

Re: LDAP Fails To Work

Posted: Wed Oct 17, 2012 11:46 pm
by JEmlay
I tried:

domain\user
user
user@domain.com

I've tried turning on/off the domain required variable in constants_ldap.php.

Nothing I've tried works.

Did you try my test script to make sure LDAP in PHP is working?

Re: LDAP Fails To Work

Posted: Thu Oct 18, 2012 10:46 am
by Thorsten
Hi,

looks like a programming issue in the alpha2, I'll check it.

bye
Thorsten

Re: LDAP Fails To Work

Posted: Thu Oct 18, 2012 10:54 am
by Thorsten

Re: LDAP Fails To Work

Posted: Thu Oct 18, 2012 2:08 pm
by cosmin1086
Perfect, thanks Thorsten!

Re: LDAP Fails To Work

Posted: Thu Oct 18, 2012 6:06 pm
by JEmlay
Thanks very much Thorsten.

Now, users from the OU "Users" can log in. However, I'm noticing a problem. Those are the ONLY users that can login. We have users in other OUs on the same root as Users and none of them can login. It says, "Wrong login name or password."

Even if I specify those OUs in the ldap_base it still ignores them.

<?php
// Main LDAP server
$PMF_LDAP['ldap_server'] = '10.10.10.204';
$PMF_LDAP['ldap_port'] = 389;
$PMF_LDAP['ldap_user'] = 'DOMAIN\username';
$PMF_LDAP['ldap_password'] = 'password';
$PMF_LDAP['ldap_base'] = 'OU=Admin Users & Computers,DC=domain,DC=com';

If I only specify "$PMF_LDAP['ldap_base'] = 'DC=domain,DC=com';" ....shouldn't that be the entire domain? That works but only users in the USER OU are accepted.

Any ideas? Thanks again!

Re: LDAP Fails To Work

Posted: Thu Oct 18, 2012 7:39 pm
by Thorsten
Hi,

is this DN base working with other systems?

bye
Thorsten

Re: LDAP Fails To Work

Posted: Thu Oct 18, 2012 7:46 pm
by JEmlay
Yes, using the test script I posted above I can login via PHP using LDAP with any user in my domain.

Re: LDAP Fails To Work

Posted: Thu Oct 18, 2012 10:13 pm
by JEmlay
So it all comes down to this. In order for any user to login the "displayName" must match the "sAMAccountName".

cn = thisis atest
name = thisis atest
givenName = thisis
sn = atest
userPrincipalName = hello5555@domain.com
displayName = hello1234
sAMAccountName = hello4321

That user can NOT log in. If you change the displayName to hello4321, then the user can login.

However, that's problematic because Windows auto creates the displayName to be a concatenation of the first and last names so the displayName will never match the login name unless I manually change every single user.

What I can't figure out is why does the PHP code even care about the displayName? I don't see it being used anywhere. You use "cn" to display the users name. ldap_bind certainly doesn't use it.

Thanks again for the chat Thorsten, I appreciate it!

Re: LDAP Fails To Work

Posted: Fri Oct 19, 2012 6:57 am
by Thorsten
Hi,

I'll try to fix the issue with the whitespaces in Windows usernames, should be fixable. Thanks for your help!

bye
Thorsten

Re: LDAP Fails To Work

Posted: Fri Oct 19, 2012 5:23 pm
by JEmlay
Are you sure it's a white space issue? This user can't login:

displayName = hello1234
sAMAccountName = hello4321

There's no space. Those two fields must match each other. If I change either field to match then it works.

Re: LDAP Fails To Work

Posted: Sat Oct 20, 2012 7:38 am
by Thorsten
Hi,

phpMyFAQ checks only the "samAccountName" by default, this is what you can change in config/constants_ldap.php

bye
Thorsten

Re: LDAP Fails To Work

Posted: Sat Oct 20, 2012 8:07 pm
by JEmlay
It has to be checking the displayName somewhere.

can not login:
displayName = hello1234
sAMAccountName = hello4321

can login:
displayName = hello4321
sAMAccountName = hello4321

can not login:
displayName = Justin Emlay
sAMAccountName = jemlay

can login:
displayName = jemlay
sAMAccountName = jemlay

Yes, the sAMAccountName must be used to perform the login however it only works if those two fields equal each other. Where else would this check be coming from?

One of my buddies agreed to install your faq within his own domain. He's still on 2008 R2 and he found the same problem. None of his users can login unless the displayName matches the sAMAccountName.
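
For reference, here is the lookup-then-bind pattern the thread's test script and the displayName discussion both point at, as an added example that is not phpMyFAQ's code: a service account searches the whole domain by sAMAccountName only (subtree scope, so accounts in any OU are found), and the user's own DN is then bound with the submitted password, so the displayName never enters the decision. The server address, service account, base DN and passwords are assumed placeholders, and ldap_escape() needs PHP 5.6 or later.

```php
<?php
// Added example (not phpMyFAQ code): authenticate an AD user by
// sAMAccountName lookup followed by a bind as the user's own DN.
// Server, service account, base DN and passwords are assumed placeholders.
$server  = 'ldap://10.10.10.204/';
$svcUser = 'svc_faq@domain.com';           // assumed service account (UPN form)
$svcPass = 'service-password';             // assumed
$baseDn  = 'DC=domain,DC=com';             // whole domain, not a single OU

function ad_authenticate($server, $svcUser, $svcPass, $baseDn, $login, $password)
{
    if ($password === '') {                // AD treats an empty password as an anonymous bind
        return false;
    }
    $ds = ldap_connect($server);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // do not chase AD referrals
    if (!@ldap_bind($ds, $svcUser, $svcPass)) {
        ldap_close($ds);
        return false;                      // service account bind failed
    }
    // Filter on sAMAccountName only; displayName plays no part in the lookup.
    // ldap_escape() stops "*" or ")" in the login from widening the filter.
    $filter = '(&(objectClass=user)(sAMAccountName='
            . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . '))';
    // ldap_search() uses subtree scope, so users in any OU under $baseDn match.
    $res = ldap_search($ds, $baseDn, $filter, array('displayName'));
    if ($res === false || ldap_count_entries($ds, $res) !== 1) {
        ldap_close($ds);
        return false;                      // unknown or ambiguous account
    }
    $userDn = ldap_get_dn($ds, ldap_first_entry($ds, $res));
    // Second bind as the user proves the password; nothing else is compared.
    $ok = @ldap_bind($ds, $userDn, $password);
    ldap_close($ds);
    return $ok;
}

if (ad_authenticate($server, $svcUser, $svcPass, $baseDn, 'hello4321', 'user-password')) {
    echo "login ok\n";
} else {
    echo "login failed\n";
}
```

With this flow a user whose displayName is "Justin Emlay" and whose sAMAccountName is "jemlay" logs in as "jemlay" regardless of the display name.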

Re: LDAP Fails To Work

Posted: Sun Oct 21, 2012 9:33 am
by Thorsten
Hi,

thanks for checking this out, I'll work on it!

Cheers
Thorsten