LDAP query failed


dorian
Posts: 5
Joined: Fri Sep 24, 2021 12:14 pm

LDAP query failed

Post by dorian »

Hi guys,

May I please ask for your help here: version 3.0.9; I have configured LDAP to an AD 2019 server.

I see on a running trace on that AD machine the binding request successful, then the search request when trying to authenticate on the FaQ but then the answer comes with 0 results. Message displayed is "Wrong login name or password."

I am trying also to auth on the FaQ with the service account - no joy.
Tried also with or without adding the user to a group (memberOf) again with no success.

I see in the trace the query is: "Filter: (&(samAccountName=php)(memberOf:1.2.840.113556.1.4.1941:=wiki))"
Bootstrap DEBUG is on; I see no error at the top of the screen.

What am I doing wrong?

Many thanks!
Thorsten
Posts: 15559
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP query failed

Post by Thorsten »

Hi,

can you please post your LDAP configuration here?

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
dorian
Posts: 5
Joined: Fri Sep 24, 2021 12:14 pm

Re: LDAP query failed

Post by dorian »

Hi,

here you go - some values below substituted

// Main LDAP server
$PMF_LDAP['ldap_server'] = 'srv-ip';
$PMF_LDAP['ldap_port'] = 389;
$PMF_LDAP['ldap_user'] = 'netbios\scheduling';
$PMF_LDAP['ldap_password'] = 'mypass';
$PMF_LDAP['ldap_base'] = 'dc=netbios,dc=local';

and
config_name config_value
ldap.ldapSupport true
ldap.ldap_dynamic_login_attribute uid
ldap.ldap_mapping.mail mail
ldap.ldap_mapping.memberOf wiki
ldap.ldap_mapping.name cn
ldap.ldap_mapping.username samAccountName
ldap.ldap_options.LDAP_OPT_PROTOCOL_VERSION 3
ldap.ldap_options.LDAP_OPT_REFERRALS 0
ldap.ldap_use_anonymous_login false
ldap.ldap_use_domain_prefix false
ldap.ldap_use_dynamic_login false
ldap.ldap_use_memberOf true
ldap.ldap_use_multiple_servers false
ldap.ldap_use_sasl false

Thanks!
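
Added example, not part of the thread and not phpMyFAQ's own code: Active Directory stores distinguished names in memberOf, so a bare group name such as the wiki value in the traced filter does not match a member entry. The sketch builds the same filter shape with a full group DN and escaped input; buildLoginFilter and the group DN CN=wiki,OU=Groups,DC=netbios,DC=local are assumptions for illustration, and ldap_escape() needs PHP's ldap extension.

```php
<?php
declare(strict_types=1);

// Matching-rule OID seen in the traced filter (LDAP_MATCHING_RULE_IN_CHAIN).
const IN_CHAIN = '1.2.840.113556.1.4.1941';

/**
 * Build an AD search filter for a login name and a required group.
 * $groupDn must be the group's full distinguishedName, because memberOf
 * holds DNs and the in-chain rule compares DNs.
 */
function buildLoginFilter(string $login, string $groupDn): string
{
    // Loose shape check only: attr=value components ending in a DC component.
    if (!preg_match('/^[a-z]+=[^,]+(,[a-z]+=[^,]+)*,dc=[^,]+$/i', $groupDn)) {
        throw new InvalidArgumentException("memberOf value is not a DN: $groupDn");
    }
    // Escape both values so *, (, ) and \ from the login form stay literal.
    $user  = ldap_escape($login, '', LDAP_ESCAPE_FILTER);
    $group = ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER);

    return "(&(sAMAccountName=$user)(memberOf:" . IN_CHAIN . ":=$group))";
}

// Constructed sample values; the group DN is hypothetical.
$cases = [
    ['php', 'CN=wiki,OU=Groups,DC=netbios,DC=local'],
    ['ph*', 'CN=wiki,OU=Groups,DC=netbios,DC=local'], // wildcard is escaped
    ['php', 'wiki'],                                   // bare name is rejected
];
foreach ($cases as [$login, $group]) {
    try {
        echo buildLoginFilter($login, $group), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```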
Thorsten
Posts: 15559
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP query failed

Post by Thorsten »

Hi,

please try to set ldap.ldap_use_dynamic_login to true.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
dorian
Posts: 5
Joined: Fri Sep 24, 2021 12:14 pm

Re: LDAP query failed

Post by dorian »

hi

now I get

phpMyFAQ warning [2]: ldap_bind(): Unable to bind to server: Invalid credentials in /var/www/html/src/phpMyFAQ/Ldap.php on line 170

with the above value to false, binding was successful:
LDAP 91 bindRequest(1) "netbios_domain\scheduling" simple

and after the change:
LDAP 113 bindRequest(1) "uid=netbios_domain\scheduling,dc=netbios_domain,dc=local" simple
LDAP 164 bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563)

thanks
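
Added example, not part of the thread and not phpMyFAQ's own code: a small parser for the trace lines posted above that pairs each bindResponse with the bind name it answers, labels the name's shape, and decodes the "data" sub-code in the AD diagnostic string. The function names are assumptions; the sub-code table lists the commonly seen Win32 logon error values.

```php
<?php

// "data" sub-codes AD returns on a failed bind (Win32 logon errors, hex).
const AD_BIND_SUBCODES = [
    '525' => 'no such user',
    '52e' => 'unknown user name or bad password',
    '530' => 'logon not permitted at this time',
    '531' => 'logon not permitted from this workstation',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must change password',
    '775' => 'account locked out',
];

/** Classify a simple-bind name by its shape only (no directory lookup). */
function bindNameForm(string $name): string
{
    if (preg_match('/^[a-z]+=.+,dc=[^,]+$/i', $name)) {
        return 'DN';
    }
    return strpos($name, '\\') !== false ? 'DOMAIN\user' : 'other';
}

/** Pair each bindResponse with the preceding bindRequest of the same message ID. */
function analyseBindTrace(array $lines): array
{
    $names = $report = [];
    foreach ($lines as $line) {
        if (preg_match('/bindRequest\((\d+)\) "([^"]*)"/', $line, $m)) {
            $names[$m[1]] = $m[2];
        } elseif (preg_match('/bindResponse\((\d+)\) (\w+)(?:.*?data ([0-9a-f]+),)?/i', $line, $m)) {
            $name = $names[$m[1]] ?? '';
            $sub  = strtolower($m[3] ?? '');
            $report[] = [$name, bindNameForm($name), $m[2], AD_BIND_SUBCODES[$sub] ?? 'n/a'];
        }
    }
    return $report;
}

// Trace lines as posted above.
$trace = [
    'LDAP 91 bindRequest(1) "netbios_domain\scheduling" simple',
    'LDAP 113 bindRequest(1) "uid=netbios_domain\scheduling,dc=netbios_domain,dc=local" simple',
    'LDAP 164 bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563)',
];
foreach (analyseBindTrace($trace) as $row) {
    echo implode(' | ', $row), PHP_EOL;
}
```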
Thorsten
Posts: 15559
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP query failed

Post by Thorsten »

Hi,

with the change above you now try to bind with the user credentials. Maybe your AD admin can help here.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
dorian
Posts: 5
Joined: Fri Sep 24, 2021 12:14 pm

Re: LDAP query failed

Post by dorian »

Hi

Thorsten, credentials were not changed. The binding was working when it was set to false, with true not anymore and that was the only change.

This is a lab environment and I am the admin of that AD domain.
With the proposed change the FAQ sends now something that a vanilla ADDS 2019 (one domain, single forest, users in the same OU, functional level for both is 2016) does not accept.

I guess the question is: is it supposed to be working with Active Directory?
If the answer for the above is yes, can you please share a config that works with Windows Server AD?

Many thanks!
dorian
Posts: 5
Joined: Fri Sep 24, 2021 12:14 pm

Re: LDAP query failed

Post by dorian »

Hi,

the problem could be the LDAP query: is there a way this can be customised?

thank you
Thorsten
Posts: 15559
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP query failed

Post by Thorsten »

Hi,

the queries are in this class: https://github.com/thorsten/phpMyFAQ/bl ... Q/Ldap.php

Thanks in advance!

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
olly
Posts: 15
Joined: Tue Mar 29, 2022 2:01 pm

Re: LDAP query failed

Post by olly »

Hello,

First I want to say that I really love phpMyFAQ, thank you for the hard work.
Sadly I have the same problems as dorian with the binding to my AD via LDAP.

ldap.php seems to be correct, as when I set the password intentionally wrong I get an error. With the right password there is no error, but users are still not able to log in (Invalid user/Password). I am using version 3.1.2.

I also have some basic understanding problems: What login format is meant to be used for the users?
UPN (user@intra.company.com), Email-Address, Netbios-Name (cn) or Netbios Name with Domain (user\domain)?
I also don't understand whether a user in phpMyFAQ must be created before he is able to make an LDAP login. If so, with what username?
If not, will the user be created if he can successfully log in? If not, how can I add him to a group?

Sorry for this many questions, but I could not find the information online.

Thank you for your support,
-Olly
Thorsten
Posts: 15559
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP query failed

Post by Thorsten »

Hi,

looks like we're having an LDAP issue in v3.1, see this thread as well: viewtopic.php?p=81384#p81384

Can you try to turn on the debug mode?

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
olly
Posts: 15
Joined: Tue Mar 29, 2022 2:01 pm

Re: LDAP query failed

Post by olly »

Thank you for your quick reply.

Debug is on, but I can't see any related errors. Just a lot of select statements.

What should I be looking for?
Thorsten
Posts: 15559
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP query failed

Post by Thorsten »

Hi,

well, looks like there's an error in this class: https://github.com/thorsten/phpMyFAQ/bl ... Q/Ldap.php

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
Thorsten
Posts: 15559
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP query failed

Post by Thorsten »

Hi,

I fixed the LDAP / AD issue.

Please use this code for the LDAP class: https://github.com/thorsten/phpMyFAQ/bl ... Q/Ldap.php

My config/ldap.php file looks like:

$PMF_LDAP['ldap_server'] = 'ldap://192.168.2.163';
$PMF_LDAP['ldap_port'] = 10389;
$PMF_LDAP['ldap_user'] = 'uid=admin,ou=system';
$PMF_LDAP['ldap_password'] = 'secret';
$PMF_LDAP['ldap_base'] = 'ou=users,dc=wimpi,dc=net';

My LDAP configuration:

ldap.ldapSupport true
ldap.ldap_dynamic_login_attribute uid
ldap.ldap_mapping.mail mail
ldap.ldap_mapping.memberOf
ldap.ldap_mapping.name cn
ldap.ldap_mapping.username samAccountName
ldap.ldap_options.LDAP_OPT_PROTOCOL_VERSION 3
ldap.ldap_options.LDAP_OPT_REFERRALS 0
ldap.ldap_use_anonymous_login false
ldap.ldap_use_domain_prefix false
ldap.ldap_use_dynamic_login false
ldap.ldap_use_memberOf false
ldap.ldap_use_multiple_servers false
ldap.ldap_use_sasl false

I used this Docker container for testing: https://github.com/dwimberger/ldap-ad-it

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
olly
Posts: 15
Joined: Tue Mar 29, 2022 2:01 pm

Re: LDAP query failed

Post by olly »

Sorry, no luck for me.
Same behaviour as before: The connection to the LDAP (AD) is successful, but he can not validate any correct credentials (Invalid User / Password).
Debug is on, but no error message.

-Olly