LDAP Fails To Work

All about webserver configurations, PHP and databases.

Moderator: Thorsten

JEmlay
Posts: 23
Joined: Mon Oct 15, 2012 10:03 pm

LDAP Fails To Work

Post by JEmlay » Wed Oct 17, 2012 6:45 pm

Active Directory via Windows Server 2012 using phpMyFAQ 2.8.0-alpha2

I already know LDAP works via PHP using a test script (I'll include it at the bottom). I turned on LDAP and created ldap.php:

<?php
// Main LDAP server
$PMF_LDAP['ldap_server'] = '10.10.10.204';
$PMF_LDAP['ldap_port'] = 389;
$PMF_LDAP['ldap_user'] = 'jemlay';
$PMF_LDAP['ldap_password'] = '********';
$PMF_LDAP['ldap_base'] = '??????'; // <- what is this?

I don't understand why a username and password are needed. Shouldn't that be provided when the user logs in?

Now, when I attempt to login I get the following error no matter what I specify in the ldap_base (I tried "OU=Admin Users & Computers,DC=domain,DC=com"):

Fatal error: Call to a member function getLdapConfig() on a non-object in G:\KB\inc\Auth\Ldap.php on line 72


Here's my test script:
<?php
$ds = ldap_connect( 'ldap://10.10.10.204/' );

// try anonymous login to test connection
$anon = @ldap_bind( $ds );
if ( !$anon ) {
    print("Failed");
}
else {
    print("It Worked!");
}

// now try a real login
$login = @ldap_bind( $ds, 'jemlay@domain.com', '********' );
print("<br><br>");
if ( !$login ) {
    print("Auth Failed");
}
else {
    print("Auth Worked!");
}
?>

cosmin1086
Posts: 7
Joined: Wed Oct 17, 2012 5:58 pm

Re: LDAP Fails To Work

Post by cosmin1086 » Wed Oct 17, 2012 8:50 pm

I am having the same problem, I've configured it as per the below:


$PMF_LDAP['ldap_server'] = 'x.x.x.x';
$PMF_LDAP['ldap_port'] = 389;
$PMF_LDAP['ldap_user'] = 'domain\user';
$PMF_LDAP['ldap_password'] = 'password';
$PMF_LDAP['ldap_base'] = 'OU=test,DC=domain,DC=ca';


Any ideas as to what I'm doing wrong??

JEmlay
Posts: 23
Joined: Mon Oct 15, 2012 10:03 pm

Re: LDAP Fails To Work

Post by JEmlay » Wed Oct 17, 2012 11:46 pm

I tried:

domain\user
user
user@domain.com

I've tried turning on/off the domain required variable in constants_ldap.php.

Nothing I've tried works.

Did you try my test script to make sure LDAP in PHP is working?

Thorsten
Posts: 15076
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP Fails To Work

Post by Thorsten » Thu Oct 18, 2012 10:46 am

Hi,

looks like a programming issue in the alpha2, I'll check it.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist

Thorsten
Posts: 15076
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP Fails To Work

Post by Thorsten » Thu Oct 18, 2012 10:54 am

phpMyFAQ Maintainer and Lead Developer

cosmin1086
Posts: 7
Joined: Wed Oct 17, 2012 5:58 pm

Re: LDAP Fails To Work

Post by cosmin1086 » Thu Oct 18, 2012 2:08 pm

Perfect, thanks Thorsten!

JEmlay
Posts: 23
Joined: Mon Oct 15, 2012 10:03 pm

Re: LDAP Fails To Work

Post by JEmlay » Thu Oct 18, 2012 6:06 pm

Thanks very much Thorsten.

Now, users from the OU "Users" can log in. However, I'm noticing a problem. Those are the ONLY users that can login. We have users in other OUs on the same root as Users and none of them can login. It says, "Wrong login name or password.".

Even if I specify those OUs in the ldap_base it still ignores them.

<?php
// Main LDAP server
$PMF_LDAP['ldap_server'] = '10.10.10.204';
$PMF_LDAP['ldap_port'] = 389;
$PMF_LDAP['ldap_user'] = 'DOMAIN\username';
$PMF_LDAP['ldap_password'] = 'password';
$PMF_LDAP['ldap_base'] = 'OU=Admin Users & Computers,DC=domain,DC=com';

If I only specify "$PMF_LDAP['ldap_base'] = 'DC=domain,DC=com';" ....shouldn't that be the entire domain? That works but only users in the USER OU are accepted.

Any ideas? Thanks again!

Thorsten
Posts: 15076
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP Fails To Work

Post by Thorsten » Thu Oct 18, 2012 7:39 pm

Hi,

is this DN base working with other systems?

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer

JEmlay
Posts: 23
Joined: Mon Oct 15, 2012 10:03 pm

Re: LDAP Fails To Work

Post by JEmlay » Thu Oct 18, 2012 7:46 pm

Yes, using the test script I posted above I can login via PHP using LDAP with any user in my domain.

JEmlay
Posts: 23
Joined: Mon Oct 15, 2012 10:03 pm

Re: LDAP Fails To Work

Post by JEmlay » Thu Oct 18, 2012 10:13 pm

So it all comes down to this. In order for any user to login the "displayName" must match the "sAMAccountName".

cn = thisis atest
name = thisis atest
givenName = thisis
sn = atest
userPrincipalName = hello5555@domain.com
displayName = hello1234
sAMAccountName = hello4321

That user can NOT log in. If you change the displayName to hello4321, then the user can login.

However, that's problematic because Windows auto creates the displayName to be a concatenation of the first and last names so the displayName will never match the login name unless I manually change every single user.

What I can't figure out is why does the PHP code even care about the displayName? I don't see it being used anywhere. You use "cn" to display the user's name. ldap_bind certainly doesn't use it.

Thanks again for the chat Thorsten, I appreciate it!

Thorsten
Posts: 15076
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP Fails To Work

Post by Thorsten » Fri Oct 19, 2012 6:57 am

Hi,

I'll try to fix the issue with the whitespaces in Windows usernames, should be fixable. Thanks for your help!

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer

JEmlay
Posts: 23
Joined: Mon Oct 15, 2012 10:03 pm

Re: LDAP Fails To Work

Post by JEmlay » Fri Oct 19, 2012 5:23 pm

Are you sure it's a white space issue? This user can't login:

displayName = hello1234
sAMAccountName = hello4321

There's no space. Those two fields must match each other. If I change either field to match then it works.

Thorsten
Posts: 15076
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP Fails To Work

Post by Thorsten » Sat Oct 20, 2012 7:38 am

Hi,

phpMyFAQ checks only the "samAccountName" by default, this is what you can change in config/constants_ldap.php

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
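The general search-then-bind flow behind two points raised in this thread (why `ldap_user` and `ldap_password` are configured at all, and what a `sAMAccountName` check against `ldap_base` looks like), as an added example that is not phpMyFAQ's code and not from any poster. The config keys reuse the thread's `$PMF_LDAP` names; the function name and the `use_tls` key are hypothetical.

```php
<?php
// Added example (not phpMyFAQ code): service-account search, then user bind.
// Returns the user's DN on success, null on any failure.
function ldapSearchThenBind(array $cfg, string $login, string $password): ?string
{
    // An empty password turns ldap_bind() into an unauthenticated bind, which
    // a directory may accept. Reject it before talking to the server.
    if ($login === '' || $password === '') {
        return null;
    }

    $ds = ldap_connect('ldap://' . $cfg['ldap_server'] . ':' . $cfg['ldap_port']);
    if ($ds === false) {
        return null;
    }

    try {
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // StartTLS needs LDAPv3
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);        // do not chase referrals

        // Port 389 is cleartext; upgrade the session before sending a password.
        // 'use_tls' is a hypothetical key for this example.
        if (!empty($cfg['use_tls']) && !@ldap_start_tls($ds)) {
            return null;
        }

        // Step 1: bind as the configured service account so we may search.
        if (!@ldap_bind($ds, $cfg['ldap_user'], $cfg['ldap_password'])) {
            return null;
        }

        // Step 2: locate the entry by login name. ldap_search() uses subtree
        // scope, so every OU below ldap_base is included. The login is escaped
        // so characters such as * ( ) \ cannot alter the filter.
        $filter = '(sAMAccountName=' . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . ')';
        $result = @ldap_search($ds, $cfg['ldap_base'], $filter, ['cn']);
        $entries = $result ? ldap_get_entries($ds, $result) : ['count' => 0];
        if ($entries['count'] !== 1) {
            return null; // unknown or ambiguous login
        }

        // Step 3: prove the password by binding as the DN that was found.
        $dn = $entries[0]['dn'];
        return @ldap_bind($ds, $dn, $password) ? $dn : null;
    } finally {
        @ldap_unbind($ds);
    }
}
```

Call it with the same array shape as `ldap.php` in the thread, for example `ldapSearchThenBind($PMF_LDAP, 'hello4321', $password)`; `ldap_escape()` requires PHP 5.6 or later.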

JEmlay
Posts: 23
Joined: Mon Oct 15, 2012 10:03 pm

Re: LDAP Fails To Work

Post by JEmlay » Sat Oct 20, 2012 8:07 pm

It has to be checking the displayName somewhere.

can not login:
displayName = hello1234
sAMAccountName = hello4321

can login:
displayName = hello4321
sAMAccountName = hello4321

can not login:
displayName = Justin Emlay
sAMAccountName = jemlay

can login:
displayName = jemlay
sAMAccountName = jemlay

Yes, the sAMAccountName must be used to perform the login however it only works if those two fields equal each other. Where else would this check be coming from?

One of my buddies agreed to install your faq within his own domain. He's still on 2008 R2 and he found the same problem. None of his users can login unless the displayName matches the sAMAccountName.

Thorsten
Posts: 15076
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP Fails To Work

Post by Thorsten » Sun Oct 21, 2012 9:33 am

Hi,

thanks for checking this out, I'll work on it!

Cheers
Thorsten
phpMyFAQ Maintainer and Lead Developer
