LDAP + Single Sign On (SSO) errors in 2.7.3

Please report bugs here!

Moderator: Thorsten

kh-phpmyfaq
Posts: 6
Joined: Tue Jan 24, 2012 1:47 pm

LDAP + Single Sign On (SSO) errors in 2.7.3

Post by kh-phpmyfaq »

I'm not sure if this is actually a bug or a misconfiguration on my side.

Scenario: PMF 2.7.3, Active Directory Domain

ldap.php content:

$PMF_LDAP["ldap_server"] = 'dc.dom.local';
$PMF_LDAP["ldap_port"] = '389';
$PMF_LDAP["ldap_user"] = 'CN=ldapauthuser,CN=Users,DC=dom,DC=local';
$PMF_LDAP["ldap_password"] = 'supersecretpasswordforldapbind';
$PMF_LDAP["ldap_base"] = 'OU=Users,OU=myBusiness,DC=dom,DC=local';

In constants_ldap.php I changed the setting to false:

$PMF_LDAP['ldap_use_domain_prefix'] = false;

LDAP Auth is working with these settings. Users can log in with their username without using the prefix dom\

In apache config following is set to enable Single Sign On on server side:

        <Directory /var/www2/faq.dom.local/htdocs/>
                AuthName "PHPmyFAQ Authentication"
                NTLMAuth on
                NTLMAuthHelper "usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
                NTLMBasicAuthoritative on
                AuthType NTLM
                require valid-user
                Options Indexes FollowSymLinks -MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

If I activate SSO in the PMF config frontend I get the following warnings (Debug enabled) and PMF does NOT fill out forms with username and email address (works without SSO enabled).

phpMyFAQ warning [2]: ldap_search() [function.ldap-search]: Search: Operations error in /var/www2/faq.dom.local/htdocs/inc/Ldap.php on line 214

phpMyFAQ warning [2]: ldap_first_entry(): supplied argument is not a valid ldap result resource in /var/www2/faq.dom.local/htdocs/inc/Ldap.php on line 223

phpMyFAQ warning [2]: ldap_get_values(): supplied argument is not a valid ldap result entry resource in /var/www2/faq.dom.local/htdocs/inc/Ldap.php on line 231

phpMyFAQ warning [2]: ldap_search() [function.ldap-search]: Search: Operations error in /var/www2/faq.dom.local/htdocs/inc/Ldap.php on line 214

phpMyFAQ warning [2]: ldap_first_entry(): supplied argument is not a valid ldap result resource in /var/www2/faq.dom.local/htdocs/inc/Ldap.php on line 223

phpMyFAQ warning [2]: ldap_get_values(): supplied argument is not a valid ldap result entry resource in /var/www2/faq.dom.local/htdocs/inc/Ldap.php on line 231

phpMyFAQ warning [2]: session_regenerate_id() [function.session-regenerate-id]: Cannot regenerate session id - headers already sent in /var/www2/faq.dom.local/htdocs/inc/PMF_User/CurrentUser.php on line 306

phpMyFAQ notice [8]: Undefined variable: csrfToken in /var/www2/faq.dom.local/htdocs/inc/PMF_User/CurrentUser.php on line 489

phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www2/faq.dom.local/htdocs/inc/functions.php:150) in /var/www2/faq.dom.local/htdocs/index.php on line 172

phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www2/faq.dom.local/htdocs/inc/functions.php:150) in /var/www2/faq.dom.local/htdocs/inc/Session.php on line 390

phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www2/faq.dom.local/htdocs/inc/functions.php:150) in /var/www2/faq.dom.local/htdocs/index.php on line 701

phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www2/faq.dom.local/htdocs/inc/functions.php:150) in /var/www2/faq.dom.local/htdocs/index.php on line 702

phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www2/faq.dom.local/htdocs/inc/functions.php:150) in /var/www2/faq.dom.local/htdocs/index.php on line 703

phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www2/faq.dom.local/htdocs/inc/functions.php:150) in /var/www2/faq.dom.local/htdocs/index.php on line 704

phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www2/faq.dom.local/htdocs/inc/functions.php:150) in /var/www2/faq.dom.local/htdocs/index.php on line 705

phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www2/faq.dom.local/htdocs/inc/functions.php:150) in /var/www2/faq.dom.local/htdocs/index.php on line 706

phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www2/faq.dom.local/htdocs/inc/functions.php:150) in /var/www2/faq.dom.local/htdocs/index.php on line 707

I do now get auth failures in the domain controller event log for users who load the PMF page in their browser.
After some reloads of the page the user account gets temporarily locked because of too many auth failures.

Strangely, PMF logs the user in nonetheless.
I can fix the user lockout problem by setting the following back to "true" OR disabling Single Sign On.

$PMF_LDAP['ldap_use_domain_prefix'] = true;

The problem with PMF not filling out the usernames and email addresses when enabling SSO still exists when changing ldap_use_domain_prefix back to the default value. So this seems to be related to some other problem.
Thorsten
Posts: 15725
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP + Single Sign On (SSO) errors in 2.7.3

Post by Thorsten »

Hi,

I'll try to figure out what is going wrong here. Why do you need LDAP and SSO?

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist
Thorsten
Posts: 15725
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP + Single Sign On (SSO) errors in 2.7.3

Post by Thorsten »

Hi,

I googled these errors and it could be solved by adding "CN=Users" to the base DN...

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist
kh-phpmyfaq
Posts: 6
Joined: Tue Jan 24, 2012 1:47 pm

Re: LDAP + Single Sign On (SSO) errors in 2.7.3

Post by kh-phpmyfaq »

I need LDAP and SSO for automatic login of our Domain users to PMF.

Your info does not seem to fix it.
The base DN (search path) already seems to be correct because all users who will login to PMF are existing only in the Organizational Unit "OU=Users,OU=myBusiness,DC=dom,DC=local".

Just to be sure I created a testuser in the Container "CN=Users,DC=dom,DC=local" and set the base DN to this container.
Same warnings with this configuration.
I have a feeling it might have something to do with the value of the external resource "$this->ds" in Ldap.php.
I tried to debug with my lousy PHP knowledge and get the following values for the ldap_search in line 214 of Ldap.php:

sr= Resource id #46
base= CN=Users,DC=dom,DC=local
filter= (samAccountName=testuser)
fields= Array ( [0] => cn )
Thorsten
Posts: 15725
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP + Single Sign On (SSO) errors in 2.7.3

Post by Thorsten »

Hi,

do you see any errors in your LDAP server?

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist
kh-phpmyfaq
Posts: 6
Joined: Tue Jan 24, 2012 1:47 pm

Re: LDAP + Single Sign On (SSO) errors in 2.7.3

Post by kh-phpmyfaq »

There are no errors reported in Domain Controller eventlog.
Just messages that the user got authenticated successfully.

So the login part seems to work, but not the part where the userinfo is looked up in LDAP when SSO is enabled?
Thorsten
Posts: 15725
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP + Single Sign On (SSO) errors in 2.7.3

Post by Thorsten »

Hi,

did you check the LDAP mapping in config/constants_ldap.php?

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist
kh-phpmyfaq
Posts: 6
Joined: Tue Jan 24, 2012 1:47 pm

Re: LDAP + Single Sign On (SSO) errors in 2.7.3

Post by kh-phpmyfaq »

Mapping in constants_ldap.php is default and in my opinion ok
(these values work on a bunch of different appliances and websites here that do ldap auth/SSO, too)

// Datamapping - in this example for an ADS
$PMF_LDAP['ldap_mapping'] = array (
    'name'     => 'cn',
    'username' => 'samAccountName',
    'mail'     => 'mail'
);

"cn" contains full name of Person
"samAccountName" contains AD loginaccount
"mail" contains users email address
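The thread shows two symptoms worth separating: "Operations error" from ldap_search() (which Active Directory returns, as result code 1, when a search is attempted on a connection that has not completed a bind), and account lockouts, which can only come from repeated failed password binds for the end user. The following is an added example written for this thread, not phpMyFAQ's own Ldap.php, of how an SSO user lookup can be done so that only the service account ever binds and every LDAP step is checked before the next one runs. It assumes a modern PHP (ldap_escape() and nullable return types), that the web server has already authenticated the user and exposes the name in $_SERVER['REMOTE_USER'], and that the server, bind DN, password and base DN are placeholders mirroring the configuration posted above; the function names and the "DOM\testuser" fallback are constructed for this example.

```php
<?php
// Added example (not phpMyFAQ code): service-account lookup of an SSO-authenticated user.
// Configuration values are placeholders taken from the thread; adjust for your directory.
$PMF_LDAP = [
    'ldap_server'   => 'dc.dom.local',
    'ldap_port'     => 389,
    'ldap_user'     => 'CN=ldapauthuser,CN=Users,DC=dom,DC=local',
    'ldap_password' => 'supersecretpasswordforldapbind', // placeholder; keep out of version control
    'ldap_base'     => 'OU=Users,OU=myBusiness,DC=dom,DC=local',
    'ldap_mapping'  => ['name' => 'cn', 'username' => 'samAccountName', 'mail' => 'mail'],
];

/**
 * Reduce whatever the web server hands over to a bare sAMAccountName.
 * "DOM\testuser", "testuser@dom.local" and "testuser" all yield "testuser".
 */
function ssoAccountName(string $remoteUser): string
{
    $name = $remoteUser;
    if (($pos = strrpos($name, '\\')) !== false) {
        $name = substr($name, $pos + 1);
    }
    if (($pos = strpos($name, '@')) !== false) {
        $name = substr($name, 0, $pos);
    }
    return $name;
}

/**
 * Bind with the service account and fetch the mapped attributes for one account.
 * The end user's password is never used: a bad lookup cannot lock the user's account.
 * Returns ['name' => ..., 'username' => ..., 'mail' => ...] or null on any failure.
 */
function lookupSsoUser(array $cfg, string $remoteUser): ?array
{
    $account = ssoAccountName($remoteUser);
    if ($account === '' || !preg_match('/^[A-Za-z0-9._-]+$/', $account)) {
        error_log('SSO lookup: refusing malformed REMOTE_USER');
        return null;
    }

    $ds = ldap_connect('ldap://' . $cfg['ldap_server'] . ':' . (int) $cfg['ldap_port']);
    if ($ds === false) {
        return null;
    }
    // Active Directory needs protocol v3. Chasing referrals opens a second, unbound
    // connection for parts of the forest, which AD answers with "Operations error".
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // The search must run on a bound connection; verify the bind before searching.
    if (!@ldap_bind($ds, $cfg['ldap_user'], $cfg['ldap_password'])) {
        error_log('SSO lookup: service bind failed: ' . ldap_error($ds));
        ldap_unbind($ds);
        return null;
    }

    // Escape the account name so REMOTE_USER cannot alter the filter.
    $filter = '(sAMAccountName=' . ldap_escape($account, '', LDAP_ESCAPE_FILTER) . ')';
    $attrs  = array_values($cfg['ldap_mapping']);
    $sr     = @ldap_search($ds, $cfg['ldap_base'], $filter, $attrs);
    if ($sr === false) {
        // ldap_errno() is the numeric LDAP result code; 1 is operationsError.
        error_log(sprintf('SSO lookup: search failed (%d): %s', ldap_errno($ds), ldap_error($ds)));
        ldap_unbind($ds);
        return null;
    }

    $entries = ldap_get_entries($ds, $sr);
    ldap_unbind($ds);
    if ($entries === false || $entries['count'] !== 1) {
        return null; // zero or ambiguous matches: do not guess
    }

    $entry = $entries[0];
    $out   = [];
    foreach ($cfg['ldap_mapping'] as $field => $attr) {
        $key         = strtolower($attr); // ldap_get_entries() lowercases attribute names
        $out[$field] = $entry[$key][0] ?? null;
    }
    return $out;
}

// "DOM\testuser" is a constructed fallback so the script can be run outside Apache.
$user = lookupSsoUser($PMF_LDAP, $_SERVER['REMOTE_USER'] ?? 'DOM\\testuser');
var_dump($user);
```

Two checks in the example map directly onto the thread's diagnostics: ldap_errno() after a failed ldap_search() tells you whether the directory answered operationsError (a bind or referral problem) rather than a wrong base DN, which would come back as noSuchObject (32), and because the user is identified solely from REMOTE_USER and looked up through the service bind, nothing in the SSO path can produce failed logons for the end user on the domain controller.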