LDAP Fails To Work


JEmlay
Posts: 23
Joined: Mon Oct 15, 2012 10:03 pm

LDAP Fails To Work

Post by JEmlay »

Active Directory via Windows Server 2012 using phpMyFAQ 2.8.0-alpha2

I already know LDAP works via PHP using a test script (I'll include it at the bottom). I turned on LDAP and created ldap.php:

<?php
// Main LDAP server
$PMF_LDAP['ldap_server'] = '10.10.10.204';
$PMF_LDAP['ldap_port'] = 389;
$PMF_LDAP['ldap_user'] = 'jemlay';
$PMF_LDAP['ldap_password'] = '********';
$PMF_LDAP['ldap_base'] = '??????'; // <- what is this?

I don't understand why a username and password are needed. Shouldn't that be provided when the user logs in?

Now, when I attempt to log in I get the following error no matter what I specify in the ldap_base (I tried "OU=Admin Users & Computers,DC=domain,DC=com"):

Fatal error: Call to a member function getLdapConfig() on a non-object in G:\KB\inc\Auth\Ldap.php on line 72


Here's my test script:
<?php
// Test script: checks that PHP's LDAP extension can reach the AD server and bind
$ds = ldap_connect( 'ldap://10.10.10.204/' );
if ( !$ds ) {
    die("Could not initialise LDAP connection");
}
// Active Directory expects LDAPv3; PHP defaults to v2, so set it before binding
ldap_set_option( $ds, LDAP_OPT_PROTOCOL_VERSION, 3 );
// try anonymous login to test connection
$anon = @ldap_bind( $ds );
if ( !$anon ) {
    print("Failed");
}
else {
    print("It Worked!");
}
// now try a real login (userPrincipalName form, which AD accepts as a bind name)
$login = @ldap_bind( $ds, 'jemlay@domain.com', '********' );
print("<br><br>");
if ( !$login ) {
    print("Auth Failed");
}
else {
    print("Auth Worked!");
}
?>
cosmin1086
Posts: 7
Joined: Wed Oct 17, 2012 5:58 pm

Re: LDAP Fails To Work

Post by cosmin1086 »

I am having the same problem, I've configured it as per the below:


$PMF_LDAP['ldap_server'] = 'x.x.x.x';
$PMF_LDAP['ldap_port'] = 389;
$PMF_LDAP['ldap_user'] = 'domain\user';
$PMF_LDAP['ldap_password'] = 'password';
$PMF_LDAP['ldap_base'] = 'OU=test,DC=domain,DC=ca';


Any ideas as to what I'm doing wrong?
JEmlay
Posts: 23
Joined: Mon Oct 15, 2012 10:03 pm

Re: LDAP Fails To Work

Post by JEmlay »

I tried:

domain\user
user
user@domain.com

I've tried turning on/off the domain required variable in constants_ldap.php.

Nothing I've tried works.

Did you try my test script to make sure LDAP in PHP is working?
Thorsten
Posts: 15560
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP Fails To Work

Post by Thorsten »

Hi,

looks like a programming issue in alpha2, I'll check it.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
Thorsten
Posts: 15560
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP Fails To Work

Post by Thorsten »

phpMyFAQ Maintainer and Lead Developer
cosmin1086
Posts: 7
Joined: Wed Oct 17, 2012 5:58 pm

Re: LDAP Fails To Work

Post by cosmin1086 »

Perfect, thanks Thorsten!
JEmlay
Posts: 23
Joined: Mon Oct 15, 2012 10:03 pm

Re: LDAP Fails To Work

Post by JEmlay »

Thanks very much Thorsten.

Now, users from the OU "Users" can log in. However, I'm noticing a problem. Those are the ONLY users that can log in. We have users in other OUs on the same root as Users and none of them can log in. It says, "Wrong login name or password."

Even if I specify those OUs in the ldap_base it still ignores them.

<?php
// Main LDAP server
$PMF_LDAP['ldap_server'] = '10.10.10.204';
$PMF_LDAP['ldap_port'] = 389;
$PMF_LDAP['ldap_user'] = 'DOMAIN\username';
$PMF_LDAP['ldap_password'] = 'password';
$PMF_LDAP['ldap_base'] = 'OU=Admin Users & Computers,DC=domain,DC=com';

If I only specify "$PMF_LDAP['ldap_base'] = 'DC=domain,DC=com';", shouldn't that be the entire domain? That works, but only users in the USER OU are accepted.

Any ideas? Thanks again!
Thorsten
Posts: 15560
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP Fails To Work

Post by Thorsten »

Hi,

is this DN base working with other systems?

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
JEmlay
Posts: 23
Joined: Mon Oct 15, 2012 10:03 pm

Re: LDAP Fails To Work

Post by JEmlay »

Yes, using the test script I posted above I can login via PHP using LDAP with any user in my domain.
JEmlay
Posts: 23
Joined: Mon Oct 15, 2012 10:03 pm

Re: LDAP Fails To Work

Post by JEmlay »

So it all comes down to this. In order for any user to log in, the "displayName" must match the "sAMAccountName".

cn = thisis atest
name = thisis atest
givenName = thisis
sn = atest
userPrincipalName = hello5555@domain.com
displayName = hello1234
sAMAccountName = hello4321

That user can NOT log in. If you change the displayName to hello4321, then the user can log in.

However, that's problematic because Windows auto creates the displayName to be a concatenation of the first and last names so the displayName will never match the login name unless I manually change every single user.

What I can't figure out is why the PHP code even cares about the displayName. I don't see it being used anywhere. You use "cn" to display the user's name. ldap_bind certainly doesn't use it.

Thanks again for the chat Thorsten, I appreciate it!
Thorsten
Posts: 15560
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP Fails To Work

Post by Thorsten »

Hi,

I'll try to fix the issue with the whitespaces in Windows usernames, should be fixable. Thanks for your help!

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
JEmlay
Posts: 23
Joined: Mon Oct 15, 2012 10:03 pm

Re: LDAP Fails To Work

Post by JEmlay »

Are you sure it's a whitespace issue? This user can't log in:

displayName = hello1234
sAMAccountName = hello4321

There's no space. Those two fields must match each other. If I change either field to match then it works.
Thorsten
Posts: 15560
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP Fails To Work

Post by Thorsten »

Hi,

phpMyFAQ checks only the "samAccountName" by default; this is what you can change in config/constants_ldap.php.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
JEmlay
Posts: 23
Joined: Mon Oct 15, 2012 10:03 pm

Re: LDAP Fails To Work

Post by JEmlay »

It has to be checking the displayName somewhere.

cannot log in:
displayName = hello1234
sAMAccountName = hello4321

can log in:
displayName = hello4321
sAMAccountName = hello4321

cannot log in:
displayName = Justin Emlay
sAMAccountName = jemlay

can log in:
displayName = jemlay
sAMAccountName = jemlay

Yes, the sAMAccountName must be used to perform the login; however, it only works if those two fields equal each other. Where else would this check be coming from?

One of my buddies agreed to install your faq within his own domain. He's still on 2008 R2 and he found the same problem. None of his users can log in unless the displayName matches the sAMAccountName.
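The flow the thread is circling around (the service account from the first post is needed for the search step, and only sAMAccountName should decide which entry is checked, as Thorsten says) looks like this as an added example. This is not phpMyFAQ's own code; the service-account DN, password and base DN are placeholders, and ldap_escape() needs PHP 5.6 or later.

```php
<?php
// Added example (not phpMyFAQ code): search-then-bind against Active Directory.
// Placeholder values; replace with your own server, service account and base DN.
declare(strict_types=1);

const LDAP_SERVER  = 'ldap://10.10.10.204';   // server from the thread
const LDAP_BIND_DN = 'DOMAIN\\svc_faq';       // assumed read-only service account
const LDAP_BIND_PW = 'placeholder-password';
const LDAP_BASE    = 'DC=domain,DC=com';      // whole domain, so every OU is searched
const LDAP_ATTR    = 'sAMAccountName';        // login attribute; displayName is not consulted

function ldapAuthenticate(string $login, string $password): ?array
{
    // AD treats an empty password as an anonymous bind, so ldap_bind() would
    // "succeed" without verifying anything; refuse it before touching the server.
    if ($password === '') {
        return null;
    }

    $ds = ldap_connect(LDAP_SERVER);
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); // AD sends referrals for DC=... bases

    // 1. Bind as the service account: this is why ldap_user/ldap_password exist.
    if (!@ldap_bind($ds, LDAP_BIND_DN, LDAP_BIND_PW)) {
        return null;
    }

    // 2. Look up the user by sAMAccountName only. Escaping the login keeps
    //    characters like "*" or ")" from changing the filter (LDAP injection).
    $safeLogin = ldap_escape($login, '', LDAP_ESCAPE_FILTER);
    $filter    = sprintf('(&(objectClass=user)(%s=%s))', LDAP_ATTR, $safeLogin);
    $result    = ldap_search($ds, LDAP_BASE, $filter, ['displayName', 'mail']);
    if ($result === false || ldap_count_entries($ds, $result) !== 1) {
        return null; // unknown login, or ambiguous (must be exactly one entry)
    }
    $entry = ldap_first_entry($ds, $result);
    $dn    = ldap_get_dn($ds, $entry); // full DN, whichever OU the user lives in

    // 3. Re-bind as that DN with the supplied password: the actual credential check.
    if (!@ldap_bind($ds, $dn, $password)) {
        return null;
    }

    $attrs = ldap_get_attributes($ds, $entry);
    return ['dn' => $dn, 'displayName' => $attrs['displayName'][0] ?? $login];
}
```

With this shape, displayName is only read back for presentation after the bind succeeds, so a user whose displayName is "Justin Emlay" and whose sAMAccountName is "jemlay" authenticates with "jemlay".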
Thorsten
Posts: 15560
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP Fails To Work

Post by Thorsten »

Hi,

thanks for checking this out, I'll work on it!

Cheers
Thorsten
phpMyFAQ Maintainer and Lead Developer