phpScheduleIt
Topic: LDAP Authentication in V2 to AD not working - username not found in debug
csjjpm
« on: July 11, 2012, 11:17:07 AM »

Hi,
  I've configured my LDAP config file looking at many examples on this forum and also based on what I have working in LDAP Browser (free Windows software).  I enabled logging and debug mode.
  I've had an issue like this before with other freeware software.  We have a load of sub OUs with staff IDs in, and the search routine only searched the 'basedn' and didn't search sub OUs.  How does this one behave?
The webpage error is:
Quote
We could not match your username or password
My config is:
Code:
$conf['settings']['host'] = 'ad.mycollege.ac.uk'; // comma separated list of ldap servers such as mydomain1,localhost
$conf['settings']['port'] = '389';      // default ldap port 389 or 636 for ssl.
$conf['settings']['version'] = '3'; // LDAP protocol version
$conf['settings']['starttls'] = 'false'; // TLS is started after connecting
$conf['settings']['binddn'] = 'CN=zz_LDAP,OU=ACS,OU=Resources,DC=ds,DC=mycollege,DC=ac,DC=uk'; // The distinguished name to bind as (username). If you don't supply this, an anonymous bind will be established.
$conf['settings']['bindpw'] = 'mypassword'; // Password for the binddn. If the credentials are wrong, the bind will fail server-side and an anonymous bind will be established instead. An empty bindpw string requests an unauthenticated bind.
$conf['settings']['basedn'] = 'OU=Users,OU=Staff,DC=ds,DC=mycollege,DC=ac,DC=uk'; // LDAP base name
$conf['settings']['filter'] = ''; // Default search filter
$conf['settings']['scope'] = ''; // Search scope (default used when empty)
$conf['settings']['account.suffix'] = '@mycollege.ac.uk'; // The full account suffix for your domain. Example: @mydomain.local
$conf['settings']['database.auth.when.ldap.user.not.found'] = 'true'; // if ldap auth fails, authenticate against phpScheduleIt database

I have tried it with and without the account.suffix setting.  I've also tried prefixing the AD\username in the logon window.

The DEBUG error is:
Code:
07/11/12 16:14:52,450 [1112] DEBUG default - Trying to connect to LDAP
07/11/12 16:14:52,463 [1112] DEBUG default - Searching ldap for user medjpm
07/11/12 16:14:52,634 [1112] DEBUG default - Could not find user medjpm
07/11/12 16:14:52,635 [1112] DEBUG default - Result of LDAP Authenticate for user medjpm: 0
07/11/12 16:14:52,635 [1112] DEBUG default - Trying to log in as: medjpm
07/11/12 16:14:52,639 [1112] DEBUG default - User: medjpm, was validated: 0
csjjpm
« Reply #1 on: July 16, 2012, 04:59:50 AM »


Although this system looks nicer I am going to have to give up on it as I cannot get LDAP to work.  I am having a lot more success with MRBS.

Pity.
Nick
« Reply #2 on: July 16, 2012, 02:20:22 PM »

In 2.2 I separated LDAP and Active Directory. For AD, try changing the plugin to ActiveDirectory and then configuring \plugins\Authentication\ActiveDirectory\ActiveDirectory.config.php (copy from .dist.php)
csjjpm
« Reply #3 on: July 19, 2012, 07:10:06 AM »

Hi,
  thanks for replying.  I changed the config.php to:
Code:
$conf['settings']['plugins']['Authentication'] = 'ActiveDirectory';

My ActiveDirectory.config.php config is:
Code:
$conf['settings']['domain.controllers'] = 'ad.mycollege.ac.uk'; // comma separated list of ldap servers such as DC=mydomain1,DC=local.
$conf['settings']['port'] = '389';      // default ldap port 389 or 636 for ssl.
$conf['settings']['username'] = 'CN=LDAP-user,OU=System Accounts,OU=ITADMIN,OU=IT,OU=Resources,DC=ds,DC=mycollege,DC=ac,DC=uk';     // admin user - bind to ldap service with an authorized account user/password
$conf['settings']['password'] = 'password';     // admin password - corresponding password
$conf['settings']['basedn'] =  'OU=MEC,OU=Users,OU=MDH,OU=Staff,DC=ds,DC=mycollege,DC=ac,DC=uk';   // 'ou=uidauthent,o=domain.com';
$conf['settings']['version'] = '3'; // LDAP protocol version
$conf['settings']['use.ssl'] = 'false'; // 'true' if 636 was used.
$conf['settings']['account.suffix'] = ''; // The full account suffix for your domain. Example: @mydomain.local
$conf['settings']['database.auth.when.ldap.user.not.found'] = 'false'; // if ldap auth fails, authenticate against phpScheduleIt database

I logon with a known username and password in the 'MEC' OU and get the following error:
Code:
07/19/12 12:05:57,506 [1116] DEBUG default - Result of ActiveDirectory LDAP Authenticate for user medjpm: 0
ChrisF
« Reply #4 on: July 19, 2012, 07:30:45 AM »

Try putting a @DOMAIN suffix on the username when you login, where DOMAIN is your domain.
If that works, put that suffix here:
Code:
$conf['settings']['account.suffix'] = '';
csjjpm
« Reply #5 on: July 19, 2012, 08:48:49 AM »


Really weird result with that!

I added it to the username in the box 'username@mycollege.ac.uk' and it logged in successfully.  SO....

I did what you said in ActiveDirectory.config.php:
Code:
$conf['settings']['account.suffix'] = '@mycollege.ac.uk'; // The full account suffix for your domain. Example: @mydomain.local

This time the webpage error was:
Code:
Unknown Error
Return to the last page that you were on
and the log error was:
Code:
07/19/12 13:45:17,966 [1116] ERROR default - exception 'adLDAPException' with message 'Bind to Active Directory failed. Check the login credentials and/or server details. AD said: Invalid credentials' in C:\wamp\www\MyIntranet\booking\plugins\Authentication\ActiveDirectory\adLDAP.php:651
Stack trace:
#0 C:\wamp\www\MyIntranet\booking\plugins\Authentication\ActiveDirectory\adLDAP.php(605): adLDAP->connect()
#1 C:\wamp\www\MyIntranet\booking\plugins\Authentication\ActiveDirectory\AdLdapWrapper.php(56): adLDAP->__construct(Array)
#2 C:\wamp\www\MyIntranet\booking\plugins\Authentication\ActiveDirectory\ActiveDirectory.php(122): AdLdapWrapper->Connect()
#3 C:\wamp\www\MyIntranet\booking\Presenters\LoginPresenter.php(94): ActiveDirectory->Validate('username', 'mypassword')
#4 C:\wamp\www\MyIntranet\booking\Pages\LoginPage.php(193): LoginPresenter->Login()
#5 C:\wamp\www\MyIntranet\booking\Web\index.php(30): LoginPage->Login()
#6 {main}
07/19/12 13:45:17,968 [1116] ERROR default - Uncaught exception: exception 'adLDAPException' with message 'Bind to Active Directory failed. Check the login credentials and/or server details. AD said: Invalid credentials' in C:\wamp\www\MyIntranet\booking\plugins\Authentication\ActiveDirectory\adLDAP.php:651
Stack trace:
#0 C:\wamp\www\MyIntranet\booking\plugins\Authentication\ActiveDirectory\adLDAP.php(605): adLDAP->connect()
#1 C:\wamp\www\MyIntranet\booking\plugins\Authentication\ActiveDirectory\AdLdapWrapper.php(56): adLDAP->__construct(Array)
#2 C:\wamp\www\MyIntranet\booking\plugins\Authentication\ActiveDirectory\ActiveDirectory.php(122): AdLdapWrapper->Connect()
#3 C:\wamp\www\MyIntranet\booking\Presenters\LoginPresenter.php(94): ActiveDirectory->Validate('username', 'mypassword')
#4 C:\wamp\www\MyIntranet\booking\Pages\LoginPage.php(193): LoginPresenter->Login()
#5 C:\wamp\www\MyIntranet\booking\Web\index.php(30): LoginPage->Login()
#6 {main}

Most concerning was that the password is in plain text in the log file.  I know I can try port 636 with SSL.  That is next, when I get the AD auth working.
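The stack trace in the post above records the password as a call argument, so anyone who can read the log (or the place it is shipped to) gets the credential. The filter below is an added example, not code from phpScheduleIt, adLDAP or anyone in this thread: it redacts password arguments and password assignments from log lines before they are stored. The regexes are assumptions modelled on the `ActiveDirectory->Validate('username', 'mypassword')` frame and on the `password`/`bindpw` keys of the config files quoted in the thread, and the sample log lines are constructed with a made-up password.

```python
"""
Redact credentials from PHP-style log lines before the file is stored or shipped.

Example code added to this thread, not part of phpScheduleIt or adLDAP. The
patterns are assumptions modelled on the stack-trace frame quoted above,
ActiveDirectory->Validate('username', 'mypassword'), and on the 'password' and
'bindpw' keys of the config files shown in the thread. Extend _CALL_PATTERNS
for any other method that takes a secret as a positional argument.
"""
import re
from typing import Iterable, List

REDACTED = "'***REDACTED***'"

# Method calls whose second quoted argument is a password (assumption: the
# Validate(user, password) signature seen in the quoted trace).
_CALL_PATTERNS = [
    re.compile(r"(->Validate\()('[^']*'),\s*'[^']*'(\))"),
]

# $conf[...]['password'] = '...' style assignments for secret-bearing keys.
_ASSIGN_PATTERN = re.compile(
    r"(\[\s*'(?:password|bindpw)'\s*\]\s*=\s*)'[^']*'", re.IGNORECASE
)


def redact_credentials(line: str) -> str:
    """Return the line with password arguments and assignments masked."""
    for pattern in _CALL_PATTERNS:
        line = pattern.sub(lambda m: f"{m.group(1)}{m.group(2)}, {REDACTED}{m.group(3)}", line)
    return _ASSIGN_PATTERN.sub(lambda m: f"{m.group(1)}{REDACTED}", line)


def redact_log(lines: Iterable[str]) -> List[str]:
    return [redact_credentials(line) for line in lines]


def leaks(lines: Iterable[str], secrets: Iterable[str]) -> List[str]:
    """Lines in which any known secret still appears; empty means redaction held."""
    return [line for line in lines if any(s in line for s in secrets)]


# Constructed sample, shaped like the trace quoted above (paths shortened; the
# password value is made up).
SAMPLE_LOG = [
    "07/19/12 13:45:17,966 [1116] ERROR default - exception 'adLDAPException' with message "
    "'Bind to Active Directory failed. AD said: Invalid credentials' in adLDAP.php:651",
    "#3 Presenters\\LoginPresenter.php(94): ActiveDirectory->Validate('medjpm', 'S3cret!Pass')",
    "#4 Pages\\LoginPage.php(193): LoginPresenter->Login()",
    "$conf['settings']['password'] = 'S3cret!Pass';     // admin password - corresponding password",
]

if __name__ == "__main__":
    for before, after in zip(SAMPLE_LOG, redact_log(SAMPLE_LOG)):
        marker = "REDACTED" if before != after else "        "
        print(marker, after)
    assert not leaks(redact_log(SAMPLE_LOG), ["S3cret!Pass"])
```

Redaction is a backstop, not the fix. The durable measures are to stop the exception logger recording argument values (or to turn DEBUG and stack-trace logging off in production), to keep the log file readable only by the web server account, and to treat a password that has landed in a log as compromised and rotate it. Note that LDAPS on port 636 protects the credential on the wire and does nothing about this file.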
csjjpm
« Reply #6 on: July 19, 2012, 10:47:32 AM »

Also....

How can I put multiple OUs in an array? e.g.
Code:
$conf['settings']['basedn'] = array('OU=MEC,OU=Users,OU=MDH,OU=Staff,DC=mycollege,DC=ac,DC=uk', 'OU=ABC,OU=Users,OU=MDH,OU=Staff,DC=mycollege,DC=ac,DC=uk');
ChrisF
« Reply #7 on: July 20, 2012, 05:42:19 AM »

I *think* I was getting that when I was specifying an OU in combination with a suffix. Have you tried going from the very top of the domain tree for your basedn?
I'm using o=, e.g. $conf['settings']['basedn'] =  'o=CWN'; which is working.
Also, have you tried anonymous auth by way of removing username and password?
I've seen a mod for 1.x of phpScheduleIt to use AD security groups, but I don't see where I can port this over to the new LDAP/AD plugin.
csjjpm
« Reply #8 on: July 20, 2012, 07:46:44 AM »

Hi Chris,
  Sorry, not sure what you mean by o=CWN?

What is my 'o' equal to?
P.
ChrisF
« Reply #9 on: July 20, 2012, 08:35:33 AM »

Organisation, probably; in your case, o=mycollege.ac.uk
csjjpm
« Reply #10 on: July 20, 2012, 10:54:21 AM »

Thanks Chris, I tried that o=mycollege.ac.uk and this is what happened:
This error occurs and quickly redirects to the next page:
Code:
Parse error: syntax error, unexpected T_INTERFACE in C:\wamp\www\MyIntranet\booking\Pages\IPage.php on line 25
This is the error on the next page

Code:
Warning: ldap_search() [function.ldap-search]: Search: Operations error in C:\wamp\www\MyIntranet\booking\plugins\Authentication\ActiveDirectory\classes\adLDAPUsers.php on line 238

Warning: ldap_get_entries(): supplied argument is not a valid ldap result resource in C:\wamp\www\MyIntranet\booking\plugins\Authentication\ActiveDirectory\classes\adLDAPUsers.php on line 239

Warning: Cannot modify header information - headers already sent by (output started at C:\wamp\www\MyIntranet\booking\plugins\Authentication\ActiveDirectory\classes\adLDAPUsers.php:238) in C:\wamp\www\MyIntranet\booking\Pages\Page.php on line 97


The log on the server shows that I logged on fine:
This is the log entry when I had the exact OU I am a member of
Code:
07/20/12 15:47:44,839 [1116] DEBUG default - Result of ActiveDirectory LDAP Authenticate for user me-username@mycollege.ac.uk: 1
07/20/12 15:47:44,852 [1116] DEBUG default - Logging in with user: me-username@mycollege.ac.uk
07/20/12 15:47:48,344 [1116] DEBUG default - Logout userId: 3
This is the log entry when I put o=mycollege.ac.uk
Code:
07/20/12 15:48:07,644 [1116] DEBUG default - Result of ActiveDirectory LDAP Authenticate for user me-username@mycollege.ac.uk: 1
07/20/12 15:48:07,658 [1116] DEBUG default - Logging in with user: me-username@mycollege.ac.uk
07/20/12 15:48:34,162 [1116] DEBUG default - Logout userId: 3
csjjpm
« Reply #11 on: July 23, 2012, 03:32:10 AM »


Hi,
  is anyone able to help me with my multiple OU problem?
Thanks
Paul
Nick
« Reply #12 on: July 23, 2012, 02:59:33 PM »

Very strange. It looks like it's logging you in then immediately logging you out. Can you send me an email directly? I'd like to try some things.

Nick
csjjpm
« Reply #13 on: July 24, 2012, 05:57:31 AM »

Hi Nick,
  I've emailed you directly.
Thanks
Paul
csjjpm
« Reply #14 on: July 25, 2012, 10:05:18 AM »


My basedn/searching multiple OU issue has been fixed by Nick. 

For those interested I've changed my basedn to:
Code:
$conf['settings']['basedn'] =  'DC=ds,DC=mycollege,DC=ac,DC=uk';   // 'ou=uidauthent,o=domain.com';   

Before that I tried o=mycollege.ac.uk, and that didn't work, as well as
Code:
$conf['settings']['basedn'] =  'OU=something,OU=Users,OU=MDH,OU=Staff,DC=ds,DC=mycollege,DC=ac,DC=uk';
 

I should have tried that myself ;-)

Thanks Nick
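Why the domain-root basedn in the post above works where the single-OU base and `o=mycollege.ac.uk` did not, and why the sub-OU question from the first post and Reply #6 is answered by choosing the base rather than by listing OUs: an LDAP search with subtree scope returns the base and everything beneath it, so a base at the domain root reaches every OU, a base at one OU reaches only that OU's descendants, and a base that is not an ancestor of any entry (as far as the DNs in this thread show, the forest has no `o=` naming context, which fits the "Operations error" in Reply #10) reaches nothing. The model below is an added example, not phpScheduleIt or adLDAP code, and talks to no directory; it reproduces the containment test offline against constructed DNs built from the OUs quoted in the thread.

```python
"""
Which entries does an LDAP search reach for a given basedn and scope?

Example code added to this thread; it is not phpScheduleIt or adLDAP code and
it talks to no directory. The DNs below are constructed from the OUs quoted in
the thread (MEC, ABC, Resources) and stand in for real accounts.
"""
import re
from typing import Dict, List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), both normalised to lower case


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (type, value) pairs, leaf first.

    Close enough to AD's DN matching for this model: types and values compare
    case-insensitively and whitespace around '=' and ',' is ignored; an escaped
    comma (\\,) inside a value does not split. Multi-valued RDNs (a+b=...) are
    not handled.
    """
    rdns: List[RDN] = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError(f"not an RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def in_scope(entry_dn: str, base_dn: str, scope: str = "subtree") -> bool:
    """True if entry_dn is returned by a search rooted at base_dn with scope."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    depth = len(entry) - len(base)          # how far below the base the entry sits
    if depth < 0 or entry[depth:] != base:  # base must be a suffix of the entry DN
        return False
    if scope == "base":
        return depth == 0
    if scope == "onelevel":                 # immediate children only, no sub-OUs
        return depth == 1
    if scope == "subtree":                  # the base and everything beneath it
        return True
    raise ValueError(f"unknown scope {scope!r}")


def find_users(directory: Dict[str, str], base_dn: str, scope: str = "subtree") -> List[str]:
    """Usernames from the constructed directory whose DN falls inside the search."""
    return sorted(user for user, dn in directory.items() if in_scope(dn, base_dn, scope))


# Constructed sample directory: two staff accounts in different sub-OUs of
# OU=Users,OU=MDH,OU=Staff and the bind account from the thread's AD config.
DIRECTORY: Dict[str, str] = {
    "medjpm":    "CN=medjpm,OU=MEC,OU=Users,OU=MDH,OU=Staff,DC=ds,DC=mycollege,DC=ac,DC=uk",
    "abc_user":  "CN=abc_user,OU=ABC,OU=Users,OU=MDH,OU=Staff,DC=ds,DC=mycollege,DC=ac,DC=uk",
    "LDAP-user": "CN=LDAP-user,OU=System Accounts,OU=ITADMIN,OU=IT,OU=Resources,DC=ds,DC=mycollege,DC=ac,DC=uk",
}

if __name__ == "__main__":
    for base, scope in [
        ("DC=ds,DC=mycollege,DC=ac,DC=uk", "subtree"),                                  # the fix from the last post
        ("OU=MEC,OU=Users,OU=MDH,OU=Staff,DC=ds,DC=mycollege,DC=ac,DC=uk", "subtree"),  # one OU and its children
        ("OU=Users,OU=MDH,OU=Staff,DC=ds,DC=mycollege,DC=ac,DC=uk", "onelevel"),        # misses the sub-OUs
        ("o=mycollege.ac.uk", "subtree"),                                               # ancestor of nothing here
    ]:
        print(f"{scope:8} {base:70} -> {find_users(DIRECTORY, base, scope)}")
```

The trade-off worth weighing before copying the fix: a domain-root base with an empty filter lets every account anywhere in the domain, service accounts included, authenticate to the application, so if only certain OUs should have access, restrict on the directory side or via the plugin's filter setting where it offers one. The one-level case in the example is the behaviour the first post was worried about: searched from `OU=Users,OU=MDH,OU=Staff`, it finds none of these users because they sit one OU further down.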