Adldap2 / Adldap2-Laravel

LDAP Authentication & Management for Laravel
MIT License

Cannot authenticate to OpenLDAP (These credentials do not match our records.) #280

Open ArturKami opened 7 years ago

ArturKami commented 7 years ago

Description:

Hi, I've been trying to authenticate users to OpenLDAP with your package for about a week, and I've read all the issues before mine with no luck.

What I managed to accomplish is to connect to LDAP and get users by typing this at the top of routes: `dd(Adldap::search()->where('cn', '=', 'Artur Kamiński')->get());` but when I try auth it returns "false":

```php
$mail = 'a.kaminski';
$password = '**';

dd(Adldap::auth()->attempt($mail, $password));
```

One important thing: my email is different from my domain, I think that matters. I hope you can help me, thank you in advance!!

This is my config

adldap_auth.php

```php
<?php

return [

/*
|--------------------------------------------------------------------------
| Connection
|--------------------------------------------------------------------------
|
| The LDAP connection to use for laravel authentication.
|
| You must specify connections in your `config/adldap.php` configuration file.
|
| This must be a string.
|
*/

'connection' => env('ADLDAP_CONNECTION', 'default'),

/*
|--------------------------------------------------------------------------
| Provider
|--------------------------------------------------------------------------
|
| The LDAP authentication provider to use depending
| if you require database synchronization.
|
| For synchronizing LDAP users to your local applications database, use the provider:
|
| Adldap\Laravel\Auth\DatabaseUserProvider::class
|
| Otherwise, if you just require LDAP authentication, use the provider:
|
| Adldap\Laravel\Auth\NoDatabaseUserProvider::class
|
*/

'provider' => Adldap\Laravel\Auth\DatabaseUserProvider::class,

/*
|--------------------------------------------------------------------------
| Resolver
|--------------------------------------------------------------------------
|
| The resolver that locates users from your LDAP server.
|
| Custom resolvers must implement the following interface:
|
|   Adldap\Laravel\Auth\ResolverInterface
|
*/

'resolver' => Adldap\Laravel\Auth\Resolver::class,

/*
|--------------------------------------------------------------------------
| Importer
|--------------------------------------------------------------------------
|
| The importer that imports LDAP users into your local database.
|
| Custom importers must implement the following interface:
|
|   Adldap\Laravel\Auth\ImporterInterface
|
*/

'importer' => Adldap\Laravel\Auth\Importer::class,

/*
|--------------------------------------------------------------------------
| Rules
|--------------------------------------------------------------------------
|
| Rules allow you to control user authentication requests depending on scenarios.
|
| You can create your own rules and insert them here.
|
| All rules must extend from the following class:
|
|   Adldap\Laravel\Validation\Rules\Rule
|
*/

'rules' => [

    // Denies deleted users from authenticating.

    Adldap\Laravel\Validation\Rules\DenyTrashed::class,

    // Allows only manually imported users to authenticate.

    // Adldap\Laravel\Validation\Rules\OnlyImported::class,

],

/*
|--------------------------------------------------------------------------
| Scopes
|--------------------------------------------------------------------------
|
| Scopes allow you to restrict the LDAP query that locates
| users upon import and authentication.
|
| All scopes must implement the following interface:
|
|   Adldap\Laravel\Scopes\ScopeInterface
|
*/

'scopes' => [

    // Only allows users with a user principal name to authenticate.

    Adldap\Laravel\Scopes\UpnScope::class,

],

'usernames' => [

    /*
    |--------------------------------------------------------------------------
    | LDAP
    |--------------------------------------------------------------------------
    |
    | This is the LDAP users attribute that you use to authenticate
    | against your LDAP server. This is usually the users
    | 'sAMAccountName' / 'userprincipalname' attribute.
    |
    | If you'd like to use their username to login instead, insert `samaccountname`.
    |
    */

    'ldap' => 'uid',

    /*
    |--------------------------------------------------------------------------
    | Eloquent
    |--------------------------------------------------------------------------
    |
    | This is the attribute that is used for locating
    | and storing the LDAP username above.
    |
    | If you're using a `username` field instead, change this to `username`.
    |
    | This option is only applicable to the DatabaseUserProvider.
    |
    */

    'eloquent' => 'username',

],

/*
|--------------------------------------------------------------------------
| Login Fallback
|--------------------------------------------------------------------------
|
| The login fallback option allows you to login as a user located on the
| local database if active directory authentication fails.
|
| Set this to true if you would like to enable it.
|
| This option must be true or false and is only
| applicable to the DatabaseUserProvider.
|
*/

'login_fallback' => env('ADLDAP_LOGIN_FALLBACK', false),

/*
|--------------------------------------------------------------------------
| Password Sync
|--------------------------------------------------------------------------
|
| The password sync option allows you to automatically synchronize
| users AD passwords to your local database. These passwords are
| hashed natively by laravel using the bcrypt() method.
|
| Enabling this option would also allow users to login to their
| accounts using the password last used when an AD connection
| was present.
|
| If this option is disabled, the local user account is applied
| a random 16 character hashed password, and will lose access
| to this account upon loss of AD connectivity.
|
| This option must be true or false and is only applicable
| to the DatabaseUserProvider.
|
*/

'password_sync' => env('ADLDAP_PASSWORD_SYNC', true),

/*
|--------------------------------------------------------------------------
| Windows Auth Attribute
|--------------------------------------------------------------------------
|
| This array represents how a user is found when
| utilizing the Adldap Windows Auth Middleware.
|
| The key of the array represents the attribute that the user is located by.
|
|     For example, if 'samaccountname' is the key, then your LDAP server is
|     queried for a user with the 'samaccountname' equal to the value of
|     $_SERVER['AUTH_USER'].
|
|     If a user is found, they are imported (if using the DatabaseUserProvider)
|     into your local database, then logged in.
|
| The value of the array represents the 'key' of the $_SERVER
| array to pull the users username from.
|
|    For example, $_SERVER['AUTH_USER'].
|
| This must be an array with a key - value pair.
|
*/

'windows_auth_attribute' => ['samaccountname' => 'AUTH_USER'],

/*
|--------------------------------------------------------------------------
| Sync Attributes
|--------------------------------------------------------------------------
|
| Attributes specified here will be added / replaced on the user model
| upon login, automatically synchronizing and keeping the attributes
| up to date.
|
| The array key represents the Laravel model key, and the value
| represents the users LDAP attribute.
|
| This option must be an array and is only applicable
| to the DatabaseUserProvider.
|
*/

'sync_attributes' => [

    // 'username' => 'uid',
    // 'name' => 'cn',

],

];
```

login.blade.php

```blade
@extends('layouts.app')

@section('content')

Login
{{ csrf_field() }}
@if ($errors->has('username')) {{ $errors->first('username') }} @endif
@if ($errors->has('password')) {{ $errors->first('password') }} @endif

@endsection
```

adldap.php

```php
<?php

return [

/*
|--------------------------------------------------------------------------
| Connections
|--------------------------------------------------------------------------
|
| This array stores the connections that are added to Adldap. You can add
| as many connections as you like.
|
| The key is the name of the connection you wish to use and the value is
| an array of configuration settings.
|
*/

'connections' => [

    'default' => [

        /*
        |--------------------------------------------------------------------------
        | Auto Connect
        |--------------------------------------------------------------------------
        |
        | If auto connect is true, Adldap will try to automatically connect to
        | your LDAP server in your configuration. This allows you to assume
        | connectivity rather than having to connect manually
        | in your application.
        |
        | If this is set to false, you must connect manually before running
        | LDAP operations.
        |
        */

        'auto_connect' => true,

        /*
        |--------------------------------------------------------------------------
        | Connection
        |--------------------------------------------------------------------------
        |
        | The connection class to use to run raw LDAP operations on.
        |
        | Custom connection classes must implement:
        |  \Adldap\Connections\ConnectionInterface
        |
        */

        'connection' => Adldap\Connections\Ldap::class,

        /*
        |--------------------------------------------------------------------------
        | Schema
        |--------------------------------------------------------------------------
        |
        | The schema class to use for retrieving attributes and generating models.
        |
        | You can also set this option to `null` to use the default schema class.
        |
        | Custom schema classes must implement \Adldap\Schemas\SchemaInterface
        |
        */

        'schema' => Adldap\Schemas\ActiveDirectory::class,

        /*
        |--------------------------------------------------------------------------
        | Connection Settings
        |--------------------------------------------------------------------------
        |
        | This connection settings array is directly passed into the Adldap constructor.
        |
        | Feel free to add or remove settings you don't need.
        |
        */

        'connection_settings' => [

            /*
            |--------------------------------------------------------------------------
            | Account Prefix
            |--------------------------------------------------------------------------
            |
            | The account prefix option is the prefix of your user accounts in AD.
            |
            | This string is prepended to authenticating users usernames.
            |
            */

            'account_prefix' => env('ADLDAP_ACCOUNT_PREFIX', ''),

            /*
            |--------------------------------------------------------------------------
            | Account Suffix
            |--------------------------------------------------------------------------
            |
            | The account suffix option is the suffix of your user accounts in AD.
            |
            | This string is appended to authenticating users usernames.
            |
            */

            'account_suffix' => env('ADLDAP_ACCOUNT_SUFFIX', ''),

            /*
            |--------------------------------------------------------------------------
            | Domain Controllers
            |--------------------------------------------------------------------------
            |
            | The domain controllers option is an array of servers located on your
            | network that serve Active Directory. You can insert as many servers or
            | as little as you'd like depending on your forest (with the
            | minimum of one of course).
            |
            | These can be IP addresses of your server(s), or the host name.
            |
            */

            'domain_controllers' => explode(' ', env('ADLDAP_CONTROLLERS', '')),

            /*
            |--------------------------------------------------------------------------
            | Port
            |--------------------------------------------------------------------------
            |
            | The port option is used for authenticating and binding to your AD server.
            |
            */

            'port' => env('ADLDAP_PORT', 389),

            /*
            |--------------------------------------------------------------------------
            | Timeout
            |--------------------------------------------------------------------------
            |
            | The timeout option allows you to configure the amount of time in
            | seconds that your application waits until a response
            | is received from your LDAP server.
            |
            */

            'timeout' => env('ADLDAP_TIMEOUT', 5),

            /*
            |--------------------------------------------------------------------------
            | Base Distinguished Name
            |--------------------------------------------------------------------------
            |
            | The base distinguished name is the base distinguished name you'd
            | like to perform query operations on. An example base DN would be:
            |
            |        dc=corp,dc=acme,dc=org
            |
            | A correct base DN is required for any query results to be returned.
            |
            */

            'base_dn' => env('ADLDAP_BASEDN', ''),

            /*
            |--------------------------------------------------------------------------
            | Administrator Account Suffix
            |--------------------------------------------------------------------------
            |
            | This option allows you to set a different account suffix for your
            | configured administrator account upon binding.
            |
            | If left empty, your `account_suffix` option will be used.
            |
            */
            'admin_account_prefix' => env('ADLDAP_ADMIN_ACCOUNT_PREFIX', ''),

            'admin_account_suffix' => env('ADLDAP_ADMIN_ACCOUNT_SUFFIX', ''),

            /*
            |--------------------------------------------------------------------------
            | Administrator Username & Password
            |--------------------------------------------------------------------------
            |
            | When connecting to your AD server, a username and password is required
            | to be able to query and run operations on your server(s). You can
            | use any user account that has these permissions. This account
            | does not need to be a domain administrator unless you
            | require changing and resetting user passwords.
            |
            */

            'admin_username' => env('ADLDAP_ADMIN_USERNAME', ''),
            'admin_password' => env('ADLDAP_ADMIN_PASSWORD', ''),

            /*
            |--------------------------------------------------------------------------
            | Follow Referrals
            |--------------------------------------------------------------------------
            |
            | The follow referrals option is a boolean to tell active directory
            | to follow a referral to another server on your network if the
            | server queried knows the information you're asking for exists,
            | but does not yet contain a copy of it locally.
            |
            | This option is defaulted to false.
            |
            */

            'follow_referrals' => false,

            /*
            |--------------------------------------------------------------------------
            | SSL & TLS
            |--------------------------------------------------------------------------
            |
            | If you need to be able to change user passwords on your server, then an
            | SSL or TLS connection is required. All other operations are allowed
            | on unsecured protocols.
            |
            | One of these options is definitely recommended if you
            | have the ability to connect to your server securely.
            |
            */

            'use_ssl' => false,
            'use_tls' => false,

        ],

    ],

],

];
```

auth.php

```php
<?php

return [

/*
|--------------------------------------------------------------------------
| Authentication Defaults
|--------------------------------------------------------------------------
|
| This option controls the default authentication "guard" and password
| reset options for your application. You may change these defaults
| as required, but they're a perfect start for most applications.
|
*/

'defaults' => [
    'guard' => 'web',
    'passwords' => 'users',
],

/*
|--------------------------------------------------------------------------
| Authentication Guards
|--------------------------------------------------------------------------
|
| Next, you may define every authentication guard for your application.
| Of course, a great default configuration has been defined for you
| here which uses session storage and the Eloquent user provider.
|
| All authentication drivers have a user provider. This defines how the
| users are actually retrieved out of your database or other storage
| mechanisms used by this application to persist your user's data.
|
| Supported: "session", "token"
|
*/

'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],

    'api' => [
        'driver' => 'token',
        'provider' => 'users',
    ],
],

/*
|--------------------------------------------------------------------------
| User Providers
|--------------------------------------------------------------------------
|
| All authentication drivers have a user provider. This defines how the
| users are actually retrieved out of your database or other storage
| mechanisms used by this application to persist your user's data.
|
| If you have multiple user tables or models you may configure multiple
| sources which represent each model / table. These sources may then
| be assigned to any extra authentication guards you have defined.
|
| Supported: "database", "eloquent"
|
*/

'providers' => [
    'users' => [
        'driver' => 'adldap',
        'model' => App\User::class,
    ],

    // 'users' => [
    //     'driver' => 'database',
    //     'table' => 'users',
    // ],
],

/*
|--------------------------------------------------------------------------
| Resetting Passwords
|--------------------------------------------------------------------------
|
| You may specify multiple password reset configurations if you have more
| than one user table or model in the application and you want to have
| separate password reset settings based on the specific user types.
|
| The expire time is the number of minutes that the reset token should be
| considered valid. This security feature keeps tokens short-lived so
| they have less time to be guessed. You may change this as needed.
|
*/

'passwords' => [
    'users' => [
        'provider' => 'users',
        'table' => 'password_resets',
        'expire' => 60,
    ],
],

];
```

.env

```dotenv
ADLDAP_ACCOUNT_PREFIX='uid='
ADLDAP_ACCOUNT_SUFFIX='dc=regio,dc=local'
ADLDAP_CONTROLLERS='xx.xx.xx.xx'
ADLDAP_BASEDN='dc=regio,dc=local'
ADLDAP_ADMIN_ACCOUNT_PREFIX='cn='
ADLDAP_ADMIN_ACCOUNT_SUFFIX='dc=regio,dc=local'
ADLDAP_ADMIN_USERNAME='cuser,'
ADLDAP_ADMIN_PASSWORD=xxxxxxx
```

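A check worth running before blaming the library: compose the bind DN exactly the way the config comments above describe (`account_prefix` is prepended to the username and `account_suffix` appended to it) and look at what the server is actually asked to bind as. The script below is an added example, not Adldap2 code; it assumes only that plain concatenation, and uses the `.env` values from this issue as constructed input. With those values the user DN comes out as `uid=a.kaminskidc=regio,dc=local`, with no comma between the RDN and the base, while the admin DN is well-formed only because `ADLDAP_ADMIN_USERNAME` carries a trailing comma. A suffix of `,dc=regio,dc=local` (leading comma) produces a parseable DN.

```python
"""Compose and sanity-check the bind DN that account_prefix / account_suffix produce.

Added example, not Adldap2 code. It assumes what the config comments on the
page state: the prefix is prepended and the suffix appended to the username
being authenticated, and the result is the DN the LDAP server is asked to bind as.
"""
from __future__ import annotations

import re

# Constructed sample: the .env values from the issue (admin password omitted).
ENV = {
    "ADLDAP_ACCOUNT_PREFIX": "uid=",
    "ADLDAP_ACCOUNT_SUFFIX": "dc=regio,dc=local",
    "ADLDAP_ADMIN_ACCOUNT_PREFIX": "cn=",
    "ADLDAP_ADMIN_ACCOUNT_SUFFIX": "dc=regio,dc=local",
    "ADLDAP_ADMIN_USERNAME": "cuser,",
}

# One RDN of a simple DN: attribute type, '=', then a value containing no
# unescaped ',' or '=' (a second '=' inside a value is the tell-tale of a
# missing separator between RDNs).
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=(?:[^,=\\]|\\.)+$")


def compose_bind_dn(prefix: str, username: str, suffix: str) -> str:
    """Plain string concatenation, as the page's config comments describe."""
    return f"{prefix}{username}{suffix}"


def dn_problems(dn: str) -> list[str]:
    """Return the reasons a DN looks malformed; an empty list means it parses."""
    problems = []
    # Split on commas that are not escaped with a backslash.
    for rdn in re.split(r"(?<!\\),", dn):
        if not _RDN.match(rdn):
            problems.append(f"bad RDN {rdn!r}")
    return problems


def check_env(env: dict, username: str) -> dict:
    """Compose both DNs the configuration would bind with and report problems."""
    user_dn = compose_bind_dn(
        env["ADLDAP_ACCOUNT_PREFIX"], username, env["ADLDAP_ACCOUNT_SUFFIX"]
    )
    admin_dn = compose_bind_dn(
        env["ADLDAP_ADMIN_ACCOUNT_PREFIX"],
        env["ADLDAP_ADMIN_USERNAME"],
        env["ADLDAP_ADMIN_ACCOUNT_SUFFIX"],
    )
    return {
        "user_dn": user_dn,
        "user_problems": dn_problems(user_dn),
        "admin_dn": admin_dn,
        "admin_problems": dn_problems(admin_dn),
    }


if __name__ == "__main__":
    report = check_env(ENV, "a.kaminski")
    for key, value in report.items():
        print(f"{key}: {value}")
</test>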

ArturKami commented 7 years ago

I managed to get users by: `$models = Adldap::search()->all(); dd($models);`

I got this: [image]

But when I try `$users = Adldap::search()->users()->get(); dd($users);` I get an empty array: [image]

ArturKami commented 7 years ago

I changed the schema in config/adldap.php from `'schema' => Adldap\Schemas\ActiveDirectory::class,` to `'schema' => Adldap\Schemas\OpenLDAP::class,`

and searching:

```php
$users = Adldap::search()->users()->get(); dd($users);
```

works:

[image]

stevebauman commented 7 years ago

Hi @ArturKami,

First thing, you need to switch schemas in your configuration from:

```php
'Schema' => Adldap\Schemas\ActiveDirectory::class,
```

To:

```php
'Schema' => Adldap\Schemas\OpenLDAP::class,
```

There may be more issues, but I'm currently on my cellphone so I'll take another look in a moment.

ArturKami commented 7 years ago

Thank you for your response !!

I changed the schema in config/adldap.php from `'schema' => Adldap\Schemas\ActiveDirectory::class,` to `'schema' => Adldap\Schemas\OpenLDAP::class,`

and searching:

```php
$users = Adldap::search()->users()->get(); dd($users);
```

now works:

[image]

But `dd(Adldap::auth()->attempt('a.kaminski', '*********'));` returns false and localhost/login returns "These credentials do not match our records."

strozzascotte commented 7 years ago

Try commenting out the scope in your adldap_auth.php. It worked for me with a similar setup.

```php
// Adldap\Laravel\Scopes\UpnScope::class,
```
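Why a scope can turn a valid password into "These credentials do not match our records": scopes narrow the query that locates the user before any bind is attempted, so if the scope filters the account out, the provider never reaches the password check. The model below is an added example, not Adldap2 code; the assumption (mine, not stated in the thread) is that `UpnScope` keeps only entries carrying a `userprincipalname` attribute, which Active Directory accounts have and a plain OpenLDAP `inetOrgPerson` entry does not. The entries are constructed samples, and the lookup attribute is `uid`, matching the `usernames.ldap` setting in the issue's config.

```python
"""Model of how an authentication scope hides an OpenLDAP user from the resolver.

Added example, not Adldap2 code. Assumes UpnScope == "entry must have a
userprincipalname attribute"; directory entries below are constructed samples.
"""
from __future__ import annotations

# Constructed sample entries (attribute names lower-cased, as LDAP clients
# commonly return them). The AD entry has a UPN; the OpenLDAP one does not.
AD_ENTRY = {
    "dn": "CN=Jane Doe,OU=Users,DC=corp,DC=example",
    "objectclass": ["top", "person", "user"],
    "samaccountname": ["jdoe"],
    "userprincipalname": ["jdoe@corp.example"],
}
OPENLDAP_ENTRY = {
    "dn": "uid=a.kaminski,dc=regio,dc=local",
    "objectclass": ["top", "inetOrgPerson"],
    "uid": ["a.kaminski"],
    "cn": ["Artur Kamiński"],
}


def upn_scope(entry: dict) -> bool:
    """Assumed behaviour of UpnScope: keep only entries with a userprincipalname."""
    return bool(entry.get("userprincipalname"))


def find_user(entries, attribute: str, value: str, scopes=()):
    """Locate the single entry whose `attribute` equals `value` after applying
    every scope. Returns None when nothing matches; that is the situation that
    ends in 'These credentials do not match our records.'"""
    matches = [
        e for e in entries
        if value in e.get(attribute, []) and all(scope(e) for scope in scopes)
    ]
    return matches[0] if len(matches) == 1 else None


def simulate_login(entries, username: str, scopes=()):
    """Return the DN the provider would bind as, or None if the lookup failed.

    Uses 'uid' as the lookup attribute, the `usernames.ldap` value in the issue.
    """
    user = find_user(entries, "uid", username, scopes)
    return user["dn"] if user else None


if __name__ == "__main__":
    directory = [AD_ENTRY, OPENLDAP_ENTRY]
    print("with UpnScope:   ", simulate_login(directory, "a.kaminski", [upn_scope]))
    print("without UpnScope:", simulate_login(directory, "a.kaminski"))
```

The takeaway for the defender is that a scope is an allow-list on who may authenticate, so rather than dropping it altogether, pick a scope whose attribute the directory actually populates (for OpenLDAP, an objectClass or group membership check) so the lookup stays narrow.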

anthonycalderon commented 7 years ago

Where do I look for this, friend? `$users = Adldap::search()->users()->get(); dd($users);`

ArturKami commented 7 years ago

Hey @strozzascotte, thanks for the hint, but that didn't help solve the problem :(

ArturKami commented 7 years ago

Hey @anthonycalderon, I don't speak Spanish my friend, but thanks to Google Translate: "Where am I looking for this friend" :P

Answer is: I put

```php
$users = Adldap::search()->users()->get(); dd($users);
```

in routes->web.php to find out if auth is working, and it returns

[image]