Adldap2 / Adldap2-Laravel

LDAP Authentication & Management for Laravel
MIT License

LDAP Query in wrong node #648

Closed needgethelp closed 5 years ago

needgethelp commented 5 years ago

Description: Hello everybody,

I am quite new to the topic of Laravel and LDAP. I installed adldap2 as described in a completely fresh Laravel environment and now struggle with the LDAP configuration.

I also noticed that when I import the users from this node, I can only sync "cn" or "userprincipalname" but no other attributes from the user.

Can anybody guess where this behaviour comes from? Or is there any possibility of seeing what exactly is queried from the Active Directory?

Any idea would be helpful! Thanks.

stevebauman commented 5 years ago

Hi @needgethelp, I'd be glad to help you get up and running!

First, your configured base_dn should be set to the base distinguished name of your LDAP directory. For example, if I have a user whose distinguished name is:

cn=John Doe,ou=Accounting,dc=corp,dc=acme,dc=org

The base DN of your directory would be exactly:

dc=corp,dc=acme,dc=org

If you performed a standard LDAP search with the above base DN, everything from your directory would be returned, including computers, users, contacts etc.

You want to set your base DN to something that encompasses all the users who you need to authenticate. So if you have an Organizational Unit named Accounting and you only want users from that OU to authenticate, then you would set your base DN to ou=Accounting,dc=corp,dc=acme,dc=org.

Most of the time however, it's safe to leave your base DN to the true base of your directory.

In regards to your other question about synchronizing other user attributes, you will need to add them into the configured sync_attributes array that is published to your config/ldap_auth.php file. But keep in mind that if you add extra attributes to synchronize, these attributes will need to be added into your database migration file so you can synchronize them into your users database table - otherwise you'll receive an exception upon synchronization because the columns won't exist in your database table.

I hope this answered some of your questions, but feel free to let me know what else you require, or if the above resolves your issue so I can close this out.

Thanks!
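
To check that an account's DN really falls under the base DN you configured before relying on base_dn as an authentication boundary, here is an added example in plain PHP (not part of Adldap2 or of this thread); the DN values are constructed from the example above.

```php
<?php
// Added example (not Adldap2's own code): test whether an entry's DN lies under
// a configured base DN, tolerating the case and whitespace differences that
// RFC 4514 DN comparison allows.

/** Split a DN into normalised "attr=value" RDNs, honouring escaped commas. */
function splitDn(string $dn): array
{
    // Split on commas that are not preceded by a backslash (escaped commas).
    $parts = preg_split('/(?<!\\\\),/', $dn);
    return array_map(function (string $rdn): string {
        // Normalise "OU = Accounting" -> "ou=accounting"; most AD naming
        // attributes use case-insensitive matching, so lowercase both sides.
        [$attr, $value] = array_map('trim', explode('=', $rdn, 2) + [1 => '']);
        return strtolower($attr) . '=' . strtolower($value);
    }, $parts);
}

/** True when $dn is $baseDn itself or sits beneath it in the tree. */
function dnIsUnder(string $dn, string $baseDn): bool
{
    $dnParts   = splitDn($dn);
    $baseParts = splitDn($baseDn);
    if (count($baseParts) > count($dnParts)) {
        return false;
    }
    // The base DN must equal the trailing RDNs of the entry's DN, in order.
    return array_slice($dnParts, -count($baseParts)) === $baseParts;
}

// Constructed sample values taken from the example DN in this thread.
$userDn = 'cn=John Doe,ou=Accounting,dc=corp,dc=acme,dc=org';

$checks = [
    'directory root'        => 'dc=corp,dc=acme,dc=org',
    'Accounting OU, mixed'  => 'OU=Accounting, DC=corp,DC=acme,DC=org',
    'unrelated Sales OU'    => 'ou=Sales,dc=corp,dc=acme,dc=org',
    'malformed RDN (no =)'  => 'ou Accounting,dc=corp,dc=acme,dc=org',
];

foreach ($checks as $label => $base) {
    printf("%-22s %s\n", $label, dnIsUnder($userDn, $base) ? 'in scope' : 'out of scope');
}
```

A base DN with a malformed RDN matches nothing, which shows up as an empty result set rather than an error, so this kind of check is worth running against a known user DN when a search unexpectedly returns no accounts.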

needgethelp commented 5 years ago

Hi Steve,

thank you for your answer.

I did set the BaseDN on the lowest level, in your example ou Accounting,dc=corp,dc=acme,dc=org, and I don't get any accounts back. The only way to get some users is currently to set it on dc=acme,dc=org, and by this I run into a specific deep node that gives me at least a few users.

Is there a limit on the number of items that can come from the AD for adldap? And is there a possibility to see what exactly is queried from the AD?

Here is my adldap.php:

```php
<?php

return [
    'connections' => [
        'default' => [
            'auto_connect' => true,
            'connection' => Adldap\Connections\Ldap::class,
            'schema' => Adldap\Schemas\ActiveDirectory::class,

            'connection_settings' => [

                'account_prefix' => env('ADLDAP_ACCOUNT_PREFIX', ''),
                'account_suffix' => env('ADLDAP_ACCOUNT_SUFFIX', ''),

                'domain_controllers' => explode(' ', env('ADLDAP_CONTROLLERS', 'TEST123')),
                'port' => env('ADLDAP_PORT', 389),
                'timeout' => env('ADLDAP_TIMEOUT', 3),
                'base_dn' => env('ADLDAP_BASEDN', 'OU=EEE,OU=DDD,OU=CCC,OU=BBB,DC=AAA,DC=local'),

                'admin_account_suffix' => env('ADLDAP_ADMIN_ACCOUNT_SUFFIX', 'CN=USERCN,OU=XXX,OU=DDD,OU=CCC,OU=BBB,DC=AAA,DC=local'),
                'admin_username' => env('ADLDAP_ADMIN_USERNAME', ''),
                'admin_password' => env('ADLDAP_ADMIN_PASSWORD', 'PASSWORD'),

                'follow_referrals' => false,
                'use_ssl' => false,
                'use_tls' => false,
            ],
        ],
    ],
];
```

stevebauman commented 5 years ago

> Is there a limit on the number of items that can come from the AD for adldap?

The default limit is 1000 on most ActiveDirectory installs.

> And is there a possibility to see what exactly is queried from the AD?

Definitely. You could also check your Laravel log as all login attempts with the Adldap2 auth driver are logged there:

```
[2018-12-03 12:41:37] local.INFO: User 'Steve Bauman' has been successfully found for authentication.
[2018-12-03 12:41:37] local.INFO: User 'Steve Bauman' is being synchronized.
[2018-12-03 12:41:37] local.INFO: User 'Steve Bauman' has been successfully synchronized.
[2018-12-03 12:41:37] local.INFO: User 'Steve Bauman' is authenticating with username: 'sbauman@acme.org'
[2018-12-03 12:41:37] local.INFO: User 'Steve Bauman' has successfully passed LDAP authentication.
[2018-12-03 12:41:37] local.INFO: User 'Steve Bauman' has been successfully logged in.
```

You can query your LDAP server via:

```php
use Adldap\Laravel\Facades\Adldap;

// Runs the schema's user search under the configured base_dn
$users = Adldap::search()->users()->get();

dd($users);
```

And you can also see which users are available for import via the import command:

```
php artisan adldap:import

 Would you like to display the user(s) to be imported / synchronized? (yes/no) [no]:
 > y

+------------------------------+----------------------+----------------------------------------------+
| Name                         | Account Name         | UPN                                          |
+------------------------------+----------------------+----------------------------------------------+
| John Doe                     | johndoe              | johndoe@email.com                            |
| Jane Doe                     | janedoe              | janedoe@email.com                            |
+------------------------------+----------------------+----------------------------------------------+
```

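
As an added example (not Adldap2's own code, nor from this thread) of seeing exactly what is sent to the server and of reading past the 1000-entry default, this assumes the Adldap2 query builder methods in(), select(), getQuery() and paginate(), the Paginator's getResults(), the model's getDistinguishedName(), and Laravel's Log facade; the OU is a constructed value.

```php
<?php
// Added example (not from the Adldap2 project): log the compiled LDAP filter,
// scope one query to a single OU, and page through results so that a
// directory's 1000-entry size limit does not silently truncate the import.
// Assumed API: Builder::in(), select(), getQuery(), paginate();
// Paginator::getResults(); Model::getDistinguishedName().

use Adldap\Laravel\Facades\Adldap;
use Illuminate\Support\Facades\Log;

// Constructed example base DN; replace with an OU from your own directory.
$scope = 'ou=Accounting,dc=corp,dc=acme,dc=org';

$query = Adldap::search()
    ->users()                      // applies the schema's user object filter
    ->in($scope)                   // override the configured base_dn for this query
    ->select(['cn', 'samaccountname', 'userprincipalname', 'mail']);

// The compiled filter is what the directory is actually asked; logging it
// answers "what exactly is queried" without a packet capture.
Log::info('LDAP search', ['base' => $scope, 'filter' => $query->getQuery()]);

// paginate() sends the paged-results control so AD hands back results in
// pages of 500 instead of stopping at its MaxPageSize (1000 by default).
$paginator = $query->paginate(500);

$dns = [];
foreach ($paginator->getResults() as $user) {
    $dns[] = $user->getDistinguishedName();
}

// A count far below what you expect points at the scope, not at a limit.
Log::info(sprintf('%d users returned under %s', count($dns), $scope));
```
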
needgethelp commented 5 years ago

Hi Steve,

thank you. I did a completely fresh installation and followed the installation instructions exactly. I don't know what was wrong but now it works. Thank you for your help and of course for building this perfect package.

stevebauman commented 5 years ago

Great! I'm glad you were able to resolve your issue.

Also thanks so much for your kind words! :smile: