Adldap2 / Adldap2-Laravel

LDAP Authentication & Management for Laravel
MIT License

ActiveDirectory: Resolver returns instances of Entry, not User #805

Open Roemerb opened 5 years ago

Roemerb commented 5 years ago

Description:

Hi, my implementation of this library has been working fine for a little while, however, it suddenly stopped working. After a lot of debugging I found out that the underlying issue is that the Resolver is returning instances of \Adldap\Models\Entry instead of App\User. Upon discovering this, I double-checked my configuration, which seems to be correct. I'm using the library with ActiveDirectory. Here are the most important snippets of my conf.:

adldap_auth.php

return [
    'provider' => Adldap\Laravel\Auth\DatabaseUserProvider::class,
    'usernames' => [
        'ldap' => [
            'discover' => 'samaccountname',
            'authenticate' => 'dn', // NOTE: Also tried 'distinguishedname' here, same result
        ],
        'eloquent' => 'unumber', // This is the column in the database where the username is stored
    ],
    // not using password sync
    'sync_attributes' => [
        'wid'                       => 'uid',
        'email'                     => 'mail',
        'unumber'                   => 'samaccountname',
        'first_name'                => 'givenname',
        'last_name'                 => 'sn',
        'ldap_dn'                   => 'dn', // NOTE also tried 'distinguishedname' here
    ],
];

I have verified that the settings in config/adldap.php are correct. I can see that my admin user successfully logs in to the DC. I have also verified that the resolver is able to retrieve results, which indicates that my base DN is fine. It's just that it is for some reason not able to cast these to User instances? Finally, I've also checked that the object classes for my users in the ActiveDirectory DC are 'person' and 'inetorgperson'.

Would appreciate any suggestions on where to look next...

P.S. I know I'm not running the latest version of the library, but I've seen it work before. Due to platform limitations of our production environment, it'd be quite a pain in the backside to update, so if possible I'd like it to work on this version.

stevebauman commented 5 years ago

Hi @Roemerb,

The Resolver will always return Adldap models, not your App\User instance. Its job is to locate the user in your ActiveDirectory.

Default Entry models are returned when Adldap2 cannot detect the proper model instance from the returned LDAP entry's objectclass.

Have you changed your schema in your ldap.php file at all?

The query factory generates a filter on your LDAP server for entries that contain an objectclass of person and user.

https://github.com/Adldap2/Adldap2/blob/c229325583e93d051f0d343ee356e4836cce8f74/src/Query/Factory.php#L143-L148

Are you able to dump the Entry that is returned from the Resolver and take a peek into its objectclass to ensure it has both person and user?
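The check suggested above, as an added diagnostic that is not part of Adldap2, Adldap2-Laravel, or either participant's code: given the objectclass values of a dumped entry, it reports which of the classes the users() filter expects (assumed here to be the ActiveDirectory schema defaults person and user) are absent, so you can tell whether a generic Entry is the expected outcome. The sample objectclass lists are constructed, one mirroring the classes reported in this issue and one mirroring a typical ActiveDirectory account; the only library call it relies on is Model::getAttribute(), shown in a comment.

```php
<?php
// Added diagnostic (not Adldap2 code): does an entry's objectclass satisfy
// the person + user filter that Adldap2 uses to map an entry to a User model?
// LDAP attribute values are compared case-insensitively, as AD does.

/**
 * @param string[] $objectClasses values of the entry's objectclass attribute
 * @param string[] $required      classes the users() filter expects
 *                                (assumption: ActiveDirectory schema defaults)
 * @return string[] required classes that are missing; empty means the entry qualifies
 */
function missingUserObjectClasses(array $objectClasses, array $required = ['person', 'user']): array
{
    $have = array_map('strtolower', array_map('strval', $objectClasses));
    $missing = [];
    foreach ($required as $class) {
        if (!in_array(strtolower($class), $have, true)) {
            $missing[] = $class;
        }
    }
    return $missing;
}

// Constructed sample: the objectclasses reported in this issue.
$reported = ['person', 'inetOrgPerson'];
// Constructed sample: a typical ActiveDirectory user account.
$typicalAd = ['top', 'person', 'organizationalPerson', 'user'];

foreach (['reported in issue' => $reported, 'typical AD user' => $typicalAd] as $label => $classes) {
    $missing = missingUserObjectClasses($classes);
    echo $label, ': ', $missing
        ? 'missing ' . implode(', ', $missing) . ' (generic Entry expected)'
        : 'qualifies for the User model', PHP_EOL;
}

// With a live model (assumed usage; $entry is whatever the Resolver returned):
// $missing = missingUserObjectClasses($entry->getAttribute('objectclass') ?? []);
```

If the first sample's classes match what the production DC returns, the Entry result is the library behaving as designed rather than a casting bug: the filter requires both classes, and inetOrgPerson is not a substitute for user.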

stevebauman commented 5 years ago

Also, you mentioned it used to work fine and just recently started having issues. Is this only occurring with certain users? Are you able to login with other users just fine?

Roemerb commented 5 years ago

Hey @stevebauman, thanks for the reply. I have edited the schema in adldap.php to use ActiveDirectory, and I believe that's about it. When I dump the Entry instances I can see that I am retrieving results from the ActiveDirectory server, so I suppose that means that the connection itself is not the problem. Unfortunately, I am not able to access this production server until next Thursday, so I can't provide a dump of the objectclass at the moment. It does sound like that should be the problem though. Does the objectclass have to contain both person and user? Or just one of the two?

Thanks anyway, I'll come back to this on Thursday.