CiscoDevNet / iPSK-Manager

Identity PSK (IPSK) Manager for Cisco ISE provides an example of how to manage the full Life Cycle of Wi-Fi Pre Shared Keys for supported Hardware/Software through Cisco ISE.
Apache License 2.0

Not able to login with LDAPS #44

Closed Jumb0Fr4m3 closed 6 months ago

Jumb0Fr4m3 commented 6 months ago

After the latest install I am not able to login with LDAP(S) anymore. The error message I get is this:

PHP Notice: Undefined variable: authorizedGroups in /var/www/iPSK-Manager/adminportal/login.php on line 135, referer:

To reproduce: From login page: Type username and password and choose the configured LDAPS server as source. Click Sign In.

LDAPS connection is working. When clicking Test on the Connection name (under LDAP servers) it reports success.

ciesinsn commented 6 months ago

Is this a fresh installation or did you overwrite an existing one? I am able to login with LDAP(S) without any issue.

Jumb0Fr4m3 commented 6 months ago

This is an existing one I overwrote with git pull.

ciesinsn commented 6 months ago

When is the last time you did a pull? The login.php page you mentioned above hasn't been modified since commit d2abed2 which was a week ago. Are you sure you have your groups configured correctly and are a member of one allowed for admin portal management?

ciesinsn commented 6 months ago

I don't think that error you're seeing and posted in the issue is the crux of your issue. When I look at the code and line 135 you'd only hit that line if you failed an internal user login, not LDAP. Based on the code I'd expect that notice as the pull of authorized groups happens on line 92 but that wouldn't run if you hit line 135. So trying to put that variable in the log is an oversight because it hasn't been initialized.

https://github.com/CiscoDevNet/iPSK-Manager/blob/c33141109e95f29e5c5ef35de2e6ad659b053d87/adminportal/login.php#L90-L140

I'd double check everything in your environment for LDAP(S) as I can't reproduce an issue in my dev deployment as I mentioned.

Jumb0Fr4m3 commented 6 months ago

I'll try to do some more testing. The strange thing is that logging into Sponsor Portals is working fine with LDAPS. It's only the Admin Portal that is not working anymore.

Jumb0Fr4m3 commented 6 months ago

image

Did some testing. When using the Login.php from the version "php8 and other fixes", it is working. When I try to use the login.php from "SAML Admin Portal Support" I get the error. Not sure if that is helpful. Is there any more logging I can turn on to narrow it down?

ciesinsn commented 6 months ago

It's even more odd that you say the other portals are working as they should have the exact same code when it comes to LDAP login. The only difference is the other portals don't ask you what LDAP directory to login with. Both use the same LDAP class ipsk library code too.

Also, the difference between php8 and other fixes for login.php and SAML should be very minor from my memory but I can take a look just to see if anything stands out to me. The nested group change had more changes if I recall.

When you try and login and it doesn't work what is the URL at the top of the screen?

Jumb0Fr4m3 commented 6 months ago

https://x.x.x.x/index.php?error=3

ciesinsn commented 6 months ago

Can you also share a screenshot of the platform configuration general screen (the first one) and then a screenshot the settings table from the DB? For the settings table I'm mostly interested in the ldap-settings and saml-settings.

I did look, and there is minimal code change in login.php between the php8 and SAML commits. Also, I did look and the code changes are the same between the admin portal and sponsor portals for the login.php files.

ciesinsn commented 6 months ago

Oh, and I forgot, there is a logging table as well; can you dump out any logs from the time period? Don't think it will be much help for me, but just in case.

Jumb0Fr4m3 commented 6 months ago

Well, the problem is that the Platform Configuration is also broken after the update. That probably is another error. I only get a blank page when clicking on it. The admin-error log says:

[Thu May 02 15:30:34.873628 2024] [php7:error] [pid 5305] [client x.x.x.x:21729] PHP Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting '-' or identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in /var/www/iPSK-Manager/supportfiles/adminportals/modules/sysconfig/general.inc.php on line 97, referer: https://x.x.x.x/adminportal.php

Can you share the SQL command to get the necessary info from the DB?

ciesinsn commented 6 months ago

Did you copy your config.php someplace else before you did the git pull and put it back? It almost seems like you are missing files or some files didn't get updated right from a pull.

As for MySQL

Once on the DB CLI after logging in.

use <db name>; select * from settings;

Jumb0Fr4m3 commented 6 months ago

image

It doesn't look like the config.php has been changed since 2021.

-rw-r--r--. 1 apache apache 1250 Jan 15 2021 config.php

ciesinsn commented 6 months ago

What version of PHP are you running on your setup?

Jumb0Fr4m3 commented 6 months ago

seems to be PHP 7.2.34

ciesinsn commented 6 months ago

Any way you can bump that up to 8.x? I am wondering if this is the issue at hand, as that above error on the general.inc.php points to a line where I see comments about what's done there not working with PHP 7.2, and I wonder if maybe something else with login is PHP version related as well since I'm using PHP 8.x. May have to change what is mentioned as possible PHP versions if that is the case.

ciesinsn commented 6 months ago

Looks like for sure the general.inc.php error is related to PHP version, as this comment is what that line is doing, where it says PHP less than 7.3 will cause an error. This I can correct, but it now really has me wondering if the LDAP issue is also related to PHP version.

image

Jumb0Fr4m3 commented 6 months ago

Thanks. I will try to upgrade it to 8 tomorrow. Will let you know the outcome.

Jumb0Fr4m3 commented 6 months ago

I have upgraded to php8 but still get an error. But a new error line:

[Fri May 03 12:33:48.507569 2024] [php:warn] [pid 1960] [client 10.251.8.6:33859] PHP Warning: Trying to access array offset on value of type bool in /var/www/iPSK-Manager/adminportal/login.php on line 64, referer: https://x.x.x.x/index.php?error=3

[Fri May 03 12:33:48.520884 2024] [php:warn] [pid 1960] [client x.x.x.x:33859] PHP Warning: Undefined variable $authorizedGroups in /var/www/iPSK-Manager/adminportal/login.php on line 135, referer: https://x.x.x.x/index.php?error=3

Here's the screenshot of the Platform Configuration (probably working again after the upgrade to php8):

image

ciesinsn commented 6 months ago

Can you send me a photo of the groups page as well?

Jumb0Fr4m3 commented 6 months ago

image

ciesinsn commented 6 months ago

And I assume the user you are logging in with is a member of that 2nd group or the last group, and you're selecting the LDAP directory those groups are in when you login, correct? They are the only ones that would allow login to the admin portal as configured.

If the above is true can you go back to the portal configuration page and check the option for enable nested groups and then press update settings. Uncheck the box and then do update settings again. Logout and try and login again.

If you still have an issue do the same thing above but this time check use ldap for admin portal authorization in the SAML area as the item you check and uncheck.

Doing those steps will put some settings in that database table you sent the image of yesterday. Those settings are referenced in the login.php code for all portals.

Everything with the login should work without them and I verified in my setup it did yesterday, I'm curious though if this is what is causing the issue for you.

Jumb0Fr4m3 commented 6 months ago

Did what you suggested but still no success: My database got some extra columns added:

image

ciesinsn commented 6 months ago

Ok, good in a way as I expected it to not be hung up on that.

That line 135 error is time matched to when you try and login via ldap? You're sure of that? Can you tail your error log to make sure it does appear at the time of ldap login failure?

You'd only get to that line if doing a local login, not LDAP. The similar line you'd get to from an LDAP login is further down in the code.

That entire code block runs when the submitted login form has a value of 0 for the chosen user source in the drop down on the login page.

An error of 3 means unable to authenticate, bad user name or password.

Are you able to post the source html you see on your login screen?
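The two warnings in this thread (the "Undefined variable $authorizedGroups" notice ciesinsn traces to a log call on a branch that never assigns it, and the "Trying to access array offset on value of type bool" warning from the PHP 8 log) are both instances of the same defect class: a value that is only defined on one code path, or an array-or-false result used without a check. The following is an added illustration of the hardened shape, not code from iPSK-Manager; every name in it (authenticateLocal, authenticateLdap, loginHandler, $userSource, $adminGroupsByDirectory, the error code 4) is a hypothetical stand-in, the user data is constructed, and it needs PHP 8.0 or later for the `array|false` return types.

```php
<?php
// Added illustration only; not code from iPSK-Manager. All function and
// variable names here are hypothetical stand-ins for the shapes discussed
// in the thread. Requires PHP >= 8.0 for the array|false return types.

// Constructed local user store. Returns the account on success, false otherwise,
// the same array-or-false convention used by PHP's ldap_* and mysqli fetch functions.
function authenticateLocal(string $user, string $pass): array|false
{
    static $users = null;
    if ($users === null) {
        $users = ['admin' => ['hash' => password_hash('local-secret', PASSWORD_DEFAULT),
                              'groups' => ['admins']]];   // constructed fixture
    }
    if (!isset($users[$user]) || !password_verify($pass, $users[$user]['hash'])) {
        return false;
    }
    return ['username' => $user, 'groups' => $users[$user]['groups']];
}

// Constructed stand-in for an LDAP bind plus group lookup, keyed by directory id.
function authenticateLdap(int $serverId, string $user, string $pass): array|false
{
    $directories = [1 => ['jdoe' => ['pass' => 'ldap-secret',
                                     'groups' => ['wifi-admins', 'staff']]]];  // constructed fixture
    $entry = $directories[$serverId][$user] ?? null;
    if ($entry === null || !hash_equals($entry['pass'], $pass)) {
        return false;
    }
    return ['username' => $user, 'groups' => $entry['groups']];
}

// Hardened handler. $authorizedGroups and $account are initialised before the
// branch on user source, and the array-or-false result is checked before any
// offset is read. Returns 0 on success, 3 for a failed authentication (the
// meaning of error=3 given in the thread), or the hypothetical code 4 when the
// user authenticated but is in none of the groups allowed for the admin portal.
function loginHandler(int $userSource, string $user, string $pass, array $adminGroupsByDirectory): int
{
    $authorizedGroups = [];   // original shape: assigned only on the LDAP path, hence "Undefined variable" on the local path
    $account = false;

    if ($userSource === 0) {                      // 0 = internal user source on the login form
        $account = authenticateLocal($user, $pass);
        $authorizedGroups = ['admins'];
    } else {                                      // any other value = configured LDAP directory id
        $authorizedGroups = $adminGroupsByDirectory[$userSource] ?? [];
        $account = authenticateLdap($userSource, $user, $pass);
    }

    if ($account === false) {                     // original shape: $account['groups'] read here -> "array offset on value of type bool"
        error_log(sprintf('login failed source=%d user=%s authorized=%s',
            $userSource, $user, implode(',', $authorizedGroups)));
        return 3;
    }

    if (array_intersect($account['groups'], $authorizedGroups) === []) {
        error_log(sprintf('login denied: %s not in [%s]', $user, implode(',', $authorizedGroups)));
        return 4;
    }
    return 0;
}

// Exercise the local and LDAP paths with good and bad credentials and an unauthorized group set.
$adminGroups = [1 => ['wifi-admins']];
var_dump(loginHandler(0, 'admin', 'local-secret', $adminGroups));
var_dump(loginHandler(0, 'admin', 'wrong-password', $adminGroups));
var_dump(loginHandler(1, 'jdoe', 'ldap-secret', $adminGroups));
var_dump(loginHandler(1, 'jdoe', 'ldap-secret', [1 => ['some-other-group']]));
```

Running it with `php` prints the result of each call; the point is that none of the four paths emits a PHP warning, because every variable the log line touches exists on every path and the false result is handled before it is indexed. Separating "authentication failed" (3) from "authenticated but not authorized" (4) also makes a log review like the one in this thread quicker, since the two cases are no longer reported under one code.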

Jumb0Fr4m3 commented 6 months ago

The 135 does occur when I try to log on. I have verified that. I have verified that I get to that code both when I unsuccessfully try to log on locally and also when I try to log on through LDAPS.

Is this the html you're wanting?

<!doctype html>

iPSK Manager for Cisco ISE

iPSK Manager for Cisco ISE

Please Login

ciesinsn commented 6 months ago

Ok, think I figured it out as I was just staring at the code. Doesn't help that I was using the same password for a local user and LDAP user and didn't think about that. I'll provide a new login.php for you to test in a bit.

ciesinsn commented 6 months ago

If you go to the ui-refresh-sponsor-portal branch and pull the login.php from that branch I think it should work. You can also pull the entire branch if you want.

Jumb0Fr4m3 commented 6 months ago

Thanks. Now it's working perfectly again. Thanks for the great help on this.

ciesinsn commented 6 months ago

Glad to hear, wish I wasn't as blind at the beginning :)

ciesinsn commented 6 months ago

@Jumb0Fr4m3 You may want to do a new pull. I noticed in one of your images above an alignment issue but didn't know if it was just your browser window size. I experienced the issue myself and realized there was an alignment issue under certain conditions. I fixed it, so if you pull again your admin screens will line up right :)