DirectoryTree / LdapRecord-Laravel

Multi-domain LDAP Authentication & Management for Laravel.
https://ldaprecord.com/docs/laravel/v3
MIT License

[Bug] Can't authenticate with fortify? #264

Closed zack6849 closed 3 years ago

zack6849 commented 3 years ago

I'm unable to get authentication working. I can see from the logs that it's running a search, but it doesn't throw an error or a success; it just says my creds are wrong on the frontend.

I don't get much useful back:

[2021-04-13 18:24:17] local.INFO: LDAP (ldap://9.9.9.9:389) - Operation: Binding - Username: CN=redacted,CN=Users,DC=redacted,DC=com
[2021-04-13 18:24:17] local.INFO: LDAP (ldap://9.9.9.9:389) - Operation: Bound - Username: CN=redacted,CN=Users,DC=redacted,DC=com
[2021-04-13 18:24:17] local.INFO: LDAP (ldap://9.9.9.9:389) - Operation: Search - Base DN: - Filter: (&(objectclass=top)(objectclass=person)(objectclass=organizationalperson)(objectclass=user)(mail=z-craig@redacted.com)(!(objectclass=computer))) - Selected: (objectguid,*) - Time Elapsed: 4.97

Obviously, the address of the LDAP server has been changed, as have the user names.

Configuration

// Fortify authentication callback
Fortify::authenticateUsing(function ($request) {
    // Keys other than 'password' become LDAP filter attributes
    $validated = Auth::validate([
        'samaccountname' => $request->username,
        'password' => $request->password,
    ]);

    return $validated ? Auth::getLastAttempted() : null;
});

// config/auth.php, providers section
'providers' => [
    'users' => [
        'driver' => 'ldap',
        'model' => LdapRecord\Models\ActiveDirectory\User::class,
        'rules' => [],
        'database' => [
            'model' => App\Models\User::class,
            'sync_passwords' => true,
            'sync_attributes' => [
                'name' => 'cn',
                'email' => 'mail',
            ],
        ],
    ],

    // 'users' => [
    //     'driver' => 'database',
    //     'table' => 'users',
    // ],
],

Any idea what I'm doing wrong here?

FYI: I ran the exact query in AD and I DO get my user back.

I have:

zack6849 commented 3 years ago

Even more confusing is that it shows no users to import.

laravel@687a76309fdc:/var/www/html$ php artisan ldap:test
Testing LDAP connection [default]...
+------------+------------+----------------------------------------+-------------------------+---------------+
| Connection | Successful | Username                               | Message                 | Response Time |
+------------+------------+----------------------------------------+-------------------------+---------------+
| default    | ✔ Yes      | CN=redacted,CN=Users,DC=redacted,DC=com | Successfully connected. | 5.25ms        |
+------------+------------+----------------------------------------+-------------------------+---------------+
laravel@687a76309fdc:/var/www/html$ php artisan ldap:import users
There were no users found to import.

zack6849 commented 3 years ago

Here's a repo with the code I'm using (well, a copy of it into a barebones Laravel project):

https://github.com/zack6849/ldap-bug

stevebauman commented 3 years ago

Hi @zack6849, are you able to retrieve results from your LDAP server using the user you have configured?

You can test this in your application easily by running the ldap:browse command. Using that, you can interactively browse your LDAP server and ensure that the account you have configured is able to access the user you're authenticating with, but also that the base_dn you have configured is correct.

zack6849 commented 3 years ago

@stevebauman I can't run ldap:browse; it throws an exception:

laravel@c0eff9d0c3a4:/var/www/html$ php artisan ldap:test
Testing LDAP connection [default]...
+------------+------------+----------------------------------------+-------------------------+---------------+
| Connection | Successful | Username                               | Message                 | Response Time |
+------------+------------+----------------------------------------+-------------------------+---------------+
| default    | ✔ Yes      | CN=redacted,CN=Users,DC=redacted,DC=com | Successfully connected. | 59.83ms       |
+------------+------------+----------------------------------------+-------------------------+---------------+
laravel@c0eff9d0c3a4:/var/www/html$ php artisan ldap:browse
Connecting to [default]...
Successfully connected.

   Error

  Class 'LdapRecord\Laravel\Commands\Entry' not found

  at vendor/directorytree/ldaprecord-laravel/src/Commands/BrowseLdapServer.php:260
    256▕      * @return \LdapRecord\Query\Model\Builder
    257▕      */
    258▕     protected function newLdapQuery()
    259▕     {
  ➜ 260▕         return Entry::on($this->argument('connection'));
    261▕     }
    262▕ }
    263▕

      +14 vendor frames
  15  artisan:37
      Illuminate\Foundation\Console\Kernel::handle(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
laravel@c0eff9d0c3a4:/var/www/html$

Am I on an old version of the library or something?

stevebauman commented 3 years ago

🤦 This is my mistake, sorry @zack6849!

I've just pushed a fix for this and have released a new version. Can you run composer update and attempt browsing your directory again using the ldap:browse command?

zack6849 commented 3 years ago

I actually got ldap:browse to work on my local last night, and it looks like the issue is on my end: I was passing the email address but telling it to validate as samaccountname. I still have to test and confirm, but I will probably close this as my own issue.
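The mistake identified above (sending an email address under the samaccountname key, so the generated filter matches nothing and the provider just reports bad credentials) comes down to the credential key naming the directory attribute. The following is an added example, not code from this thread or from LdapRecord-Laravel: a Fortify callback that picks the attribute from the shape of the login. It assumes the 'ldap' user provider configured as in the issue; the ldapCredentials() helper and the 'username' form field are assumptions.

```php
<?php
// Added example; not code from the issue thread or from LdapRecord-Laravel.
// Assumes Laravel Fortify with the 'ldap' user provider configured as in the
// issue. ldapCredentials() and the 'username' form field are assumptions.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Laravel\Fortify\Fortify;

/**
 * Build the credentials array that the LDAP user provider turns into a
 * search filter. Every key except 'password' becomes an equality clause on
 * the directory attribute of that name, so the key must match the form of
 * the login the user typed: 'mail' for an address, 'samaccountname' for a
 * plain account name. Sending an address under 'samaccountname' (the mistake
 * in this issue) produces a filter that matches no entry, and the provider
 * reports plain "invalid credentials" rather than an LDAP error.
 */
function ldapCredentials(string $login, string $password): array
{
    $login = trim($login);
    $attribute = strpos($login, '@') !== false ? 'mail' : 'samaccountname';

    return [$attribute => $login, 'password' => $password];
}

Fortify::authenticateUsing(function (Request $request) {
    // Reject empty passwords before touching the directory: an LDAP bind
    // with a DN and an empty password is an unauthenticated bind, which
    // some servers accept as anonymous and report as successful.
    $password = (string) $request->input('password', '');
    if ($password === '') {
        return null;
    }

    $credentials = ldapCredentials((string) $request->input('username', ''), $password);

    return Auth::validate($credentials) ? Auth::getLastAttempted() : null;
});
```

The callback belongs in a service provider's boot method, as with any Fortify::authenticateUsing registration. Because validation fails silently when the filter matches nothing, the ldap:browse and ldap:import commands discussed in this thread remain the quickest way to confirm that the configured base_dn and bind account can actually see the user entry.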

stevebauman commented 3 years ago

Ok sounds good! Thanks for your quick responses @zack6849. Appreciate the update 👍

zack6849 commented 3 years ago

I've gotten it working; still having some troubles getting Spatie's permissions to work okay with your stuff, though.

Do you know if manually setting the guard name to web in the user class would have any adverse side effects?

stevebauman commented 3 years ago

Great!

still having some troubles getting spatie's permissions to work okay with your stuff though Do you know if manually setting the guard name to web in the user class would have any adverse side effects?

This is a known issue with Spatie Permission:

https://github.com/spatie/laravel-permission/issues/1511

https://github.com/spatie/laravel-permission/issues?q=is%3Aissue+ldap+is%3Aclosed

Unfortunately, you will have to configure the guard name manually, as it does not offer a way to resolve the model from the guards configured provider.

As long as the web guard contains the same Eloquent model that you have configured in your ldap guard, then I don't see an issue. However, take that with a grain of salt. I've never used Spatie Permission.
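The condition stated above (hard-coding Spatie's guard name to web is only safe when the web guard resolves to the same Eloquent model as the ldap guard) can be checked mechanically against config/auth.php. This is an added example, not code from this thread, from LdapRecord-Laravel or from Spatie Permission; the helper functions and the $sampleConfig array are constructed for illustration and assume the provider layout shown in the issue.

```php
<?php
// Added example; not code from the issue thread, LdapRecord-Laravel or
// Spatie Permission. Assumes the config/auth.php layout used in the issue:
// an 'ldap' provider whose 'database' => 'model' names the Eloquent class,
// alongside a standard 'eloquent' provider. The helpers and $sampleConfig
// below are constructed for illustration.

/**
 * Resolve the Eloquent model a guard ultimately authenticates against.
 * LdapRecord's 'ldap' provider keeps it under 'database.model'; Laravel's
 * 'eloquent' provider keeps it under 'model'. Returns null when unknown.
 */
function guardEloquentModel(array $auth, string $guard): ?string
{
    $providerName = $auth['guards'][$guard]['provider'] ?? null;
    $provider = $auth['providers'][$providerName] ?? null;
    if ($provider === null) {
        return null;
    }

    switch ($provider['driver'] ?? '') {
        case 'ldap':
            return $provider['database']['model'] ?? null;
        case 'eloquent':
            return $provider['model'] ?? null;
        default:
            return null;
    }
}

/**
 * Spatie Permission reads $guard_name from the model instance, so setting
 * `protected $guard_name = 'web';` on a user that logged in through the
 * 'ldap' guard is only consistent when both guards resolve to the same
 * Eloquent class. Call this from a test or a boot-time sanity check.
 */
function guardsShareModel(array $auth, string $guardA, string $guardB): bool
{
    $modelA = guardEloquentModel($auth, $guardA);

    return $modelA !== null && $modelA === guardEloquentModel($auth, $guardB);
}

// Constructed sample mirroring the issue's configuration: the 'web' guard
// is backed by a plain Eloquent provider, the 'ldap' guard by LdapRecord,
// and both end up at App\Models\User.
$sampleConfig = [
    'guards' => [
        'web'  => ['driver' => 'session', 'provider' => 'users'],
        'ldap' => ['driver' => 'session', 'provider' => 'ldap_users'],
    ],
    'providers' => [
        'users' => [
            'driver' => 'eloquent',
            'model' => App\Models\User::class,
        ],
        'ldap_users' => [
            'driver' => 'ldap',
            'model' => LdapRecord\Models\ActiveDirectory\User::class,
            'database' => ['model' => App\Models\User::class],
        ],
    ],
];

var_dump(guardsShareModel($sampleConfig, 'web', 'ldap'));
```

If the check returns false, permissions assigned while authenticated through one guard will not be found when the model is resolved through the other, which is the failure mode the linked Spatie issues describe.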