DirectoryTree / LdapRecord-Laravel

Multi-domain LDAP Authentication & Management for Laravel.
https://ldaprecord.com/docs/laravel/v3
MIT License

[Support] #461

Closed bennettblack closed 2 years ago

bennettblack commented 2 years ago

Sponsorship: Sponsoring via Organization "BWI Companies"

Environment:

Issue:

I have a few users that correctly sync to my database with the import command. However, when they try to authenticate, they can't be found. I've ensured that they exist in AD, and I've ensured that the email in AD matches what's in the database. Note that this only affects a few of my users that authenticate with LDAP.

Details

auth.php

[screenshot]

FortifyServiceProvider.php

[screenshot]

User.php (App\Models\Ldap)

[screenshot]

stevebauman commented 2 years ago

Hi @bennettblack! Thanks for posting this on GitHub 👍

Can you post what is printed in the application logs when an affected user has attempted to sign in? Ensure LDAP logging is enabled as well via the LDAP_LOGGING=true env variable.

stevebauman commented 2 years ago

Also, do you have any custom middleware that may be logging these users out? Are you doing any authorization on their group membership, etc.?

bennettblack commented 2 years ago

No custom middleware to un-authenticate anyone. I do set some session variables based on AD Group Membership.

Here's an example of one of the problem user's auth logs:

[2022-08-08 13:27:35] local.INFO: LDAP (ldap://x.x.x.x) - Operation: Binding - Username: bwionline@bwicompanies.com  
[2022-08-08 13:27:35] local.INFO: LDAP (ldap://x.x.x.x) - Operation: Bound - Username: bwionline@bwicompanies.com  
[2022-08-08 13:27:35] local.INFO: LDAP (ldap://x.x.x.x) - Operation: Search - Base DN: ou=People,dc=bwicompanies,dc=com - Filter: (&(objectclass=\74\6f\70)(objectclass=\70\65\72\73\6f\6e)(objectclass=\6f\72\67\61\6e\69\7a\61\74\69\6f\6e\61\6c\70\65\72\73\6f\6e)(objectclass=\75\73\65\72)(mail=\6d\61\64\69\73\6f\6e\6d\69\6c\6e\65\72\40\62\77\69\63\6f\6d\70\61\6e\69\65\73\2e\63\6f\6d)(!(objectclass=\63\6f\6d\70\75\74\65\72))(mail=*)) - Selected: (objectguid,*) - Time Elapsed: 10.04  

And here's my successful auth log:

[2022-08-08 13:23:36] local.INFO: LDAP (ldap://x.x.x.x) - Operation: Binding - Username: bwionline@bwicompanies.com  
[2022-08-08 13:23:36] local.INFO: LDAP (ldap://x.x.x.x) - Operation: Bound - Username: bwionline@bwicompanies.com  
[2022-08-08 13:23:36] local.INFO: LDAP (ldap://x.x.x.x) - Operation: Search - Base DN: ou=People,dc=bwicompanies,dc=com - Filter: (&(objectclass=\74\6f\70)(objectclass=\70\65\72\73\6f\6e)(objectclass=\6f\72\67\61\6e\69\7a\61\74\69\6f\6e\61\6c\70\65\72\73\6f\6e)(objectclass=\75\73\65\72)(mail=\62\65\6e\6e\65\74\74\62\6c\61\63\6b\40\62\77\69\63\6f\6d\70\61\6e\69\65\73\2e\63\6f\6d)(!(objectclass=\63\6f\6d\70\75\74\65\72))(mail=*)) - Selected: (objectguid,*) - Time Elapsed: 33.64  
[2022-08-08 13:23:36] local.INFO: User [Bennett Black] has been successfully discovered for authentication.  
[2022-08-08 13:23:36] local.INFO: Object with name [Bennett Black] is being synchronized.  
[2022-08-08 13:23:36] local.INFO: Object with name [Bennett Black] has been successfully synchronized.  
[2022-08-08 13:23:36] local.INFO: User [Bennett Black] is authenticating.  
[2022-08-08 13:23:36] local.INFO: LDAP (ldap://x.x.x.x) - Operation: Attempting - Username: CN=Bennett Black,OU=People,DC=bwicompanies,DC=com  
[2022-08-08 13:23:36] local.INFO: LDAP (ldap://x.x.x.x) - Operation: Binding - Username: CN=Bennett Black,OU=People,DC=bwicompanies,DC=com  
[2022-08-08 13:23:36] local.INFO: LDAP (ldap://x.x.x.x) - Operation: Bound - Username: CN=Bennett Black,OU=People,DC=bwicompanies,DC=com  
[2022-08-08 13:23:36] local.INFO: LDAP (ldap://x.x.x.x) - Operation: Passed - Username: CN=Bennett Black,OU=People,DC=bwicompanies,DC=com  
[2022-08-08 13:23:36] local.INFO: LDAP (ldap://x.x.x.x) - Operation: Binding - Username: bwionline@bwicompanies.com  
[2022-08-08 13:23:36] local.INFO: LDAP (ldap://x.x.x.x) - Operation: Bound - Username: bwionline@bwicompanies.com  
[2022-08-08 13:23:36] local.INFO: User [Bennett Black] has successfully passed LDAP authentication.  
[2022-08-08 13:23:36] local.INFO: User [Bennett Black] has successfully authenticated.

stevebauman commented 2 years ago

Ok thanks for confirming that @bennettblack!

I see you have a base DN set that is one level above the root (ou=People,dc=bwicompanies,dc=com instead of dc=bwicompanies,dc=com). Are these affected users underneath this base DN?

bennettblack commented 2 years ago

@stevebauman Yes, just confirmed the affected user is in the base DN "People"

stevebauman commented 2 years ago

Thanks @bennettblack.

bennettblack commented 2 years ago

I've also tried to delete the user from the users table, then re-sync, with no luck.

stevebauman commented 2 years ago

Ok -- can you attempt to look up the user via their email address with LdapRecord manually with tinker, or by pasting this somewhere accessible in your application?

use App\Models\Ldap\User;

// Exact-match search on the mail attribute; returns null when no object matches.
$user = User::where('mail', '=', 'affected-user@email.com')->first();

dd($user);

Does a user get returned?

bennettblack commented 2 years ago

@stevebauman No user returned - just null

stevebauman commented 2 years ago

Ok, can you attempt to locate them using a different attribute? Maybe a user ID (samaccountname)?

// Same exact-match lookup, keyed on the account name instead of the mail attribute.
$user = User::where('samaccountname', '=', 'affecteduser')->first();

bennettblack commented 2 years ago

@stevebauman Since the App\Models\Ldap\User model represents the AD User, does the GUID column on the App\Models\User model reference the App\Models\Ldap\User ID?

If so, could I use that as the ID?

stevebauman commented 2 years ago

Yes that's correct -- you could locate the user in your AD via guid like so:

use App\Models\Ldap\User;

// Look the object up by its objectGUID (the value stored in the synced users table).
$user = User::findByGuid('xxxx-xxxx...');

bennettblack commented 2 years ago

@stevebauman Interestingly enough, I was able to find the user with User::findByGuid.

Taking a cursory glance at the returned model, I noticed the mail array value actually has a space. Think this could be the issue? Not sure if the LDAP Package does any trimming when doing these comparisons.

[screenshot]

stevebauman commented 2 years ago

Taking a cursory glance at the returned model, I noticed the mail array value actually has a space. Think this could be the issue? Not sure if the LDAP Package does any trimming when doing these comparisons.

Yes that will definitely affect the query. LdapRecord doesn't perform any trimming. It sends a query asking for a match on the credentials sent via the Auth::validate()/Auth::attempt() methods via an LDAP filter. Can you update the user's email to trim the excess spaces and try again?

Also, LdapRecord asks for an exact match via an equals (mail=foo@example.com) operator, not a contains (mail=*foo@example.com*), which will prevent the user from being returned if they contain leading or trailing spaces in your LDAP server.
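The logged filters earlier in this thread hex-escape every byte of each value, which is why the stray space in the mail attribute was not visible from the log alone. The following is an added example, not LdapRecord's or this project's code: it reproduces that per-byte escaping, decodes a logged filter back into attribute/value pairs, and flags any value with leading or trailing whitespace, which an equality assertion such as (mail=foo@example.com) can never match. The sample filter and the address in it are constructed for the example.

```php
<?php
// Added example (not LdapRecord code): decode the hex-escaped filter values
// that appear in LdapRecord's log lines so the exact value sent to the
// directory can be checked for surrounding whitespace.

declare(strict_types=1);

/**
 * Escape a filter value the way the logged queries show it:
 * every byte becomes a backslash followed by two lowercase hex digits.
 */
function escapeFilterValue(string $value): string
{
    if ($value === '') {
        return '';
    }
    $out = '';
    foreach (str_split($value) as $byte) {
        $out .= '\\' . sprintf('%02x', ord($byte));
    }
    return $out;
}

/** Reverse of escapeFilterValue: turn each \XX sequence back into its byte. */
function unescapeFilterValue(string $escaped): string
{
    return preg_replace_callback(
        '/\\\\([0-9a-fA-F]{2})/',
        fn (array $m): string => chr((int) hexdec($m[1])),
        $escaped
    );
}

/**
 * Extract every (attribute=value) assertion from a logged filter and decode
 * the values. Wildcard-only assertions such as (mail=*) are kept verbatim.
 *
 * @return array<int, array{0: string, 1: string}>
 */
function decodeLoggedFilter(string $filter): array
{
    preg_match_all('/\(([a-zA-Z0-9;.-]+)=([^()]*)\)/', $filter, $matches, PREG_SET_ORDER);
    $pairs = [];
    foreach ($matches as [$full, $attr, $value]) {
        $pairs[] = [$attr, unescapeFilterValue($value)];
    }
    return $pairs;
}

/** Return the assertions whose value differs from its trimmed form. */
function findUntrimmedValues(array $pairs): array
{
    return array_values(array_filter($pairs, fn (array $p): bool => $p[1] !== trim($p[1])));
}

// Constructed sample: the filter shape from the log above, with a mail value
// that carries a trailing space (the condition discussed in this thread).
$logged = '(&'
    . '(objectclass=' . escapeFilterValue('user') . ')'
    . '(mail=' . escapeFilterValue('jane.doe@example.com ') . ')'
    . '(!(objectclass=' . escapeFilterValue('computer') . '))'
    . '(mail=*))';

foreach (decodeLoggedFilter($logged) as [$attr, $value]) {
    printf("%-12s => '%s'\n", $attr, $value);
}

foreach (findUntrimmedValues(decodeLoggedFilter($logged)) as [$attr, $value]) {
    printf("WARNING: %s has surrounding whitespace: '%s'\n", $attr, $value);
}
```

Paste a Filter value copied from a real log line into decodeLoggedFilter() to see the literal string the server was asked to match; quoting each decoded value makes a leading or trailing space visible, which is the check that would have shortened the diagnosis above.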

bennettblack commented 2 years ago

@stevebauman that solved it! Thanks for your patience and the quick resolution!

stevebauman commented 2 years ago

Excellent! 🎉 Happy to help @bennettblack. Glad you're up and running