Closed bennettblack closed 2 years ago
Hi @bennettblack! Thanks for posting this on GitHub 👍
Can you post what is printed in the application logs when an affected user has attempted to sign in? Ensure LDAP logging is enabled as well via the LDAP_LOGGING=true env variable.
Also, do you have any custom middleware that may be logging these users out? Are you doing any authorization on their group membership, etc.?
No custom middleware to un-authenticate anyone. I do set some session variables based on AD Group Membership.
Here's an example of one of the Problem user's auth logs :
[2022-08-08 13:27:35] local.INFO: LDAP (ldap://x.x.x.x) - Operation: Binding - Username: bwionline@bwicompanies.com
[2022-08-08 13:27:35] local.INFO: LDAP (ldap://x.x.x.x) - Operation: Bound - Username: bwionline@bwicompanies.com
[2022-08-08 13:27:35] local.INFO: LDAP (ldap://x.x.x.x) - Operation: Search - Base DN: ou=People,dc=bwicompanies,dc=com - Filter: (&(objectclass=\74\6f\70)(objectclass=\70\65\72\73\6f\6e)(objectclass=\6f\72\67\61\6e\69\7a\61\74\69\6f\6e\61\6c\70\65\72\73\6f\6e)(objectclass=\75\73\65\72)(mail=\6d\61\64\69\73\6f\6e\6d\69\6c\6e\65\72\40\62\77\69\63\6f\6d\70\61\6e\69\65\73\2e\63\6f\6d)(!(objectclass=\63\6f\6d\70\75\74\65\72))(mail=*)) - Selected: (objectguid,*) - Time Elapsed: 10.04
And here's my successful auth log:
[2022-08-08 13:23:36] local.INFO: LDAP (ldap://x.x.x.x) - Operation: Binding - Username: bwionline@bwicompanies.com
[2022-08-08 13:23:36] local.INFO: LDAP (ldap://x.x.x.x) - Operation: Bound - Username: bwionline@bwicompanies.com
[2022-08-08 13:23:36] local.INFO: LDAP (ldap://x.x.x.x) - Operation: Search - Base DN: ou=People,dc=bwicompanies,dc=com - Filter: (&(objectclass=\74\6f\70)(objectclass=\70\65\72\73\6f\6e)(objectclass=\6f\72\67\61\6e\69\7a\61\74\69\6f\6e\61\6c\70\65\72\73\6f\6e)(objectclass=\75\73\65\72)(mail=\62\65\6e\6e\65\74\74\62\6c\61\63\6b\40\62\77\69\63\6f\6d\70\61\6e\69\65\73\2e\63\6f\6d)(!(objectclass=\63\6f\6d\70\75\74\65\72))(mail=*)) - Selected: (objectguid,*) - Time Elapsed: 33.64
[2022-08-08 13:23:36] local.INFO: User [Bennett Black] has been successfully discovered for authentication.
[2022-08-08 13:23:36] local.INFO: Object with name [Bennett Black] is being synchronized.
[2022-08-08 13:23:36] local.INFO: Object with name [Bennett Black] has been successfully synchronized.
[2022-08-08 13:23:36] local.INFO: User [Bennett Black] is authenticating.
[2022-08-08 13:23:36] local.INFO: LDAP (ldap://x.x.x.x) - Operation: Attempting - Username: CN=Bennett Black,OU=People,DC=bwicompanies,DC=com
[2022-08-08 13:23:36] local.INFO: LDAP (ldap://x.x.x.x) - Operation: Binding - Username: CN=Bennett Black,OU=People,DC=bwicompanies,DC=com
[2022-08-08 13:23:36] local.INFO: LDAP (ldap://x.x.x.x) - Operation: Bound - Username: CN=Bennett Black,OU=People,DC=bwicompanies,DC=com
[2022-08-08 13:23:36] local.INFO: LDAP (ldap://x.x.x.x) - Operation: Passed - Username: CN=Bennett Black,OU=People,DC=bwicompanies,DC=com
[2022-08-08 13:23:36] local.INFO: LDAP (ldap://x.x.x.x) - Operation: Binding - Username: bwionline@bwicompanies.com
[2022-08-08 13:23:36] local.INFO: LDAP (ldap://x.x.x.x) - Operation: Bound - Username: bwionline@bwicompanies.com
[2022-08-08 13:23:36] local.INFO: User [Bennett Black] has successfully passed LDAP authentication.
[2022-08-08 13:23:36] local.INFO: User [Bennett Black] has successfully authenticated.
Ok thanks for confirming that @bennettblack!
I see you have a base DN set that is one level above the root (ou=People,dc=bwicompanies,dc=com instead of dc=bwicompanies,dc=com). Are these affected users underneath this base DN?
@stevebauman Yes, just confirmed the affected user is in the base DN "People"
Thanks @bennettblack.
I've also tried to delete the user from the users table, then re-sync, with no luck.
Ok -- can you attempt to look up the user via their email address with LdapRecord manually with tinker, or by pasting this somewhere accessible in your application?
use App\Models\Ldap\User; // namespace corrected from App\Modes to match the model named later in this thread
$user = User::where('mail', '=', 'affected-user@email.com')->first();
dd($user);
Does a user get returned?
@stevebauman No user returned - just null
Ok, can you attempt to locate them using a different attribute? Maybe a user ID (samaccountname)?
$user = User::where('samaccountname', '=', 'affecteduser')->first();
@stevebauman Since the App\Models\Ldap\User model represents the AD User, does the GUID column on the App\Models\User model reference the App\Models\Ldap\User ID? If so, could I use that as the ID?
Yes that's correct -- you could locate the user in your AD via guid like so:
use App\Models\Ldap\User; // namespace corrected from App\Modes to match the model named earlier in this thread
$user = User::findByGuid('xxxx-xxxx...');
@stevebauman Interestingly enough, I was able to find the user with User::findByGuid.
Taking a cursory glance at the returned model, I noticed the mail array value actually has a space. Think this could be the issue? Not sure if the LDAP Package does any trimming when doing these comparisons.
Yes that will definitely affect the query. LdapRecord doesn't perform any trimming. It sends a query asking for a match on the credentials sent via the Auth::validate() / Auth::attempt() methods via an LDAP filter. Can you update the user's email to trim the excess spaces and try again?
Also, LdapRecord asks for an exact match via an equals (mail=foo@example.com) operator, not a contains (mail=*foo@example.com*), which will prevent the user from being returned if they contain leading or trailing spaces in your LDAP server.
@stevebauman that solved it! Thanks for your patience and the quick resolution!
Excellent! 🎉 Happy to help @bennettblack. Glad you're up and running
Sponsorship: Sponsoring via Organization "BWI Companies"
Issue: I have a few users that correctly sync to my database with the import command. However, when they try to authenticate, they can't be found. I've ensured that they exist in AD, and I've ensured that the email in AD matches what's in the database. Note that this only affects a few of my users that authenticate with LDAP.