WillyXJ / facileManager

A modular suite of web apps built with the sysadmin in mind.
www.facilemanager.com
GNU General Public License v2.0

[ISSUE] LDAP authentication with JumpCloud backend not working #578

Closed lravelo closed 5 months ago

lravelo commented 1 year ago


fM Version: 4.5.0; fmDNS Version: 5.3.3

(BUG | ISSUE) Expected Behavior: Expecting that LDAP users in JumpCloud can authenticate (JumpCloud uses an OpenLDAP type backend)

(BUG | ISSUE) Actual Behavior: Does not authenticate. The server doesn't even make an attempt to communicate with JumpCloud. I can see errors in /var/log/php-fpm/www-error.log which says the following:

PHP Notice: Undefined property: fmdb::$last_result in /var/www/html/facileManager/fm-modules/facileManager/classes/class_logins.php on line 265

(BUG | ISSUE) Steps to reproduce:

This config is pretty typical and I have comparable config on other sources and works just fine.

WillyXJ commented 1 year ago

I think your DN is missing the placeholder. It should look like this:

Distinguished Name (DN): uid=<username>,ou=Users,o=[jumpcloud_org_id],dc=jumpcloud,dc=com

<username> will be automatically replaced with the username entered at the login page.

lravelo commented 1 year ago

Hi @WillyXJ, this was actually an error on my part. For some reason I forgot to add <username> when opening the issue, but the placeholder is actually there and it still does not work.

WillyXJ commented 1 year ago

I don't think the issue is your DN at this point. Have you tried using "memberOf" for the Group Member Attribute? That is the supported attribute according to https://jumpcloud.com/blog/how-to-connect-your-application-to-ldap.

You could also try authenticating without a required group membership to help isolate where the problem is at.

lravelo commented 1 year ago

OK, so removing the required group membership restriction does allow me to log in. Doing an ldapsearch of this group shows that it uses the member attribute.

Not sure if what's going on here is that the query is run against the uid to see what groups the account is a member of. In that case it would be memberOf. Despite that, neither option works when requiring group membership.

WillyXJ commented 1 year ago

I've opened an account with JumpCloud and am able to reproduce the issue. I've also found using ldap_compare() is not working quite right with JumpCloud. I did find a working solution for you though.

Set the Group Member Attribute to "memberof" (case-sensitive) and replace class_logins.php line 575 with

$ldap_group_response = $this->checkGroupMembership($ldap_connect, $ldap_dn, $ldap_group_dn, $ldap_group_attribute);

More research and testing needs to be done to ensure this change does not break authentication with other LDAP servers before it's included in the next release.

lravelo commented 1 year ago

I tried this fix but no dice. Still the same outcome. Any sort of debug logging I can enable to see more details?

WillyXJ commented 1 year ago

Unfortunately there isn't any debug logging with fM for LDAP auth. However, I created another test user and it was unable to authenticate until I gave it bind permissions within JumpCloud (under User Security Settings and Permissions for the user).


Please ensure this option is checked for your users if you want to require the group membership.

I'll have to consider changing the LDAP auth implementation within fM to utilize a bind account to perform the lookups instead of relying on the authenticating account to do that.
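Added example, not facileManager's own code: it contrasts the two membership checks discussed above (ldap_compare() against the group's member attribute versus reading memberOf from the user's entry) and shows the service-account lookup suggested in the previous comment. The URI, DN template, group DN and service-account credentials are placeholders.

```php
<?php
// Added example, not facileManager's code: the two group-membership checks this
// thread contrasts, plus the service-account lookup suggested in the last comment.
// $ldapUri, $dnTemplate, $groupDn, $svcDn and $svcPw are placeholders.

function userDn(string $dnTemplate, string $username): string {
    // Escape before substituting into the DN so the login name cannot alter it.
    return str_replace('<username>', ldap_escape($username, '', LDAP_ESCAPE_DN), $dnTemplate);
}

// Strategy A: ldap_compare() asks the group entry whether its "member" attribute
// holds the user DN. Only an explicit TRUE passes; FALSE and -1 (error) fail closed.
function memberViaGroupEntry($conn, string $groupDn, string $attr, string $userDn): bool {
    return ldap_compare($conn, $groupDn, $attr, $userDn) === true;
}

// Strategy B: read the user's own entry and look for the group DN among its
// "memberOf" values; this is the lookup that worked against JumpCloud.
function memberViaUserEntry($conn, string $userDn, string $attr, string $groupDn): bool {
    $res = @ldap_read($conn, $userDn, '(objectClass=*)', [$attr]);
    if ($res === false) {
        return false;
    }
    $values = ldap_get_entries($conn, $res)[0][strtolower($attr)] ?? []; // keys are lowercased
    unset($values['count']);
    foreach ($values as $dn) {
        if (strcasecmp($dn, $groupDn) === 0) {
            return true;
        }
    }
    return false;
}

function authenticate(string $ldapUri, string $dnTemplate, string $groupDn, string $username,
                      string $password, ?string $svcDn = null, ?string $svcPw = null): bool {
    $conn = ldap_connect($ldapUri);
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    $dn = userDn($dnTemplate, $username);
    // Step 1: the user's own bind proves the password. An empty password is
    // rejected up front because LDAP would treat it as an anonymous bind.
    if ($password === '' || !@ldap_bind($conn, $dn, $password)) {
        return false;
    }
    // Step 2: membership lookup. Rebinding as a service account means the user
    // does not need JumpCloud's per-user bind permission for this to succeed.
    if ($svcDn !== null && !@ldap_bind($conn, $svcDn, $svcPw)) {
        return false;
    }
    return memberViaUserEntry($conn, $dn, 'memberOf', $groupDn);
}
```

Strategy A is kept only for comparison; authenticate() uses strategy B because that is the check the thread found to work with JumpCloud.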

WillyXJ commented 5 months ago

This is now fixed in fM 4.6.0 and later.