bgame-hunter / cpassman

Automatically exported from code.google.com/p/cpassman
0 stars 0 forks source link

Problems with LDAP / LDAPs #49

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Hello Nils,

thank you for your most recent cPassMan. I tested the LDAP authentication 
feature and found 2 bugs.

1. If you authenticate via LDAP cPassMan wants you to change your password. Is 
it possible to deactivate password change for LDAP users?

2. If you want to use LDAPs (via SSL) authentication won't work. Using tcpdump 
I found out, that cPassMan does not even try to query the domain controllers 
via LDAPs. If you deactivate LDAPs everything works fine. Are there any other 
users experiencing the same problems or might have a solution for us?

Thank you in advance.
Christoph

Original issue reported on code.google.com by Marker...@gmail.com on 5 Apr 2011 at 1:41

GoogleCodeExporter commented 8 years ago
Hi Christophe,

I've corrected point n°1

Concerning point n°2, I must say that I don't really know.
Is it possible for you to check 
http://adldap.sourceforge.net/wiki/doku.php?id=ldap_over_ssl and tell me if 
your LDAPS is set as expected?

Thanks

Nils

Original comment by nils.lau...@gmail.com on 9 Apr 2011 at 8:06

GoogleCodeExporter commented 8 years ago
Hello Nils,

thank you for your response. I'm not in the office right now. I will look into 
it next week and give you feedback.

Christoph

Original comment by Marker...@gmail.com on 12 Apr 2011 at 3:17

GoogleCodeExporter commented 8 years ago
Hello Nils,

we checked the settings displayed in the link you gave us. Everything should be 
correct. Checking the LDAPS connection with ldapsearch  was successfull, but 
cPassMan still doesn't try to establish any connections vis LDAPs (checked via 
sniffer).

Christoph

Original comment by Marker...@gmail.com on 19 Apr 2011 at 11:00

GoogleCodeExporter commented 8 years ago
Hello Christoph,

I'll do a check on ldap library in order to see if cpassman is really ok.

Nils

Original comment by nils.lau...@gmail.com on 19 Apr 2011 at 4:55

GoogleCodeExporter commented 8 years ago
Hi Nils,

do you have any news for me?

Christoph

Original comment by Marker...@gmail.com on 10 May 2011 at 9:28

GoogleCodeExporter commented 8 years ago
Hi Christoph,

Yes I've worked on that topic a couple of hours without any success for the 
moment.
It's a subject that I don't master actually ... but I've done some interesting 
progress recently

I will hopefully implement something this month

Nils

Original comment by nils.cpa...@gmail.com on 10 May 2011 at 7:24

GoogleCodeExporter commented 8 years ago
Hi Nils,

sorry to ask again. Do you hvae any news for me? Can I help you with anything 
(maybe tests)?

Christoph

Original comment by Marker...@gmail.com on 21 Jun 2011 at 7:11

GoogleCodeExporter commented 8 years ago
Hi Christoph,

which distribution do you use and what LDAPS server are you asking (AD? 
OpenLDAP?)?

I've got it running with Debian Squeeze (Client and Server), OpenLDAP and 
cpassman_2.0b5_patch1.zip. The only thing was to set: "TLS_REQCERT never" in 
"/etc/ldap/ldap.conf" because I'm using selfsigned certificates. 

@Nils: I can verify it works with LDAPS and the patch from issue 42.

Michael

Original comment by m.mu...@gmail.com on 24 Aug 2011 at 9:45

GoogleCodeExporter commented 8 years ago
Hello Michael,

thank you for your answer. We are using AD, cpassman is installed on Debian. 
TLS_REQCERT is set to never. HTTPS only.

What packages did you install on your Debian? Are there any more configurations 
I have to do first?

When I'm trying to establish an ldaps connection via ldapsearch 

ldapsearch -H "ldaps://fisdc01.fis-gmbh.de" -b "" -s base -Omaxssf=0 

I get the following Message:

SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available:

I have googled a lot but didn't find anything helpful.

Thank you!

Christoph

Original comment by Marker...@gmail.com on 24 Aug 2011 at 10:01

GoogleCodeExporter commented 8 years ago
Hi Christoph,

why are you using SASL? Can you show me your ldap.conf please?

root@apps01:/var/www# dpkg -l | grep php
ii  libapache2-mod-php5                 5.3.3-7+squeeze3             
server-side, HTML-embedded scripting language (Apache 2 module)
ii  php5-cli                            5.3.3-7+squeeze3             
command-line interpreter for the php5 scripting language
ii  php5-common                         5.3.3-7+squeeze3             Common 
files for packages built from the php5 source
ii  php5-gd                             5.3.3-7+squeeze3             GD module 
for php5
ii  php5-ldap                           5.3.3-7+squeeze3             LDAP 
module for php5
ii  php5-mcrypt                         5.3.3-7+squeeze3             MCrypt 
module for php5
ii  php5-mysql                          5.3.3-7+squeeze3             MySQL 
module for php5
ii  php5-suhosin                        0.9.32.1-1                   advanced 
protection module for php5
ii  phpmyadmin                          4:3.3.7-6                    MySQL web 
administration tool
root@apps01:/var/www# dpkg -l | grep ldap
ii  libaprutil1-ldap                    1.3.9+dfsg-5                 The Apache 
Portable Runtime Utility Library - LDAP Driver
ii  libldap-2.4-2                       2.4.23-7.2                   OpenLDAP 
libraries
ii  php5-ldap                           5.3.3-7+squeeze3             LDAP 
module for php5

Original comment by m.mu...@gmail.com on 24 Aug 2011 at 10:24

GoogleCodeExporter commented 8 years ago
Hi Michael,

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

TLS_REQCERT never
ssl yes
tls_checkpeer no
----------------------

php5-gd, php5-suhosin, libaprutil1-ldap and libldap-2.4.2 are not installed. Do 
we need them for AD-authentication?

Christoph

Original comment by Marker...@gmail.com on 24 Aug 2011 at 11:05

GoogleCodeExporter commented 8 years ago
Hm ... you should enable debugging in PHP and check apache's error_log.
And check:
root@apps01:/var/www# dpkg -l | grep ssl
ii  libssl0.9.8                         0.9.8o-4squeeze1             SSL shared 
libraries
ii  openssl                             0.9.8o-4squeeze1             Secure 
Socket Layer (SSL) binary and related cryptographic tools
ii  ssl-cert                            1.0.28                       simple 
debconf wrapper for OpenSSL

Original comment by m.mu...@gmail.com on 24 Aug 2011 at 11:34

GoogleCodeExporter commented 8 years ago
Hi all,

this issue can be closed. A collegue of mine managed to make it work.

Christoph

Original comment by Marker...@gmail.com on 9 Nov 2011 at 12:11

GoogleCodeExporter commented 8 years ago
Could you post the details on what the root cause and resolution of your issue 
was, for the benefit of all?

Original comment by SeanNien...@gmail.com on 12 Dec 2011 at 3:07

GoogleCodeExporter commented 8 years ago
Hello Sean,

I'm not fully aware of all the changes my colleague made but as far as I know 
we had to "hardcode" the adldap.php additionally to the settings on the 
webinterface. We also had to choose one Domaincontroller instead of an array of 
Domaincontroller.

I hope this helps you.

Christoph

Original comment by Marker...@gmail.com on 12 Dec 2011 at 4:06

GoogleCodeExporter commented 8 years ago
Ldaps and windows servers! (my config: windows 2008r2 DC with php 5.3.8)
php OpenLdap doesn't work out of the box with self signed windows certificates.
You need to tell the LDAP plugin that it may accept self signed certificates.
This is done in the file ldap.conf
Create this file in c:\
Put in this file:
TLS_REQCERT never 

REBOOT (complete) SERVER.

now it should work with ssl on en tls off.
If it doesn't work install microsoft process monitor and filter on ldap.conf
Some installs require a different path. (So process monitor will tell you the 
right path)

More reference: http://www.php.net/manual/en/ref.ldap.php#77553

Cheers Christian

Original comment by christia...@gmail.com on 12 Dec 2011 at 4:48

GoogleCodeExporter commented 8 years ago
to be complete here is the file ldap.conf

Original comment by christia...@gmail.com on 12 Dec 2011 at 4:49

Attachments:

GoogleCodeExporter commented 8 years ago
hi, as i also stumbled over this issue, i just wanted to add as comment:

for windows 2008R2 domains, this also works fine with specific trusted cert's 
BUT only if one DC is put into the configuration. with an array or just the 
domain name, it does not work.

****** /etc/ldap/ldap.conf :

#TLS_REQCERT never

LDAPTrustedCAType    BASE64_FILE
TLS_CACERT  /etc/apache2/pki/COMPANY-Basic-Root-CA-cacert.crt

Original comment by lukas.ju...@gmail.com on 31 Jul 2012 at 11:31

GoogleCodeExporter commented 8 years ago
[deleted comment]
GoogleCodeExporter commented 8 years ago
I can't get LDAP to work with active directory over SSL or TLS, only plain LDAP 
seems to work. I have read through this thread and tried the suggestions here 
to no avail.

Original comment by star2...@gmail.com on 2 Oct 2012 at 3:17

GoogleCodeExporter commented 8 years ago
Check with tcpdump on the LDAP server if the connection comes over the correct 
port and if there are cert issues (tcpdump -X -s 0 -n port 636)

Original comment by m.mu...@gmail.com on 4 Oct 2012 at 8:32