glpi-project / glpi

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing.
https://glpi-project.org
GNU General Public License v3.0

LDAP sync & login error 10.0.5 #13542

Closed kofe88 closed 1 year ago

kofe88 commented 1 year ago

Version

10.0.5

Bug description

After upgrading to version 10.0.5, it is not possible to log in with a domain account. Also, synchronization of users from AD does not work. When logging in from the main page, an empty page simply opens. Also, when you try to manually synchronize the user, an empty page opens. There are errors in the Apache and GLPI logs. The domain connection test is successful. The list of users to import from AD is received successfully, but it cannot import anyone; importing also gives a white screen and errors in the logs. AD: Windows Server 2012.

Relevant log output

php-errors.log glpi

[2022-12-07 10:33:14] glpiphplog.WARNING:   *** PHP Warning (2): ldap_search(): Search: Bad search filter in /var/www/html/glpi/src/User.php at line 2012
  Backtrace :
  src/User.php:2012                                  ldap_search()
  src/User.php:1704                                  User->ldap_get_user_groups()
  src/User.php:1856                                  User->getFromLDAPGroupDiscret()
  src/AuthLDAP.php:2784                              User->getFromLDAP()
  src/AuthLDAP.php:2695                              AuthLDAP::ldapImportUserByServerId()
  src/User.php:3397                                  AuthLDAP::forceOneUserSynchronization()
  src/MassiveAction.php:1408                         User::processMassiveActionsForOneItemtype()
  src/MassiveAction.php:1386                         MassiveAction->processForSeveralItemtypes()
  front/massiveaction.php:59                         MassiveAction->process()

[2022-12-07 10:33:14] glpiphplog.CRITICAL:   *** Uncaught Exception TypeError: ldap_get_entries(): Argument #2 ($result) must be of type LDAP\Result, bool given in /var/www/html/glpi/src/AuthLDAP.php at line 4226
  Backtrace :
  src/AuthLDAP.php:4226                              ldap_get_entries()
  src/User.php:2015                                  AuthLDAP::get_entries_clean()
  src/User.php:1704                                  User->ldap_get_user_groups()
  src/User.php:1856                                  User->getFromLDAPGroupDiscret()
  src/AuthLDAP.php:2784                              User->getFromLDAP()
  src/AuthLDAP.php:2695                              AuthLDAP::ldapImportUserByServerId()
  src/User.php:3397                                  AuthLDAP::forceOneUserSynchronization()
  src/MassiveAction.php:1408                         User::processMassiveActionsForOneItemtype()
  src/MassiveAction.php:1386                         MassiveAction->processForSeveralItemtypes()
  front/massiveaction.php:59                         MassiveAction->process()

[2022-12-07 10:36:46] glpiphplog.WARNING:   *** PHP Warning (2): ldap_search(): Search: Bad search filter in /var/www/html/glpi/src/User.php at line 2012
  Backtrace :
  src/User.php:2012                                  ldap_search()
  src/User.php:1704                                  User->ldap_get_user_groups()
  src/User.php:1856                                  User->getFromLDAPGroupDiscret()
  src/AuthLDAP.php:2784                              User->getFromLDAP()
  src/AuthLDAP.php:2695                              AuthLDAP::ldapImportUserByServerId()
  src/User.php:3397                                  AuthLDAP::forceOneUserSynchronization()
  src/MassiveAction.php:1408                         User::processMassiveActionsForOneItemtype()
  src/MassiveAction.php:1386                         MassiveAction->processForSeveralItemtypes()
  front/massiveaction.php:59                         MassiveAction->process()

[2022-12-07 10:36:46] glpiphplog.CRITICAL:   *** Uncaught Exception TypeError: ldap_get_entries(): Argument #2 ($result) must be of type LDAP\Result, bool given in /var/www/html/glpi/src/AuthLDAP.php at line 4226
  Backtrace :
  src/AuthLDAP.php:4226                              ldap_get_entries()
  src/User.php:2015                                  AuthLDAP::get_entries_clean()
  src/User.php:1704                                  User->ldap_get_user_groups()
  src/User.php:1856                                  User->getFromLDAPGroupDiscret()
  src/AuthLDAP.php:2784                              User->getFromLDAP()
  src/AuthLDAP.php:2695                              AuthLDAP::ldapImportUserByServerId()
  src/User.php:3397                                  AuthLDAP::forceOneUserSynchronization()
  src/MassiveAction.php:1408                         User::processMassiveActionsForOneItemtype()
  src/MassiveAction.php:1386                         MassiveAction->processForSeveralItemtypes()
  front/massiveaction.php:59                         MassiveAction->process()

[2022-12-07 10:37:46] glpiphplog.WARNING:   *** PHP Warning (2): ldap_search(): Search: Bad search filter in /var/www/html/glpi/src/User.php at line 2012
  Backtrace :
  src/User.php:2012                                  ldap_search()
  src/User.php:1704                                  User->ldap_get_user_groups()
  src/User.php:1856                                  User->getFromLDAPGroupDiscret()
  src/AuthLDAP.php:3211                              User->getFromLDAP()
  src/AuthLDAP.php:3295                              AuthLDAP::ldapAuth()
  src/Auth.php:909                                   AuthLDAP::tryLdapAuth()
  front/login.php:89                                 Auth->login()

[2022-12-07 10:37:46] glpiphplog.CRITICAL:   *** Uncaught Exception TypeError: ldap_get_entries(): Argument #2 ($result) must be of type LDAP\Result, bool given in /var/www/html/glpi/src/AuthLDAP.php at line 4226
  Backtrace :
  src/AuthLDAP.php:4226                              ldap_get_entries()
  src/User.php:2015                                  AuthLDAP::get_entries_clean()
  src/User.php:1704                                  User->ldap_get_user_groups()
  src/User.php:1856                                  User->getFromLDAPGroupDiscret()
  src/AuthLDAP.php:3211                              User->getFromLDAP()
  src/AuthLDAP.php:3295                              AuthLDAP::ldapAuth()
  src/Auth.php:909                                   AuthLDAP::tryLdapAuth()
  front/login.php:89                                 Auth->login()

error.log apache2

[Wed Dec 07 10:33:14.815249 2022] [php:warn] [pid 104] [client 172.19.0.2:51612] PHP Warning:  ldap_search(): Search: Bad search filter in /var/www/html/glpi/src/User.php on line 2012, referer: https://support-test.domain.ru/front/user.form.php?id=567
[Wed Dec 07 10:36:46.340432 2022] [php:warn] [pid 100] [client 172.19.0.2:51928] PHP Warning:  ldap_search(): Search: Bad search filter in /var/www/html/glpi/src/User.php on line 2012, referer: https://support-test.domain.ru/front/user.form.php?id=930
[Wed Dec 07 10:37:46.714408 2022] [php:warn] [pid 125] [client 172.19.0.2:52102] PHP Warning:  ldap_search(): Search: Bad search filter in /var/www/html/glpi/src/User.php on line 2012, referer: https://support-test.domain.ru/index.php

Page URL

No response

Steps To reproduce

  1. Update to 10.0.5 from 9.5.9
  2. Connect to AD (Windows Server 2012)

Your GLPI setup information

Information about system installation and configuration
GLPI 10.0.5 ( => /var/www/html/glpi)
Installation mode: TARBALL
Current language:en_GB

Server
 
Operating system: Linux 2ae7d874a39b 5.15.0-43-generic #46-Ubuntu SMP Tue Jul 12 10:30:17 UTC 2022 x86_64
PHP 8.1.2-1ubuntu2.9 apache2handler (Core, FFI, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, apache2handler, apcu, bz2,
    calendar, ctype, curl, date, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, imap, intl, json, ldap, libxml,
    mbstring, mysqli, mysqlnd, openssl, pcre, pdo_mysql, posix, readline, session, shmop, sockets, sodium, standard, sysvmsg,
    sysvsem, sysvshm, tokenizer, xml, xmlreader, xmlrpc, xmlwriter, xsl, zip, zlib)
Setup: max_execution_time="600" memory_limit="64M" post_max_size="8M" safe_mode="" session.save_handler="files"
    upload_max_filesize="2M" 
Software: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2 ()
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 YaBrowser/22.11.0.2424 Yowser/2.5 Safari/537.36
Server Software: mariadb.org binary distribution
    Server Version: 10.6.11-MariaDB-1:10.6.11+maria~ubu2004
    Server SQL Mode: STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
    Parameters: user@mariadb/user
    Host info: mariadb via TCP/IP

PHP version (8.1.2-1ubuntu2.9) is supported.
Sessions configuration is OK.
Allocated memory is sufficient.
mysqli extension is installed.
Following extensions are installed: dom, fileinfo, json, simplexml.
curl extension is installed.
gd extension is installed.
intl extension is installed.
libxml extension is installed.
zlib extension is installed.
The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present.
Database engine version (10.6.11) is supported.
No files from previous GLPI version detected.
The log file has been created successfully.
Write access to /var/www/html/glpi/files/_cache has been validated.
Write access to /var/www/html/glpi/config has been validated.
Write access to /var/www/html/glpi/files/_cron has been validated.
Write access to /var/www/html/glpi/files has been validated.
Write access to /var/www/html/glpi/files/_dumps has been validated.
Write access to /var/www/html/glpi/files/_graphs has been validated.
Write access to /var/www/html/glpi/files/_lock has been validated.
Write access to /var/www/html/glpi/files/_pictures has been validated.
Write access to /var/www/html/glpi/files/_plugins has been validated.
Write access to /var/www/html/glpi/files/_rss has been validated.
Write access to /var/www/html/glpi/files/_sessions has been validated.
Write access to /var/www/html/glpi/files/_tmp has been validated.
Write access to /var/www/html/glpi/files/_uploads has been validated.
The following directories should be placed outside "/var/www/html/glpi":
‣ "/var/www/html/glpi/files" ("GLPI_VAR_DIR")
‣ "/var/www/html/glpi/config" ("GLPI_CONFIG_DIR")
You can ignore this suggestion if you are certain that these directories are not accessible through your web server.
Sessions configuration is secured.
exif extension is installed.
ldap extension is installed.
openssl extension is installed.
zip extension is installed.
bz2 extension is installed.
Zend OPcache extension is installed.
Following extensions are installed: ctype, iconv, mbstring, sodium.
Write access to /var/www/html/glpi/marketplace has been validated.
Access to timezone database (mysql) is not allowed.

GLPI constants
 
GLPI_ROOT: "/var/www/html/glpi"
GLPI_CONFIG_DIR: "/var/www/html/glpi/config"
GLPI_VAR_DIR: "/var/www/html/glpi/files"
GLPI_MARKETPLACE_DIR: "/var/www/html/glpi/marketplace"
GLPI_USE_CSRF_CHECK: "1"
GLPI_CSRF_EXPIRES: "7200"
GLPI_CSRF_MAX_TOKENS: "100"
GLPI_USE_IDOR_CHECK: "1"
GLPI_IDOR_EXPIRES: "7200"
GLPI_ALLOW_IFRAME_IN_RICH_TEXT: false
GLPI_SERVERSIDE_URL_ALLOWLIST: ["/^(https?|feed):\\/\\/[^@:]+(\\/.*)?$/"]
GLPI_TELEMETRY_URI: "https://telemetry.glpi-project.org"
GLPI_INSTALL_MODE: "TARBALL"
GLPI_NETWORK_MAIL: "glpi@teclib.com"
GLPI_NETWORK_SERVICES: "https://services.glpi-network.com"
GLPI_MARKETPLACE_ALLOW_OVERRIDE: true
GLPI_MARKETPLACE_MANUAL_DOWNLOADS: true
GLPI_USER_AGENT_EXTRA_COMMENTS: ""
GLPI_DISABLE_ONLY_FULL_GROUP_BY_SQL_MODE: "1"
GLPI_AJAX_DASHBOARD: "1"
GLPI_CALDAV_IMPORT_STATE: 0
GLPI_DEMO_MODE: "0"
GLPI_CENTRAL_WARNINGS: "1"
GLPI_DOC_DIR: "/var/www/html/glpi/files"
GLPI_CACHE_DIR: "/var/www/html/glpi/files/_cache"
GLPI_CRON_DIR: "/var/www/html/glpi/files/_cron"
GLPI_DUMP_DIR: "/var/www/html/glpi/files/_dumps"
GLPI_GRAPH_DIR: "/var/www/html/glpi/files/_graphs"
GLPI_LOCAL_I18N_DIR: "/var/www/html/glpi/files/_locales"
GLPI_LOCK_DIR: "/var/www/html/glpi/files/_lock"
GLPI_LOG_DIR: "/var/www/html/glpi/files/_log"
GLPI_PICTURE_DIR: "/var/www/html/glpi/files/_pictures"
GLPI_PLUGIN_DOC_DIR: "/var/www/html/glpi/files/_plugins"
GLPI_RSS_DIR: "/var/www/html/glpi/files/_rss"
GLPI_SESSION_DIR: "/var/www/html/glpi/files/_sessions"
GLPI_TMP_DIR: "/var/www/html/glpi/files/_tmp"
GLPI_UPLOAD_DIR: "/var/www/html/glpi/files/_uploads"
GLPI_INVENTORY_DIR: "/var/www/html/glpi/files/_inventories"
GLPI_NETWORK_REGISTRATION_API_URL: "https://services.glpi-network.com/api/registration/"
GLPI_MARKETPLACE_PLUGINS_API_URI: "https://services.glpi-network.com/api/glpi-plugins/"
GLPI_I18N_DIR: "/var/www/html/glpi/locales"
GLPI_VERSION: "10.0.5"
GLPI_SCHEMA_VERSION: "10.0.5@628dbfbb91eb4caf10c35969d9162b9300b141e0"
GLPI_MARKETPLACE_PRERELEASES: false
GLPI_MIN_PHP: "7.4.0"
GLPI_MAX_PHP: "8.3.0"
GLPI_YEAR: "2022"

Libraries
 
htmlawed/htmlawed version 1.2.9 in (/var/www/html/glpi/vendor/htmlawed/htmlawed)
phpmailer/phpmailer version 6.6.0 in (/var/www/html/glpi/vendor/phpmailer/phpmailer/src)
simplepie/simplepie version 1.5.8 in (/var/www/html/glpi/vendor/simplepie/simplepie/library)
tecnickcom/tcpdf version 6.5.0 in (/var/www/html/glpi/vendor/tecnickcom/tcpdf)
michelf/php-markdown in (/var/www/html/glpi/vendor/michelf/php-markdown/Michelf)
true/punycode in (/var/www/html/glpi/vendor/true/punycode/src)
iamcal/lib_autolink in (/var/www/html/glpi/vendor/iamcal/lib_autolink)
sabre/dav in (/var/www/html/glpi/vendor/sabre/dav/lib/DAV)
sabre/http in (/var/www/html/glpi/vendor/sabre/http/lib)
sabre/uri in (/var/www/html/glpi/vendor/sabre/uri/lib)
sabre/vobject in (/var/www/html/glpi/vendor/sabre/vobject/lib)
laminas/laminas-i18n in (/var/www/html/glpi/vendor/laminas/laminas-i18n/src)
laminas/laminas-servicemanager in (/var/www/html/glpi/vendor/laminas/laminas-servicemanager/src)
monolog/monolog in (/var/www/html/glpi/vendor/monolog/monolog/src/Monolog)
sebastian/diff in (/var/www/html/glpi/vendor/sebastian/diff/src)
donatj/phpuseragentparser in (/var/www/html/glpi/vendor/donatj/phpuseragentparser/src/UserAgent)
elvanto/litemoji in (/var/www/html/glpi/vendor/elvanto/litemoji/src)
symfony/console in (/var/www/html/glpi/vendor/symfony/console)
scssphp/scssphp in (/var/www/html/glpi/vendor/scssphp/scssphp/src)
laminas/laminas-mail in (/var/www/html/glpi/vendor/laminas/laminas-mail/src/Protocol)
laminas/laminas-mime in (/var/www/html/glpi/vendor/laminas/laminas-mime/src)
rlanvin/php-rrule in (/var/www/html/glpi/vendor/rlanvin/php-rrule/src)
blueimp/jquery-file-upload in (/var/www/html/glpi/vendor/blueimp/jquery-file-upload/server/php)
ramsey/uuid in (/var/www/html/glpi/vendor/ramsey/uuid/src)
psr/log in (/var/www/html/glpi/vendor/psr/log/Psr/Log)
psr/simple-cache in (/var/www/html/glpi/vendor/psr/simple-cache/src)
psr/cache in (/var/www/html/glpi/vendor/psr/cache/src)
league/csv in (/var/www/html/glpi/vendor/league/csv/src)
mexitek/phpcolors in (/var/www/html/glpi/vendor/mexitek/phpcolors/src/Mexitek/PHPColors)
guzzlehttp/guzzle in (/var/www/html/glpi/vendor/guzzlehttp/guzzle/src)
guzzlehttp/psr7 in (/var/www/html/glpi/vendor/guzzlehttp/psr7/src)
glpi-project/inventory_format in (/var/www/html/glpi/vendor/glpi-project/inventory_format/lib/php)
wapmorgan/unified-archive in (/var/www/html/glpi/vendor/wapmorgan/unified-archive/src)
paragonie/sodium_compat in (/var/www/html/glpi/vendor/paragonie/sodium_compat/src)
symfony/cache in (/var/www/html/glpi/vendor/symfony/cache)
html2text/html2text in (/var/www/html/glpi/vendor/html2text/html2text/src)
symfony/css-selector in (/var/www/html/glpi/vendor/symfony/css-selector)
symfony/dom-crawler in (/var/www/html/glpi/vendor/symfony/dom-crawler)
twig/twig in (/var/www/html/glpi/vendor/twig/twig/src)
twig/string-extra in (/var/www/html/glpi/vendor/twig/string-extra)
symfony/polyfill-ctype not found
symfony/polyfill-iconv not found
symfony/polyfill-mbstring not found
symfony/polyfill-php80 not found
symfony/polyfill-php81 not found
symfony/polyfill-php82 in (/var/www/html/glpi/vendor/symfony/polyfill-php82)

LDAP directories
 
Server: 'domain.ru', Port: '389', BaseDN: 'DC=domain,DC=ru', Connection filter:
        '(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))', RootDN: 'user', Use TLS: none

SQL replicas
 
Not active

Notifications
 
Way of sending emails: SMTP (anonymous@mail.domain.ru)

Plugins list
 
    barcode              Name: Barcode                        Version: 2.7.1      State: Enabled                                 
        Install Method: Marketplace
    formcreator          Name: Form Creator                   Version: 2.13.3     State: Enabled                                 
        Install Method: Manual
    fusioninventory      Name: FusionInventory                Version: 9.5+4.2    State: Installed / not activated               
        Install Method: Manual
    gappessentials       Name: Gapp Essentials                Version: 2.1.1      State: Enabled                                 
        Install Method: Marketplace
    taskdrop             Name: TaskDrop                       Version: 2.0.0      State: Enabled                                 
        Install Method: Marketplace
    telegrambot          Name: TelegramBot                    Version: 3.0        State: Installed / not activated               
        Install Method: Manual
    useditemsexport      Name: Used items export              Version: 2.4.0      State: Installed / not activated               
        Install Method: Marketplace
    yagp                 Name: yagp                           Version: 2.1.1      State: Enabled                                 
        Install Method: Marketplace
    itilcategorygroups   Name: Группы ITIL Категории     Version: 2.5.1      State: To update                       
                Install Method: Marketplace
    news                 Name: Оповещения                     Version: 1.10.5     State: Enabled                         
                Install Method: Marketplace
    dashboard            Name: Панель отчетов              Version: 1.0.2      State: Installed / not activated       
                Install Method: Manual
    escalade             Name: Переназначение             Version: 2.8.1      State: Enabled                         
                Install Method: Marketplace
    pdf                  Name: Печать в PDF                   Version: 2.0.0      State: Not installed                      
             Install Method: Manual
    screenshot           Name: Сделать и приложить снимок экр Version: 2.0.2      State: Enabled         
                                Install Method: Marketplace
    tasklists            Name: Список задач                  Version: 2.0.3      State: Enabled                         
                Install Method: Marketplace
    treeview             Name: Список по местонахождению Version: 1.10.0     State: Not installed           
                        Install Method: Marketplace
    tag                  Name: Управление тегами        Version: 2.10.0     State: Installed / not activated       
                Install Method: Marketplace

Anything else?

No response

kofe88 commented 1 year ago

I found what the problem is. In the group filter in the AD communication settings, "(objectClass = group)" was specified, while the correct value is "(objectCategory=group)". Strangely, on version 9.5.9, this filter did not cause problems.

It would be nice to somehow handle an incorrect response from the server so that everything does not fall into a white screen.

cedric-anne commented 1 year ago

Hi,

I close this issue as it was due to a bad value in LDAP filters. LDAP configuration can indeed be improved.

I close this issue as it is not a bug.
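
The log output in this issue shows a fixed pattern: an `ldap_search()` "Bad search filter" warning followed, on the same request, by an uncaught `TypeError` from `ldap_get_entries()`. The script below is an added example, not part of the issue or of GLPI. It finds that pair in `php-errors.log` and flags the requests that came through the login page. Function names are hypothetical, and the sample is abridged from the log lines quoted above.

```python
import re

# Abridged from the php-errors.log output quoted in the issue (backtraces shortened).
SAMPLE_LOG = r"""
[2022-12-07 10:33:14] glpiphplog.WARNING:   *** PHP Warning (2): ldap_search(): Search: Bad search filter in /var/www/html/glpi/src/User.php at line 2012
  Backtrace :
  src/User.php:2012                                  ldap_search()
  front/massiveaction.php:59                         MassiveAction->process()

[2022-12-07 10:33:14] glpiphplog.CRITICAL:   *** Uncaught Exception TypeError: ldap_get_entries(): Argument #2 ($result) must be of type LDAP\Result, bool given in /var/www/html/glpi/src/AuthLDAP.php at line 4226
  Backtrace :
  src/AuthLDAP.php:4226                              ldap_get_entries()
  front/massiveaction.php:59                         MassiveAction->process()

[2022-12-07 10:37:46] glpiphplog.WARNING:   *** PHP Warning (2): ldap_search(): Search: Bad search filter in /var/www/html/glpi/src/User.php at line 2012
  Backtrace :
  src/User.php:2012                                  ldap_search()
  front/login.php:89                                 Auth->login()

[2022-12-07 10:37:46] glpiphplog.CRITICAL:   *** Uncaught Exception TypeError: ldap_get_entries(): Argument #2 ($result) must be of type LDAP\Result, bool given in /var/www/html/glpi/src/AuthLDAP.php at line 4226
  Backtrace :
  src/AuthLDAP.php:4226                              ldap_get_entries()
  front/login.php:89                                 Auth->login()
"""

HEADER = re.compile(r"^\[(?P<ts>[\d-]+ [\d:]+)\] glpiphplog\.(?P<level>\w+):\s+\*\*\* (?P<msg>.*)$")
FRAME = re.compile(r"^\s+(?P<loc>\S+\.php):\d+\s+(?P<call>\S.*)$")

def parse_entries(text):
    """Split the log into entries: header fields plus (file, call) backtrace frames."""
    entries = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            entries.append({**m.groupdict(), "frames": []})
        elif (f := FRAME.match(line)) and entries:
            entries[-1]["frames"].append((f["loc"], f["call"]))
    return entries

def unchecked_search_failures(entries):
    """Pair each 'Bad search filter' warning with the TypeError raised on the same request."""
    incidents, pending = [], {}
    for e in entries:
        if not e["frames"]:
            continue
        entry_file, entry_call = e["frames"][-1]  # outermost frame = script that served the request
        key = (e["ts"], entry_file)
        if e["level"] == "WARNING" and "ldap_search(): Search: Bad search filter" in e["msg"]:
            pending[key] = e
        elif e["level"] == "CRITICAL" and "ldap_get_entries()" in e["msg"] and "bool given" in e["msg"]:
            if pending.pop(key, None):
                incidents.append({"ts": e["ts"], "entry_point": entry_file,
                                  "login_path": entry_call.startswith("Auth->login")})
    return incidents

if __name__ == "__main__":
    for inc in unchecked_search_failures(parse_entries(SAMPLE_LOG)):
        print(inc)
```

An incident with `login_path` set means directory logins were failing with a blank page, not just the manual synchronization.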