hydrian / TTRSS-Auth-LDAP

GitHub repository for Tiny Tiny RSS's auth_ldap plugin
https://github.com/hydrian/TTRSS-Auth-LDAP/wiki

Incorrect user name and password #19

Closed posledov closed 8 years ago

posledov commented 8 years ago
define('LDAP_AUTH_SERVER_URI', 'ldaps://ldap.example.net:636/');
define('LDAP_AUTH_USETLS', FALSE); // Enable TLS Support for ldaps://
define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', FALSE); // Allows untrusted certificate
define('LDAP_AUTH_BASEDN', 'ou=accounts,dc=example');
define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
// ??? will be replaced with the entered username(escaped) at login
define('LDAP_AUTH_SEARCHFILTER', '(&(objectclass=inetOrgPerson)(memberof=cn=rss,ou=services,dc=example)(uid=???))');
// Optional configuration
define('LDAP_AUTH_BINDDN', 'cn=rss,ou=services,dc=example');
define('LDAP_AUTH_BINDPW', 'yoow534oshuxXeki');
define('LDAP_AUTH_LOGIN_ATTRIB', 'uid');
define('LDAP_AUTH_LOG_ATTEMPTS', TRUE);
// Enable Debug Logging
define('LDAP_AUTH_DEBUG', TRUE);
...
...
define('PLUGINS', 'auth_ldap, auth_internal, note');

ldapsearch works as it should from the same machine where ttrss is:

# ldapsearch -H ldaps://ldap.example.net -D "cn=rss,ou=services,dc=example" -W -b "ou=accounts,dc=example" "(&(objectclass=inetOrgPerson)(memberof=cn=rss,ou=services,dc=example)(uid=igor))" | grep uid:
Enter LDAP Password: 
uid: igor

but the webui returns "incorrect user name and password"

logs http://pastebin.com/ArVFBXQa

# git show origin/master 
commit 6eed9a7463443d206bb9f9369b77be70ac84d9de
Merge: a956648 33d131d
Author: Andrew Dolgov <noreply@fakecake.org>
Date:   Mon Dec 7 20:07:37 2015 +0300

    Merge branch 'master' of git.tt-rss.org:fox/tt-rss
# dpkg -l | grep php5-ldap
ii  php5-ldap                         5.6.14+dfsg-0+deb8u1          amd64        LDAP module for php5
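The config comment above says the `???` placeholder is replaced with the entered username "(escaped)". What that escaping has to do is defined by RFC 4515: the characters `*`, `(`, `)`, `\` and NUL in an assertion value must be written as `\` plus two hex digits, otherwise a login name can rewrite the filter. The following is an added, stand-alone Python reimplementation of that substitution step (not the plugin's code and not from the issue reporter); the template string is the one from the config posted above, the placeholder token `???` is taken from the config comment, and the `*` login used to show the difference is a constructed input.

```python
"""RFC 4515 escaping for the auth_ldap-style '???' search filter placeholder.

Stand-alone illustration, not the plugin's own implementation.
"""

# Search filter template copied from the config in the issue above.
SEARCH_FILTER = ('(&(objectclass=inetOrgPerson)'
                 '(memberof=cn=rss,ou=services,dc=example)(uid=???))')

# Placeholder token as described in the config comment (assumed to be literal).
PLACEHOLDER = '???'

# Bytes that RFC 4515 section 3 requires to be hex-escaped in an assertion value.
_MUST_ESCAPE = frozenset(b'*()\\\x00')


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value.

    Each of * ( ) \\ NUL becomes a backslash and two hex digits. Non-ASCII
    characters are UTF-8 encoded and every byte >= 0x80 is escaped the same
    way; RFC 4515 permits escaping any byte, so this is always valid.
    """
    out = []
    for byte in value.encode('utf-8'):
        if byte in _MUST_ESCAPE or byte >= 0x80:
            out.append('\\%02x' % byte)
        else:
            out.append(chr(byte))
    return ''.join(out)


def build_search_filter(login: str, template: str = SEARCH_FILTER) -> str:
    """Substitute the escaped login for every PLACEHOLDER in the template."""
    if PLACEHOLDER not in template:
        raise ValueError('template contains no %r placeholder' % PLACEHOLDER)
    return template.replace(PLACEHOLDER, escape_filter_value(login))


def build_search_filter_unsafe(login: str, template: str = SEARCH_FILTER) -> str:
    """Same substitution without escaping; shown only to contrast the result."""
    return template.replace(PLACEHOLDER, login)


def assertion_count(ldap_filter: str) -> int:
    """Count unescaped '(' characters, i.e. the number of filter components.

    A login name that changes this count has altered the filter structure.
    """
    count = 0
    for i, ch in enumerate(ldap_filter):
        if ch == '(' and (i == 0 or ldap_filter[i - 1] != '\\'):
            count += 1
    return count


if __name__ == '__main__':
    # Normal login from the thread: escaping is a no-op.
    print(build_search_filter('igor'))
    # Constructed hostile login: unescaped it turns (uid=...) into a wildcard
    # that matches every member of the group; escaped it matches a literal '*'.
    for name, fn in (('unsafe', build_search_filter_unsafe),
                     ('escaped', build_search_filter)):
        flt = fn('*')
        print('%-8s %d components  %s' % (name, assertion_count(flt), flt))
```

`ldapsearch` run from the shell, as in the thread, is a useful check of the service account, base DN and group membership, but it bypasses this substitution step entirely: the filter typed on the command line is already final, so a filter that works there says nothing about what the web application builds from the login form.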
hydrian commented 8 years ago

Looks like the search filter is incorrect. You're searching for the service account and not the membership group.

posledov commented 8 years ago

First of all, look at the output of ldapsearch :) The filter is 100% correct.

And let me explain...

define('LDAP_AUTH_BINDDN', 'cn=rss,ou=services,dc=example');

cn=rss,ou=services,dc=example is a service account in my OpenLDAP, and it has objectClass "groupOfNames", so it's absolutely normal for:

  1. bind (LDAP_AUTH_BINDDN)
  2. filter (memberof=cn=rss,ou=services,dc=example)

dn: cn=rss,ou=services,dc=example
objectClass: simpleSecurityObject
objectClass: top
objectClass: groupOfNames
cn: rss
member: uid=oleg,dc=example.net,ou=accounts,dc=example
member: uid=igor,dc=example.net,ou=accounts,dc=example
userPassword:: eW2vdzLQaG3zaHRwVWWraQ==
posledov commented 8 years ago

The problem is fixed by using ldap:389+starttls, but a new one appears... exactly like this https://tt-rss.org/forum/viewtopic.php?t=1968&p=21507#p21507 (fixed by migrating to https://github.com/corux/TTRSS-Auth-LDAP/ )
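The config in the first post combined `ldaps://...:636/` with `LDAP_AUTH_USETLS` off, and the reporter's workaround was `ldap://` on 389 with StartTLS. Those two transport settings interact: `ldaps://` wraps the whole connection in TLS before the first LDAP message, whereas StartTLS opens a cleartext connection on the `ldap://` port and upgrades it with an extended operation, so asking for StartTLS on an `ldaps://` connection means negotiating TLS twice, and `ldap://` without StartTLS sends the bind password in clear. The following is an added Python sanity check over these three settings (not part of the plugin or the issue); the `ldap://ldap.example.net:389/` URI and the `True`/`False` values for the StartTLS variant are assumed from the reporter's description, and the `config.php` parsing uses a simple regex that only recognises the `define('NAME', value);` form shown in the post.

```python
"""Sanity checks for the auth_ldap transport settings (added example, not plugin code)."""

import re
from urllib.parse import urlsplit

# Original config from the issue: TLS-wrapped port 636, StartTLS off.
ORIGINAL = {
    'LDAP_AUTH_SERVER_URI': 'ldaps://ldap.example.net:636/',
    'LDAP_AUTH_USETLS': False,
    'LDAP_AUTH_ALLOW_UNTRUSTED_CERT': False,
}

# Reporter's workaround ("ldap:389+starttls"); exact URI and flags assumed.
STARTTLS = {
    'LDAP_AUTH_SERVER_URI': 'ldap://ldap.example.net:389/',
    'LDAP_AUTH_USETLS': True,
    'LDAP_AUTH_ALLOW_UNTRUSTED_CERT': False,
}

DEFAULT_PORTS = {'ldap': 389, 'ldaps': 636}

# Matches the define('NAME', value); lines used in the posted config.php.
_DEFINE_RE = re.compile(
    r"define\('(?P<name>LDAP_AUTH_[A-Z_]+)',\s*(?P<value>'[^']*'|TRUE|FALSE)\)",
    re.IGNORECASE)


def parse_defines(php_source: str) -> dict:
    """Pull LDAP_AUTH_* defines out of a config.php fragment (quoted strings and TRUE/FALSE only)."""
    cfg = {}
    for m in _DEFINE_RE.finditer(php_source):
        raw = m.group('value')
        if raw.upper() in ('TRUE', 'FALSE'):
            cfg[m.group('name')] = raw.upper() == 'TRUE'
        else:
            cfg[m.group('name')] = raw[1:-1]
    return cfg


def check_transport(cfg: dict) -> list:
    """Return a list of findings; an empty list means the three settings are consistent."""
    findings = []
    parts = urlsplit(cfg.get('LDAP_AUTH_SERVER_URI', ''))
    scheme = parts.scheme.lower()
    use_tls = bool(cfg.get('LDAP_AUTH_USETLS', False))
    allow_untrusted = bool(cfg.get('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', False))

    if scheme not in DEFAULT_PORTS:
        findings.append('unsupported URI scheme %r (expected ldap:// or ldaps://)' % parts.scheme)
        return findings

    if scheme == 'ldaps' and use_tls:
        findings.append('ldaps:// is already TLS-wrapped; StartTLS on it tries to '
                        'negotiate TLS a second time and fails')
    if scheme == 'ldap' and not use_tls:
        findings.append('ldap:// without StartTLS: bind DN password and user '
                        'passwords cross the network in cleartext')
    if allow_untrusted and (scheme == 'ldaps' or use_tls):
        findings.append('ALLOW_UNTRUSTED_CERT disables certificate validation; '
                        'an active attacker can terminate the TLS session')

    port = parts.port
    if port is not None and port != DEFAULT_PORTS[scheme]:
        other = 'ldaps' if scheme == 'ldap' else 'ldap'
        if port == DEFAULT_PORTS[other]:
            findings.append('%s:// on port %d, which is the standard %s:// port; '
                            'scheme and port probably disagree' % (scheme, port, other))
    return findings


if __name__ == '__main__':
    for label, cfg in (('original', ORIGINAL), ('starttls', STARTTLS)):
        print(label, check_transport(cfg) or 'ok')
```

Both the original `ldaps://` configuration and the StartTLS variant pass these checks, so the transport combination itself is consistent in each case; what the check does catch is the two settings that are wrong in a way a login failure would never reveal, namely a cleartext `ldap://` bind and a TLS session whose certificate is never verified.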