hydrian / TTRSS-Auth-LDAP

GitHub repository for Tiny Tiny RSS's auth_ldap plugin
https://github.com/hydrian/TTRSS-Auth-LDAP/wiki

Active Directory / Samba config for auth_ldap #35

Open emtie opened 5 years ago

emtie commented 5 years ago

Hi all,

I've installed Tiny Tiny RSS on Ubuntu 18.04 with a LAMP stack and php7.2-ldap. I want to authenticate against a Samba 4 Active Directory domain, but I'm facing this error message:

E_USER_ERROR (256) | :0 | LDAP bind(): Bind failed ()with DN CN=ttrss,OU=serviceaccounts,DC=ad,DC=domain,DC=org

This is my config file:

        define('LDAP_AUTH_SERVER_URI', 'ldaps://samba.ad.domain.org:636/');
        define('LDAP_AUTH_USETLS', FALSE); // Enable StartTLS Support for ldap://
        define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE); // Allows untrusted certificate
        define('LDAP_AUTH_BASEDN', 'DC=ad,DC=domain,DC=org');
        define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
        // ??? will be replaced with the entered username(escaped) at login
        define('LDAP_AUTH_SEARCHFILTER', '(&(objectClass=person)(sAMAccountName=???))');

        // Optional configuration
        define('LDAP_AUTH_BINDDN', 'CN=ttrss,OU=serviceaccounts,DC=ad,DC=domain,DC=org');
        define('LDAP_AUTH_BINDPW', 'password');
        // define('LDAP_AUTH_LOGIN_ATTRIB', 'uid');
        define('LDAP_AUTH_LOG_ATTEMPTS', FALSE);

        // Enable Debug Logging
        define('LDAP_AUTH_DEBUG', TRUE);

What further information shall I provide to help solving this problem?

thanks in advance

emtie

hydrian commented 5 years ago

What are you setting for your login attribute (LDAP_AUTH_LOGIN_ATTRIB)? You commented out 'uid', but you didn't set another login attribute. If you want to use the standard AD short name, use 'sAMAccountName'.

hydrian commented 5 years ago

Never mind that, you're not even getting that far. It looks like the service account bind is failing. Not much to go wrong here. Double-check the bind DN. I usually make sure to copy and paste it out of the AD attribute editor to make sure there are no typos. Also, verify the password with the bind service account.

Another thing that can often look like an authentication issue is a non-allowed TLS connection.
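The two causes hydrian names above (a wrong bind DN or password versus a TLS connection the server refuses) can be told apart by repeating the plugin's service-account bind and reading the result code and Active Directory's extended "data NNN" reason, which the plugin's "Bind failed ()" message leaves empty. This is an added PHP diagnostic, not code from auth_ldap or from anyone in the thread; the configuration values are the constructed ones from the first post, and the sub-code table is Microsoft's documented AD bind error data values.

```php
<?php
// Added diagnostic (not part of auth_ldap): repeat the plugin's service-account bind
// but report the LDAP result code and AD's "data NNN" reason, which the plugin omits.
// Constructed values copied from the first post; substitute your own.
define('LDAP_AUTH_SERVER_URI', 'ldaps://samba.ad.domain.org:636/');
define('LDAP_AUTH_USETLS', false);
define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', true);
define('LDAP_AUTH_BINDDN', 'CN=ttrss,OU=serviceaccounts,DC=ad,DC=domain,DC=org');
define('LDAP_AUTH_BINDPW', 'password');
// Sub-codes AD puts in "AcceptSecurityContext error, data XXX" alongside result 49.
const AD_BIND_REASONS = [
    '525' => 'user not found: check the bind DN',
    '52e' => 'invalid credentials: check the password',
    '530' => 'logon not permitted at this time',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked out',
];
function explainAdDiagnostic(string $diag): string {
    if (preg_match('/data ([0-9a-f]{3})/i', $diag, $m)) {
        return AD_BIND_REASONS[strtolower($m[1])] ?? "unknown AD sub-code {$m[1]}";
    }
    return $diag === '' ? 'no extended message from server' : $diag;
}
function diagnoseBind(): void {
    if (LDAP_AUTH_ALLOW_UNTRUSTED_CERT) {
        // Skip chain verification as the plugin setting does (must precede ldap_connect);
        // the session is then encrypted but the server is unauthenticated: fix the trust store.
        putenv('LDAPTLS_REQCERT=never');
    }
    $conn = ldap_connect(LDAP_AUTH_SERVER_URI);
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0); // AD sends referrals; chasing them fails
    if (LDAP_AUTH_USETLS && !@ldap_start_tls($conn)) {
        echo 'StartTLS failed (TLS problem, not credentials): ' . ldap_error($conn) . PHP_EOL;
        return;
    }
    if (@ldap_bind($conn, LDAP_AUTH_BINDDN, LDAP_AUTH_BINDPW)) {
        echo 'Bind OK as ' . LDAP_AUTH_BINDDN . PHP_EOL;
        return;
    }
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    // errno -1 "Can't contact LDAP server" points at URI/port/TLS; 49 means AD rejected the bind
    printf("Bind failed: errno %d (%s): %s\n", ldap_errno($conn), ldap_error($conn),
        explainAdDiagnostic((string) $diag));
}
diagnoseBind();
```

Run it from the same host and PHP installation as the plugin so the libldap, CA store and php-ldap module under test are the ones the plugin actually uses.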

emtie commented 5 years ago

Hi hydrian,

Thanks for your feedback. I did try LDAP_AUTH_LOGON_ATTRIB = sAMAccountName with 'LDAP_AUTH_BINDDN', 'ttrss'. Then I tried it with LDAP_AUTH_LOGON_ATTRIB = distinguishedName and 'LDAP_AUTH_BINDDN', 'CN=ttrss,OU=serviceaccounts,DC=ad,DC=domain,DC=org'. I copied and pasted the password and the bind DN and verified that logging on with that password is possible. I additionally tried port 389 without TLS, and I even tried anonymous bind (although I am pretty sure that anonymous bind is disallowed in Active Directory domains). I do not know what else to try.

cu emtie

jeschero commented 5 years ago

I have the same error. I use the Docker image from linuxserver/tt-rss and add the php7-ldap module. The image uses PHP 7.2.18. The LDAP server is Active Directory and I use the notifying data in GitLab. In GitLab I have no problem with it.

Error Message:

E_USER_ERROR (256) | :0 | LDAP bind(): Bind failed ()with DN CN=ldapsearch,CN=Users,DC=int,DC=example,DC=net

The config file:

define('LDAP_AUTH_SERVER_URI', 'ldaps://hn-dc01.int.example.net');
define('LDAP_AUTH_USETLS', FALSE); // Enable StartTLS Support for ldap://
define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE); // Allows untrusted certificate
define('LDAP_AUTH_BASEDN', 'CN=Users,DC=int,DC=tecin,DC=net');
define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
// ??? will be replaced with the entered username(escaped) at login
define('LDAP_AUTH_SEARCHFILTER', '(&(|(objectclass=user))(|(|(memberof=CN=Humans,CN=Users,DC=int,DC=example,DC=net))))');
// Optional configuration
define('LDAP_AUTH_BINDDN', 'CN=ldapsearch,CN=Users,DC=int,DC=example,DC=net');
define('LDAP_AUTH_BINDPW', '<password>');
define('LDAP_AUTH_LOGIN_ATTRIB', 'sAMAccountName');
define('LDAP_AUTH_LOG_ATTEMPTS', FALSE);
// Enable Debug Logging
define('LDAP_AUTH_DEBUG', TRUE);