search

jotaelesalinas / laravel-adminless-ldap-auth

Authenticate users in Laravel against an adminless LDAP server
MIT License
210 stars 33 forks source link

ldap_search() and ldap_get_entries() error when attempting an Auth #40

Open cre0n opened 4 years ago

cre0n commented 4 years ago

Hello, I just started trying to get your repo to work on my laravel7 project (on Ubuntu 18.04 with Apache2 and PHP7.4 I think - is there a quick way to find out the PHP version in laravel? without having to create a php.ini and a route towards it in the web.php?) But unfortunately, I keep getting PHP Warning: ldap_search(): Search: Bad search filter in /var/www/html/zert/vendor/adldap2/adldap2/src/Connections/Ldap.php on line 286 PHP Warning: ldap_get_entries() expects parameter 2 to be resource, bool given in /var/www/html/zert/vendor/adldap2/adldap2/src/Connections/Ldap.php on line 143

when trying to attempt a login in tinker: Auth::attempt(['username' => 'einstein', 'password' => ''])

After some googling I found out, that I was somehow able to make the Auth via the adldap2::attempt() command I think it was - I cannot remember, have been trying to troubleshoot this problem for over 3 days now and can't find it.

I'm trying to connect to an Active Directory and the connection does work using a GUI ("Ldapadmin").

Can you help me out, or let me know what other information you need/where else I can try my luck?

Best regards

github-actions[bot] commented 4 years ago

Hi #! Welcome to this repo.

jotaelesalinas commented 4 years ago

Hi @cre0n ! If you are able to connect to your LDAP server using Ldapadmin, that means that you have an admin username and password in your LDAP server... isn't it? In that case, this package is not for you. That is why it is named adminless. Let me know if my assumption is wrong.

cre0n commented 4 years ago

Heyo, no, I do not have an admin username and password for our (companies) LDAP server, I am just using my normal user credentials which are the same as my Windows login credentials. I think it is exactly for me, because I'm not planning on using administrative actions on my laravel webpage like resetting passwords, I am just trying to get the Auth method set up with our AD, so I do not have to create 100 users manually, but rather have them created on their first AD-Login attempt. Or did I misunderstood something here, and am indeed trying to use it the wrong way?

jotaelesalinas commented 4 years ago

Are you sure that you are using the proper field names in .env? I mean LDAP_SCHEMA, LDAP_USER_SEARCH_ATTRIBUTE, LDAP_USER_BIND_ATTRIBUTE, etc.

alehawk commented 4 years ago

I got the same issue... I made a raw php file to check conenction, binding and search and I can do it but I cant using this bundle...

alehawk commented 4 years ago

I think it has something to do with the bind function

When I edit the search function it would work

public function search($dn, $filter, array $fields, $onlyAttributes = false, $size = 0, $time = 0)
{
    $srch = array('givenname','sn','mail');
    $username = 'myuser';
    $password = 'mypwd';
    ldap_set_option($this->connection, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($this->connection, LDAP_OPT_REFERRALS, 0);
    $dn = "OU=users,OU=myou,DC=something,DC=net"; //very important: in which part of your database are you looking
    $domain = '@something.net';
    $bind = @ldap_bind($this->connection, $username.$domain, $password);
    return ldap_search($this->connection, $dn, $filter, $srch, $onlyAttributes, $size, $time);
}

ldap_get_entries will bring data but it will return another error:

PHP Notice: Undefined index: username in /var/www/html/crm/vendor/laravel/framework/src/Illuminate/Auth/GenericUser.php on line 96

I dont know how to fix this :/

May be what I did helps.

Tnx

jotaelesalinas commented 4 years ago

You have to convert whatever ldap_search() returns into an instance of LdapUser and return that.

alehawk commented 4 years ago

Fist I want to say thank you for sharing your work.

If I follow the instructions and use:

Auth::attempt(['username' => 'einstein', 'password' => 'qwerty'])

I will get this error:

PHP Warning: ldap_search(): Search: Operations error in /var/www/html/crm/vendor/adldap2/adldap2/src/Connections/Ldap.php on line 286 PHP Warning: ldap_get_entries() expects parameter 2 to be resource, boolean given in /var/www/html/crm/vendor/adldap2/adldap2/src/Connections/Ldap.php on line 143

To avoid the error I did the modifications to the vendor ldap.php If I edit ldap.php search function as I did above it will work but it will give me the username error and I dont know why.... maybe something its wrong or maybe I'm missing something here...

I'm connecting to AD and the parameters I used works because I managed to authenticate myself and reterived the givenname,sn and mail of the logged user just using plain PHP code. I just wanted to use laravels authentication service and that's why I installed your library.

Thank you

jotaelesalinas commented 4 years ago

I’m really sorry, but I don’t have access to an ActiveDirectory to test the package, only OpenLDAP. In theory, the underlying library (Adldap2) should do the work. To debug, try providing different values in the .env variables and echoing the values in the search() function until you get it right, as if you hardcoded the values inside the function.

jotaelesalinas commented 4 years ago

Also, in the .env file, try providing the name of the LDAP attributes in lowercase.

jotaelesalinas commented 4 years ago

Hi @cre0n and @alehawk . Have you been able to solve this issue?

chimeng62 commented 4 years ago

I'm having the same problem. I went into public function bind($username, $password, $sasl = false) function and tried to dd($username, $password) and got empty variables instead.

Are the id and password from Auth::attempt(['id' => 'myid', 'password' => 'mypassword']) suppose to be passed to the bind function?

When I tried to place the entered id and password inside the bind function,

$username =  'myid';
$password' = 'mypassword';

It works.

So I think it is because the bind function is not called?

jotaelesalinas commented 4 years ago

See this lines: https://github.com/jotaelesalinas/laravel-adminless-ldap-auth/blob/030af485113ad53dfa03213c4759596226c19ac7/src/LdapHelper.php#L109-L112

chimeng62 commented 3 years ago

Thanks for the quick reply!

However, I'm not sure where to call that function you referred to.

In the Login Controller, I created a login function and placed the following code in it $provider = \Adldap::getDefaultProvider(); $provider->auth()->bind($creds['username'], $creds['password']); $provider->auth()->attempt($creds['username'], $creds['password'], true);

and it returns true which means my credentials are correct, but I'm not sure how the binding here will sync to the Auth:: instance. I also tired redirecting to the home index page but I stuck in the login page. return redirect()->route('home');

Or am I doing the wrong thing? Thanks.

jotaelesalinas commented 3 years ago

That is the old way I did it. You check the credentials yourself and call $this->guard()->login($user, true); if successful. See https://github.com/jotaelesalinas/laravel-adminless-ldap-auth/blob/d26ea52ddcc9a1336eb49a9c01469f51f8c83165/README.md.

I think you should uncomment the line 111 in laravel-adminless-ldap-auth/src/LdapHelper.php.

I will add a config option to call Adldap::auth()->bind() before Adldap::auth()->attempt().

chimeng62 commented 3 years ago

Thanks for the advice. I did what you recommended and had a thorough read as well. I have not had a database for user yet and will try tomorrow.

But just a quick question, what does $this->guard()->login($user, true); do? From my understanding, you pass the $user to login function and it will sync the attributes to Auth:: instance?

Does it allow me to do authentication like 

if (Auth::check()) {
    // The user is logged in...
}

or

Auth::id()

to get logged in user id? Thanks for helping me so far. I'm using Laravel 7 by the way.

jotaelesalinas commented 3 years ago

Hi @chimeng62 . That is the old way. The new one is preferred. Have you followed the installation instructions? What errors do you get when trying to authenticate inside Tinker?

chimeng62 commented 3 years ago

I did follow the installation instructions and adjusted it to fit the active directory. I got the same error as @cre0n did. This is the error when running Auth::attempt(['id' =>'myid', 'password' => 'mypassword'])

PHP Warning:  ldap_search(): Search: Operations error in C:/Users/Chimeng62/Desktop/adminless_ldap/vendor/adldap2/adldap2/src/Connections/Ldap.php on line 286
PHP Warning:  ldap_get_entries() expects parameter 2 to be resource, bool given in C:/Users/Chimeng62/Desktop/adminless_ldap/vendor/adldap2/adldap2/src/Connections/Ldap.php on line 143

Log file:

[2020-09-07 00:25:45] local.INFO: LDAP (ldap://ad.server.au:389) - Connection: default - Operation: Binding - Username:   
[2020-09-07 00:25:45] local.INFO: LDAP (ldap://ad.server.au:389) - Connection: default - Operation: Bound - Username:   
[2020-09-07 00:25:45] local.INFO: LDAP (ldap://ad.server.au:389) - Connection: default - Operation: Search - Base DN: ou=people,dc=ad,dc=server,dc=au - Filter: (samaccountname=123456789) - Selected: (*) - Time Elapsed: 17.23