search

meeting-room-booking-system / mrbs-code

MRBS application code
Other
129 stars 64 forks source link

Cannot get LDAP Auth to work #2748

Open jberanek opened 4 years ago

jberanek commented 4 years ago

[Transferred from the general mailing list]

Hi Everyone,

For the life of me, cannot get the LDAP Authentication to work.

No matter what I change, I keep getting the same debug error: 

[11-May-2020 04:23:06 UTC] MRBS\authLdapAction: got LDAP connection
[11-May-2020 04:23:06 UTC] MRBS\authLdapAction: binding with search_dn and search_password
[11-May-2020 14:23:06 Australia/Brisbane]
E_USER_WARNING in /var/www/html/auth/auth_ldap.inc at line 935
Can't contact LDAP server
MRBS GET: Array
(
)
MRBS POST: Array
(
    [csrf_token] => ce308cf2df835bf5efc9a034411d721826c2e81866c793c6e8518d2611ddd6fa
    [returl] =>
    [target_url] => help.php?view=week&page_date=2020-05-11
    [action] => SetName
    [username] => ****
    [password] => ****
)
MRBS SESSION: Array
(
    [csrf_token] => ce308cf2df835bf5efc9a034411d721826c2e81866c793c6e8518d2611ddd6fa
)

[11-May-2020 14:23:06 Australia/Brisbane] MRBS\authLdapAction: initial bind failed: Can't contact LDAP server
[11-May-2020 14:23:06 Australia/Brisbane] MRBS\authLdapAction: no DN determined, not calling callback

This is my configuration: 

$auth["type"] = "ldap";
$auth["session"] = "php";
$ldap_host = "ldap.sheldoncollege.com";
$ldap_port = 389;
$ldap_v3 = true;
$ldap_tls = false;
$ldap_base_dn = "DC=sheldoncollege,DC=com";
$ldap_dn_search_attrib = "sAMAccountName";
$ldap_dn_search_dn = "CN=svc_MRBS,OU=Service Accounts,OU=User Accounts,OU=1 Sheldon College,DC=sheldoncollege,DC=com";
$ldap_dn_search_password = "nottherealpassword";
$ldap_filter_user_attr = "memberuid";
$ldap_get_user_email = true;
$ldap_email_attrib = 'mail';
$ldap_group_member_attrib = 'memberof';
$ldap_unbind_between_attempts = false;
$ldap_suppress_invalid_credentials = true;
$ldap_debug = true;

MRBS Version: 1.8.0 OS: Centos 8 PHP Version: 7.2.11

Appreciate any help with tackling this.

Cheers, Kris

Reported by: campbell-m

Original Ticket: mrbs/support-requests/2053

jberanek commented 4 years ago

Are you sure "ldap.sheldoncollege.com" is correct?

Original comment by: campbell-m

jberanek commented 4 years ago

Hey Kris,

It seems that your LDAP Server is incorrect??

Are you sure that is the correct hostname?

Original comment by: *anonymous

jberanek commented 4 years ago

Hey Kris,

I stated above can you please confirm your LDAP Server. I work in a school in Australia and this LDAP query worked for our Domain Controller.

$ldap_host = "ROSEBMS-DC1"; //$ldap_port = 389; $ldap_v3 = false; $ldap_tls = false; $ldap_base_dn = array("OU=SchoolAdmins,OU=Users,OU=palmcsch,OU=GovernmentSchools,DC=ntschools,DC=net","OU=Teachers,OU=Users,OU=palmcsch,OU=GovernmentSchools,DC=ntschools,DC=net"); $ldap_user_attrib = 'uid'; $ldap_dn_search_attrib = 'SamAccountName'; //$ldap_dn_search_attrib = "name"; $ldap_dn_search_dn = "CN=svc_palmcsch_sw,OU=ServiceAccounts,OU=Service,DC=ntschools,DC=net"; $ldap_dn_search_password = "REDACTED";

Original comment by: bradleypc

jberanek commented 4 years ago

Hi All,

Hostname is correct. It's my round robin DNS record for my DC's.

Pinging ldap.sheldoncollege.com [10.40.0.12] with 32 bytes of data: Reply from 10.40.0.12: bytes=32 time<1ms TTL=127

If I change $ldap_host to by my main DC hostname, I still get the same error.

Kris

Original comment by: *anonymous

jberanek commented 4 years ago

Are you pinging from the same machine as the MRBS server? It maybe that you can reach the LDAP server but for some reason the MRBS server can't.

Original comment by: campbell-m

jberanek commented 4 years ago

Could you try flushing your DNS Cache on your MRBS Server?

Also as Campbell said, try to do a ping via the MRBS server to your DC or do a ping trace to see where it fallsover

Original comment by: bradleypc

jberanek commented 4 years ago

Maybe try LDAPS on port 636 or 3269 (global catalog server)

Original comment by: *anonymous

jberanek commented 4 years ago

Flushed DNS.

Pings OK. PING ldap.sheldoncollege.com (10.40.0.12) 56(84) bytes of data. 64 bytes from slcdc08.sheldoncollege.com (10.40.0.12): icmp_seq=1 ttl=128 time=0.613 ms

Route OK.

[root@svr-mrbs-01 ~]# tracepath ldap.sheldoncollege.com 1?: [LOCALHOST] pmtu 1500 1: slcdc08.sheldoncollege.com 0.708ms reached 1: slcdc08.sheldoncollege.com 0.509ms reached Resume: pmtu 1500 hops 1 back 1

Have tried LDAPS(636) too with same result :(

Original comment by: *anonymous

jberanek commented 4 years ago

Just tried using the IP of the DC with similar results too.

Original comment by: *anonymous

jberanek commented 4 years ago

Have you tried using the configured user via an LDAP browser such as Softerra's? Just wondering if the users rights are correct.

Original comment by: *anonymous

jberanek commented 4 years ago

Credentials checked out OK with Softerra.

Original comment by: *anonymous

jberanek commented 4 years ago

Hm, may be best to review your fireweall rules when querying via the LDAP port on both your client and serverside machine

Original comment by: bradleypc

jberanek commented 4 years ago

Do your domain controllers have SSL certificates? If so it may be that they are doing implicit TLS, which means your PHP installation has to trust the issuer of those certs, typically by adding the intermediate/root certs to the CA certs directory used by PHP

Original comment by: jberanek

jberanek commented 4 years ago

One thing you could try to get more information from PHP is to add the following just above the trigger_error() call on line 935 of auth_ldap.inc:

ldap_get_option($link_identifier, LDAP_OPT_DIAGNOSTIC_MESSAGE, $err);
error_log("LDAP diagnostic: $err");

Original comment by: jberanek