meeting-room-booking-system / mrbs-code

MRBS application code

Authentication Issue in MRBS #3135

Closed jberanek closed 11 months ago

jberanek commented 2 years ago

Hi, I am hoping that I might get a little help here with MRBS. We noticed this in the 1.9.3 code and also in 1.9.4, and for us it seems a little weird: it first finds the entry in our LDAPS, then discards that and rebuilds the entry, and it fails to find the user.

Reported by: *anonymous

Original Ticket: mrbs/support-requests/2450

Attachments: https://sourceforge.net/p/mrbs/support-requests/2450/attachment/mrbs_ldap_user_issue.txt

jberanek commented 2 years ago

What have you got $ldap_dn_search_attrib set to? If it is not set, try

$ldap_dn_search_attrib = 'uid';

Original comment by: campbell-m

jberanek commented 2 years ago

Thank you. I did not have $ldap_dn_search_attrib = 'uid'; set at all. I have added that and it has changed the output; I am now seeing "user unknown". Here are the relevant lines from the log:

[Tue Oct 26 07:30:42.185396 2021] [php7:notice] [pid 22683] [client 10.25.27.154:15640] [MRBS DEBUG] MRBS\Auth\AuthLdap->action(737): got LDAP connection using ldaps://appldap.its.uow.edu.au:636, referer: https://kooloobong.uow.edu.au/mrbs/web/index.php
[Tue Oct 26 07:30:42.185454 2021] [php7:notice] [pid 22683] [client 10.25.27.154:15640] [MRBS DEBUG] MRBS\Auth\AuthLdap->action(755): binding anonymously, referer: https://kooloobong.uow.edu.au/mrbs/web/index.php
[Tue Oct 26 07:30:42.340460 2021] [php7:notice] [pid 22683] [client 10.25.27.154:15640] [MRBS DEBUG] MRBS\Auth\AuthLdap->action(765): initial bind was successful, referer: https://kooloobong.uow.edu.au/mrbs/web/index.php
[Tue Oct 26 07:30:42.340508 2021] [php7:notice] [pid 22683] [client 10.25.27.154:15640] [MRBS DEBUG] MRBS\Auth\AuthLdap->action(770): searching using base_dn 'ou=people,dc=uow,dc=edu,dc=au' and filter '(uid=be577)', referer: https://kooloobong.uow.edu.au/mrbs/web/index.php
[Tue Oct 26 07:30:42.341147 2021] [php7:notice] [pid 22683] [client 10.25.27.154:15640] [MRBS DEBUG] MRBS\Auth\AuthLdap->action(788): 0 entries found, no unique dn, referer: https://kooloobong.uow.edu.au/mrbs/web/index.php
[Tue Oct 26 07:30:42.341174 2021] [php7:notice] [pid 22683] [client 10.25.27.154:15640] [MRBS DEBUG] MRBS\Auth\AuthLdap->action(818): no DN determined, not calling callback, referer: https://kooloobong.uow.edu.au/mrbs/web/index.php

Excerpt from config.inc.php

$ldap_host = "ldaps://appldap.its.uow.edu.au";
$ldap_port = 636;
$ldap_v3 = true;
$ldap_debug = TRUE;
$ldap_base_dn = "ou=people,dc=uow,dc=edu,dc=au";
$ldap_dn_search_attrib = "uid";
$ldap_user_attrib = "uid";

It works for staff, just not for students. I am still able to log in; here is the successful log:

[Tue Oct 26 07:38:29.632397 2021] [php7:notice] [pid 22684] [client 10.25.27.154:23816] [MRBS DEBUG] MRBS\Auth\AuthLdap->action(737): got LDAP connection using ldaps://appldap.its.uow.edu.au:636, referer: https://kooloobong.uow.edu.au/mrbs/web/index.php
[Tue Oct 26 07:38:29.632442 2021] [php7:notice] [pid 22684] [client 10.25.27.154:23816] [MRBS DEBUG] MRBS\Auth\AuthLdap->action(755): binding anonymously, referer: https://kooloobong.uow.edu.au/mrbs/web/index.php
[Tue Oct 26 07:38:29.637029 2021] [php7:notice] [pid 22684] [client 10.25.27.154:23816] [MRBS DEBUG] MRBS\Auth\AuthLdap->action(765): initial bind was successful, referer: https://kooloobong.uow.edu.au/mrbs/web/index.php
[Tue Oct 26 07:38:29.637058 2021] [php7:notice] [pid 22684] [client 10.25.27.154:23816] [MRBS DEBUG] MRBS\Auth\AuthLdap->action(770): searching using base_dn 'ou=people,dc=uow,dc=edu,dc=au' and filter '(uid=lls)', referer: https://kooloobong.uow.edu.au/mrbs/web/index.php
[Tue Oct 26 07:38:29.637770 2021] [php7:notice] [pid 22684] [client 10.25.27.154:23816] [MRBS DEBUG] MRBS\Auth\AuthLdap->action(784): found one entry dn 'uid=lls,ou=People,dc=uow,dc=edu,dc=au', referer: https://kooloobong.uow.edu.au/mrbs/web/index.php
[Tue Oct 26 07:38:29.637793 2021] [php7:notice] [pid 22684] [client 10.25.27.154:23816] [MRBS DEBUG] MRBS\Auth\AuthLdap::validateUserCallback(237): base_dn 'ou=people,dc=uow,dc=edu,dc=au' dn 'uid=lls,ou=People,dc=uow,dc=edu,dc=au' user 'lls', referer: https://kooloobong.uow.edu.au/mrbs/web/index.php
[Tue Oct 26 07:38:29.642768 2021] [php7:notice] [pid 22684] [client 10.25.27.154:23816] [MRBS DEBUG] MRBS\Auth\AuthLdap::validateUserCallback(249): successful authenticated bind with no $ldap_filter, referer: https://kooloobong.uow.edu.au/mrbs/web/index.php
[Tue Oct 26 07:38:29.642987 2021] [php7:notice] [pid 22684] [client 10.25.27.154:23816] [MRBS DEBUG] MRBS\Auth\AuthLdap->action(737): got LDAP connection using ldaps://appldap.its.uow.edu.au:636, referer: https://kooloobong.uow.edu.au/mrbs/web/index.php
[Tue Oct 26 07:38:29.643030 2021] [php7:notice] [pid 22684] [client 10.25.27.154:23816] [MRBS DEBUG] MRBS\Auth\AuthLdap->action(755): binding anonymously, referer: https://kooloobong.uow.edu.au/mrbs/web/index.php
[Tue Oct 26 07:38:29.647022 2021] [php7:notice] [pid 22684] [client 10.25.27.154:23816] [MRBS DEBUG] MRBS\Auth\AuthLdap->action(765): initial bind was successful, referer: https://kooloobong.uow.edu.au/mrbs/web/index.php
[Tue Oct 26 07:38:29.647045 2021] [php7:notice] [pid 22684] [client 10.25.27.154:23816] [MRBS DEBUG] MRBS\Auth\AuthLdap->action(770): searching using base_dn 'ou=people,dc=uow,dc=edu,dc=au' and filter '(uid=lls)', referer: https://kooloobong.uow.edu.au/mrbs/web/index.php
[Tue Oct 26 07:38:29.648044 2021] [php7:notice] [pid 22684] [client 10.25.27.154:23816] [MRBS DEBUG] MRBS\Auth\AuthLdap->action(784): found one entry dn 'uid=lls,ou=People,dc=uow,dc=edu,dc=au', referer: https://kooloobong.uow.edu.au/mrbs/web/index.php
[Tue Oct 26 07:38:29.648130 2021] [php7:notice] [pid 22684] [client 10.25.27.154:23816] [MRBS DEBUG] MRBS\Auth\AuthLdap::getUserCallback(386): base_dn 'ou=people,dc=uow,dc=edu,dc=au' dn 'uid=lls,ou=People,dc=uow,dc=edu,dc=au' user_search 'distinguishedName=uid=lls,ou=People,dc=uow,dc=edu,dc=au' user 'lls', referer: https://kooloobong.uow.edu.au/mrbs/web/index.php
[Tue Oct 26 07:38:29.648985 2021] [php7:notice] [pid 22684] [client 10.25.27.154:23816] [MRBS DEBUG] MRBS\Auth\AuthLdap::getUserCallback(442): 1 entries found, referer: https://kooloobong.uow.edu.au/mrbs/web/index.php
[Tue Oct 26 07:38:29.649031 2021] [php7:notice] [pid 22684] [client 10.25.27.154:23816] [MRBS DEBUG] MRBS\Auth\AuthLdap::getUserCallback(449): ldap_read() succeeded, taking 0.00072002410888672 seconds, referer: https://kooloobong.uow.edu.au/mrbs/web/index.php
[Tue Oct 26 07:38:29.649121 2021] [php7:notice] [pid 22684] [client 10.25.27.154:23816] [MRBS DEBUG] MRBS\Auth\AuthLdap::getUserCallback(492): User 'lls' found, referer: https://kooloobong.uow.edu.au/mrbs/web/index.php

Original comment by: *anonymous

jberanek commented 2 years ago

ldapsearch -x -b "uid=be577,ou=people,dc=uow,dc=edu,dc=au" -H ldaps://appldap.its.uow.edu.au -D "uid=be577,ou=people,dc=uow,dc=edu,dc=au" -W
Enter LDAP Password:
# extended LDIF
# LDAPv3
# base <uid=be577,ou=people,dc=uow,dc=edu,dc=au> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# be577, People, uow.edu.au
dn: uid=be577,ou=People,dc=uow,dc=edu,dc=au
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: adobeConnectPerson
objectClass: uowUser
uid: be577
shadowMax: 366
mail: be577@uow.edu.au
mailAlternateAddress: be577@uow.edu.au
cn: Brian Eddy
sn: Eddy
givenName: Brian
adobeConnectGivenName: Brian
employeeType: student
gidNumber: 12000
shadowLastChange: 18771
departmentNumber: 300000003223052 - Student

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Original comment by: *anonymous

jberanek commented 2 years ago

Is your setting of $ldap_filter filtering out the students?

Original comment by: campbell-m

jberanek commented 2 years ago

I don't think $ldap_filter is even set.

Original comment by: *anonymous

jberanek commented 2 years ago

I suspect the student accounts don't have sufficient permissions for searches. Try setting $ldap_dn_search_dn and $ldap_dn_search_password:

// If you need to bind as a particular user to do the search described
// above, specify the DN and password in the variables below
// These two parameters can be arrays.
// $ldap_dn_search_dn = "cn=Search User,ou=Users,dc=example,dc=com"; // Any compliant LDAP
// $ldap_dn_search_dn = "searchuser@example.com"; // A form which could work for AD LDAP
// $ldap_dn_search_password = "some-password";

Original comment by: campbell-m
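The two-phase login that the debug logs above record (a search bind, a lookup of the user's DN under the base DN, then an authenticated bind as that DN) is shown below as an added example written directly against PHP's ext/ldap. It is not MRBS's own AuthLdap code; the host, base DN and the search-account DN are placeholders, and the search account's password is read from an environment variable rather than a config file. The point it makes explicit is the one in the comment above: when the first-phase search runs under an anonymous bind, "0 entries found" for a user that ldapsearch can see when bound as that user means the directory ACL is hiding the entry from anonymous clients, and a dedicated read-only search account is the fix.

```php
<?php
// Added example, not MRBS code. Reproduces the search-then-bind flow with
// plain ext/ldap calls so that each failure point is visible.
declare(strict_types=1);

/**
 * Phase 1: bind (anonymously, or as the configured search account) and look
 * up the unique DN for $username. Returns the DN, or null with the reason in
 * $why so the caller can distinguish "hidden by ACL / not found" from a bind
 * failure.
 */
function findUserDn($conn, string $baseDn, string $attrib, string $username,
                    ?string $searchDn, ?string $searchPw, ?string &$why = null): ?string
{
    $bound = ($searchDn === null) ? @ldap_bind($conn)
                                  : @ldap_bind($conn, $searchDn, $searchPw);
    if (!$bound) {
        $why = 'search bind failed: ' . ldap_error($conn);
        return null;
    }
    // Escape the username before interpolating it into the filter; an
    // unescaped value such as "*" or "x)(uid=someoneelse" would change the query.
    $filter = sprintf('(%s=%s)', $attrib, ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $result = @ldap_search($conn, $baseDn, $filter, ['dn']);
    if ($result === false) {
        $why = 'search failed: ' . ldap_error($conn);
        return null;
    }
    $count = ldap_count_entries($conn, $result);
    if ($count !== 1) {
        // 0 here under an anonymous bind, for an entry that exists, is the
        // student-account symptom: the ACL does not expose it to anonymous.
        $why = sprintf('%d entries for %s under %s (need exactly 1)',
                       $count, $filter, $searchDn ?? 'anonymous bind');
        return null;
    }
    return ldap_get_dn($conn, ldap_first_entry($conn, $result));
}

/**
 * Phase 2: bind as the DN found above with the user's password. Only this
 * bind proves the caller knows the password.
 */
function ldapLogin(string $uri, string $baseDn, string $attrib, string $username,
                   string $password, ?string $searchDn = null, ?string $searchPw = null): bool
{
    if ($username === '' || $password === '') {
        // An empty password turns a simple bind into an unauthenticated bind,
        // which some directories accept; never let it reach ldap_bind().
        return false;
    }
    $conn = ldap_connect($uri);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    $dn = findUserDn($conn, $baseDn, $attrib, $username, $searchDn, $searchPw, $why);
    if ($dn === null) {
        error_log("[LDAP DEBUG] no DN determined for '$username': $why");
        ldap_unbind($conn);
        return false;
    }
    $authenticated = @ldap_bind($conn, $dn, $password);
    error_log(sprintf("[LDAP DEBUG] authenticated bind as '%s': %s",
                      $dn, $authenticated ? 'ok' : ldap_error($conn)));
    ldap_unbind($conn);
    return $authenticated;
}

// CLI usage: php ldap_login.php <username> <password>
// Placeholders below are assumptions, not values from the thread.
if (PHP_SAPI === 'cli' && isset($argv[2])) {
    $ok = ldapLogin(
        'ldaps://ldap.example.edu',                   // assumed host
        'ou=people,dc=example,dc=edu',                // assumed base DN
        'uid',                                        // same as $ldap_dn_search_attrib
        $argv[1],
        $argv[2],
        'cn=mrbs-search,ou=services,dc=example,dc=edu', // assumed search account
        getenv('LDAP_SEARCH_PW') ?: null
    );
    echo $ok ? "login ok\n" : "login failed\n";
}
```

Two caveats when moving from this to a real $ldap_dn_search_dn setting: give the search account read access to the user attribute and DN only (it never needs to bind as anyone else or read password hashes), and since MRBS keeps $ldap_dn_search_password in config.inc.php, restrict that file to the web server user. Passing a null search DN to ldapLogin() reproduces the anonymous-bind behaviour in the failing log above, which is a quick way to confirm that the ACL, not the filter, is what hides the student entries.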

jberanek commented 2 years ago

Thanks Campbell, I will have a play with that. I think you could be correct, as students will have the rights to search for themselves and limited attributes for staff.

Original comment by: *anonymous