meeting-room-booking-system / mrbs-code

MRBS application code

ldap no longer working after upgrade from 1.71 to 1.1.4 #3616

Closed iainmsi closed 7 months ago

iainmsi commented 7 months ago

Hi, I can no longer log in via LDAP. I'm seeing this: Auth\AuthLdap->action(811): no DN determined, not calling callback, referer: initial bind failed: Inappropriate authentication [Anonymous Simple Bind Disabled.],

In my config.inc.php:

$ldap_host = "xxxxxxxxx";
$ldap_v3 = false;
$ldap_base_dn[] = "ou=xxx, o=xxx";
$ldap_base_dn[] = "ou=xxx, o=xxx";
$ldap_user_attrib = "cn";

Thanks

campbell-m commented 7 months ago

Could you post the full (redacted) debug output please, when you have $ldap_debug = true;?

iainmsi commented 7 months ago

I've reverted the server back to working, so can go back into the logs, but I did take this before doing so:

[Wed Feb 21 20:29:23.569022 2024] [php:notice] [pid 8845] [client 130.209.17.62:62992] \nE_USER_WARNING in /var/www/bookings/rooms/lib/MRBS/Auth/AuthLdap.php at line 855\nInappropriate authentication\nMRBS GET: Array\n(\n)\nMRBS POST: Array\n(\n    [csrf_token] => ee13b327d929663667ac3e2d6e5f258d61b1c51ad1efb7786f83e926c021fee2\n    [target_url] => index.php\n    [action] => SetName\n    [username] => ****\n    [password] => ****\n)\nMRBS SESSION: Array\n(\n    [last_page] => /rooms/admin.php\n    [this_page] => /rooms/admin.php\n    [csrf_token] => ee13b327d929663667ac3e2d6e5f258d61b1c51ad1efb7786f83e926c021fee2\n    [user] => \n)\n\n, referer: https://xxxxxxxxx/rooms/admin.php
[Wed Feb 21 20:29:23.569050 2024] [php:notice] [pid 8845] [client 130.209.17.62:62992] [MRBS DEBUG] MRBS\\Auth\\AuthLdap->action(754): initial bind failed: Inappropriate authentication [Anonymous Simple Bind Disabled.], referer: https:/xxxxxxxxx/rooms/admin.php
[Wed Feb 21 20:29:23.569067 2024] [php:notice] [pid 8845] [client 130.209.17.62:62992] [MRBS DEBUG] MRBS\\Auth\\AuthLdap->action(811): no DN determined, not calling callback, referer: https://xxxxxxxxx/rooms/admin.php

campbell-m commented 7 months ago

Thanks. I suspect it's because you haven't got $ldap_dn_search_dn and $ldap_dn_search_password set. These are now needed because MRBS now retrieves users' details such as display name and email address. See:

// If you need to search the directory to find the user's DN to bind
// with, set the following to the attribute that holds the user's
// "username". In Microsoft AD directories this is "sAMAccountName"
// This can be an array.
//$ldap_dn_search_attrib = "sAMAccountName";

// If you need to bind as a particular user to do the search described
// above, specify the DN and password in the variables below
// These two parameters can be arrays.
// $ldap_dn_search_dn = "cn=Search User,ou=Users,dc=example,dc=com"; // Any compliant LDAP
// $ldap_dn_search_dn = "searchuser@example.com"; // A form which could work for AD LDAP
// $ldap_dn_search_password = "some-password";

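The pattern those two settings enable is "search, then bind": bind once with a low-privilege service account (because the directory has anonymous simple bind disabled), look up the user's DN by the username attribute, then bind again as that DN to verify the password. The following is an added example in plain PHP, not MRBS's own AuthLdap code; the host, base DNs and service-account DN are placeholders, and `ldapAuthenticate()` is a hypothetical function name. It also escapes the username with `ldap_escape()` before it goes into the filter and refuses an empty password, because many servers treat a bind with an empty password as an unauthenticated bind rather than a failed login.

```php
<?php
// Added example (not MRBS code): search with a service account, then bind as
// the user. All host/DN/password values are placeholders.

function ldapAuthenticate(
    string $host, array $baseDns, string $searchDn, string $searchPw,
    string $userAttrib, string $username, string $password
): ?string {
    // An empty password would be an unauthenticated bind on many servers;
    // refuse it before talking to the directory.
    if ($password === '') {
        return null;
    }

    $conn = ldap_connect($host);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // v3 is needed for STARTTLS and paged results
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Step 1: bind with the read-only service account.
    if (!@ldap_bind($conn, $searchDn, $searchPw)) {
        error_log('search bind failed: ' . ldap_error($conn));
        return null;
    }

    // Step 2: find the user's DN. Escape the user-supplied value so that
    // characters such as '*', '(' and ')' cannot change the filter.
    $filter = sprintf('(%s=%s)', $userAttrib, ldap_escape($username, '', LDAP_ESCAPE_FILTER));

    $userDn = null;
    foreach ($baseDns as $baseDn) {
        $result = @ldap_search($conn, $baseDn, $filter, ['dn']);
        if ($result === false) {
            continue;
        }
        // Require exactly one match: zero means unknown user, more than one
        // means an ambiguous username, and neither should log anyone in.
        if (ldap_count_entries($conn, $result) !== 1) {
            continue;
        }
        $entry  = ldap_first_entry($conn, $result);
        $userDn = ldap_get_dn($conn, $entry);
        break;
    }
    if ($userDn === null) {
        ldap_unbind($conn);
        return null;
    }

    // Step 3: re-bind as the user; success proves the password.
    $ok = @ldap_bind($conn, $userDn, $password);
    ldap_unbind($conn);
    return $ok ? $userDn : null;
}

// Usage with placeholder values (eDirectory-style base DNs as in the thread).
$dn = ldapAuthenticate(
    'ldap://ldap.example.org:389',
    ['ou=staff, o=example', 'ou=student, o=example'],
    'cn=mrbs-search,ou=Service,o=example', 'service-password',
    'uid', $_POST['username'] ?? '', $_POST['password'] ?? ''
);
echo $dn === null ? "login failed\n" : "authenticated as $dn\n";
```

The service account only needs read access to the username, display name and mail attributes under the configured base DNs; it never needs to bind as anyone else, so a failed login still only reveals whether the search succeeded, not why.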
iainmsi commented 7 months ago

Hi, it's eDirectory we use, not AD. Would $ldap_dn_search_attrib = "sAMAccountName"; not be $ldap_dn_search_attrib = "uid";? And would I still need to use some stored credentials to bind, or would I still get the anonymous bind error?

campbell-m commented 7 months ago

I'm not familiar with eDirectory, but yes probably 'uid'. And yes, you'd need to use some stored credentials.

iainmsi commented 7 months ago

OK, got the login sorted by creating a service account and adding $ldap_dn_search_attrib = "uid"; $ldap_dn_search_dn = "cn=xxxx,ou=Service,o=xxxxx"; $ldap_dn_search_password = "xxxxxxx"; However, although I can log in fine and see the calendar entries, when I try to add an entry (edit_entry.php) I can sometimes start adding information, but usually it crashes: "Aw, Snap!" Error code: RESULT_CODE_HUNG

Any ideas?

campbell-m commented 7 months ago

I haven't met this one before. A search for "RESULT_CODE_HUNG" suggests trying a different browser or disabling Chrome extensions.

iainmsi commented 7 months ago

Unfortunately other users testing find the same: it's hanging and crashing when you try to add an entry. I might add that it crashes Chrome and Edge but works in Firefox?

campbell-m commented 7 months ago

Can you try two things:

  1. Setting $debug = true; in your config file and seeing if you get any error messages in your browser?
  2. Looking in Chrome's Developer Tools and seeing if you get any error messages in the browser console?

iainmsi commented 7 months ago

[client xxx.xxx.xx.xx:53219] \nE_USER_NOTICE in /var/www/bookings/rooms/lib/MRBS/Form/Form.php at line 90\nPossible CSRF attack from IP address xxx.xxx.xx.xx\n#0 MRBS\generate_backtrace() called at [/var/www/bookings/rooms/functions_error.inc:219]\n#1 MRBS\output_error() called at [/var/www/bookings/rooms/functions_error.inc:249]\n#2 MRBS\error_handler(1024, Possible CSRF attack from IP address xxx.xxx.xxx.xxx, /var/www/bookings/rooms/lib/MRBS/Form/Form.php, 90)\n#3 trigger_error(Possible CSRF attack from IP address xxx,xxx xxxxx1024) called at [/var/www/bookings/rooms/lib/MRBS/Form/Form.php:90]\n#4 MRBS\Form\Form::checkToken() called at [/var/www/bookings/rooms/edit_entry_handler.php:77]\n, referer: https://xxxxx.xxxxx.xxx /rooms/edit_entry.php?view=day&year=2024&month=2&day=26&area=2&room=16&hour=12&minute=3

campbell-m commented 7 months ago

Thanks. That wouldn't cause a crash though - it would just cause you to be logged out.

Have you got email notifications turned on? If so, what happens if you turn them off by setting $mail_settings['disabled'] = true;?

iainmsi commented 7 months ago

Chrome says: A form field element has neither an id nor a name attribute. This might prevent the browser from correctly autofilling the form. To fix this issue, add a unique id or name attribute to a form field. This is not strictly needed, but still recommended even if you have an autocomplete attribute on the same element.

iainmsi commented 7 months ago

I've disabled the mail settings, but no difference.

campbell-m commented 7 months ago

A form field element has neither an id nor a name attribute

Strange. I wonder whether this has been inserted by a Chrome extension? Can you identify the form field element?

Another thing to try is install Chrome Canary (without any extensions) and see if you get the error then.

iainmsi commented 7 months ago

Just the same with Chrome Canary.

campbell-m commented 7 months ago

Can you identify the form field element?

iainmsi commented 7 months ago

I'm seeing this in Chrome: Deprecated feature used. Unload event listeners are deprecated and will be removed. 1 source onloadwff.js:71

campbell-m commented 7 months ago

What happens if you run MRBS from an incognito tab in Chrome?

iainmsi commented 7 months ago

Still the same freezes.

iainmsi commented 7 months ago

Incorrect use of

JQMIGRATE: Migrate is installed with logging active, version 3.4.0 jquery-migrate-3.4.0.js:135 JQMIGRATE: jQuery.isArray is deprecated; use Array.isArray

iainmsi commented 7 months ago

No label associated with a form field A

campbell-m commented 7 months ago

I can only think of two things to try:

  1. Trying to eliminate LDAP as the cause, by changing $auth['type'] to 'db' - just for testing.
  2. If your site is on the internet and you're prepared to give me a test login, you can contact me at cimorrison at users dot sourceforge dot net. If not, I completely understand.

iainmsi commented 7 months ago

It's working with $auth['type'] set to 'db'.

campbell-m commented 7 months ago

Ah, progress! In which case, can you go back to 'ldap', set $ldap_debug = true; and post the (redacted) debug log when you try and save a booking?

iainmsi commented 7 months ago

That's all I'm seeing in the Apache log:

[Mon Feb 26 11:43:01.224292 2024] [php:notice] [pid 125119] [client xxx.xxx.xx.xxx:57543] [MRBS DEBUG] MRBS\\Auth\\AuthLdap->action(741): binding with search_dn and search_password, referer: https://xxx.xxx.xx.xxx/rooms/edit_entry.php?view=day&year=2024&month=3&day=20&area=2&room=7&hour=18&minute=0
[Mon Feb 26 11:43:01.234116 2024] [php:notice] [pid 125119] [client xxx.xxx.xx.xxx:57543] [MRBS DEBUG] MRBS\\Auth\\AuthLdap->action(758): initial bind was successful, referer: https://xxx.xxx.xx.xxx/rooms/edit_entry.php?view=day&year=2024&month=3&day=20&area=2&room=7&hour=18&minute=0
[Mon Feb 26 11:43:01.234163 2024] [php:notice] [pid 125119] [client xxx.xxx.xx.xxx:57543] [MRBS DEBUG] MRBS\\Auth\\AuthLdap->action(763): searching using base_dn 'ou=student, o=gla' and filter '(uid=xxx)', referer: https://xxx.xxx.xx.xxx/rooms/edit_entry.php?view=day&year=2024&month=3&day=20&area=2&room=7&hour=18&minute=0
[Mon Feb 26 11:43:01.235753 2024] [php:notice] [pid 125119] [client xxx.xxx.xx.xxx:57543] [MRBS DEBUG] MRBS\\Auth\\AuthLdap->action(781): 0 entries found, no unique dn, referer: https://xxx.xxx.xx.xxx/rooms/edit_entry.php?view=day&year=2024&month=3&day=20&area=2&room=7&hour=18&minute=0
[Mon Feb 26 11:43:01.235800 2024] [php:notice] [pid 125119] [client xxx.xxx.xx.xxx:57543] [MRBS DEBUG] MRBS\\Auth\\AuthLdap::getUsernamesCallback(525): base_dn 'ou=student, o=gla', referer: https://xxx.xxx.xx.xxx/rooms/edit_entry.php?view=day&year=2024&month=3&day=20&area=2&room=7&hour=18&minute=0
[Mon Feb 26 11:43:01.235825 2024] [php:notice] [pid 125119] [client xxx.xxx.xx.xxx:57543] [MRBS DEBUG] MRBS\\Auth\\AuthLdap::getUsernamesCallback(554): searching with base_dn 'ou=student, o=gla' and filter '(objectclass=*)', referer: https://xxx.xxx.xx.xxx/rooms/edit_entry.php?view=day&year=2024&month=3&day=20&area=2&room=7&hour=18&minute=0
[Mon Feb 26 11:43:04.394362 2024] [php:notice] [pid 125119] [client xxx.xxx.xx.xxx:57543] [MRBS DEBUG] MRBS\\Auth\\AuthLdap::getUsernamesCallback(565): 68151 entries found in 3.1541790962219 seconds, referer: https://xxx.xxx.xx.xxx/rooms/edit_entry.php?view=day&year=2024&month=3&day=20&area=2&room=7&hour=18&minute=0

campbell-m commented 7 months ago

Ah, the problem may be that your LDAP directory is very large and MRBS isn't good at handling these (it needs to do paged searches, but doesn't yet). Can you try setting:

$get_display_names_all_at_once = false;

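The debug log above shows a single unpaged '(objectclass=*)' search returning 68151 entries in one response. The way to read a subtree that size without one huge result set is the RFC 2696 paged-results control, which campbell-m notes MRBS does not yet use. The block below is an added example in plain PHP, not MRBS code; `ldapConnectAsSearchUser()` and `ldapListUsers()` are hypothetical names and all host, DN and credential values are placeholders. It needs PHP 7.3 or later for the `$controls` argument of `ldap_search()`, and it needs LDAPv3 (the `$ldap_v3 = false;` in the original config would not work with this control).

```php
<?php
// Added example (not MRBS code): enumerate a large subtree with the
// RFC 2696 paged-results control, $pageSize entries per round trip.
// Requires PHP >= 7.3 and LDAPv3. Host, DNs and credentials are placeholders.

// Connect and bind with the read-only service account.
function ldapConnectAsSearchUser(string $host, string $searchDn, string $searchPw)
{
    $conn = ldap_connect($host);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // paged results need v3
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    if (!@ldap_bind($conn, $searchDn, $searchPw)) {
        error_log('search bind failed: ' . ldap_error($conn));
        return null;
    }
    return $conn;
}

// Return [username => ['display_name' => ..., 'email' => ...]] for every
// user entry under $baseDn, fetched one page at a time.
function ldapListUsers($conn, string $baseDn, string $userAttrib, int $pageSize = 500): array
{
    $users  = [];
    $cookie = '';
    // Only entries that carry the username attribute are users; this is
    // narrower than the '(objectclass=*)' filter seen in the debug log.
    $filter = sprintf('(%s=*)', $userAttrib);

    do {
        $result = ldap_search(
            $conn, $baseDn, $filter, [$userAttrib, 'displayName', 'mail'],
            0, -1, -1, LDAP_DEREF_NEVER,
            [['oid'   => LDAP_CONTROL_PAGEDRESULTS,
              'value' => ['size' => $pageSize, 'cookie' => $cookie]]]
        );
        if ($result === false) {
            error_log('paged search failed: ' . ldap_error($conn));
            break;
        }
        // The server hands back the cookie for the next page in the response controls.
        ldap_parse_result($conn, $result, $errcode, $matchedDn, $errmsg, $referrals, $controls);

        $entries = ldap_get_entries($conn, $result);
        if ($entries === false) {
            break;
        }
        foreach ($entries as $key => $entry) {
            if (!is_int($key)) {
                continue; // skip the 'count' element
            }
            // ldap_get_entries() lowercases attribute names.
            $uid = $entry[strtolower($userAttrib)][0] ?? null;
            if ($uid === null) {
                continue;
            }
            $users[$uid] = [
                'display_name' => $entry['displayname'][0] ?? $uid,
                'email'        => $entry['mail'][0] ?? '',
            ];
        }
        $cookie = $controls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'] ?? '';
    } while ($cookie !== ''); // an empty cookie means the last page was delivered

    return $users;
}

// Usage with placeholder values.
$conn = ldapConnectAsSearchUser(
    'ldap://ldap.example.org:389',
    'cn=mrbs-search,ou=Service,o=example', 'service-password'
);
if ($conn !== null) {
    $users = ldapListUsers($conn, 'ou=student, o=example', 'uid');
    printf("%d users retrieved\n", count($users));
    ldap_unbind($conn);
}
```

Paging bounds the memory used per response on both the server and the PHP side, but the full list still ends up in `$users`; if the consumer is a web page (as with the admin user drop-down discussed later in this thread), the practical fix is to not send the whole list to the browser at all.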
iainmsi commented 7 months ago

Setting $get_display_names_all_at_once = false; in config.inc.php doesn't seem to make a difference.

iainmsi commented 7 months ago

Although I'd like to get this working, the end goal would be to move to single sign-on.

campbell-m commented 7 months ago

What's the LDAP debug output when you have $get_display_names_all_at_once = false;?

iainmsi commented 7 months ago

[Mon Feb 26 12:01:38.363419 2024] [php:notice] [pid 125658] [client xxx.xxx.xx.xxx:57821] [MRBS DEBUG] MRBS\\Auth\\AuthLdap->action(730): got LDAP connection using ldap://xxxxxxxxxxxxxxxxx:389, referer: https://bookings.xxx.xxxx.
[Mon Feb 26 12:01:38.363465 2024] [php:notice] [pid 125658] [client xxx.xxx.xx.xxx:57821] [MRBS DEBUG] MRBS\\Auth\\AuthLdap->action(741): binding with search_dn and search_password, referer: https://bookings.xxx.xxx.xx.xxx/rooms/edit_entr
[Mon Feb 26 12:01:38.377396 2024] [php:notice] [pid 125658] [client xxx.xxx.xx.xxx:57821] [MRBS DEBUG] MRBS\\Auth\\AuthLdap->action(758): initial bind was successful, referer: https://bookings.xxx.xxx.xx.xxx/rooms/edit_entry.php?view=day&
[Mon Feb 26 12:01:38.377449 2024] [php:notice] [pid 125658] [client xxx.xxx.xx.xxx:57821] [MRBS DEBUG] MRBS\\Auth\\AuthLdap->action(763): searching using base_dn 'ou=staff, o=xxxx' and filter '(uid=xxxxx)', referer: https://bookings.mvls.gl
[Mon Feb 26 12:01:38.381913 2024] [php:notice] [pid 125658] [client xxx.xxx.xx.xxx:57821] [MRBS DEBUG] MRBS\\Auth\\AuthLdap->action(777): found one entry dn 'cn=xxxx,ou=staff,o=xxxx', referer: https://bookings.xxx.xxx.xx.xxx/rooms/edit_ent
[Mon Feb 26 12:01:38.381962 2024] [php:notice] [pid 125658] [client xxx.xxx.xx.xxx:57821] [MRBS DEBUG] MRBS\\Auth\\AuthLdap::getUsernamesCallback(525): base_dn 'ou=staff, o=xxxx', referer: https://bookings.xxx.xxx.xx.xxx/rooms/edit_entry.p
[Mon Feb 26 12:01:38.381985 2024] [php:notice] [pid 125658] [client xxx.xxx.xx.xxx:57821] [MRBS DEBUG] MRBS\\Auth\\AuthLdap::getUsernamesCallback(554): searching with base_dn 'ou=staff, o=xxxx' and filter '(objectclass=*)', referer: https:hour=18&minute=0
[Mon Feb 26 12:01:39.763489 2024] [php:notice] [pid 125658] [client xxx.xxx.xx.xxx:57821] [MRBS DEBUG] MRBS\\Auth\\AuthLdap::getUsernamesCallback(565): 22763 entries found in 1.3802211284637 seconds, referer: https://bookings.mvls.xxxx.ac.
[Mon Feb 26 12:01:39.815544 2024] [php:notice] [pid 125658] [client xxx.xxx.xx.xxx:57821] [MRBS DEBUG] MRBS\\Auth\\AuthLdap->action(730): got LDAP connection using ldap://xxxxxxxxxxxxxxxxx389, referer: https://bookings.mvls.xxxx.a
[Mon Feb 26 12:01:39.815592 2024] [php:notice] [pid 125658] [client xxx.xxx.xx.xxx:57821] [MRBS DEBUG] MRBS\\Auth\\AuthLdap->action(741): binding with search_dn and search_password, referer: https://bookings.xxx.xxx.xx.xxx/rooms/edit_entr
[Mon Feb 26 12:01:39.826212 2024] [php:notice] [pid 125658] [client xxx.xxx.xx.xxx:57821] [MRBS DEBUG] MRBS\\Auth\\AuthLdap->action(758): initial bind was successful, referer: https://bookings.xxx.xxx.xx.xxx/rooms/edit_entry.php?view=day&
[Mon Feb 26 12:01:39.826286 2024] [php:notice] [pid 125658] [client xxx.xxx.xx.xxx:57821] [MRBS DEBUG] MRBS\\Auth\\AuthLdap->action(763): searching using base_dn 'ou=student, o=xxxx' and filter '(uid=xxx)', referer: https://bookingsxxxxx
[Mon Feb 26 12:01:39.828668 2024] [php:notice] [pid 125658] [client xxx.xxx.xx.xxx:57821] [MRBS DEBUG] MRBS\\Auth\\AuthLdap->action(781): 0 entries found, no unique dn, referer: https://bookings.xxx.xxx.xx.xxx/rooms/edit_entry.php?view=da
[Mon Feb 26 12:01:39.828772 2024] [php:notice] [pid 125658] [client xxx.xxx.xx.xxx:57821] [MRBS DEBUG] MRBS\\Auth\\AuthLdap::getUsernamesCallback(525): base_dn 'ou=student, o=xxxx', referer: https://bookings.xxx.xxx.xx.xxx/rooms/edit_entry
[Mon Feb 26 12:01:39.828818 2024] [php:notice] [pid 125658] [client xxx.xxx.xx.xxx:57821] [MRBS DEBUG] MRBS\\Auth\\AuthLdap::getUsernamesCallback(554): searching with base_dn 'ou=student, o=xxxx' and filter '(objectclass=*)', referer: http3&hour=18&minute=0

iainmsi commented 7 months ago

It's strange that it works in Firefox, and also that it's the edit entry page that crashes, not the initial login.

campbell-m commented 7 months ago

Yes, I don't understand why it works in Firefox and not Chrome. What exactly does the crash look like? Where do you see the RESULT_CODE_HUNG message?

iainmsi commented 7 months ago

You get a "page unresponsive" message with Wait or Exit; if you exit you get "Aw, Snap! Something went wrong displaying this web page. Error code: RESULT_CODE_HUNG".

campbell-m commented 7 months ago

One more thing to try. Can you set:

$auth['admin_can_only_book_for_self'] = true;

This stops admins being presented with a select drop-down of all available users on the edit_entry page. On your site there are lots of them and it could be causing Chrome to run out of memory.

iainmsi commented 7 months ago

That's it working, thank you.

campbell-m commented 7 months ago

Good. You can now undo $get_display_names_all_at_once = false;. Retrieving display names all at once will improve performance for things like reports.

iainmsi commented 7 months ago

Great, thank you for your time on resolving this.