nilsteampassnet / TeamPass

Collaborative Passwords Manager
https://www.teampass.net

[3.0.0.2] LDAP is not working #2831

Open reginfo opened 3 years ago

reginfo commented 3 years ago
### Steps to reproduce

1. Login to Admin
2. Try to setup LDAP

### Expected behaviour

Setting saves

### Actual behavior

After page refresh or page changing, settings are not saved. Also, are all fields there? On v2.7 there is a field "LDAP domain controller(s)" where we specify LDAP servers.

### Server configuration

**Operating system:** Ubuntu 18.04
**Web server:** Apache/2.4.29
**Database:** mariadb Ver 15.1 Distrib 10.1.47-MariaDB
**PHP version:** PHP 7.2.24
**Teampass version:** 3.0.0.2
**Updated from an older Teampass or fresh install:** Fresh Install

### Client configuration

**Browser:** EDGE
**Operating system:** Windows 10 20H2
nilsteampassnet commented 3 years ago

Has fixed the issue regarding selection not saved. I didn't test yet the ability to log through LDAP but it should work.

reginfo commented 3 years ago

I will try it, but I need to test in production environment. I will let you know.

reginfo commented 3 years ago

So I've tested LDAP. Here is what I have discovered. When you open LDAP settings, I see this picture: LDAP Err. So I enable LDAP authentication and select Windows/Active directory. I could not see where to enter the LDAP domain controllers' IP. LDAP Err 1. If I jump to another page and then back, the LDAP search base field gets replaced: LDAP Err 2

So everything is set (settings like on the 2.7.x version). Trying to test and it's not working. The "In Progress" pop-up ring keeps spinning and in the console I get an error: LDAP Err 3

index.php?page=ldap:1980 ldap-test-config
jquery.min.js:2 POST http://192.168.xx.xx/teampass/sources/ldap.queries.php 500 (Internal Server Error)
send @ jquery.min.js:2
ajax @ jquery.min.js:2
S.<computed> @ jquery.min.js:2
(anonymous) @ index.php?page=ldap:1990
dispatch @ jquery.min.js:2
v.handle @ jquery.min.js:2

Also some errors in the apache2 error log:

[Wed Nov 11 18:23:10.292596 2020] [php7:notice] [pid 27156] [client 192.168.xx.xx:1368] PHP Notice:  Undefined index: ldap_ssl_input in /var/www/html/teampass/sources/ldap.queries.php on line 224, referer: http://192.168.xx.xx/teampass/index.php?page=ldap
[Wed Nov 11 18:23:10.302868 2020] [php7:notice] [pid 27156] [client 192.168.xx.xx:1368] PHP Notice:  Undefined index: ldap_ssl_input in /var/www/html/teampass/sources/ldap.queries.php on line 242, referer: http://192.168.xx.xx/teampass/index.php?page=ldap
[Wed Nov 11 18:23:10.304469 2020] [php7:notice] [pid 27156] [client 192.168.xx.xx:1368] PHP Notice:  Undefined index: username_pwd in /var/www/html/teampass/sources/ldap.queries.php on line 257, referer: http://192.168.xx.xx/teampass/index.php?page=ldap
[Wed Nov 11 18:23:10.304591 2020] [php7:error] [pid 27156] [client 192.168.xx.xx:1368] PHP Fatal error:  Uncaught Error: Class 'voku\\helper\\UTF8' not found in /var/www/html/teampass/includes/libraries/voku/helper/AntiXSS.php:588\nStack trace:\n#0 /var/www/html/teampass/includes/libraries/voku/helper/AntiXSS.php(1766): voku\\helper\\AntiXSS->_do('Get all ldap pa...')\n#1 /var/www/html/teampass/sources/ldap.queries.php(270): voku\\helper\\AntiXSS->xss_clean('Get all ldap pa...')\n#2 {main}\n  thrown in /var/www/html/teampass/includes/libraries/voku/helper/AntiXSS.php on line 588, referer: http://192.168.xx.xx/teampass/index.php?page=ldap
Domekologe commented 3 years ago

Hi,

we are facing the same issue. Is there a possibility to enable the Debug Mode? The old way, which is provided in Documentation, is not working.

Thank you

Domekologe commented 3 years ago

Hello, after the update you provide, I am able to see the "Output" image

I also tried it with Port 389 and without SSL/TLS (which will be disabled in a few weeks in the environment). I also tried it with a wrong password, to see if the user will be locked out, but nothing happens.

If you need more information, logs, or something else, please tell me

reginfo commented 3 years ago

I have the same error

ldap status : Not possible to get connected with this user
nilsteampassnet commented 3 years ago

I decided to switch to a standard PHP library. I'm currently implementing ldaprecord. Facing some illogical issues but I'm wondering if it is related to my quick and dirty ldap server I have on my synology. Finally understood how it works ... so work in progress ;)

reginfo commented 3 years ago

> Finally understood how it works ... so work in progress ;)

Great news.

dmotelica commented 3 years ago

> Finally understood how it works ... so work in progress ;)
>
> Great news.

Hello, you should modify your files as follows:

In file /sources/ldap.queries.php:

Line 127:

```php
if (strpos(html_entity_decode($dataReceived['username']), '\\') === true) {
```

with:

```php
if (strpos(html_entity_decode($dataReceived['username']), '\\') == true) {
```

Line 144:

```php
if ($SETTINGS['ldap_ssl']) {
```

with:

```php
if ($SETTINGS['ldap_tls']) {
```

Lines 224, 225:

```php
' - use_ssl : ' . $SETTINGS['ldap_ssl_input'] . '
' . ' - use_tls : ' . $SETTINGS['ldap_ssl'] . '
*****
';
```

with:

```php
' - use_ssl : ' . $SETTINGS['ldap_ssl'] . '
' . ' - use_tls : ' . $SETTINGS['ldap_tls'] . '
*****
';
```

Lines 242, 243:

```php
'use_ssl' => $SETTINGS['ldap_ssl_input'], 'use_tls' => $SETTINGS['ldap_ssl'],
```

with:

```php
'use_ssl' => $SETTINGS['ldap_ssl'], 'use_tls' => $SETTINGS['ldap_tls'],
```

Line 257:

```php
if ($adldap->authenticate($auth_username, html_entity_decode($dataReceived['username_pwd']))) {
```

with:

```php
if ($adldap->authenticate($auth_username, html_entity_decode($dataReceived['password']))) {
```

In file /pages/ldap.php:

Line 207:

```php
<div class='row mb-2 tr-ldap tr-posix-search<?php echo (isset($ldap_type) === true && $ldap_type === 'windows') ? '' : ' hidden'; ?>'>
```

with:

```php
<div class='row mb-2 tr-ldap tr-windows<?php echo (isset($ldap_type) === true && $ldap_type === 'windows') ? '' : ' hidden'; ?>'>
```

Line 219:

```php
<div class='row mb-2 tr-ldap tr-posix-search<?php echo (isset($ldap_type) === true && $ldap_type === 'windows') ? '' : ' hidden'; ?>'>
```

with:

```php
<div class='row mb-2 tr-ldap tr-windows<?php echo (isset($ldap_type) === true && $ldap_type === 'windows') ? '' : ' hidden'; ?>'>
```

After that, your bug with the LDAP page would be fixed and the LDAP "Test connection" should work. But if you use LDAP type Windows, you will not be able to login with a domain user. Nils has to work on it.

Domekologe commented 3 years ago

In my case it is a Windows Active Directory authentication which we are using.

nilsteampassnet commented 3 years ago

I have implemented LDAPRecord library. As a first step, I have implemented it this way.

Users existing in AD must be synchronized by an admin inside Teampass. Once this is done, the AD user will be able to log inside Teampass using his AD password.

Remember now that the user authentication password is used to encrypt his private key (as explained in next picture) teampass3_necryption_model

That means that if user changes his password in AD, then he will have to provide his previous password to decrypt the private key. It will then be encrypted with the current password.

reginfo commented 3 years ago

Tried latest build. Could not get it to work. I`m getting :

Caution
Error : -1 - Can't contact LDAP server
[Sun Nov 22 20:31:11.791593 2020] [php7:notice] [pid 99723] [client 192.168.xx.xx:1873] PHP Notice:  Undefined index: ldap_bind_passwd in /var/www/html/teampass/sources/ldap.queries.php on line 125, referer: http://192.168.xx.xx/teampass/index.php?page=ldap

No errors in Console

Settings: 2020-11-22_20h35_38

nilsteampassnet commented 3 years ago

Found the reason of your message. I did change some parameters name and mixed them up in the code. Also here is how I have set it up in my case image

whositwhatnow commented 3 years ago

I've updated my instance and it's still not working for me. I am using Active Directory for login: tpsetting

whositwhatnow commented 3 years ago

Undefined index: ldap_bind_passwd in /var/www/html/sources/users.queries.php on line 2285

reginfo commented 3 years ago

Yep, tried also, not working. The same error:

Caution
Error : -1 - Can't contact LDAP server
dmotelica commented 3 years ago

> Undefined index: ldap_bind_passwd in /var/www/html/sources/users.queries.php on line 2285

That's because the variable "ldap_bind_passwd" is used in file /var/www/html/sources/users.queries.php on line 2285. But in the config file tp.config.php and the DB table _misc there is another variable used: "ldap_password".

I have checked and found out that the variable "ldap_bind_passwd" is used in other php files too... So now I'm trying to change all these uncorrected errors.

dmotelica commented 3 years ago

> I have implemented LDAPRecord library. As a first step, I have implemented it this way.
>
> Users existing in AD must be synchronized by an admin inside Teampass. Once this is done, the AD user will be able to log inside Teampass using his AD password.
>
> Remember now that the user authentication password is used to encrypt his private key (as explained in next picture) teampass3_necryption_model
>
> That means that if user changes his password in AD, then he will have to provide his previous password to decrypt the private key. It will then be encrypted with the current password.

Hello Nils,

The desired mode to configure LDAP in TeamPass would be "Windows/ActiveDirectory" mode because there is no username and password stored in clear in tp.config.php file.

The other options you try to add, like Posix-Search or OpenLDAP, store "ldap_bind_password" in clear, which is not secure.

Thank you.

nilsteampassnet commented 3 years ago

I have pushed a fix for those variables name change.

Also you may look at the documentation of the used library to see how to set up the ldap configuration https://ldaprecord.com/docs/core/v2/configuration/

reginfo commented 3 years ago

Tried multiple variations of settings. Didn't get it to work.

dmotelica commented 3 years ago

Tried also..... LDAP test Config : Result "Great", but when trying to authenticate with an AD user, I have "Login credentials do not correspond" message.

reginfo commented 3 years ago

@dmotelica , are you using AD or another LDAP? What setting are you using to get LDAP test - Result Great?

dmotelica commented 3 years ago

> @dmotelica, are you using AD or another LDAP? What setting are you using to get LDAP test - Result Great?

I'm using ActiveDirectory. I made some modifications to /sources/ldap.queries.php, /sources/users.queries.php, /pages/ldap.php to have the result GREAT. And this was only if using LDAP:389. It doesn't work using LDAPS:636

As I wrote in a previous comment to Nils, I would like to use "Windows/ActiveDirectory" and adLDAP library because the config file doesn't store the credentials at all. Using LDAPRecord needs credentials to search in AD, and these credentials are saved in the config file in clear mode.

dmotelica commented 3 years ago

I found why LDAP authentication does not work for all of us:

File identify.php:

```php
function authenticateThroughAD($username, $userInfo, $passwordClear, $SETTINGS)
{
    // Build ldap configuration array
    $config = [
        // Mandatory Configuration Options
        'hosts' => [$SETTINGS['ldap_domain_controler']],
        'base_dn' => $SETTINGS['ldap_searchbase'],
        'username' => $SETTINGS['ldap_user_attribute'] . "=" . $username . ",cn=users," . $SETTINGS['ldap_bdn'],
        'password' => $passwordClear,
        // ... rest of the function
    ];
}
```

The "username" is hardcoded with "cn=users", which is not the case for my AD.

nilsteampassnet commented 3 years ago

Oops, yes you are right, I missed this one. I have added a new field called "Distinguished Names suffix (if needed)". Is this precise enough?

tiredofit commented 3 years ago

Instead of username it should actually be a distinguished name field. For example:

DSA (read-only) accounts typically look like this: `cn=readonlyaccount,ou=whatever,dc=your,dc=org`. User accounts typically look like this: `uid=username,ou=probablysomethingdifferent,dc=your,dc=org`.

In most environments it is referenced as the "Bind DN"

nilsteampassnet commented 3 years ago

@tiredofit OK so according to you, field called username should be renamed Bind DN, correct? But for example in Jira administration, it is really called Username

nilsteampassnet commented 3 years ago

Here is the setting form. image It is inspired from JIRA documentation

tiredofit commented 3 years ago

OK, I see how that can be confusing. If you wanted to keep the "username" field, it would be helpful to leave an example on the screen, as many users would get confused wondering if they just need to put in a username or a distinguished name. Where it gets interesting is that since you already have a Username attribute of uid, this could also add to their confusion for that field.

Personally, I'm not entirely sure of the use of the additional user DN option; it would typically be handled via the baseDN. What would be very useful is to allow the use of filters. With a filter one could only allow specific users to connect based on their group membership or by matching an attribute. Here's a very basic example:

(&(memberOf=CN=app-teampass,OU=groups,OU=Access,DC=example,DC=org)(!(disabled=TRUE)))

That is a combination filter that only allows users to login if they have a group membership to app-teampass AND they don't have the attribute of disabled=TRUE set.

It would still use your BaseDN setting to search the directory, but only return results that matched on that filter. LDAP can be incredibly complex and frustrating with all of its settings, let me know if you have any questions and I'll try to answer for you.
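The filter above is easier to reason about when you can run it against a handful of entries. The following is an added example, not TeamPass or LdapRecord code: a small evaluator for RFC 4515-style filters (the `&`, `|`, `!` and `attr=value` forms used here, plus `*` as a presence test) applied to constructed directory entries, so a defender can check which accounts a login filter admits before enabling it. The sample entries and account names are made up; attribute names and values are compared case-insensitively, as Active Directory does for `memberOf` DNs.

```python
"""Evaluate an RFC 4515-style LDAP search filter against in-memory entries.

Added example (not TeamPass or LdapRecord code).  Supports the operators a
login filter normally needs: & | ! and attr=value, with '*' as presence test.
"""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]   # attribute -> values (LDAP attributes are multi-valued)


def parse_filter(text: str) -> tuple:
    """Parse a filter string into a nested tuple tree; ValueError on bad syntax."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return node


def _expect(s: str, i: int, ch: str) -> int:
    if i >= len(s) or s[i] != ch:
        raise ValueError(f"expected {ch!r} at offset {i}")
    return i + 1


def _parse(s: str, i: int) -> Tuple[tuple, int]:
    i = _expect(s, i, "(")
    if i >= len(s):
        raise ValueError("unexpected end of filter")
    op = s[i]
    if op in "&|":                       # (&(...)(...)) / (|(...)(...))
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise ValueError(f"empty {op} at offset {i}")
        return ("and" if op == "&" else "or", children), _expect(s, i, ")")
    if op == "!":                        # (!(...))
        child, i = _parse(s, i + 1)
        return ("not", child), _expect(s, i, ")")
    end = s.find(")", i)                 # (attr=value); the value may itself contain '='
    if end < 0:
        raise ValueError(f"unterminated item at offset {i}")
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"malformed item at offset {i}")
    return ("eq", attr, value), end + 1


def _values(entry: Entry, attr: str) -> List[str]:
    return [v for k, vals in entry.items() if k.lower() == attr.lower() for v in vals]


def matches(node: tuple, entry: Entry) -> bool:
    kind = node[0]
    if kind == "and":
        return all(matches(c, entry) for c in node[1])
    if kind == "or":
        return any(matches(c, entry) for c in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    _, attr, value = node
    vals = _values(entry, attr)
    if value == "*":                     # presence test
        return bool(vals)
    return any(v.lower() == value.lower() for v in vals)


# The combination filter from the comment above.
LOGIN_FILTER = "(&(memberOf=CN=app-teampass,OU=groups,OU=Access,DC=example,DC=org)(!(disabled=TRUE)))"

GROUP = "CN=app-teampass,OU=groups,OU=Access,DC=example,DC=org"
# Constructed sample entries, not real directory data.
SAMPLE_ENTRIES: Dict[str, Entry] = {
    "alice": {"sAMAccountName": ["alice"], "memberOf": [GROUP]},                       # member, enabled
    "bob":   {"sAMAccountName": ["bob"], "memberOf": [GROUP], "disabled": ["TRUE"]},   # member, but disabled
    "carol": {"sAMAccountName": ["carol"],
              "memberOf": ["CN=finance,OU=groups,OU=Access,DC=example,DC=org"]},       # not a member
    "dave":  {"sAMAccountName": ["dave"], "memberOf": [GROUP.lower()], "disabled": ["FALSE"]},
}


def allowed_logins(filter_text: str, entries: Dict[str, Entry]) -> List[str]:
    """Names of the entries the filter would let through."""
    node = parse_filter(filter_text)
    return sorted(name for name, entry in entries.items() if matches(node, entry))


if __name__ == "__main__":
    print(allowed_logins(LOGIN_FILTER, SAMPLE_ENTRIES))  # ['alice', 'dave']
```

Only alice and dave pass: bob is in the group but carries `disabled=TRUE`, and carol is not a member. A malformed filter (unbalanced parentheses, an item without `=`) raises `ValueError` rather than silently matching nothing, which is the failure mode you want from an access-control filter.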

tiredofit commented 3 years ago

Sorry to add to this - if you are using LdapRecord (successor to ADLDAP2 - cool!) you have some real benefits of being able to auto-populate some fields. If you were to have a few fields for a user's First Name (typically givenName) and Last Name (typically sn) you could auto-populate some of those values. Also, auto-populating their mail address (typically mail, but it should be customizable). You could even take it a step further and query their Groups! Then you could create sections in Teampass that were only visible to users that were members of the group, essentially auto-provisioning the users to the correct sections.

Last but not least, a feature that was in your 2.x branch which would be very beneficial as well, and is part of the LdapRecord package I believe, is the inclusion of being able to automatically login using server headers. By passing $_SERVER_REMOTE_USER or something configured by the admin, this would allow someone already logged into an enterprise authentication system to login to Teampass. Commonly known as Windows Authentication, but there are other words for it as well. Often it is written about as AUTH_USER, REMOTE_USER, REMOTE_PASSWORD etc.

Hope this helps ;)

reginfo commented 3 years ago

@nilsteampassnet , in latest zip, there is no Install folder.

dmotelica commented 3 years ago

I also found that since v3 there is no sk.php file, only secret-key txt file. Is that OK?


nilsteampassnet commented 3 years ago

@tiredofit Thank you for your explanations. Regarding the possibility to use such filters with ldapRecord, it seems not possible. It needs to be decomposed. What criteria are expected? I believe allowed groups, locked, disabled, organizational units. Do you see some other?

@reginfo corrected

@dmotelica yes it is

reginfo commented 3 years ago

Really can't get it connected to our AD server. =(

Trying to test it with ldapsearch I receive success

ldapsearch -H ldap://ldap.example.com:389 -b "DC=example,DC=com" -D "CN=Test User,OU=O365_Enabled,OU=Actual,OU=TEST Users,DC=example,DC=com" -W '(sAMAccountName=test)'
# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

Trying this setting in TeamPass, and nothing.

ghost commented 3 years ago

Hi all,

I'm facing the same issue to get Teampass to work with LDAP. I use a fresh Debian 10 + LAMP Stack (PHP 7.3). Teampass is 3.0.0.7 fresh install too.

My LDAP server is based on OpenLDAP. It's working; I can run ldapsearch and similar commands successfully.

I tried to debug by setting DEBUGLDAP to true in the file /includes/config/include.php. It generates a logfile in files/ldap.debug.txt ... but this file is empty. Any way to make it more verbose?

Regards,

gruffatremi commented 3 years ago

Hello, I have freshly installed 3.0.0.7 with php 7.4 and apache 2.4.41 and I am facing the same issue: "Error : -1 - Can't contact LDAP server". Trying with a Windows AD which is working for sure. I also don't have a files folder when I unzip the tar.gz, hence I can't find the ldap.debug.txt. Any help appreciated! Regards,

jutler commented 3 years ago

Same issue for me, fresh install of 3.0.0.7, php7. No matter what I try, I keep getting "Error: 1 - Can't contact LDAP server". Any help would be really appreciated. Having to work on a deadline to push this out to users.

IgorRedaelli commented 3 years ago

I am experiencing the same problem. There is something wrong in the LDAP Teampass integration. If I enter the port number (389 in my case), Teampass always responds with "Error: 1 - Can't contact LDAP server", and if I leave the port empty it instead responds with an error 500 in the console.

NetscalerLover commented 3 years ago

Has anyone solved this issue? Same thing here, Error: 1 - Can't contact LDAP server. Fresh install of 3.0.0.7. Tried a couple of things but none solved this issue. It's a really cool product, but without LDAP functionality we can't use it.

jtreen commented 3 years ago

I have the same issue on a fresh install. No matter the combination of settings, I get "Error: 1 - Can't contact LDAP server". Ldapsearch with same settings works correctly.

rlabellasfr commented 3 years ago

I have the same issue on a fresh install. I get "Error: 1 - Can't contact LDAP server".

KOTOXJle6 commented 3 years ago

Got the same problem. Version 3.0.0.7. If I write port 389, I get the error "Error: 1 - Can't contact LDAP server". There is the text "Only insert a port if your LDAP server uses a unique port." - but if I leave it blank, I get another error:

Fatal error: Uncaught LdapRecord\Configuration\ConfigurationException: Option port must be an integer. in /var/www/teampass/includes/libraries/LdapRecord/Configuration/Validators/IntegerValidator.php:15
Stack trace:
#0 /var/www/teampass/includes/libraries/LdapRecord/Configuration/DomainConfiguration.php(176): LdapRecord\Configuration\Validators\IntegerValidator->validate()
#1 /var/www/teampass/includes/libraries/LdapRecord/Configuration/DomainConfiguration.php(117): LdapRecord\Configuration\DomainConfiguration->validate('port', '')
#2 /var/www/teampass/includes/libraries/LdapRecord/Configuration/DomainConfiguration.php(70): LdapRecord\Configuration\DomainConfiguration->set('port', '')
#3 /var/www/teampass/includes/libraries/LdapRecord/Connection.php(68): LdapRecord\Configuration\DomainConfiguration->__construct(Array)
#4 /var/www/teampass/sources/ldap.queries.php(150): LdapRecord\Connection->__construct(Array)
#5 {main}
  thrown in /var/www/teampass/includes/libraries/LdapRecord/Configuration/Validators/IntegerValidator.php on line 15

dmotelica commented 3 years ago

> Found the reason of your message. I did change some parameters name and mixed them up in the code. Also here is how I have set it up in my case image

@nilsteampassnet: Don't waste your time integrating it with LDAP. It would be better to integrate it with Azure AD SSO. You have 2 options: SimpleSAMLphp or the PHP module openidc. Using these options, you will have to map the session for the authenticated user. And with Azure AD SSO you will also have MFA.

cciuleanu commented 3 years ago

Hi,

Any updates on this issue? Regards, Calin

whositwhatnow commented 3 years ago

@cciuleanu I just rolled back to most recent v2 until this is resolved, maybe just do that.

cciuleanu commented 3 years ago

> @cciuleanu I just rolled back to most recent v2 until this is resolved, maybe just do that.

I tried also the latest v2 version but it does not work for me either. Tested 3.0.0.7 and the latest v2 on CentOS 7, 8 and several PHP versions including the latest 8.0.2.

Regards, Calin

TSJasonH commented 3 years ago

> I have implemented LDAPRecord library. As a first step, I have implemented it this way.
>
> Users existing in AD must be synchronized by an admin inside Teampass. Once this is done, the AD user will be able to log inside Teampass using his AD password.
>
> Remember now that the user authentication password is used to encrypt his private key (as explained in next picture) teampass3_necryption_model
>
> That means that if user changes his password in AD, then he will have to provide his previous password to decrypt the private key. It will then be encrypted with the current password.

Most security-minded AD/LDAP admins force user password changes (expirations) on a schedule. This implementation forcing a user to essentially remember their previous password and change it twice seems cumbersome and prone to data loss since users will inevitably not remember their old passwords.
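The model nilsteampassnet describes (the login password protects the user's private key, so after an AD password change the old password is needed once to re-wrap the key) and the data-loss concern raised just above are easier to judge with the flow in front of you. The following is an added example, not TeamPass code and not its on-disk format: it wraps a private key under a password-derived key with PBKDF2 from the Python standard library, refuses to unwrap with the wrong password (authenticated with an HMAC tag), and shows the re-key step. The stand-in cipher (HMAC-SHA256 in counter mode plus an HMAC tag) is chosen only so the example runs with no third-party library; a real deployment would use a vetted AEAD. The PBKDF2 iteration count and the sample key bytes are assumptions made up for the example.

```python
"""Password-wrapped private key and the re-key step after a password change.

Added example, not TeamPass code.  Stdlib only: PBKDF2 for key derivation,
HMAC-SHA256 counter-mode keystream as a stand-in cipher, HMAC tag for
integrity (encrypt-then-MAC).  Use a vetted AEAD in production.
"""
import hashlib
import hmac
import os
from typing import Dict

PBKDF2_ROUNDS = 100_000  # assumption for the example; tune for your hardware


def _derive_keys(password: str, salt: bytes):
    """Derive independent encryption and MAC keys from the password."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_private_key(private_key: bytes, password: str) -> Dict[str, bytes]:
    """Encrypt the private key under a key derived from the login password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ct = _xor(private_key, _keystream(enc_key, nonce, len(private_key)))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unwrap_private_key(blob: Dict[str, bytes], password: str) -> bytes:
    """Return the private key, or raise ValueError if the password is wrong."""
    enc_key, mac_key = _derive_keys(password, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong password: cannot decrypt private key")
    return _xor(blob["ct"], _keystream(enc_key, blob["nonce"], len(blob["ct"])))


def rekey_after_password_change(blob: Dict[str, bytes], old_password: str, new_password: str) -> Dict[str, bytes]:
    """The step described above: the previous password is required once to
    unwrap the key, which is then wrapped again under the current password."""
    return wrap_private_key(unwrap_private_key(blob, old_password), new_password)


def password_change_flow(old_password: str, new_password: str) -> Dict[str, bool]:
    """Walk through an AD password change and report what works at each point."""
    private_key = b"-----BEGIN PRIVATE KEY----- constructed sample key bytes"  # constructed
    blob = wrap_private_key(private_key, old_password)
    try:                       # new password alone: the stored blob is still under the old one
        unwrap_private_key(blob, new_password)
        new_alone = True
    except ValueError:
        new_alone = False
    new_blob = rekey_after_password_change(blob, old_password, new_password)
    return {
        "old_password_unwraps_original": unwrap_private_key(blob, old_password) == private_key,
        "new_password_alone_unwraps_original": new_alone,
        "new_password_unwraps_after_rekey": unwrap_private_key(new_blob, new_password) == private_key,
    }


if __name__ == "__main__":
    print(password_change_flow("Winter2020!", "Spring2021!"))
```

The second flag is the crux of the concern above: until the re-key has happened, nothing derived from the new AD password can open the stored blob, so a user who has forgotten the old password has no path back to the key except a recovery mechanism the application provides separately (for example an admin-held escrow copy of the wrapped key).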

turekg commented 3 years ago

Installed version 3.0.0.7 today on Ubuntu 20.04. The ldap test fails saying that it cannot connect to ldap (OpenLDAP in my case). Apache log reports:

[Mon Mar 08 12:13:11.930853 2021] [php7:notice] [pid 300075] [client 172.16.254.147:51294] PHP Notice:  Undefined index: ldap_username in /data/vhosts/teampass/sources/ldap.queries.php on line 124, referer: https://teampass.mercator-ocean.fr/index.php?page=ldap
[Mon Mar 08 12:13:11.930890 2021] [php7:notice] [pid 300075] [client 172.16.254.147:51294] PHP Notice:  Undefined index: ldap_password in /data/vhosts/teampass/sources/ldap.queries.php on line 125, referer: https://teampass.mercator-ocean.fr/index.php?page=ldap

Is there a workaround? Ta.

snumsdisagithub commented 3 years ago

Same problem ("Error: 1 - Can't contact LDAP server") with ldaps port (636) or ldap port (389). I'm running the last version.

tcpdump doesn't show any trace to an ldap port while testing the connectivity from the web UI.

With an ldapsearch from the server, that works fine.

nisfero commented 3 years ago

Hello, discovering the product and facing exactly the same issue on RHEL 8 with v3.0.0.7; ldapsearch works like a charm but not in the interface.

I don't know if this can help, but I've seen some kind of duplicates in the tp.config.php file about the ldap configuration:

On lines 29 to 39 you can find:

```php
'ldap_mode' => '0',
'ldap_type' => 'ActiveDirectory',
'ldap_suffix' => '0',
'ldap_domain_dn' => '0',
'ldap_domain_controler' => '0',
'ldap_user_attribute' => 'sAMAccountName',
'ldap_ssl' => '0',
'ldap_tls' => '0',
'ldap_elusers' => '0',
'ldap_search_base' => '0',
'ldap_port' => '389',
```

then, going to the end of the configuration file, you find the values you are currently setting up on the web interface:

```php
'ldap_bdn' => 'DC=domain,DC=local',
'ldap_username' => 'CN=readeraccountusername,OU=accounts,DC=domain,DC=local',
'ldap_password' => 'TheSuperCoolPassword ;)',
'ldap_new_user_role' => '1',
'ldap-test-config-username' => 'somedummyuserfortest',
'ldap-test-config-pwd' => 'blankpassword...',
'ldap_dn_additional_user_dn' => '',
```

Could there be some kind of conflict? I'm absolutely not an expert in all those things, just trying to help a bit :)

Steven