nilsteampassnet / TeamPass

Collaborative Passwords Manager
https://www.teampass.net

LDAP (ActiveDirectory) testing successfully, no users listed in sync #3130

Open thomask220 opened 2 years ago

thomask220 commented 2 years ago

Steps to reproduce

  1. Login as admin to fresh installation
  2. Activate LDAP in ActiveDirectory mode with correct configuration
  3. Verify that LDAP config works by using "Test current configuration" -> OK
  4. In module "Users" click button LDAP synchronization -> empty user list, as well the user group suggestion list is empty

Expected behaviour

The AD users should be listed

Actual behaviour

LDAP config is working, proven by the "Test current configuration" but list of users cannot be retrieved.

Server configuration

Operating system: Debian 11
Web server: Apache2
Database: mysql 5.7
PHP version: 8.1
Teampass version: 3.0.0.17 (tried as well with #3118 applied)

Updated from an older Teampass or fresh install: Complete fresh installation

Client configuration

Browser: tested Chrome, Firefox, Edge
Operating system: Windows 10

Logs

Web server error log

no errors given

Log from the web-browser developer console (CTRL + SHIFT + i)

after click "List users" button:

Object { error: false, entries: [], ldap_groups: [], teampass_groups: (1) […] }

Additional Info

We use a very standard, basic ActiveDirectory; we use LDAP authentication with several other products successfully.

LDAP is not using SSL or TLS. Filled host, port (389), BaseDN, username and password as standard.

User Distinguished Name: distinguishedname
User name attribute: samaccountname
Additional User DN: empty
User Object Filter: (&(objectCategory=Person)(sAMAccountName=*))
LDAP server type: ActiveDirectory
All switches: OFF

nilsteampassnet commented 2 years ago

@thomask220 Please update to latest commit. Several changes were performed on ldap.

jim-ccit commented 2 years ago

@nilsteampassnet Same issue using the latest commits.

The query is hitting the AD server correctly and not producing an error but the user list is never populated.

I suspect (but haven't had a chance to confirm yet) that there may be a logic error here

```php
if (isset($adUser[$SETTINGS['ldap_user_attribute']]) === false) continue;
// Build the list of all groups in AD
if (isset($adUser['memberof']) === true) {
    foreach($adUser['memberof'] as $j => $adUserGroup) {
        if (empty($adUserGroup) === false && $j !== "count") {
            $adGroup = substr($adUserGroup, 3, strpos($adUserGroup, ',') - 3);
            if (in_array($adGroup, $adRoles) === false && empty($adGroup) === false) {
                array_push($adRoles, $adGroup);
            }
        }
    }
}

// Is user in Teampass ?
$userLogin = $adUser[$SETTINGS['ldap_user_attribute']][0];
if (null !== $userLogin) {
```

Since in the limited testing I've had time to do, the second part of the loop (after `// Is user in Teampass ?`) never seems to execute.

dsnt02518 commented 2 years ago

Are you using the DN of a valid AD user for directory access, or the short username? I.e. something like CN=teampass,CN=Users,DC=example,DC=domain,DC=com? I have users pulling from AD via the LDAP sync (albeit via the global catalog, port 3268) with similar settings (but #3118 definitely required for user filter to be effective).

I had issues initially due to aliased/uppercased attribute names (dn and sAMAccountName instead of distinguishedname and samaccountname) but once fixed (as you have already) and with correct bind credentials the user listing was at least working for me and our AD forest. I believe (but not 100% certain) that the 'test' on the LDAP settings page will try a direct bind using the test credentials, whereas the user listing will need to use the provided directory access credentials.

You may also want to consider adding (!(userAccountControl:1.2.840.113556.1.4.803:=2)) to prevent inactive users being listed.
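Added example (not TeamPass project code, and not posted by anyone in this thread) that replays the selection logic of the sync loop quoted above over an `ldap_get_entries()`-shaped result, so the two points raised in this thread can be checked offline: the `isset()` lookup silently skips every entry when the configured attribute name is not the lowercased form that `ldap_get_entries()` produces, and the `ACCOUNTDISABLE` bit (0x2) that the suggested `(!(userAccountControl:1.2.840.113556.1.4.803:=2))` filter tests server-side can also be checked client-side. The group-DN parsing goes one step further than the `substr()`/`strpos()` in the quoted loop by tolerating escaped commas in the CN. The entries, DNs and function names are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not TeamPass code. Mirrors the shape PHP's ldap_get_entries()
// returns: a top-level "count" key, numeric keys for the entries, attribute
// names lowercased, and each multi-valued attribute as an array with its own
// "count". (The numeric keys ldap_get_entries() also adds for attribute names
// are left out for brevity.) All entries below are constructed, not real AD data.

// Bit tested by the LDAP_MATCHING_RULE_BIT_AND OID 1.2.840.113556.1.4.803 in
// the filter (!(userAccountControl:1.2.840.113556.1.4.803:=2)).
const ACCOUNTDISABLE = 0x2;

function sampleEntries(): array
{
    return [
        'count' => 3,
        0 => [
            'dn'                 => 'CN=alice,CN=Users,DC=example,DC=com',
            'samaccountname'     => ['count' => 1, 0 => 'alice'],
            'useraccountcontrol' => ['count' => 1, 0 => '512'],   // NORMAL_ACCOUNT
            'memberof'           => [
                'count' => 2,
                0 => 'CN=TeamPass Users,OU=Groups,DC=example,DC=com',
                1 => 'CN=Admins,OU=Groups,DC=example,DC=com',
            ],
        ],
        1 => [
            'dn'                 => 'CN=bob,CN=Users,DC=example,DC=com',
            'samaccountname'     => ['count' => 1, 0 => 'bob'],
            'useraccountcontrol' => ['count' => 1, 0 => '514'],   // NORMAL_ACCOUNT | ACCOUNTDISABLE
            'memberof'           => ['count' => 1, 0 => 'CN=TeamPass Users,OU=Groups,DC=example,DC=com'],
        ],
        2 => [
            'dn'                 => 'CN=carol,CN=Users,DC=example,DC=com',
            'samaccountname'     => ['count' => 1, 0 => 'carol'],
            'useraccountcontrol' => ['count' => 1, 0 => '66048'], // NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
            // Group CN containing an escaped comma, which a plain strpos(',') cuts short.
            'memberof'           => ['count' => 1, 0 => 'CN=Smith\, Carol Team,OU=Groups,DC=example,DC=com'],
        ],
    ];
}

function isDisabled(array $entry): bool
{
    $uac = (int) ($entry['useraccountcontrol'][0] ?? 0);
    return ($uac & ACCOUNTDISABLE) !== 0;
}

// First RDN value of a group DN; unlike substr()/strpos() it does not stop at an
// escaped comma ("\,") inside the CN, and it unescapes the value afterwards.
function groupCnFromDn(string $dn): ?string
{
    if (preg_match('/^CN=((?:\\\\.|[^,])+)/i', $dn, $m) !== 1) {
        return null;
    }
    return preg_replace('/\\\\(.)/', '$1', $m[1]);
}

/**
 * Returns the logins that would reach the "Is user in Teampass?" step, the
 * group CNs collected from memberOf, and the entries skipped with the reason.
 */
function listSyncCandidates(array $entries, string $userAttribute, bool $excludeDisabled = true): array
{
    $users = $groups = $skipped = [];
    foreach ($entries as $i => $adUser) {
        if ($i === 'count') {
            continue; // the top-level "count" key is not an entry
        }
        $dn = $adUser['dn'] ?? "#$i";
        if (!isset($adUser[$userAttribute])) {
            // Key miss: attribute absent, or configured with the wrong case
            // (ldap_get_entries() lowercases attribute names).
            $skipped[$dn] = 'no ' . $userAttribute;
            continue;
        }
        if ($excludeDisabled && isDisabled($adUser)) {
            // The same accounts the server-side ACCOUNTDISABLE filter would drop.
            $skipped[$dn] = 'disabled';
            continue;
        }
        foreach ($adUser['memberof'] ?? [] as $j => $groupDn) {
            if ($j === 'count' || $groupDn === '') {
                continue;
            }
            $cn = groupCnFromDn($groupDn);
            if ($cn !== null && !in_array($cn, $groups, true)) {
                $groups[] = $cn;
            }
        }
        $users[] = $adUser[$userAttribute][0];
    }
    return ['users' => $users, 'groups' => $groups, 'skipped' => $skipped];
}

// Wrong attribute case: every entry is skipped, i.e. an empty user list.
print_r(listSyncCandidates(sampleEntries(), 'sAMAccountName'));
// Lowercased attribute: alice and carol are listed, bob is excluded as disabled,
// and the groups come out as "TeamPass Users", "Admins", "Smith, Carol Team".
print_r(listSyncCandidates(sampleEntries(), 'samaccountname'));
```

Run it with `php` on the command line; it needs no LDAP extension because the result array is constructed inline. Passing `false` as the third argument to `listSyncCandidates()` shows what the listing looks like without the disabled-account exclusion that the suggested filter provides.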

Arash9703 commented 1 year ago

Hello, I have the same issue here in version 3.0.10.66 installed on a Debian server. I can't get my AD users to sync in Teampass.