nilsteampassnet / TeamPass

Collaborative Passwords Manager
https://www.teampass.net

Can't get LDAP to work with Active Directory #4094

Closed DaveWebb2 closed 2 months ago

DaveWebb2 commented 4 months ago

Page on which it happened

Login page

Steps to reproduce

  1. Try to log in with user that is in Active Directory and LDAP is enabled

Expected behaviour

The user should be able to log in

Actual behaviour

The user can't log in, they see this error: "LDAP error: Error:Error - LDAP bind : ldap_bind(): Unable to bind to server: Can't contact LDAP server"

When testing LDAP the admin sees this error: "An error occurred while opening connection to AD server"

Server configuration

Operating system: Linux aimnpt-svrapp05 5.15.0-100-generic #110-Ubuntu SMP Wed Feb 7 13:27:48 UTC 2024 x86_64

Web server: Apache/2.4.52 (Ubuntu)

Database: 10.6.16-MariaDB-0ubuntu0.22.04.1

PHP version: 8.2.16

Teampass version: 3.1.2

Teampass configuration file:

'max_latest_items' => '10',
'enable_favourites' => '1',
'show_last_items' => '1',
'enable_pf_feature' => '1',
'log_connections' => '0',
'log_accessed' => '1',
'time_format' => 'H:i:s',
'date_format' => 'd/m/Y',
'duplicate_folder' => '0',
'item_duplicate_in_same_folder' => '0',
'duplicate_item' => '0',
'number_of_used_pw' => '3',
'manager_edit' => '1',
'cpassman_dir' => '/var/www/teampass',
'cpassman_url' => 'https://<anonym_url>',
'favicon' => 'https://<anonym_url>/favicon.ico',
'path_to_upload_folder' => '/var/www/teampass/upload',
'url_to_upload_folder' => 'https://<anonym_url>/upload',
'path_to_files_folder' => '/var/www/teampass/files',
'url_to_files_folder' => 'https://<anonym_url>/files',
'activate_expiration' => '0',
'pw_life_duration' => '0',
'maintenance_mode' => '0',
'enable_sts' => '0',
'encryptClientServer' => '1',
'teampass_version' => '3.1.2',
'ldap_mode' => '1',
'ldap_type' => 'ActiveDirectory',
'ldap_suffix' => '',
'ldap_domain_dn' => '',
'ldap_domain_controler' => '',
'ldap_user_attribute' => 'samaccountname',
'ldap_ssl' => '1',
'ldap_tls' => '0',
'ldap_search_base' => '0',
'ldap_port' => '636',
'richtext' => '0',
'allow_print' => '0',
'roles_allowed_to_print' => '0',
'show_description' => '1',
'anyone_can_modify' => '0',
'anyone_can_modify_bydefault' => '0',
'nb_bad_authentication' => '0',
'utf8_enabled' => '1',
'restricted_to' => '0',
'restricted_to_roles' => '0',
'enable_send_email_on_user_login' => '0',
'enable_user_can_create_folders' => '0',
'insert_manual_entry_item_history' => '0',
'enable_kb' => '0',
'enable_email_notification_on_item_shown' => '0',
'enable_email_notification_on_user_pw_change' => '0',
'custom_logo' => '',
'custom_login_text' => '',
'default_language' => 'english',
'send_stats' => '0',
'send_statistics_items' => 'stat_country;stat_users;stat_items;stat_items_shared;stat_folders;stat_folders_shared;stat_admins;stat_managers;stat_ro;stat_mysqlversion;stat_phpversion;stat_teampassversion;stat_languages;stat_kb;stat_suggestion;stat_customfields;stat_api;stat_2fa;stat_agses;stat_duo;stat_ldap;stat_syslog;stat_stricthttps;stat_fav;stat_pf;',
'send_stats_time' => '1559483041',
'get_tp_info' => '1',
'send_mail_on_user_login' => '0',
'nb_items_by_query' => 'auto',
'enable_delete_after_consultation' => '0',
'enable_personal_saltkey_cookie' => '0',
'personal_saltkey_cookie_duration' => '31',
'email_smtp_server' => '<removed>',
'email_smtp_auth' => '',
'email_auth_username' => '<removed>',
'email_auth_pwd' => '<removed>',
'email_port' => '25',
'email_security' => 'none',
'email_server_url' => '',
'email_from' => '<removed>',
'email_from' => '<removed>',
'pwd_maximum_length' => '40',
'google_authentication' => '0',
'delay_item_edition' => '0',
'allow_import' => '1',
'proxy_ip' => '<removed>',
'proxy_port' => '',
'upload_maxfilesize' => '10mb',
'upload_docext' => 'doc,docx,dotx,xls,xlsx,xltx,rtf,csv,txt,pdf,ppt,pptx,pot,dotx,xltx',
'upload_imagesext' => 'jpg,jpeg,gif,png',
'upload_pkgext' => '7z,rar,tar,zip',
'upload_otherext' => 'sql,xml',
'upload_imageresize_options' => '1',
'upload_imageresize_width' => '800',
'upload_imageresize_height' => '600',
'upload_imageresize_quality' => '90',
'use_md5_password_as_salt' => '0',
'ga_website_name' => 'TeamPass for ChangeMe',
'api' => '0',
'subfolder_rights_as_parent' => '0',
'show_only_accessible_folders' => '0',
'enable_suggestion' => '0',
'otv_expiration_period' => '7',
'default_session_expiration_time' => '60',
'duo' => '0',
'enable_server_password_change' => '0',
'ldap_object_class' => '0',
'bck_script_path' => '/var/www/teampass/backups',
'bck_script_filename' => 'bck_teampass',
'syslog_enable' => '0',
'syslog_host' => '<removed>',
'syslog_port' => '514',
'manager_move_item' => '0',
'create_item_without_password' => '0',
'otv_is_enabled' => '0',
'agses_authentication_enabled' => '0',
'item_extra_fields' => '1',
'saltkey_ante_2127' => 'none',
'migration_to_2127' => 'done',
'files_with_defuse' => 'done',
'timezone' => 'UTC',
'enable_attachment_encryption' => '1',
'personal_saltkey_security_level' => '50',
'ldap_new_user_is_administrated_by' => '0',
'disable_show_forgot_pwd_link' => '0',
'offline_key_level' => '0',
'enable_http_request_login' => '0',
'ldap_and_local_authentication' => '0',
'secure_display_image' => '1',
'upload_zero_byte_file' => '0',
'upload_all_extensions_file' => '0',
'bck_script_passkey' => '<removed>',
'admin_2fa_required' => '1',
'password_overview_delay' => '4',
'roles_allowed_to_print_select' => '',
'clipboard_life_duration' => '30',
'mfa_for_roles' => '',
'tree_counters' => '0',
'settings_offline_mode' => '0',
'settings_tree_counters' => '0',
'copy_to_clipboard_small_icons' => '0',
'enable_massive_move_delete' => '0',
'email_debug_level' => '0',
'ga_reset_by_user' => '',
'onthefly-backup-key' => '<removed>',
'onthefly-restore-key' => '<removed>',
'ldap_user_dn_attribute' => 'distinguishedname',
'ldap_dn_additional_user_dn' => '',
'ldap_user_object_filter' => '',
'ldap_bdn' => 'dc=corp,dc=mydomain,dc=com',
'ldap_hosts' => '<removed>',
'ldap_password' => '<removed>',
'ldap_username' => 'CN=administrator,CN=users,DC=corp,DC=mydomain,DC=com',
'api_token_duration' => '60',
'enable_tasks_manager' => '1',
'task_maximum_run_time' => '300',
'maximum_number_of_items_to_treat' => '300',
'tasks_manager_refreshing_period' => '100',
'ldap_tls_certifacte_check' => 'LDAP_OPT_X_TLS_NEVER',
'enable_tasks_log' => '1',
'enable_ad_users_with_ad_groups' => '0',
'enable_ad_user_auto_creation' => '0',
'ldap_group_object_filter' => '',
'ldap_guid_attibute' => 'objectguid',
'sending_emails_job_frequency' => '2',
'user_keys_job_frequency' => '1',
'items_statistics_job_frequency' => '5',
'reload_cache_table_task' => '',
'rebuild_config_file' => '',
'purge_temporary_files_task' => '',
'clean_orphan_objects_task' => '',
'users_personal_folder_task' => '',
'maximum_session_expiration_time' => '60',
'items_ops_job_frequency' => '1',
'upgrade_timestamp' => '1710067417',
'enable_refresh_task_last_execution' => '1',
'ldap_group_objectclasses_attibute' => 'top,groupofuniquenames',
'pwd_default_length' => '14',
'tasks_log_retention_delay' => '3650',

Updated from an older Teampass or fresh install:

Trying desperately to upgrade from version 2. I've tried upgrading and installing new.

Client configuration

Browser: -

Operating system: - bits

Logs

Web server error log

[Sun Mar 10 18:28:44.501983 2024] [php:notice] [pid 81334] [client 10.242.2.2:64049] TEAMPASS Error - ldap - Error - LDAP bind : ldap_bind(): Unable to bind to server: Can't contact LDAP server, referer: https://teampass.corp.mydomain.com/index.php?page=ldap

Teampass 10 last system errors

Nothing recent, the only log entries are from 2019 for some reason.

Log from the web-browser developer console (CTRL + SHIFT + i)

Insert the log here and especially the answer of the query that failed.

DaveWebb2 commented 3 months ago

@nilsteampassnet do you have any suggestions for how to fix this please?

DaveWebb2 commented 3 months ago

I have just tried again using the latest version, 3.1.2.29 and the error remains. When testing the LDAP configuration this message is returned: "An error occurred while opening connection to AD server".

I've also noticed that version 3 differs from version 2 as the config page now includes username and password fields for the LDAP connection, and the password is stored in clear text in the tp.config.php - is that really a good idea??

@nilsteampassnet can you please help me get past this LDAP error? I've been trying to upgrade from version 2 for over two months now.

DaveWebb2 commented 2 months ago

@nilsteampassnet I notice that in my working 2.1.27.36 version there are files in /includes/libraries/LDAP/adLDAP but this folder does not exist in my 3.1.2.29 version. Is that correct? Are these files required for the new version or does it use different files for AD LDAP now? I notice that this version of the ADLDAP files is now deprecated, so maybe it needs a newer version?

I tried copying them exactly from my old installation to the new and it didn't work, but hope this may be related to the cause.

I'd really appreciate some help to get this working please.

nilsteampassnet commented 2 months ago

@DaveWebb2 In v3, LDAP relies on an external library and requires changing the setup from v2. Have you read https://documentation.teampass.net/#/features/authentication?id=ldap-authentication ? I've written down what I believe is interesting and also a link to the external library.

> When testing LDAP the admin sees this error: "An error occurred while opening connection to AD server"

You should have in the server log an entry starting with TEAMPASS Error - ldap - that provides the error from the library. When this error occurs, in the code it means it could not establish a connection to the LDAP server.

You may also have in the log errors starting with Error - LDAP connection : or Error - LDAP bind : depending on the error found.

Check your hosts input. Normally the server is not case sensitive, but try to provide all inputs in lowercase letters in your settings.

Perhaps also look at some other configurations; as an example, check the configuration in https://github.com/nilsteampassnet/TeamPass/issues/4157. This user is also using ActiveDirectory.

DaveWebb2 commented 2 months ago

@nilsteampassnet Thanks for getting back to me. To confirm, are you saying that for a clean install of v3 the LDAP library is not included and I need to add it, which is why it is failing? If so that's fine, I didn't know that, and can do that. Where should I put it within the /var/www/teampass folder?

nilsteampassnet commented 2 months ago

@DaveWebb2 There is no need to perform anything in files ... You need to adapt the LDAP parameters inside TP to fit your AD server. As I said, check the log errors, the documentation (from TP and the external library one if needed), and also a working configuration from another user.

You should not have to perform any file switch or mix, every commit contains the expected files

DaveWebb2 commented 2 months ago

@nilsteampassnet where is the server log I should check? All the logs inside the Logs page within the application are empty. I've tried changing the config so many times, nothing seems to work; as far as I can see everything is correct.

nilsteampassnet commented 2 months ago

It depends on your server configuration; the path to errors is usually defined in its config file. To get the correct attributes I usually use the AD itself. Read the LdapRecord documentation and compare to working configurations from other TP users. I cannot really help here, it is often related to the AD conf itself. I could check your server also but with no guarantee as I'm not an IT expert.

DaveWebb2 commented 2 months ago

@nilsteampassnet I can't see any option in the TeamPass config to specify a path to log files - can you please advise exactly what I need to do here (I'm a Windows admin, not Linux, so may need clear instructions).

I'm struggling to see how it can be my configuration, I've tried so many variations (host names, IP addresses, uppercase, lowercase, mixed case, etc) and they all fail. It also works fine on the older version of TeamPass and other applications I have using LDAPS.

I have used PowerShell on my Windows laptop to confirm that LDAP and LDAPS are working and responding on both domain controllers I have tried.

I have created a PHP file on the web server to test, and it connects successfully on port 636.

I have enabled verbose logging for LDAP on the Domain Controllers and can only see Event ID 1215 generating when a request originates from TeamPass: "Internal event: An LDAP client connection was closed because the client closed the connection."

Here is my configuration, with just the company name redacted:

```php
<?php global $SETTINGS; $SETTINGS = array ( 'max_latest_items' => '10', 'enable_favourites' => '1', 'show_last_items' => '1', 'enable_pf_feature' => '1', 'log_connections' => '1', 'log_accessed' => '1', 'time_format' => 'H:i:s', 'date_format' => 'd/m/Y', 'duplicate_folder' => '0', 'item_duplicate_in_same_folder' => '0', 'duplicate_item' => '0', 'number_of_used_pw' => '3', 'manager_edit' => '1', 'cpassman_dir' => '/var/www/teampass', 'cpassman_url' => 'https://teampassv3.corp.mycompany.com', 'favicon' => 'https://teampassv3.corp.mycompany.com/favicon.ico', 'path_to_upload_folder' => '/var/www/teampass/upload', 'url_to_upload_folder' => 'https://teampass.corp.mycompany.com/upload', 'path_to_files_folder' => '/var/www/teampass/files', 'url_to_files_folder' => 'https://teampass.corp.mycompany.com/files', 'activate_expiration' => '0', 'pw_life_duration' => '0', 'maintenance_mode' => '0', 'enable_sts' => '0', 'encryptClientServer' => '1', 'cpassman_version' => '2.1.27', 'ldap_mode' => '1', 'ldap_type' => 'ActiveDirectory', 'ldap_suffix' => '@corp.mycompany.com', 'ldap_domain_dn' => 'DC=corp,DC=mycompany,DC=com', 'ldap_domain_controler' => 'dc01.corp.mycompany.com', 'ldap_user_attribute' => 'sAMAccountName', 'ldap_ssl' => '1', 'ldap_tls' => '0', 'ldap_search_base' => '0', 'ldap_port' => '636', 'richtext' => '0', 'allow_print' => '0', 'roles_allowed_to_print' => '0', 'show_description' => '1', 'anyone_can_modify' => '0', 'anyone_can_modify_bydefault' => '0', 'nb_bad_authentication' => '0', 'utf8_enabled' => '1', 'restricted_to' => '0', 'restricted_to_roles' => '0', 'enable_send_email_on_user_login' => '0', 'enable_user_can_create_folders' => '0', 'insert_manual_entry_item_history' => '0', 'enable_kb' => '0', 'enable_email_notification_on_item_shown' => '0', 'enable_email_notification_on_user_pw_change' => '0', 'custom_logo' => '', 'custom_login_text' => '', 'default_language' => 'english', 'send_stats' => '0', 'send_statistics_items' => 
'stat_country;stat_users;stat_items;stat_items_shared;stat_folders;stat_folders_shared;stat_admins;stat_managers;stat_ro;stat_mysqlversion;stat_phpversion;stat_teampassversion;stat_languages;stat_kb;stat_s> 'send_stats_time' => '1559483041', 'get_tp_info' => '1', 'send_mail_on_user_login' => '0', 'nb_items_by_query' => 'auto', 'enable_delete_after_consultation' => '0', 'enable_personal_saltkey_cookie' => '0', 'personal_saltkey_cookie_duration' => '31', 'email_smtp_server' => 'smtp.corp.mycompany.com', 'email_smtp_auth' => '', 'email_auth_username' => '', 'email_auth_pwd' => '', 'email_port' => '25', 'email_security' => 'none', 'email_server_url' => '', 'email_from' => 'teampass@mycompany.com', 'email_from_name' => 'MyCompany TeamPass', 'pwd_maximum_length' => '40', 'google_authentication' => '0', 'delay_item_edition' => '0', 'allow_import' => '1', 'proxy_ip' => '', 'proxy_port' => '', 'upload_maxfilesize' => '10mb', 'upload_docext' => 'doc,docx,dotx,xls,xlsx,xltx,rtf,csv,txt,pdf,ppt,pptx,pot,dotx,xltx', 'upload_imagesext' => 'jpg,jpeg,gif,png', 'upload_pkgext' => '7z,rar,tar,zip', 'upload_otherext' => 'sql,xml', 'upload_imageresize_options' => '1', 'upload_imageresize_width' => '800', 'upload_imageresize_height' => '600', 'upload_imageresize_quality' => '90', 'use_md5_password_as_salt' => '0', 'ga_website_name' => 'TeamPass for MyCompany', 'api' => '0', 'subfolder_rights_as_parent' => '0', 'show_only_accessible_folders' => '0', 'enable_suggestion' => '0', 'otv_expiration_period' => '7', 'default_session_expiration_time' => '60', 'duo' => '0', 'enable_server_password_change' => '0', 'ldap_object_class' => '0', 'bck_script_path' => '/var/www/teampass/backups', 'bck_script_filename' => 'bck_teampass', 'syslog_enable' => '0', 'syslog_host' => 'localhost', 'syslog_port' => '514', 'manager_move_item' => '0', 'create_item_without_password' => '0', 'otv_is_enabled' => '0', 'agses_authentication_enabled' => '0', 'item_extra_fields' => '1', 'saltkey_ante_2127' => 'none', 
'migration_to_2127' => 'done', 'files_with_defuse' => 'done', 'timezone' => 'UTC', 'enable_attachment_encryption' => '1', 'personal_saltkey_security_level' => '50', 'ldap_new_user_is_administrated_by' => '0', 'disable_show_forgot_pwd_link' => '0', 'offline_key_level' => '0', 'enable_http_request_login' => '0', 'ldap_and_local_authentication' => '0', 'secure_display_image' => '1', 'upload_zero_byte_file' => '0', 'upload_all_extensions_file' => '0', 'bck_script_passkey' => 'eYQwRvq4vTQ6mrQuyH8UfU9H9z2TRUDAQnWYPdhP', 'admin_2fa_required' => '0', 'password_overview_delay' => '4', 'roles_allowed_to_print_select' => '', 'clipboard_life_duration' => '30', 'mfa_for_roles' => '', 'tree_counters' => '0', 'settings_offline_mode' => '0', 'settings_tree_counters' => '0', 'copy_to_clipboard_small_icons' => '0', 'enable_massive_move_delete' => '0', 'email_debug_level' => '0', 'ga_reset_by_user' => '', 'onthefly-backup-key' => '', 'onthefly-restore-key' => '', 'ldap_user_dn_attribute' => 'distinguishedName', 'ldap_dn_additional_user_dn' => '', 'ldap_user_object_filter' => '', 'ldap_bdn' => 'DC=corp,DC=mycompany,DC=com', 'ldap_hosts' => 'dc01.corp.mycompany.com', 'ldap_password' => 'MyPassword', 'ldap_username' => 'CN=Administrator,CN=Users,DC=corp,DC=mycompany,DC=com', 'api_token_duration' => '60', 'enable_tasks_manager' => '1', 'task_maximum_run_time' => '300', 'maximum_number_of_items_to_treat' => '300', 'tasks_manager_refreshing_period' => '100', 'ldap_tls_certifacte_check' => 'LDAP_OPT_X_TLS_NEVER', 'enable_tasks_log' => '0', 'enable_ad_users_with_ad_groups' => '0', 'enable_ad_user_auto_creation' => '0', 'ldap_group_object_filter' => '', 'ldap_guid_attibute' => 'objectGUID', 'sending_emails_job_frequency' => '2', 'user_keys_job_frequency' => '1', 'items_statistics_job_frequency' => '5', 'reload_cache_table_task' => '', 'rebuild_config_file' => '', 'purge_temporary_files_task' => '', 'clean_orphan_objects_task' => '', 'users_personal_folder_task' => '', 
'maximum_session_expiration_time' => '60', 'items_ops_job_frequency' => '1', 'upgrade_timestamp' => '1712481938', 'enable_refresh_task_last_execution' => '1', 'ldap_group_objectclasses_attibute' => '', 'pwd_default_length' => '14', 'tasks_log_retention_delay' => '3650', 'oauth2_azure' => '0', 'oauth2_azure_clientId' => '', 'oauth2_azure_clientSecret' => '', 'oauth2_azure_urlAuthorize' => '', 'oauth2_azure_urlAccessToken' => '', 'oauth2_azure_urlResourceOwnerDetails' => '', 'oauth2_azure_scopes' => 'openid,profile,email', 'teampass_version' => '3.1.2', );
```
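A stand-alone bind-and-lookup check of the kind the comment above describes, added here as an example; it is neither TeamPass's own code nor the script the commenter wrote. It loads the same ldap_* keys from tp.config.php (the include path and the sample login are assumptions), repeats the service bind and the user lookup the login page needs, and on failure prints the diagnostic text that the application otherwise sends only to the web server error log.

```php
<?php
// ldap_check.php: added troubleshooting example, not TeamPass code.
// Run as: php ldap_check.php <sAMAccountName>
declare(strict_types=1);

require '/var/www/teampass/includes/config/tp.config.php'; // assumed path
$s = $SETTINGS;

// Report what the LDAP library says, not just "can't contact server".
function fail($ldap, string $step): void
{
    $diag = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    fprintf(STDERR, "%s failed: %s (errno %d) %s\n",
        $step, ldap_error($ldap), ldap_errno($ldap), $diag);
    exit(1);
}

$scheme = ($s['ldap_ssl'] === '1') ? 'ldaps' : 'ldap';
$uri = sprintf('%s://%s:%s', $scheme, $s['ldap_hosts'], $s['ldap_port']);

// Mirrors 'ldap_tls_certifacte_check' from the posted config. LDAP_OPT_X_TLS_NEVER
// skips certificate verification: if the bind succeeds with NEVER but fails with
// LDAP_OPT_X_TLS_DEMAND, the DC certificate chain is the problem, not TeamPass.
$certMode = constant($s['ldap_tls_certifacte_check'] ?: 'LDAP_OPT_X_TLS_DEMAND');
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, $certMode);

$ldap = ldap_connect($uri);
if ($ldap === false) {
    fwrite(STDERR, "invalid URI: $uri\n");
    exit(1);
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);       // AD referrals otherwise break searches
ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 5);  // fail fast instead of hanging

if ($scheme === 'ldap' && $s['ldap_tls'] === '1') {
    @ldap_start_tls($ldap) or fail($ldap, 'StartTLS');
}

// Step 1: the service-account bind with 'ldap_username' / 'ldap_password'.
@ldap_bind($ldap, $s['ldap_username'], $s['ldap_password']) or fail($ldap, 'bind');
echo "bind OK via $uri as {$s['ldap_username']}\n";

// Step 2: resolve the login name to a DN under 'ldap_bdn', as the login page
// must before it can bind as that user. ldap_escape() keeps a user-supplied
// name from changing the meaning of the search filter.
$login  = $argv[1] ?? 'jdoe'; // constructed sample login
$filter = sprintf('(%s=%s)', $s['ldap_user_attribute'],
    ldap_escape($login, '', LDAP_ESCAPE_FILTER));
$dnAttr = $s['ldap_user_dn_attribute'];
$res = @ldap_search($ldap, $s['ldap_bdn'], $filter, [$dnAttr]) or fail($ldap, 'search');
$entries = ldap_get_entries($ldap, $res);

if ($entries['count'] === 0) {
    echo "no entry for $filter under {$s['ldap_bdn']}\n";
    exit(2);
}
// ldap_get_entries() lower-cases attribute names.
echo 'found: ' . ($entries[0][strtolower($dnAttr)][0] ?? $entries[0]['dn']) . "\n";
ldap_unbind($ldap);
```

A bind that succeeds here but fails from the application narrows the fault to what the application does differently with the same values, which is where comparing against another user's working ldap_* settings helps.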

nilsteampassnet commented 2 months ago

@DaveWebb2

> I can't see any option in the TeamPass config to specify a path to log files - can you please advise exactly what I need to do here (I'm a Windows admin, not Linux, so may need clear instructions).

It has nothing to do with TP. It is pure server configuration (Apache or other). So refer to Google :)

DaveWebb2 commented 2 months ago

> It has nothing to do with TP. It is pure server configuration (Apache or other). So refer to Google :)

I've spent hours trying to Google this, but as a Windows admin I'm struggling to figure out how all this works on Linux. It seems that TeamPass doesn't log any errors and neither does LdapRecord, and setting up any sort of logging for LdapRecord requires lots of Linux skills and knowledge. So without any logging enabled by default, troubleshooting is really difficult.

Is there any reason you don't want to have any logging within TeamPass? It would be so much easier to figure this out if TeamPass logged the specific error to a file that I could see to investigate.

DaveWebb2 commented 2 months ago

For info, I have installed the LDAP Utils on the server and when using ldapwhoami with the same details specified in TeamPass it returns success. This would suggest that there is nothing wrong with the configuration I am specifying or the connection between Linux server and AD Domain Controller. It has to be something wrong in TeamPass.

DaveWebb2 commented 2 months ago

Further testing with ldapsearch using the same configuration returns success every time, no errors.

nilsteampassnet commented 2 months ago

If an error occurs with the LDAP server, then an error is logged into the server (Apache most of the time) error log file. No need to have an extra file. Binding relies on the first 4 fields inside the configuration page. As explained, TP uses an external library to manage AD; I provided you the link and it's in the documentation. Many users have AD synced with TP. I don't say that it is working in all cases, I just say that it works, but in IT so many configurations are possible. Please compare your ldap_settings with the ones of a user that has it working, and see what could be the main difference. I would be pleased to focus on a code review but I need a direction.

DaveWebb2 commented 2 months ago

@nilsteampassnet I've managed to resolve this by manually editing some values in the tp.config.php file, such as adding the 'ldap_suffix' value. This and some other values are not configurable through the LDAP page in the application, but are required, so probably should be added to that page.

Thankfully, I can now successfully use LDAP with Active Directory.

nilsteampassnet commented 2 months ago

@DaveWebb2 This is good to read. Can you share the changes you performed please? Indeed variable 'ldap_suffix' is an old one that is not currently used anymore. So you must have changed something else that could be interesting to share with other users.

DaveWebb2 commented 2 months ago

Out of frustration I was playing around quite a bit, but the only differences in my config file (that now works) are the ldap_suffix value and the ldap_domain_dn value. This is all I changed and it started working.