nuxsmin / sysPass

Systems Password Manager
https://syspass.org
GNU General Public License v3.0

LDAP on 3.1 - Test OK but sign-in failed #1554

Open Yotouille opened 4 years ago

Yotouille commented 4 years ago

Syspass infos:

    3.1 (312.20030701)
    Config: 300.18112501
    App: 310.19042701
    DB: 310.19042701 

I have seen a few other issues on this subject, but this one doesn't really fit the other AD/LDAP issues. After upgrading from 3.0 to 3.1, it seems we had to reconfigure the LDAP settings.

On the LDAP settings page, all is configured, and the TEST button just says:

LDAP connection OK
object found: 4

with the list of my 4 users' "CN"

After enabling LDAP, clicking "Save" and signing out, I cannot sign in to sysPass anymore ("Connection Error (BIND)"), and there is no fallback to MySQL (I need to disable LDAP in the config file to sign in again).

I have tried with a less aggressive password (no special char), but with no luck. And all seems to be stored OK in the config file.

This is the exception when trying to sign in with LDAP:

```
[2020-05-26 12:58:36] syspass.INFO: logger {"message":"Extensions checked","caller":"SP\Core\PhpExtensionChecker::checkMandatory"}
[2020-05-26 12:58:36] syspass.INFO: logger {"message":"Loaded icons cache","caller":"SP\Core\UI\Theme::initIcons"}
[2020-05-26 12:58:36] syspass.INFO: logger {"message":"Loaded actions cache","caller":"SP\Core\Acl\Actions::loadCache"}
[2020-05-26 12:58:36] syspass.EXCEPTION: logger {"message":"Erreur de connexion (BIND)
#0 /var/web/contents/www/lib/SP/Providers/Auth/Ldap/LdapConnection.php(114): SP\Providers\Auth\Ldap\LdapConnection->bind()
#1 /var/web/contents/www/lib/SP/Providers/Auth/Ldap/LdapConnection.php(95): SP\Providers\Auth\Ldap\LdapConnection->connectAndBind()
#2 /var/web/contents/www/lib/SP/Providers/Auth/Ldap/Ldap.php(96): SP\Providers\Auth\Ldap\LdapConnection->checkConnection()
#3 /var/web/contents/www/lib/SP/Providers/Auth/AuthProvider.php(154): SP\Providers\Auth\Ldap\Ldap->factory(Object(SP\Providers\Auth\Ldap\LdapParams),Object(SP\Core\Events\EventDispatcher),Boolean)
#4 /var/web/contents/www/lib/SP/Providers/Auth/AuthProvider.php(116): SP\Providers\Auth\AuthProvider->getLdapAuth()
#5 /var/web/contents/www/lib/SP/Providers/Auth/AuthProvider.php(97): SP\Providers\Auth\AuthProvider->authLdap()
#6 /var/web/contents/www/lib/SP/Services/Auth/LoginService.php(154): SP\Providers\Auth\AuthProvider->doAuth(Object(SP\DataModel\UserLoginData))
#7 /var/web/contents/www/app/modules/web/Controllers/LoginController.php(65): SP\Services\Auth\LoginService->doLogin()
#8 [internal function]: SP\Modules\Web\Controllers\LoginController->loginAction()
#9 /var/web/contents/www/lib/SP/Bootstrap.php(240): call_user_func_array(Array,Array)
#10 [internal function]: SP\Bootstrap->SP\{closure}(Object(Klein\Request),Object(Klein\Response),Object(Klein\ServiceProvider),Object(Klein\App),Object(Klein\Klein),Object(Klein\DataCollection\RouteCollection),Array)
#11 /var/web/contents/www/vendor/klein/klein/src/Klein/Klein.php(886): call_user_func(Object(Closure),Object(Klein\Request),Object(Klein\Response),Object(Klein\ServiceProvider),Object(Klein\App),Object(Klein\Klein),Object(Klein\DataCollection\RouteCollection),Array)
#12 /var/web/contents/www/vendor/klein/klein/src/Klein/Klein.php(588): Klein\Klein->handleRouteCallback(Object(Klein\Route),Object(Klein\DataCollection\RouteCollection),Array)
#13 /var/web/contents/www/lib/SP/Bootstrap.php(464): Klein\Klein->dispatch(Object(Klein\Request))
#14 /var/web/contents/www/lib/Base.php(75): SP\Bootstrap->run(Object(DI\Container))
#15 /var/web/contents/www/index.php(28): require(String)","caller":"N/A"}
```

Log from the web UI:

```
121335 2020-05-26 14:58:37 ERROR exception - 81.xxx.xxx.xxx Erreur de connexion (BIND)/Confidentiality required (13)
```

PS: the 2-hour difference may be due to different time zones, but I guarantee this happened at the same time.

Besides this issue, all is perfect! Thanks again!

NB: the only difference in the LDAP configuration from v3.0 for us is that now we can connect (only with the TEST button) with TLS on the LDAP scheme but no longer on the LDAPS scheme (without TLS); it was the other way around in v3.0. This is quite okay for us as we are gradually dropping LDAPS wherever we can, but both schemes should work with our server, and... this is strange.
nuxsmin commented 4 years ago

Hello, sorry for the late reply.

It seems that the LDAP server CA certificate would be required, since the "Confidentiality required" message states that the connection must be made through a secure channel. Do you use the standard LDAP port (i.e. 389)?

Regards
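The "Confidentiality required (13)" result discussed above is the server refusing a simple bind on a channel it does not consider protected. The following is an added example (not sysPass code, not from the maintainer) that probes the three ways a client can reach such a directory from the sysPass host with the OpenLDAP command-line tools: plain ldap:// on 389, ldap:// on 389 with StartTLS required (`-ZZ`), and ldaps:// on 636. The host name, bind DN, password file and CA bundle path are assumptions to be replaced. If the plain probe reports `needs-tls` while the StartTLS probe reports `ok`, the server enforces confidentiality and any client code path that sends the bind before negotiating TLS gets result 13, which is the pattern the reporters see between the TEST button and the login form.

```shell
#!/bin/sh
# Added example: probe which LDAP transports accept a simple bind.
# All values below are placeholders (assumptions), override via environment.
LDAP_HOST="${LDAP_HOST:-ldap.example.org}"
BIND_DN="${BIND_DN:-cn=syspass,ou=services,dc=example,dc=org}"
# Password is read from a file (-y) so it never shows up in `ps`; the file
# must contain the password only, with no trailing newline.
PASS_FILE="${PASS_FILE:-/etc/syspass/ldap.pw}"
CA_FILE="${CA_FILE:-/etc/ssl/certs/ca-certificates.crt}"

# classify_bind_result EXIT_CODE OUTPUT
# OpenLDAP client tools exit with the LDAP result code of the failed
# operation: 13 is confidentialityRequired (RFC 4511), the same code that
# appears as "Confidentiality required (13)" in the sysPass web log above;
# 49 is invalidCredentials. Anything else is reported with its exit code.
classify_bind_result() {
    case "$1" in
        0)  echo "ok" ;;
        13) echo "needs-tls" ;;
        49) echo "bad-credentials" ;;
        *)
            case "$2" in
                *"Confidentiality required"*) echo "needs-tls" ;;
                *) echo "other:$1" ;;
            esac
            ;;
    esac
}

# probe LABEL ldapwhoami-args...
# Runs a simple bind (-x) as BIND_DN and prints the classified outcome.
# LDAPTLS_CACERT makes the client verify the server certificate against the
# given CA bundle for both StartTLS and ldaps://, so a CA problem shows up
# here as a non-zero result instead of being silently ignored.
probe() {
    label="$1"; shift
    out=$(LDAPTLS_CACERT="$CA_FILE" ldapwhoami -x -D "$BIND_DN" -y "$PASS_FILE" "$@" 2>&1)
    rc=$?
    printf '%-24s %s\n' "$label" "$(classify_bind_result "$rc" "$out")"
}

main() {
    probe "ldap://:389 (no TLS)"    -H "ldap://$LDAP_HOST:389"
    probe "ldap://:389 (StartTLS)"  -H "ldap://$LDAP_HOST:389" -ZZ
    probe "ldaps://:636"            -H "ldaps://$LDAP_HOST:636"
}

# The network probes only run when RUN_PROBE=1, so the classifier can be
# sourced and exercised without a directory server.
if [ "${RUN_PROBE:-0}" = 1 ]; then
    main
fi
```

Run it as `RUN_PROBE=1 LDAP_HOST=... BIND_DN=... PASS_FILE=... CA_FILE=... sh probe-ldap.sh` from the machine that hosts sysPass, since that is the client whose trust store and routing matter. A `needs-tls` line for the plain probe together with `ok` for the StartTLS probe is expected on a server that mandates StartTLS on 389; an `other:` result on the ldaps:// line with a message about the certificate points at the CA bundle rather than at the bind itself.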

Yotouille commented 4 years ago

Hi there !

I've double-checked the CA and it's OK (by the way, this part has not been modified since 3.0). The LDAP server is listening on 389 (StartTLS is mandatory) and also on 636; both are used elsewhere without an issue. And our sysPass 3.0 is working fine on 636 (only on this port, but that's another thing) with the exact same LDAP server.

As the TEST button says the connection is OK, I don't understand why it stops working once the LDAP settings are saved.

Let me know if you need more info!

Thanks for all !!

diegopaludo commented 3 years ago

Hi folks!

I also have the same problem :( Config test and user import work fine, but login with an imported user gives a BIND error: [image]

My configs: [image]

sysPass log: [image]

slapd log: [image]

zektulu commented 3 years ago

Hi,

I have the same issue with the 3.2 version.

Have you found a solution?

Regards

diegopaludo commented 3 years ago

I forgot the LDAP TLS config parameters:

[image]

nuxsmin commented 3 years ago

Hello,

@diegopaludo did you configure the LDAP TLS and certificates within the sysPass server? The LDAP server requires TLS to be enabled on the sysPass side.

Regards

nuxsmin commented 3 years ago

@Yotouille could you please provide the LDAP connection string? (masked please...)

diegopaludo commented 3 years ago

> Hello,
>
> @diegopaludo did you configure the LDAP TLS and certificates within the sysPass server? The LDAP server requires TLS to be enabled on the sysPass side.
>
> Regards

sysPass and LDAP are on the same server and the LDAP certificates are validated by Let's Encrypt.

I have other applications on the same server and on other ones that work fine with LDAP with Let's Encrypt, and I don't need to configure the certificates in these applications.

My doubt is that during sysPass LDAP configuration the connection works, and LDAP user import too, but after applying these configs I can't log in with an imported LDAP user.

diegopaludo commented 3 years ago

Hello,

@nuxsmin I tried other options but got the same error 😢

LDAP log during testing config: [image]

LDAP log during login: [image]

Testing SSL (following the troubleshooting section in the documentation): [image]

diegopaludo commented 3 years ago

I think the login page doesn't send TLS information and the fallback login doesn't work. I need to manually set "ldapEnabled" in config.xml to 0 to log in with admin again.

diegopaludo commented 3 years ago

This pull request

https://github.com/nuxsmin/sysPass/pull/1646/commits/2651d25e6525e9c75c1133e577ea2ceb5a5b04f5

partially solves my problem. Now login with LDAP works, but fallback does not. Admin login needs "ldapEnabled" in config.xml to be manually set to 0.

mrtxmrtx commented 3 years ago

> This pull request
>
> 2651d25
>
> partially solves my problem. Now login with LDAP works, but fallback does not. Admin login needs "ldapEnabled" in config.xml to be manually set to 0.

Thank you, after a day looking into it I found your solution. I am having exactly the same problem. Will at least this fix be part of coming versions?