osTicket / osTicket-plugins

Core plugins for osTicket (v1.8+)
GNU General Public License v2.0

Auth-LDAP and Bind DN #99

Open tuudik opened 8 years ago

tuudik commented 8 years ago

When your bind DN has spaces in it, authentication will fail. The error appears in authentication.php on line 220.

Plugin downloaded from here.

tuudik commented 8 years ago

LDAP log:

Mar 18 11:46:39 mail slapd[1073]: conn=4095 fd=23 ACCEPT from IP=*.*.*.*:40429 (IP=0.0.0.0:389)
Mar 18 11:46:39 mail slapd[1073]: conn=4095 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Mar 18 11:46:39 mail slapd[1073]: conn=4095 op=0 SRCH attr=vendorName vendorVersion namingContexts altServer supportedExtension supportedControl supportedSASLMechanisms supportedLDAPVersion subschemaSubentry
Mar 18 11:46:39 mail slapd[1073]: conn=4095 op=0 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required
Mar 18 11:46:39 mail slapd[1073]: conn=4095 op=1 EXT oid=1.3.6.1.4.1.1466.20037
Mar 18 11:46:39 mail slapd[1073]: conn=4095 op=1 STARTTLS
Mar 18 11:46:39 mail slapd[1073]: conn=4095 op=1 RESULT oid= err=0 text=
Mar 18 11:46:40 mail slapd[1073]: conn=4095 fd=23 TLS established tls_ssf=128 ssf=128
Mar 18 11:46:40 mail slapd[1073]: conn=4095 op=2 BIND dn="" method=128
Mar 18 11:46:40 mail slapd[1073]: conn=4095 op=2 RESULT tag=97 err=48 text=anonymous bind disallowed
Mar 18 11:46:40 mail slapd[1073]: conn=4095 op=3 UNBIND
Mar 18 11:46:40 mail slapd[1073]: conn=4095 fd=23 closed

Error log:

2016/03/18 11:43:41 [error] 4750#0: *5128 FastCGI sent in stderr: "PHP message: PHP Fatal error:  Call to a member function bind() on a non-object in /srv/www/support.domain.com/include/plugins/auth-ldap/authentication.php on line 220" while reading response header from upstream, client: *.*.*.*, server: support.domain.com, request: "POST /scp/login.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "support.domain.com", referrer: "https://support.domain.com/scp/login.php"

ntozier commented 8 years ago

The LDAP log you provided says:

Mar 18 11:46:40 mail slapd[1073]: conn=4095 op=2 BIND dn="" method=128
Mar 18 11:46:40 mail slapd[1073]: conn=4095 op=2 RESULT tag=97 err=48 text=anonymous bind disallowed

I'd say that there are two problems. The first is that your dn is empty. This could be because of having a space in it.

The second is that "anonymous bind disallowed", which I would think would mean that you didn't provide a username/password with rights to search AD.

tuudik commented 8 years ago

Yes, that is true, my DN has spaces in it. But shouldn't it still work?

ntozier commented 8 years ago

According to Microsoft you should not have a space at the beginning or end of a string in a DN. That being said, we removed spaces from our OUs some time ago and replaced them with _. I don't recall if it was for this very problem or another one, but there are a LOT of Google threads about spaces in DNs causing issues. You could try putting the string in quotes or single quotes.

tuudik commented 8 years ago

Sorry for not mentioning, I use OpenLDAP :)

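An added example, not code from the osTicket auth-ldap plugin, covering the two failure modes this thread touches: it escapes RDN values per RFC 4514 (a space inside a value such as `Service Accounts` is legal, only a leading or trailing space needs escaping, which is what the Microsoft guidance quoted above is about) and, in a hypothetical `check_bind_dn` helper, refuses to send an empty bind DN instead of letting the request degrade into the anonymous bind the slapd log shows being rejected. The DN values used are constructed for illustration.

```python
from typing import Sequence, Tuple

# Characters that must be backslash-escaped anywhere in an RDN value (RFC 4514, section 2.4)
_SPECIAL = '"+,;<>\\'


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in a string DN (RFC 4514).

    Spaces in the middle of a value ("Service Accounts") are legal and are
    left alone; only a leading or trailing space, and a leading '#', must be
    escaped. That is the case the Microsoft guidance quoted above refers to.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns: Sequence[Tuple[str, str]]) -> str:
    """Join (attribute, value) pairs into a DN string, escaping every value."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def check_bind_dn(bind_dn: str, password: str) -> str:
    """Hypothetical pre-bind check: fail closed instead of sending dn="".

    A blank DN becomes an anonymous bind and an empty password becomes an
    unauthenticated bind (RFC 4513); a server configured like the one in the
    slapd log above rejects the first with err=48, and servers typically
    reject the second outright or treat it as anonymous. Returns the trimmed
    DN or raises ValueError.
    """
    dn = bind_dn.strip()
    if not dn:
        raise ValueError("bind DN is empty; refusing anonymous bind")
    if not password:
        raise ValueError("bind password is empty; refusing unauthenticated bind")
    return dn
```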