Open n-borges opened 1 year ago
👋 Thanks for opening your first issue here! If you're reporting a 🐞 bug, please make sure you include steps to reproduce it. We get a lot of issues on this repo, so please be patient and we will get back to you as soon as we can.
Same Problem.
Can confirm problem with docker installation.
@uberbrady can you take a look at this when you get a moment?
I’d be surprised if this’d work, but can you try LDAP Auth query of `cn=`?
Snipe-IT tends to expect the thing you log in as to be the ‘username’ and I’m not sure if we’re smart enough to let you authenticate with something else entirely, but then pluck the ‘username’ out of the LDAP results and correctly use that. So that’s why I’m pretty skeptical that it’d work.
Unfortunately it doesn't work; I think the query is still incomplete as no OUs are specified. I guess the solution, as you suggested, would be to decouple what snipeit considers as its "username" and what fields are used to actually authenticate against the LDAP server.
I suppose that other services do exactly this: query the server using the provided username, get the object, and then build the authentication query using the retrieved data.
I cannot quite understand if we fell into some obscure use case or if this is a common problem. Do you think a fix for this would be too much of a trouble to implement?
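The search-then-bind flow described in the comment above, as an added example that is not part of the original thread and is not Snipe-IT's code. It runs against a small in-memory directory; the sample users, the `uid` login attribute and all function names are assumptions made for illustration.

```python
import re

# Constructed sample entries; DN layout follows the issue (cn=<first> <last>,dc=example,dc=com).
DIRECTORY = {
    "cn=Ada Lovelace,dc=example,dc=com": {"uid": "alovelace", "password": "s3cret"},
    "cn=Alan Turing,dc=example,dc=com": {"uid": "aturing", "password": "enigma"},
}
HEX = re.compile(r"\\[0-9a-fA-F]{2}")

def escape_filter(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def search(flt):
    """Toy evaluator for one (attr=value) filter; an unescaped * is a wildcard."""
    attr, value = re.fullmatch(r"\((\w+)=(.*)\)", flt).groups()
    parts = re.split(r"(\*|\\[0-9a-fA-F]{2})", value)
    pattern = "".join(
        ".*" if p == "*"
        else re.escape(chr(int(p[1:], 16))) if HEX.fullmatch(p)
        else re.escape(p)
        for p in parts)
    return [dn for dn, e in DIRECTORY.items()
            if re.fullmatch(pattern, e.get(attr, ""), re.I)]

def bind(dn, password):
    """Toy simple bind: succeeds only for an existing DN with the right password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password == entry["password"]

def direct_bind(username, password, base="dc=example,dc=com"):
    """The behaviour reported in the issue: the bind DN is built from the login name."""
    return bind(f"samaccountname={username},{base}", password)

def search_then_bind(username, password, attr="uid"):
    """Look the entry up by login attribute, then bind as the DN the directory returned."""
    if not username or not password:
        return None      # an empty password can turn a simple bind into an unauthenticated bind
    matches = search(f"({attr}={escape_filter(username)})")
    if len(matches) != 1:
        return None      # zero or ambiguous matches: refuse rather than guess a DN
    dn = matches[0]
    return dn if bind(dn, password) else None
```

The lookup step is where user input meets the filter, so the login name is escaped before it is interpolated; without that, a login name of `*` would match every entry.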
It's relatively obscure, but I've heard people ask for something similar to this before, so I wouldn't say unique. The challenge here would be for how you go about storing the 'authentication string' separately from the 'username' for when you want to do fallthrough-authentication (for when an LDAP server is down). Or, maybe, we just allow it to 'not work' and leave it at that. I'm not sure. I think we have a PR up that might handle this use case? This one: https://github.com/snipe/snipe-it/pull/11715 - if you have the ability to pull that down and test it, it'd be interesting if it managed to handle this use case - but flipping through the code I suspect it might not. But, if you can, do check it out and report back.
I'm sorry for the late reply, but unfortunately this PR's version does not solve things either.
Do you think this is worth fixing/working on?
Hi. Thanks for opening this bug report. Same problem for me, version "v6.2.0 - build 11566 (master)" Thanks.
It is still not possible to use LDAP login. I assume that I have set the data correctly. Reading the LDAP table also works. Every time I try to test a user it does not work.
In the database, all users that were imported have the same hash in the PW entry.
Hi all,
What is the status of this ticket? Unfortunately, even with the latest update, imported LDAP users still cannot log in.
Version v6.1.2 - build 10938 (master)
Interesting result on the CLI:
```
/var/www/html/snipe.xxxxx.com# sudo -u www-data php artisan ldap:troubleshoot
WARNING: This command will make several attempts to connect to your LDAP server. Are you sure this is ok? (yes/no) [no]:
> yes
STAGE 1: Checking settings
Determined LDAP hostname to be: ldap.xxxxxx.com
Performing DNS lookup of: ldap.xxxxxxx.com
In LdapTroubleshooter.php line 214:
dns_get_record(): A temporary server error occurred.
```
I think this issue could be related to my issue; the login part of the problem looks the same as in this issue: https://github.com/snipe/snipe-it/issues/13845
@Alpha6333 I see you fixed LDAP Sync in https://github.com/snipe/snipe-it/issues/13845 (many thanks!), now I can log in using "cn=xxx" (I'm on v6.3.0). But how is "LDAP Authentication query" really used? I mean, in my case the BIND operation can only happen with "cn=" but the username I want to use is the field "uid=" (RDN identifier is "cn" in my "ou=People"). It seems that any value I put in that field is completely ignored.
Debug mode
Describe the bug
Hi everyone
I'm trying to configure a Snipe-IT instance to work with a Zentyal LDAP server. I have configured several other services to work with our LDAP, and they seem to work well; Snipe-IT, though, is giving me some errors I cannot quite understand.
Other services I have set up seem to authenticate users with the following:
```
cn=<first name> <last name>,dc=example,dc=com
```
While Snipe-IT, no matter how I try to tweak the configuration, sends the following to my LDAP:
```
samaccountname=<whatever is entered in the username field>,dc=example,dc=com
```
In the configuration page, I can successfully test "LDAP Synchronization". All the expected users show up, according to the filters I have configured. "Test LDAP Login", though, fails with:
Login Failed. <user> did not successfully bind to LDAP.
I tried every configuration that came to my mind to try and debug this, but nothing seems to work. Do you have any suggestions? I'll put a screenshot of my configs here
Thanks for your help!
Reproduction steps
Expected behavior
Snipe-IT should authenticate through LDAP successfully
Screenshots
No response
Snipe-IT Version
6.1.2
Operating System
Alpine (Docker)
Web Server
Apache
PHP Version
8.1.22
Error messages
No response
Additional context
No response