tobybatch / kimai2

Docker containers for the kimai2 web application including docker-compose and kubernetes/helm deployment.

AD authentication fails if the user object has a child object (ActiveSyncDevice) #558

Closed NickStrabolke closed 9 months ago

NickStrabolke commented 10 months ago

After a long search, I discovered that users who had registered an ActiveSync device (mobile) to their MS Exchange mailbox were unable to log in to Kimai. I was then able to verify that users received the message "Incorrect access data" after they had registered their mobile to the Exchange server.

The ActiveSync device appears in LDAP below the corresponding user object as a sub-object (leaf), which is filled with attributes of the device.

Authenticated Users (and so also the Bind User) have read rights to the object. Adding explicit read rights for the Bind User to the user and its child objects did not help.

The security log on the domain controller always shows: "Account has been successfully logged on".

Message in the dev.log:

```
security.INFO: Authenticator failed. {"exception":"[object] (Symfony\Component\Security\Core\Exception\BadCredentialsException(code: 0): Fetching user data/roles failed, probably DN is expired. at /var/www/html/kimai/src/Ldap/LdapCredentialsSubscriber.php:76)", "authenticator": "App\Ldap\LdapAuthenticator"}
```

As I said, users without a child object work! I have no idea anymore. Is this more of a question for the laminas team?

kimai 2.3.0
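As an added illustration (not code from this thread, from Kimai or from laminas-ldap), the following stdlib-only Python models LDAP search scopes over a constructed directory in which one user has a child object beneath it, as the report describes. The thread does not establish why Kimai's lookup fails, so the model only shows the general behaviour a practitioner would check first: a subtree search rooted at a user DN returns more than one entry as soon as a child exists, while a base-scope search, or a subtree search constrained by an objectClass filter, still returns exactly one. All DNs, the child object class and the "exactly one result" lookup pattern are assumptions made for the example.

```python
"""Model of LDAP search scopes over a small constructed directory.

Constructed illustration only: this is not Kimai, laminas-ldap or Active
Directory code. DNs, object classes and the lookup pattern are placeholders.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    dn: str
    object_class: str


# Constructed sample directory. Jane has a child object (an ActiveSync device,
# as in the report); John has none. No DN here contains an escaped comma, so
# splitting on ',' is safe for this model (a real DN parser must handle escapes).
USER_WITH_DEVICE = "CN=Jane Doe,OU=Users,DC=example,DC=test"
USER_WITHOUT_DEVICE = "CN=John Roe,OU=Users,DC=example,DC=test"
DIRECTORY = (
    Entry("OU=Users,DC=example,DC=test", "organizationalUnit"),
    Entry(USER_WITH_DEVICE, "user"),
    Entry("CN=ActiveSyncDevice-placeholder," + USER_WITH_DEVICE, "activeSyncDevice"),
    Entry(USER_WITHOUT_DEVICE, "user"),
)


def _depth(dn: str) -> int:
    # Number of RDN components; used to tell direct children from deeper descendants.
    return len(dn.split(","))


def _is_below(dn: str, base: str) -> bool:
    # True when dn is a proper descendant of base (case-insensitive, as AD matches DNs).
    return dn.lower().endswith("," + base.lower())


def search(base: str, scope: str, object_class: Optional[str] = None, directory=DIRECTORY):
    """Return the entries an LDAP search with this base and scope would yield.

    scope: 'base' (the base entry only), 'one' (direct children only) or
    'sub' (the base entry plus everything beneath it). object_class plays
    the role of an LDAP filter such as (objectClass=user).
    """
    base_l = base.lower()
    hits = []
    for entry in directory:
        if scope == "base":
            match = entry.dn.lower() == base_l
        elif scope == "one":
            match = _is_below(entry.dn, base) and _depth(entry.dn) == _depth(base) + 1
        elif scope == "sub":
            match = entry.dn.lower() == base_l or _is_below(entry.dn, base)
        else:
            raise ValueError(f"unknown scope {scope!r}")
        if match and (object_class is None or entry.object_class == object_class):
            hits.append(entry)
    return hits


def fetch_single_user(user_dn: str, scope: str, object_class: Optional[str] = None) -> Entry:
    """Lookup that insists on exactly one result: a common client pattern,
    assumed here for illustration and not a claim about Kimai's own code."""
    hits = search(user_dn, scope, object_class)
    if len(hits) != 1:
        raise LookupError(
            f"expected exactly 1 entry for {user_dn!r} with scope {scope!r}, got {len(hits)}"
        )
    return hits[0]


if __name__ == "__main__":
    for dn in (USER_WITH_DEVICE, USER_WITHOUT_DEVICE):
        for scope in ("base", "one", "sub"):
            print(f"{scope:4} {dn}: {len(search(dn, scope))} entries")
    # Two ways a lookup stays unambiguous even when the user has a child object:
    print(fetch_single_user(USER_WITH_DEVICE, "base").dn)
    print(fetch_single_user(USER_WITH_DEVICE, "sub", object_class="user").dn)
```

Running the script prints one entry for John under every scope but two for Jane under `sub`, which is the shape of discrepancy the report describes (users with a device fail, users without one work). When diagnosing against a real directory, the same comparison is done with `ldapsearch -s base` versus `-s sub` rooted at the affected user's DN, bound as the application's bind account.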

kevinpapst commented 10 months ago

That is actually a question for: https://github.com/kimai/kimai/issues

But anyway: I never heard of such a problem and I have not enough knowledge about LDAP structures to add anything valuable to the discussion. All I can share is: you are the first person in the last 5 years with that issue. So this sounds rather uncommon. Not sure if Laminas will be able to help either.