kitsook
commented
4 years ago Hard to tell from the log as it doesn't print out the exact LDAP error. The binding call seems passed so the system authentication part should be fine.
Try printing out ldap_error($ds) as part of the log within the if block in app/plugins/guard/controllers/components/ldap_module.php
When you try with ldapsearch command, did you use the same base DN dc=drake,dc=edu and filter sAMAccountName=000214567?
I am thinking could it be the filter syntax? Try to change the filter in the ldap_search call
'(&(objectCategory=person)('.$this->usernameField.'='.$this->data[$this->guard->fields['username']].'))'
reference: https://stackoverflow.com/questions/6507492/get-samaccountname-from-ldap-using-php
dramaley
Hello! I've recently moved our iPeer from a RHEL 7 to a Debian 10 server. The new server has PHP 7, which allowed me to update iPeer to version 3.4.4 with CakePHP-Guard-Plugin 1.0.5. It all seems to be running just fine.
The next change is to authentication though. Our iPeer currently authenticates to a standard LDAP server which is scheduled for removal later this year. So I need to change it to authenticate against Active Directory. We have the same users in AD as the standard LDAP, so it should be a simple matter of changing the configuration in app/config/guard.php, right?
Here is the configuration that goes to the old server; i'm going to obscure the credentials but it does work:
$config['Guard.AuthModule.Ldap'] = array('host' => 'ldaps://eds.drake.edu','port' => 636,'serviceUsername' => '[SECURED]', // username to connect to LDAP'servicePassword' => '[SECURED]', // password to connect to LDAP'baseDn' => 'ou=people,dc=drake,dc=edu','usernameField' => 'uid','attributeSearchFilters' => array(// 'uid',),'attributeMap' => array(// 'username' => 'uid',),'fallbackInternal' => true,);That works just fine. And this gets written to app/tmp/logs/debug.log:
2020-03-09 14:18:40 Debug: Using LDAP Authentication module2020-03-09 14:18:41 Debug: redirecting to /Nothing is written to app/tmp/logs/error.log.
Now, i tried to change guard.php to point to our Active Directory:
$config['Guard.AuthModule.Ldap'] = array('host' => 'ldaps://drake.edu','port' => 636,'serviceUsername' => '[SECURED]', // username to connect to LDAP'servicePassword' => '[SECURED]', // password to connect to LDAP'baseDn' => 'dc=drake,dc=edu','usernameField' => 'sAMAccountName','attributeSearchFilters' => array(// 'uid',),'attributeMap' => array(// 'username' => 'uid',),'fallbackInternal' => true,);And that does not work. Any ideas? I have confirmed using the ldapsearch command that all the information is accurate, and I can use those credentials to perform searches, so I know all the values are correct.
I see different things in the logs though. In app/tmp/logs/debug.log:
2020-03-09 14:16:51 Debug: Using LDAP Authentication moduleAnd in app/tmp/logs/error.log:
2020-03-09 14:16:51 Warning: Warning (2): ldap_search(): Search: Operations error in [/srv/www/ipeer/html/app/plugins/guard/controllers/components/ldap_module.php, line 58]2020-03-09 14:16:51 Error: Fatal Error (256): Unable to perform LDAP seach with base DN dc=drake,dc=edu and search sAMAccountName=000214567. in [/srv/www/ipeer/html/app/plugins/guard/controllers/components/guard.php, line 325]