wheelybird / ldap-user-manager

A PHP web-based interface for LDAP user account management and self-service password change.
MIT License

Ldap Manager not able fetch users from Bitnami Openldap #207

Closed ajbisht closed 1 year ago

ajbisht commented 1 year ago

Hi,

We are trying to connect to a Bitnami OpenLDAP server using the wheelybird LDAP User Manager. I can see in the logs that it can fetch the user, but it's giving an error, "Please login to continue", in the UI.

Debug Logs

```
ldap-dns.com:80 172.27.1.85 - - [20/Jun/2023:06:01:49 +0000] "GET /ldap-user-manager/ HTTP/1.1" 200 609 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
ldap-dns.com:80 172.27.1.85 - - [20/Jun/2023:06:01:49 +0000] "GET /ldap-user-manager/bootstrap/css/bootstrap.min.css HTTP/1.1" 200 20028 "https://ldap-dns.com/ldap-user-manager/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
ldap-dns.com:80 172.27.1.85 - - [20/Jun/2023:06:01:49 +0000] "GET /ldap-user-manager/bootstrap/js/bootstrap.min.js HTTP/1.1" 200 10122 "https://ldap-dns.com/ldap-user-manager/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
ldap-dns.com:80 172.27.1.85 - - [20/Jun/2023:06:01:49 +0000] "GET /ldap-user-manager/js/jquery-3.6.0.min.js HTTP/1.1" 200 31193 "https://ldap-dns.com/ldap-user-manager/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
ldap-dns.com:80 172.27.1.85 - - [20/Jun/2023:06:01:51 +0000] "GET /ldap-user-manager/log_in/ HTTP/1.1" 200 873 "https://ldap-dns.com/ldap-user-manager/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
ldap-dns.com:80 172.27.1.1 - - [20/Jun/2023:06:01:52 +0000] "GET / HTTP/1.1" 200 973 "-" "kube-probe/1.24"
[Tue Jun 20 06:01:53.871735 2023] [php:notice] [pid 24] [client 172.27.1.85:38108] Failed to start STARTTLS connection to ldap://chubbio-bitnami-openldap:1389: Protocol error, referer: https://ldap-dns.com/ldap-user-manager/log_in/
[Tue Jun 20 06:01:53.872010 2023] [php:notice] [pid 24] [client 172.27.1.85:38108] Attempting to bind to ldap://chubbio-bitnami-openldap:1389 as cn=admin,dc=chubb,dc=com, referer: https://ldap-dns.com/ldap-user-manager/log_in/
[Tue Jun 20 06:01:53.873771 2023] [php:notice] [pid 24] [client 172.27.1.85:38108] Bound successfully as cn=admin,dc=chubb,dc=com, referer: https://ldap-dns.com/ldap-user-manager/log_in/
[Tue Jun 20 06:01:53.873801 2023] [php:notice] [pid 24] [client 172.27.1.85:38108] Running LDAP search for: uid=ldapadmin, referer: https://ldap-dns.com/ldap-user-manager/log_in/
[Tue Jun 20 06:01:53.874522 2023] [php:notice] [pid 24] [client 172.27.1.85:38108] LDAP search returned 1 records for uid=ldapadmin, referer: https://ldap-dns.com/ldap-user-manager/log_in/
[Tue Jun 20 06:01:53.874561 2023] [php:notice] [pid 24] [client 172.27.1.85:38108] Entry 1: uid=ldapadmin,ou=people,dc=chubb,dc=com, referer: https://ldap-dns.com/ldap-user-manager/log_in/
[Tue Jun 20 06:01:53.874567 2023] [php:notice] [pid 24] [client 172.27.1.85:38108] Attempting authenticate as ldapadmin by binding with uid=ldapadmin,ou=people,dc=chubb,dc=com , referer: https://ldap-dns.com/ldap-user-manager/log_in/
[Tue Jun 20 06:01:53.876074 2023] [php:notice] [pid 24] [client 172.27.1.85:38108] Failed to start STARTTLS connection to ldap://chubbio-bitnami-openldap:1389: Protocol error, referer: https://ldap-dns.com/ldap-user-manager/log_in/
[Tue Jun 20 06:01:53.881332 2023] [php:notice] [pid 24] [client 172.27.1.85:38108] Able to bind as ldapadmin, referer: https://ldap-dns.com/ldap-user-manager/log_in/
[Tue Jun 20 06:01:53.882186 2023] [php:notice] [pid 24] [client 172.27.1.85:38108] LDAP RFC2307BIS detection - found that the 'subschemaSubentry' base DN is 'cn=Subschema', referer: https://ldap-dns.com/ldap-user-manager/log_in/
[Tue Jun 20 06:01:53.883782 2023] [php:notice] [pid 24] [client 172.27.1.85:38108] LDAP RFC2307BIS detection - found 75 objectClasses under cn=Subschema, referer: https://ldap-dns.com/ldap-user-manager/log_in/
[Tue Jun 20 06:01:53.883955 2023] [php:notice] [pid 24] [client 172.27.1.85:38108] LDAP RFC2307BIS detection - couldn't find AUXILIARY in the posixGroup definition which suggests we're not using the RFC2307BIS schema. Set FORCE_RFC2307BIS to TRUE if you DO use RFC2307BIS. , referer: https://ldap-dns.com/ldap-user-manager/log_in/
ldap-dns.com:80 172.27.1.85 - - [20/Jun/2023:06:01:53 +0000] "POST /ldap-user-manager/log_in/ HTTP/1.1" 302 578 "https://ldap-dns.com/ldap-user-manager/log_in/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
ldap-dns.com:80 172.27.1.85 - - [20/Jun/2023:06:01:53 +0000] "GET /ldap-user-manager/account_manager?logged_in HTTP/1.1" 301 670 "https://ldap-dns.com/ldap-user-manager/log_in/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
ldap-dns.com:80 172.27.1.85 - - [20/Jun/2023:06:01:53 +0000] "GET /ldap-user-manager/account_manager/?logged_in HTTP/1.1" 302 347 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
ldap-dns.com:80 172.27.1.85 - - [20/Jun/2023:06:01:54 +0000] "GET /ldap-user-manager/log_in/index.php?unauthorised&redirect_to=L2xkYXAtdXNlci1tYW5hZ2VyL2FjY291bnRfbWFuYWdlci8/bG9nZ2VkX2lu HTTP/1.1" 200 985 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
ldap-dns.com:80 172.27.1.1 - - [20/Jun/2023:06:02:02 +0000] "GET / HTTP/1.1" 200 973 "-" "kube-probe/1.24"
```

Version: it is the latest one; I have also tried it with version 1.7.

Note: this setup is working with osixia OpenLDAP.

ajbisht commented 1 year ago

Found the issue. The /tmp directory was read-only.

miamilabs commented 1 year ago

> Found the issue. The /tmp directory was read-only.

Could you share your fix in the docker-compose file?

ajbisht commented 1 year ago

@miamilabs Are you running your container as read-only?

If you are, then mount the /tmp directory as a volume.

miamilabs commented 1 year ago

> @miamilabs Are you running your container as read-only?

I found the issue: "Unable to connect to ldap://openldap via StartTLS". Looks like "LDAP_REQUIRE_STARTTLS" won't work.

Will check if I missed something. Thank you for the quick reply.

miamilabs commented 1 year ago

> @miamilabs Are you running your container as read-only?
>
> If you are, then mount the /tmp directory as a volume.

Do you have something similar as me?

```yaml
openldap-ui:
    image: wheelybird/ldap-user-manager:v1.5
    container_name: openldap-ui
    ports:
      - "8090:80"
    depends_on:
      - openldap
    environment:
      - LDAP_URI=ldap://openldap
      - LDAP_BASE_DN=dc=xxxx
      - LDAP_REQUIRE_STARTTLS=FALSE
      - LDAP_ADMINS_GROUP=admins
      - LDAP_ADMIN_BIND_DN=cn=admin,xxxxx
      - LDAP_ADMIN_BIND_PWD=xxxxx
      - LDAP_IGNORE_CERT_ERRORS=true
      - NO_HTTPS=TRUE
      - PASSWORD_HASH=SSHA
      - USERNAME_FORMAT={first_name}.{last_name}
      - EMAIL_DOMAIN=xxxx
    networks:
      - proxy
      - openldap
```

ajbisht commented 1 year ago

I am using a similar config, with just a few differences:

NO_HTTPS=FALSE, and Bitnami OpenLDAP runs on port 1389, so your LDAP_URI should be ldap://openldap:1389.

You can confirm the port of Bitnami OpenLDAP at https://hub.docker.com/r/bitnami/openldap/
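The following docker-compose service is an added example and is not from this thread or the project's own documentation. It combines the two fixes the thread arrives at: the container's root filesystem is read-only, so /tmp is supplied as a tmpfs mount (PHP writes its session files there, and a login that cannot persist a session bounces straight back to "Please login to continue"), and LDAP_URI carries the Bitnami image's port 1389. The image tag, service and network names, the base DN and the credential values are placeholders of my own; the `read_only` and `tmpfs` keys are standard Compose service options.

```yaml
services:
  openldap-ui:
    image: wheelybird/ldap-user-manager:v1.7   # placeholder tag; pin the one you deploy
    container_name: openldap-ui
    read_only: true          # immutable root filesystem for the web container
    tmpfs:
      - /tmp                 # the one path the thread found must stay writable (PHP sessions);
                             # the image may need others, so check its logs after enabling read_only
    ports:
      - "8090:80"
    depends_on:
      - openldap
    environment:
      - LDAP_URI=ldap://openldap:1389         # Bitnami OpenLDAP listens on 1389, not 389
      - LDAP_BASE_DN=dc=example,dc=com        # placeholder
      - LDAP_REQUIRE_STARTTLS=FALSE           # the Bitnami server answered STARTTLS with "Protocol error" above;
                                              # with this FALSE the admin bind crosses the compose network in clear
      - LDAP_ADMINS_GROUP=admins
      - LDAP_ADMIN_BIND_DN=cn=admin,dc=example,dc=com   # placeholder
      - LDAP_ADMIN_BIND_PWD=change-me         # placeholder; keep the real value out of the compose file
      - NO_HTTPS=TRUE                         # plain HTTP inside; assumes a TLS-terminating proxy on the "proxy" network
      - PASSWORD_HASH=SSHA
      - USERNAME_FORMAT={first_name}.{last_name}
      - EMAIL_DOMAIN=example.com              # placeholder
    networks:
      - proxy
      - openldap
```

After `docker compose up -d`, a quick check that the read-only setting did not break anything is to watch the container's Apache/PHP log during one login: a successful session write produces the 302 to `account_manager/?logged_in` without the immediate bounce to `log_in/index.php?unauthorised` seen in the thread's log.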