Bookstack: Active Directory LDAP not working

Created on 20 Feb 2017 · 11 comments · Source: BookStackApp/BookStack

Expected Behavior

Allows AD users to Login

Actual Behavior

BookStack throws error about Search Operators.

Hi There,

I am having trouble making this work. I have been unable to get BookStack to find the DN rather than the UID. BookStack successfully connects to AD but fails when trying to search for the user.
This is the error I get:
at HandleExceptions->handleError('2', 'ldap_search(): Search: Operations error', '/var/www/BookStack/app/Services/Ldap.php', '57', array('ldapConnection' => resource, 'baseDn' => 'DC=domain,DC=local', 'filter' => '(&(dn=${user}))', 'attributes' => array('cn', 'uid', 'dn', 'mail')))

This is how I have configured my LDAP settings:

LDAP Settings
LDAP_SERVER=172.23.35.10:389
LDAP_BASE_DN="DC=domain,DC=local"
LDAP_DN="CN=ServiceAccount,OU=Users,OU=Domain,DC=Domain,DC=local"
LDAP_PASS=password
LDAP_USER_FILTER=(&(dn=${user}))
LDAP_VERSION=3

I believe this is similar to #56

Let me know if you need any more info

Bug


All 11 comments

Hi @RantMaster, sorry to hear you're facing LDAP troubles.

The error message posted seems a little cut off. Would you be able to post the full error message? Here is a page on getting debug messages from logs:
https://www.bookstackapp.com/docs/admin/debugging/

@RantMaster
For whatever reason, we were not able to do a base search off of the LDAP root, but we did find that if we bind to a container or organizational unit it worked without issue.

Also, quotes are not needed for the LDAP_BASE_DN.

Here are our LDAP settings for comparison:

# LDAP Settings
LDAP_SERVER=IP_ADDRESS
LDAP_BASE_DN=ou=OU_NAME,dc=DOMAIN,dc=local
[email protected]
LDAP_PASS=PASSWORD
LDAP_USER_FILTER=(&(uid=${user}))
LDAP_VERSION=3

@btone-comm
Thanks man for that tip! No longer getting any errors in laravel.log when trying to login, however I'm also not able to login :/
I'm getting:

These credentials do not match our records

Any thoughts or tips on this one?

Update
Nevermind, I changed the filter from uid=${user} to SAMAccountName=${user} and that sorted it

@comnam90 Awesome!

For whatever reason, we were not able to do a base search off of the LDAP root, but we did find that if we bind to a container or organizational unit it worked without issue.

Has anybody come up with a fix for this issue? I hit the same bug: https://github.com/BookStackApp/BookStack/issues/431 and cannot authenticate my users into the app :'(

@Alwaysin Can you try the following:

  1. Open the app/Services/LdapService.php file. After line 44, add the following line:
$this->ldap->setOption($ldapConnection, LDAP_OPT_REFERRALS, 0);

That block of code should then look like this:

        // Find user
        $userFilter = $this->buildFilter($this->config['user_filter'], ['user' => $userName]);
        $baseDn = $this->config['base_dn'];
        $emailAttr = $this->config['email_attribute'];
        // Stop the client from chasing referrals; AD returns them for a search from the domain root
        $this->ldap->setOption($ldapConnection, LDAP_OPT_REFERRALS, 0);
        $users = $this->ldap->searchAndGetEntries($ldapConnection, $baseDn, $userFilter, ['cn', 'uid', 'dn', $emailAttr]);
        if ($users['count'] === 0) return null;

Then see if it binds on the base DN. Unfortunately I don't have Active Directory myself so I can't test this before deploying a fix. Let me know if this works and I'll patch it into a bugfix release.

With this line added, I got a new error:

Whoops, looks like something went wrong.

1/1
ErrorException in Ldap.php line 57:
ldap_search(): Search: Partial results and referral received

I hope it is going into the right direction :D

@Alwaysin Do you have the following line in your .env file?

LDAP_VERSION=3

If not, please try adding it. (You might need to run php artisan optimize after changing the .env file.)

Yes!!
That made it work!

Thank you very much @ssddanbrown :)

@Alwaysin Awesome, glad to hear. I'll mark this change to be in the next bugfix release. Keep this in mind, as you might have to make a configuration tweak on that update in the event there's a reason this change will have to be configurable/non-default.

Update now out to cover this.
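Putting the three pieces the thread converges on together (LDAPv3, referral chasing off, and a sAMAccountName filter instead of uid), here is a plain PHP lookup as an added example; it is not BookStack's code. The server, service-account DN and base DN are placeholders modelled on the settings posted above, and the ldap_escape() call on the username is my addition.

```php
<?php
// Added example, not BookStack code. Assumes PHP's ldap extension, a reachable
// domain controller and a service account that may search the directory.

// Build the user filter with the username escaped, so a value containing LDAP
// filter metacharacters such as '*', '(' or ')' cannot change the filter's shape.
function buildUserFilter(string $username): string
{
    return '(&(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
}

// Look up one AD account by sAMAccountName from the domain root.
// Returns the entry (including its 'dn') or null when there is no single match.
function findAdUser(string $server, string $bindDn, string $bindPass, string $baseDn, string $username): ?array
{
    $ldap = ldap_connect('ldap://' . $server);
    if ($ldap === false) {
        throw new RuntimeException('ldap_connect could not parse the server URI');
    }
    // AD requires protocol version 3, and with referral chasing left on a search from
    // the domain root fails with "Operations error" or "Partial results and referral received".
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Bind with the service account to perform the search; the end user's password
    // is only ever used afterwards, in a separate bind against the DN found here.
    if (!@ldap_bind($ldap, $bindDn, $bindPass)) {
        throw new RuntimeException('service account bind failed: ' . ldap_error($ldap));
    }
    $result = @ldap_search($ldap, $baseDn, buildUserFilter($username), ['cn', 'sAMAccountName', 'mail']);
    if ($result === false) {
        throw new RuntimeException('search failed: ' . ldap_error($ldap));
    }
    $entries = ldap_get_entries($ldap, $result);
    ldap_unbind($ldap);
    // Exactly one hit is the only acceptable outcome; zero or several means "unknown user".
    if ($entries === false || $entries['count'] !== 1) {
        return null;
    }
    return $entries[0];
}

// Usage with placeholder values (constructed, adjust to your environment):
// $entry = findAdUser('172.23.35.10:389', 'CN=ServiceAccount,OU=Users,DC=domain,DC=local',
//                     getenv('LDAP_PASS'), 'DC=domain,DC=local', $submittedUsername);
// if ($entry !== null) { /* bind $entry['dn'] with the user's own password to authenticate */ }
```

The returned entry's 'dn' is what the application then binds with the user's own password; authentication succeeds only if that second bind does.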
