The ldap test works fine but when trying to log into syspass with AD creds I get the error below. Thanks for the help.
My config.php
'ldap_ads' => true,
'ldap_base' => 'OU=something,DC=example,DC=net',
'ldap_bindpass' => 'somepassword',
'ldap_binduser' => 'ldapuser',
'ldap_defaultgroup' => 2,
'ldap_defaultprofile' => 2,
'ldap_enabled' => true,
'ldap_group' => 'admins',
'ldap_server' => 'ldaps://usingIPhere',
Error Im seeing
"Error while searching user DN"
Can you take a look to the sysPass event log? It should log the LDAP error and the filtering string.
Thanks for the quick reply!!!
Error while searching user DN
User: firstname.lastname
LDAP FILTER:
(&(|(samaccountname=firstname.lastname)(cn=firstname.lastname)(uid=firstname.lastname))(|(objectClass=inetOrgPerson)(objectClass=person)(objectClass=simpleSecurityOb
ject))(objectCategory=person))
Does the user exist within the search base?
Yes. I can get the login to work it seems if I enter the DN for the user Im testing as the search base. Example:
User DN: CN=User Name,OU=Network_Engineering,OU=Technical_Services,OU=Users,OU=
REP,DC=example,DC=net
Search Base: OU=Network_Engineering,OU=Technical_Services,OU=Users,OU=
REP,DC=example,DC=net
But if I try using: DC=example,DC=net
I get this error:
searchBase ADMIN 10.1.1.33 Error while searching objects in base DN
LDAP ERROR: Operations error (1)
LDAP FILTER: (&(|(memberOf=_)(groupMembership=_))(|(objectClass=inetOrgPerson)(objectClass=person)(objectClass=simpleSecurityObject)))
It seems the recursive lookup is not working properly?
Ideally i would like to use DC=example,DC=net as the search base as our AD environment is quite overly complicated and users are organized in many diff containers and ou's.
Right, it should work, even nested group membership too. Really, the searching is done by ADS, so sysPass does not perform any action on the searches.
Can you perform some test with the ldp utility or whatever LDAP utility by using the filtering string?
Hello, can you try out the latest commit?, There are some LDAP related fixes.
I will give the latest commit a try and report back. Thank you.
Still seeing the same issue after updating to latest commit :(
Again. If I point the base search to where my test accounts DN lives I can get it to work. Otherwise, I can not auth. Let me know if I can provide more information. This seems like it would work with simple setups where all users live on one OU. This is not the case in my environment.
OU=Network_Engineering,OU=Technical_Services,OU=Users,OU=
REP,DC=example,DC=net
What about the ldp test? Can you perform it?, It could be useful try out with an external tool.
Currently, this setup is running over a windows 2012 ADS environment without any issue and the search base is set some levels up to the users OUs.
I've also tested it over openLdap and edirectory services.
Im using ldapsearch on ubuntu. Not 100% sure how to apply the string above to my search. Im trying it now.
Example of a search that works without issue.
ldapsearch -LLL -H ldaps://domaincontroller.example.net -M -b "DC=example,DC=net" -D "[email protected]" -w "password" "sAMAccountName=firstname.lastname"
Ok. I have tried all the filters
&(|(samaccountname=firstname.lastname)(cn=firstname.lastname)(uid=firstname.lastname))(|(objectClass=inetOrgPerson)(objectClass=person)(objectClass=simpleSecurityOb
ject))(objectCategory=person))
Still no worky.
Ok...
ldapsearch -x -W -D "bind_dn" -h servername -b "search_base" "filter string within ()"
.
Can you add the attribute "cn" to the end of the command?
It would look like: ldapsearch .... "cn"
So it will only return that attribute... sorry, I should mention it above
root@vault:/opt/apps/syspass# ldapsearch -x -D "CN=_ldap_lookup,OU=ServiceAccounts,OU=Central_IT,DC=example,DC=net" -w "somepass" -h someserver.example.net -b "DC=example,DC=net" "(&(|(samaccountname=firstname.lastname)(cn=firstname.lastname)(uid=firstname.lastname))(|(objectClass=inetOrgPerson)(objectClass=person)(objectClass=simpleSecurityObject))(objectCategory=person))" "cn"
# extended LDIF
#
# LDAPv3
# base <DC=example,DC=net> with scope subtree
# filter: (&(|(samaccountname=firstname.lastname)(cn=firstname.lastname)(uid=firstname.lastname))(|(objectClass=inetOrgPerson)(objectClass=person)(objectClass=simpleSecurityObject))(objectCategory=person))
# requesting: cn
#
# Firstname Lastname, Network_Engineering, Technical_Services, Users, DER, example
.net
dn: CN=Firstname Lastname,OU=Network_Engineering,OU=Technical_Services,OU=Users,OU=
derp,DC=example,DC=net
cn: Firstname Lastname
# search reference
ref: ldap://ForestDnsZones.example.net/DC=ForestDnsZones,DC=example,DC=net
# search reference
ref: ldap://DomainDnsZones.example.net/DC=DomainDnsZones,DC=example,DC=net
# search reference
ref: ldap://example.net/CN=Configuration,DC=example,DC=net
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3
Appreciate the help!
Fine, searches are working...
Did you set the bind user like "cn=user,dc=example,dc=net"?. I can't see it in some comments above?
Regarding a comment, you posted an error that shows a LDAP filter like "memberof=blank", is that right?
Current bind
CN=_ldap_lookup,OU=ServiceAccounts,OU=Central_IT,DC=example,DC=net
Test Error
Error while searching objects in base DN
LDAP ERROR: Operations error (1)
LDAP FILTER: (&(|(memberOf=_)(groupMembership=_))(|(objectClass=inetOrgPerson)(objectClass=person)(objectClass=simpleSecurityObject)))
Login Error
Error while searching user DN
User: test.user
LDAP ERROR: Operations error (1)
LDAP FILTER:
(&(|(samaccountname=test.user)(cn=test.user)(uid=test.user))(|(objectClass=inetOrgPerson)(objectClass=person)(objectClass=simpleSecurityObject))(objectCa
tegory=person))
AD config block
'ldap_ads' => true,
'ldap_base' => 'DC=example,DC=net',
'ldap_bindpass' => 'somepass',
'ldap_binduser' => 'CN=ldapuser,OU=ServiceAccounts,OU=Central_IT,DC=example,DC=net',
'ldap_defaultgroup' => 2,
'ldap_defaultprofile' => 2,
'ldap_enabled' => true,
'ldap_group' => false,
'ldap_server' => 'ldaps://someip',
'ldap_userattr' => '',
.
Ummm...you're using ldaps so would need to import the ADS CA certificate in order to trust in it.
This website can help you:
I have already completed this. I mentioned this works when Im using the test users DN as the base so I dont think the cert is the issue.
Sure, but that "operations error" sounds that the ADS server is not responding correctly.
Is your ADS running on windows 2003?
An excerpt from PHP:
In order to perform the searches on Windows 2003 Server Active Directory you have to set the LDAP_OPT_REFERRALS option to 0:
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
Without this, you will get "Operations error" if you try to search the whole AD schema (using root of the domain as a $base_dn).
As opposed to Windows 2000 Server, where this option was optional and only increased the performance.
This particular DC is 2012. Also I have many web apps that use AD auth using that DC.
Ok, but what is the domain functional level?
BTW, I'm programming a piece of code to get some raw data from the ADS by PHP.
Can you set the LDAP group to "*"?. This would make the test to work.
Ok, but what is the domain functional level?
2008 r2
Can you set the LDAP group to "*"?. This would make the test to work.
I will do that now.
Test results below.
2016-08-30 11:45:49 searchGroupDN ADMIN someip Error while searching group RDN
Group: (cn=*)
LDAP FILTER: (cn=*)
I do appreciate the help with this. I would love to get this working :)
Well, can you put this script in your sysPass root dir and point the broswer to it? (take care to replace some config vars at the beginning)
https://gist.github.com/nuxsmin/a6b2f2701ce8b78ceadd835adc26756a
You can also take a look to http://stackoverflow.com/a/6222836 (LDAP_OPT_REFERRALS is commented out in the script), so it seems that can be useful for any ADS version...
Thanks. I will give this a go.
When I browse to the script I only get this
Array
(
)
Can you comment out the "LDAP_OPT_REFERRALS" line?
It would appear its commented out already?
$groupName = '';
$ldapConn = @ldap_connect($ldapServer);
@ldap_set_option($ldapConn, LDAP_OPT_NETWORK_TIMEOUT, 10); // Set timeout
@ldap_set_option($ldapConn, LDAP_OPT_PROTOCOL_VERSION, 3); // Set LDAP version
//@ldap_set_option($ldapConn, LDAP_OPT_REFERRALS, 0); // Uncomment if "operations error"
@ldap_bind($ldapConn, $bindUser, $bindPass);
preg_match('/^(cn=[\w\s-]+)(,.*)?$/i', $groupName, $groupFilter);
$searchGroup = ldap_get_entries($ldapConn, ldap_search($ldapConn, $searchBase, $groupFilter[1], array("dn", "cn")));
$userFilter = '(memberof:1.2.840.113556.1.4.1941:=' . $searchGroup[0]["dn"] . ')';
$searchUser = ldap_get_entries($ldapConn, ldap_search($ldapConn, $searchBase, $userFilter, array("sAMAccountName")));
echo '<pre>';
print_r($groupFilter);
print_r($searchGroup);
print_r($searchUser);
echo '</pre>';
Sorry, I meant uncomment...
Umm...please, fill in the "groupName", because the script won't take care if this is unset, so it will fail
Ok.
Here is an excerpt from the output of the script obfuscated of course. This appears to be working.
96] => Array
(
[samaccountname] => Array
(
[count] => 1
[0] => firstname.lastname
)
[0] => samaccountname
[count] => 1
[dn] => CN=Firstname Lastname,OU=Application_Development,OU=Technical_Services,OU=Users,OU=EEE,DC=example,DC=net
Great!!, can you try out the latest commit?
Absolutely. I will report back. Thanks.
Here is what I have. What is different is Im not getting a "Wrong User/Pass" error anymore. I have also tried using without ldaps.
Config
'ldap_ads' => true,
'ldap_base' => 'DC=example,DC=net',
'ldap_bindpass' => 'somepass',
'ldap_binduser' => 'CN=ldapuser,OU=ServiceAccounts,OU=Central_IT,DC=example,DC=net',
'ldap_defaultgroup' => 2,
'ldap_defaultprofile' => 2,
'ldap_enabled' => true,
'ldap_group' => 'example', (((_Also tried full group DN here like in ldap.php_)))
'ldap_server' => 'ldaps://someip',
'ldap_userattr' => '',
Error On login
Error while searching group RDN
Group: (cn=Groupname)
LDAP FILTER: (cn=Groupname)
Test Error
696 2016-08-30 16:54:33 searchGroupDN ADMIN someip Error while searching group RDN
Group: (cn=Group)
LDAP ERROR: Operations error (1)
LDAP FILTER: (cn=Group)
Also. In ldap.php output and can see my tests user samaccountname as well. I have tries multiple users to be sure.
Regarding ldap.php, there are 3 lines that should output some info:
Outputs group filter (string): print_r($groupFilter);
Outputs the groups found (array): print_r($searchGroup);
Outputs the users found (array): print_r($searchUser);
Can you see those outputs?
All of the output I see is in the below format besides the first couple lines of course.
96] => Array
(
[samaccountname] => Array
(
[count] => 1
[0] => firstname.lastname
)
[0] => samaccountname
[count] => 1
[dn] => CN=Firstname Lastname,OU=Application_Development,OU=Technical_Services,OU=Users,OU=EEE,DC=example,DC=net
Can you give a try to the latest "ldap.php"?. I have just updated it with some modifications and useful comments. The important point is "Group Entries", that should list the group you're filtering on.
np. Will try now.
ldap.php
<?php
// Customization - Start
$ldapServer = 'someip';
$bindUser = 'CN=ldapuser,OU=ServiceAccounts,OU=Central_IT,DC=example,DC=net';
$bindPass = 'somepass';
$searchBase = 'DC=example,DC=net';
$groupName = 'CN=example,OU=Security,OU=Groups,OU=Central_IT,DC=example,DC=net'; // Please use DN syntax
// Customization - End
$ldapConn = @ldap_connect($ldapServer);
@ldap_set_option($ldapConn, LDAP_OPT_NETWORK_TIMEOUT, 10); // Set timeout
@ldap_set_option($ldapConn, LDAP_OPT_PROTOCOL_VERSION, 3); // Set LDAP version
@ldap_set_option($ldapConn, LDAP_OPT_REFERRALS, 0); // Uncomment if ADS
@ldap_bind($ldapConn, $bindUser, $bindPass);
preg_match('/^(cn=[\w\s-]+)(,.*)?$/i', $groupName, $groupFilter);
$searchGroup = ldap_get_entries($ldapConn, ldap_search($ldapConn, $searchBase, $groupName, array("dn", "cn")));
$searchGroup = ldap_get_entries($ldapConn, ldap_search($ldapConn, $searchBase, $groupFilter[1], array("dn", "cn")));
$userFilter = '(memberof:1.2.840.113556.1.4.1941:=' . $searchGroup[0]["dn"] . ')';
$searchUser = ldap_get_entries($ldapConn, ldap_search($ldapConn, $searchBase, $userFilter, array("sAMAccountName")));
echo '<pre>';
print_r('Group Filter (regex): ' . $groupFilter);
echo PHP_EOL;
print_r('Group Entries: ' . $searchGroup);
echo PHP_EOL;
print_r('User Filter: ' . $userFilter);
echo PHP_EOL;
print_r('User Entries: ' . $searchUser);
echo '</pre>';
Output
Group Filter (regex): Array
Group Entries: Array
User Filter: (memberof:1.2.840.113556.1.4.1941:=CN=example,OU=Security,OU=Groups,OU=Central_IT,DC=example,DC=net)
User Entries: Array
Ive also tried uncommenting line 16.
Sorry, I had a mistake so arrays weren't shown. Already updated...
One question, does your group include numbers?, Actually the allowed chars are: letters, "_", "-" and spaces.
No numbers
Output looks similar to the previous script. Anything specific I should be looking for? Also, it only works if I uncomment line 21.
Here is the output without uncommenting line 21.
## Group Filter (regex):
Array
(
[0] => CN=example,OU=Security,OU=Groups,OU=Central_IT,DC=example,DC=net
[1] => CN=example
[2] => ,OU=Security,OU=Groups,OU=Central_IT,DC=example,DC=net
)
## Group Entries:
Array
(
[count] => 0
)
## User Filter:
(memberof:1.2.840.113556.1.4.1941:=)## User Entries:
Array
(
[count] => 0
)
Please, set the group name without DN syntax, that is "example"
Ummm, it should be "cn=example"
Ok that works. I see the samaccount names now.
And group entries?
I see the group entries as well.
Is there more than one entry?
yes. 16.
## Group Filter (regex):
Array
(
[0] => CN=example
[1] => CN=example
)
## Group Entries:
Array
(
[count] => 16
[0] => Array
(
[cn] => Array
(
[count] => 1
[0] => example
)
[0] => cn
[count] => 1
[dn] => CN=example,OU=Security,OU=Groups,OU=Central_IT,DC=example,DC=net
)
[1] => Array
(
[cn] => Array
(
[count] => 1
[0] => example
)
[0] => cn
[count] => 1
[dn] => CN=example,CN=mail,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=net
)
[2] => Array
(
[cn] => Array
(
[count] => 1
[0] => example
)
[0] => cn
[count] => 1
[dn] => CN=example,CN=services,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=net
)
[3] => Array
(
[cn] => Array
(
[count] => 1
[0] => example
)
[0] => cn
[count] => 1
[dn] => CN=example,CN=ethers,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=net
)
[4] => Array
(
[cn] => Array
(
[count] => 1
[0] => example
)
[0] => cn
[count] => 1
[dn] => CN=example,CN=rpc,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=net
)
[5] => Array
(
[cn] => Array
(
[count] => 1
[0] => example
)
[0] => cn
[count] => 1
[dn] => CN=example,CN=netgroup,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=net
)
[6] => Array
(
[cn] => Array
(
[count] => 1
[0] => example
)
[0] => cn
[count] => 1
[dn] => CN=example,CN=bootparams,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=net
)
[7] => Array
(
[cn] => Array
(
[count] => 1
[0] => example
)
[0] => cn
[count] => 1
[dn] => CN=example,CN=networks,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=net
)
[8] => Array
(
[cn] => Array
(
[count] => 1
[0] => example
)
[0] => cn
[count] => 1
[dn] => CN=example,CN=netmasks,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=net
)
[9] => Array
(
[cn] => Array
(
[count] => 1
[0] => example
)
[0] => cn
[count] => 1
[dn] => CN=example,CN=hosts,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=net
)
[10] => Array
(
[cn] => Array
(
[count] => 1
[0] => example
)
[0] => cn
[count] => 1
[dn] => CN=example,CN=protocols,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=net
)
[11] => Array
(
[cn] => Array
(
[count] => 1
[0] => example
)
[0] => cn
[count] => 1
[dn] => CN=example,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=net
)
[12] => Array
(
[cn] => Array
(
[count] => 1
[0] => example
)
[0] => cn
[count] => 1
[dn] => CN=example,CN=group,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=net
)
[13] => Array
(
[cn] => Array
(
[count] => 1
[0] => example
)
[0] => cn
[count] => 1
[dn] => CN=example,CN=shadow,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=net
)
[14] => Array
(
[cn] => Array
(
[count] => 1
[0] => example
)
[0] => cn
[count] => 1
[dn] => CN=example,CN=passwd,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=net
)
[15] => Array
(
[cn] => Array
(
[count] => 1
[0] => example
)
[0] => cn
[count] => 1
[dn] => CN=example,CN=netid,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=net
Want me to give the latest commit a try?
Yes, but the app won't know which group to use, so it will pick the first one, because it searches for the group name, and not for the whole dn.
Can you create a new group to sign into sysPass?
If you want to allow to every user in those groups, it's not possible, because the application will have to iterate over each group and get if the user is in it (time consuming and server overhead). You can use group hierarchy to accomplish that instead, that is create a group for sysPass and then add all those groups to it.
Everything appears to be working now!!!
The test fails but im now able to log into syspass with the specified group.
Great!!
I greatly appreciate the patience and effort you put into fixing this.
I'm very glad that it now works fine.
Many thanks for your feedback and testing skills ;)