I've configured the LdapAuthentication plugin in my config.php file (I'll paste in a sanitized version of it below) but I'm having a weird issue whenever I log in as an AD user. I've confirmed with the AD admins that they're seeing successful login attempts on their end, but what happens on my install of Status.net is that as soon as I click the Login button, a blank page loads, with the address bar still showing /main/login. In addition, the user doesn't actually seem to be logged in at all, at least not as far as Status.net is concerned.
Any thoughts?
Here is the LDAP section from my config.php:
addPlugin('ldapAuthentication', array(
    'provider_name'=>'AD-new',
    'authoritative'=>false,
    'autoregistration'=>true,
    'binddn'=>'serviceaccount',
    'bindpw'=>'sapassword',
    'basedn'=>'DC=child,DC=domain,DC=edu',
    'host'=>array('first.domain.controller', 'second.domain.controller'),
    'password_encoding'=>'ad',
    'attributes'=>array(
        'username'=>'sAMAccountName',
        'nickname'=>'sAMAccountName',
        'email'=>'mail',
        'fullname'=>'displayName',
        'password'=>'unicodePwd')
));
Comments
blank page on login you say? nothing in the logs?
are your ldap user names valid statusnet usernames? [a-z 0-9]
And yes, blank page on login, seemingly without successfully logging in, at least as far as the app is concerned. On the AD side, it looks like a successful login was made.
Now this may be where I'm going wrong, I thought that if I had autoregistration set to true, that statusnet user accounts would be created at initial login via LDAP?
Just for testing, I created a statusnet account with the same username and password as an AD test user, and I get the same blank page result.
Is there a way to turn on any sort of debug logging? I'm not sure which logs you're asking about, but I'll take a look at them if you can point me in that direction.
Thanks!
PHP Fatal error: Call to a member function search() on a non-object in /var/www/html/statusnet/plugins/LdapAuthentication/LdapAuthenticationPlugin.php on line 212
Hmmm, I'll have to get back to you on this one. I don't think we have done enough testing on AD, only open-ldap...
//---utility functions---//
function ldap_get_config(){
    $config = array();
    $keys = array('host','port','version','starttls','binddn','bindpw','basedn','options','filter','scope');
    foreach($keys as $key){
        $value = $this->$key;
        if($value!==null){
            $config[$key]=$value;
        }
    }
    return $config; // <-- this is line 212
}
function ldap_get_user($username,$attributes=array(),$ldap=null){
    if($ldap==null) {
        $ldap = $this->ldap_get_connection();
    }
    $filter = Net_LDAP2_Filter::create($this->attributes['username'], 'equals', $username);
    $options = array(
        'attributes' => $attributes
    );
    $search = $ldap->search($this->basedn, $filter, $options);
    if (PEAR::isError($search)) {
        common_log(LOG_WARNING, 'Error while getting DN for user: '.$search->getMessage());
        return false;
    }
which version is yours?
0.9.1 just came out, I might try that to start.
though there may actually just be some bugs in AD, I wish I had a setup I could test on.
candrews: Hmm, the line numbers don't match with 0.9.1
foucault: yeah...
foucault: okay let's leave it at "time to upgrade" :)
candrews: http://gitorious.org/statusnet/mainline/blobs/980d1a66ec0bb5b42ddb39e253fba9bad1b41aca/plugins/LdapAuthentication/LdapAuthenticationPlugin.php#line212
There's the line where he gets an error
so $ldap isn't defined at that point....
I re-did how this works for 0.9.1 - so I bet that whatever issue he has is probably solved in that version.
@mikestanley, I also ran into an issue not entirely dissimilar to the one you reported... in that case I was connecting to a parent level domain to validate a child level domain user, for example:
--> company.corp
--> -->na.company.corp
--> --> --> Users
--> --> --> --> Bob T. User
My config pointed to company.corp and I could query for that user using an LDAP browser. However I got an error similar to yours from Status.Net. When I reconfigured my app to point to na.company.corp it worked great. Again, this may be something completely unrelated to what you are working on, but I thought I would offer it in case it helps.
Here is my config for the statusnet LDAP plugin:
addPlugin('ldapAuthentication', array(
    'provider_name'=>'somecompany',
    'authoritative'=>true,
    'autoregistration'=>true,
    'password_changeable'=>false,
    'email_changeable'=>false,
    'binddn'=>'admin@somecompany.com',
    'bindpw'=>'password',
    'basedn'=>'DC=somecompany,DC=com',
    'host'=>array('10.xxx.xx.xx'),
    //'password_encoding'=>'ad',
    //'scope'=>'sub',
    'attributes'=>array(
        'username'=>'sAMAccountName',
        'nickname'=>'sAMAccountName',
        'email'=>'mail',
        // 'password'=>'unicodePwd'
        'fullname'=>'name')
));
I have used 'name' since the displayName contained special characters and I read a post somewhere saying it could be a problem. The 'name' field contains a-zA-Z characters only.
I cannot find any errors related to ldap in the apache/php logs... am I missing any other ones?
I am able to browse the ldap directory using a standalone ldap browser and the correct binddn/bindpw/basedn/host.
Can someone kindly help me out?
uncommenting //'password_encoding'=>'ad' and //'scope'=>'sub' doesn't help
'fullname'=>'displayName' or 'fullname'=>'sAMAccountName' doesn't work either
still get the blank screen after a while...
the only error I get in the apache log on trying to log in is:
File does not exist: D:/wamp/www/favicon.ico
An important error occured, probably related to email setup. Check logfiles for more info..
I used different accounts that are all email enabled but still get the same error.
Here is my configuration....
addPlugin('ldapAuthentication', array(
    'provider_name'=>'domain',
    'authoritative'=>true,
    'autoregistration'=>true,
    'password_changeable'=>false,
    'email_changeable'=>false,
    'binddn'=>'CN="LDAP User",CN="Users",DC="domain",DC="gr"',
    'bindpw'=>'password',
    'basedn'=>'OU=Users,OU=Corporate,DC=domain,DC=gr',
    'host'=>array('srv1.domain.gr', 'srv2.domain.gr'),
    'password_encoding'=>'ad',
    'attributes'=>array(
        'username'=>'sAMAccountName',
        'nickname'=>'sAMAccountName',
        'email'=>'mail',
        'fullname'=>'displayName',
        'password'=>'unicodePwd')
));
Can someone help please?
I'll report here when it is.
addPlugin('ldapAuthentication', array(
    'provider_name'=>'ldap',
    'authoritative'=>true,
    'autoregistration'=>true,
    'password_changeable'=>false,
    'email_changeable'=>false,
    'version'=>'2',
    'basedn'=>'dc=somesubdomain,dc=somehostname,dc=com',
    'host'=>array('somehostname.com'),
    'attributes'=>array(
        'username'=>'uid',
        'nickname'=>'uid',
        'email'=>'mail',
        'fullname'=>'description')
));
Uncomment the line: extension=php_ldap.dll
I installed PHP using XAMPP for the record. And I was getting the blank page after attempted login.
The error is:
Could not connect to LDAP server: Bind failed: Inappropriate authentication: LDAP_INAPPROPRIATE_AUTH
addPlugin('ldapAuthentication', array(
    'provider_name'=>'ldap',
    'authoritative'=>true,
    'autoregistration'=>true,
    'password_changeable'=>false,
    'binddn'=>'ou=ZIV0,ou=Applications,dc=fg,dc=rbc,dc=com',
    'bindpw'=>'xxxx',
    'basedn'=>'Ou=People,dc=fg,dc=rbc,dc=com',
    'host'=>'globdev.saifg.rbc.com',
    'scope'=>'sub',
    'attributes'=>array(
        'username'=>'employeeNumber',
        'nickname'=>'employeeNumber',
        'email'=>'mail',
        'fullname'=>'displayName',
)));
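
Added example, not part of the thread or of the StatusNet code base: a stand-alone command-line check that runs the extension, connect, StartTLS, bind and search steps discussed above and prints the LDAP error at each one, instead of failing to a blank page. It uses PHP's built-in ldap_* functions rather than Net_LDAP2, and every host, DN and credential in it is a placeholder.

```php
<?php
// Added diagnostic, not StatusNet code. All values below are placeholders.
$cfg = array(
    'host'     => array('dc1.example.org', 'dc2.example.org'),
    'version'  => 3,
    'starttls' => true,   // protects the bind password in transit
    'binddn'   => 'serviceaccount@example.org',
    'bindpw'   => 'changeme',
    'basedn'   => 'DC=child,DC=example,DC=org',
    'userattr' => 'sAMAccountName',
);
$username = isset($argv[1]) ? $argv[1] : 'testuser';
// One poster's blank page came from php_ldap being commented out in php.ini.
if (!extension_loaded('ldap')) {
    fwrite(STDERR, "FAIL: PHP ldap extension is not loaded\n");
    exit(1);
}
// The thread asks whether LDAP user names are valid nicknames ([a-z0-9]).
if (!preg_match('/^[a-z0-9]+$/', $username)) {
    echo "WARN: '$username' contains characters outside [a-z0-9]\n";
}
foreach ($cfg['host'] as $host) {
    // ldap_connect() only builds a handle; the network is touched later.
    $conn = ldap_connect('ldap://' . $host);
    if ($conn === false) {
        echo "FAIL: $host: could not create connection handle\n";
        continue;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, $cfg['version']);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);
    if ($cfg['starttls'] && !@ldap_start_tls($conn)) {
        echo "FAIL: $host: starttls: " . ldap_error($conn) . "\n";
        continue;
    }
    // Check every result before using it, so a failed bind is reported
    // here rather than surfacing as a call on a non-object later.
    if (!@ldap_bind($conn, $cfg['binddn'], $cfg['bindpw'])) {
        echo "FAIL: $host: bind: " . ldap_error($conn) . "\n";
        continue;
    }
    $filter = '(' . $cfg['userattr'] . '=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $res = @ldap_search($conn, $cfg['basedn'], $filter, array('mail', 'displayName'));
    if ($res === false) {
        echo "FAIL: $host: search: " . ldap_error($conn) . "\n";
        continue;
    }
    echo "OK: $host: " . ldap_count_entries($conn, $res) . " entries for $filter\n";
    ldap_unbind($conn);
}
```

Run it as `php ldapcheck.php someuser` (the file name is arbitrary) from the web server host, so it sees the same php.ini and network path as StatusNet.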