[Problem] Active Directory integration

Questions and answers about how to do stuff
Chriss
Posts: 2
Joined: 08 May 2017 06:07

[Problem] Active Directory integration

Post by Chriss »

Hey guys,
after running EFA (Version EFA-3.0.2.2) for some months I wanted to go a step further and authenticate the website against my Server 2016 ADDS.
I followed the guides at viewtopic.php?f=14&t=1484 and https://raw.githubusercontent.com/E-F-A ... LEASENOTES.
Here are the modifications I made:
conf.php

Code:

// LDAP settings for authentication
define('USE_LDAP', true);
define('LDAP_SSL', false); 
define('LDAP_HOST', '192.168.1.30');
define('LDAP_PORT', '389');
define('LDAP_DN', 'DC=my-real-domain,DC=eu');
define('LDAP_USER', 'cn=ldap,cn=users,dc=my-real-domain,dc=eu'); 
define('LDAP_PASS', 'Super-secure-Password');
define('LDAP_SITE', 'Default-First-Site-Name');
define('LDAP_FILTER', 'sAMAccountName=%s'); 
define('LDAP_PROTOCOL_VERSION', 3);
define('LDAP_EMAIL_FIELD', 'mail');
define('LDAP_USERNAME_FIELD', 'userprincipalname');
define('LDAP_MS_AD_COMPATIBILITY', true);
in functions.php

Code:

function ldap_authenticate($username, $password)
{
    $username = ldap_escape(strtolower($username), '', LDAP_ESCAPE_DN);
    if ($username !== '' && $password !== '') {
        // the connection handle has to exist before options can be set on it
        $ds = ldap_connect(LDAP_HOST, LDAP_PORT) or die(__('ldpaauth103') . ' ' . LDAP_HOST);
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);        // as found in release notes
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // as found in release notes
Now the problem: I can't successfully log in with my ADDS username (wrong username or password); the funny part is that I tcpdump'ed the communication between EFA and my DC with the following result:

.30 = adds
.38 = efa

Code:

4	0.000470	192.168.1.38	192.168.1.30	LDAP	124	bindRequest(1) "cn=ldap,cn=users,dc=my-real-domain,dc=eu" simple 
5	0.002222	192.168.1.30	192.168.1.38	LDAP	88	bindResponse(1) success 
7	0.002339	192.168.1.38	192.168.1.30	LDAP	150	searchRequest(2) "DC=my-real-domain,DC=eu" wholeSubtree 
17	0.014419	192.168.1.30	192.168.1.38	LDAP	880	searchResEntry(2) "CN=my.adlogin,OU=users,DC=my-real-domain,DC=eu" 
18	0.015271	192.168.1.38	192.168.1.30	LDAP	124	bindRequest(3) "my.adlogin@my-real-domain.eu" simple 
19	0.017125	192.168.1.30	192.168.1.38	LDAP	88	bindResponse(3) success 
20	0.017615	192.168.1.38	192.168.1.30	LDAP	73	unbindRequest(4) 
If you ask me it should work... do you have any idea how to go deeper in troubleshooting, or maybe you had the same problem and have a solution for me?

Greetings

Chriss
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: [Problem] Active Directory integration

Post by shawniverson »

These two lines should not be present since define('LDAP_MS_AD_COMPATIBILITY', true) takes care of this now. (although they shouldn't cause any problems, either)

Code:

ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);			// as found in release notes
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);	// as found in release notes
Chriss
Posts: 2
Joined: 08 May 2017 06:07

Re: [Problem] Active Directory integration

Post by Chriss »

Hey shawniverson,

removed the two lines and tested again: same phenomenon, the Wireshark trace says bindResponse success but the webpage says username or password wrong. :-(
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: [Problem] Active Directory integration

Post by shawniverson »

The bind is successful, so it is likely that the lookup itself after the bind is returning no matching results.

The problem is here...

Code:

define('LDAP_USERNAME_FIELD', 'userprincipalname');
This is combined with the following by default:

Code:

define('LDAP_BIND_PREFIX', 'cn=');
define('LDAP_BIND_SUFFIX', ',' . LDAP_DN);
define('LDAP_FILTER', 'sAMAccountName=%s'); 
Which doesn't make any sense, because the userPrincipalName in the cn field will surely fail.

Looking at the MailWatch code, it is clear that the LDAP_USERNAME_FIELD is not the username entered into the login interface, but rather the results returned by LDAP. Since the filter is sAMAccountName, it should be the cn or sAMAccountName in your case, not userPrincipalName.

Code:

define('LDAP_USERNAME_FIELD', 'cn');
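The two-step flow shawniverson describes (service bind, lookup by sAMAccountName, user bind), as an added example written against PHP's ldap_* functions; it is not MailWatch or EFA code. The constant names mirror the thread's conf.php, while ad_authenticate, LDAP_UPN_SUFFIX, the constructed host and domain values and the returned array are this example's own assumptions.

```php
<?php
// Added example (not MailWatch/EFA code). Constructed values; LDAP_UPN_SUFFIX is an assumption.
define('LDAP_HOST', '192.168.1.30');
define('LDAP_DN', 'DC=example,DC=eu');
define('LDAP_USER', 'cn=ldap,cn=users,dc=example,dc=eu');
define('LDAP_PASS', 'service-account-password');
define('LDAP_FILTER', 'sAMAccountName=%s');
define('LDAP_EMAIL_FIELD', 'mail');
define('LDAP_USERNAME_FIELD', 'cn');        // 'userprincipalname' here reproduces the thread's failure
define('LDAP_UPN_SUFFIX', '@example.eu');   // assumed suffix for the user bind when no UPN is returned

function ad_authenticate(string $login, string $password): ?array
{
    if ($login === '' || $password === '') {
        return null;   // a simple bind with an empty password is an anonymous bind and "succeeds"
    }
    $ds = ldap_connect('ldap://' . LDAP_HOST . ':389');
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // AD returns referrals to other partitions; do not chase them

    // Step 1: bind as the service account (bindRequest(1) in the trace).
    if (!@ldap_bind($ds, LDAP_USER, LDAP_PASS)) {
        return null;
    }
    // Step 2: look the typed name up. The value lands in a search filter, so it
    // gets filter escaping (LDAP_ESCAPE_FILTER), not DN escaping.
    $filter  = '(' . sprintf(LDAP_FILTER, ldap_escape(strtolower($login), '', LDAP_ESCAPE_FILTER)) . ')';
    $sr      = ldap_search($ds, LDAP_DN, $filter, [LDAP_USERNAME_FIELD, LDAP_EMAIL_FIELD, 'userPrincipalName']);
    $entries = ldap_get_entries($ds, $sr);   // attribute names come back lower-cased
    if ($entries['count'] !== 1) {
        ldap_unbind($ds);
        return null;                         // zero or ambiguous matches: refuse the login
    }
    $entry = $entries[0];
    // Step 3: bind as the user with the UPN (bindRequest(3)); this is what proves the password.
    $upn = $entry['userprincipalname'][0] ?? (strtolower($login) . LDAP_UPN_SUFFIX);
    $ok  = @ldap_bind($ds, $upn, $password);
    ldap_unbind($ds);
    if (!$ok) {
        return null;
    }
    // The application keeps the attribute named by LDAP_USERNAME_FIELD as the user name.
    // With 'cn' that is "my.adlogin"; with 'userprincipalname' it would be
    // "my.adlogin@example.eu", which no longer equals the login that was typed.
    return [
        'username' => $entry[strtolower(LDAP_USERNAME_FIELD)][0] ?? null,
        'email'    => $entry[strtolower(LDAP_EMAIL_FIELD)][0] ?? null,
    ];
}
```

A successful call yields the same three LDAP operations seen in the trace above (service bind, subtree search, user bind), so comparing the returned 'username' with what was typed is the check that distinguishes the two field settings.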
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: [Problem] Active Directory integration

Post by pdwalker »

Now if only we had forum antispam like we have for mail.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: [Problem] Active Directory integration

Post by shawniverson »

Get to work on that please :D , I think this spammer is the same person and keeps creating new accounts, very annoying....
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: [Problem] Active Directory integration

Post by pdwalker »

Does anyone have any recommendations on how we can debug this?

If I could see the requests sent, and the replies received, I'll be better able to figure out what is going wrong rather than making random changes and hoping it'll work.
smyers119
Posts: 108
Joined: 29 Nov 2019 11:36

Re: [Problem] Active Directory integration

Post by smyers119 »

Are you able to manually do the lookup with "ldapsearch" and return a successful result? This works fine for me on 4.0.2. I am even using SSL.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: [Problem] Active Directory integration

Post by pdwalker »

Yes, I can. ldapsearch works fine. I can query and see everything I expect to see.

Code:

ldapsearch -x -h <server> -D <username> -w <password> -b "dc=<domain>,dc=local"  "(objectclass=user)"
[Edit]
Solved.

Here are the settings I used to make it work:

Code:

define('USE_LDAP', true);
define('LDAP_SSL', false);
define('LDAP_HOST', '<my ldap server>');
define('LDAP_PORT', '389');
define('LDAP_DN', 'DC=<my domain>,DC=local');
define('LDAP_USER', '<a user>'); 
define('LDAP_PASS', '<a user password>');
define('LDAP_FILTER', 'sAMAccountName=%s'); 
define('LDAP_PROTOCOL_VERSION', 3);
define('LDAP_EMAIL_FIELD', 'mail');
define('LDAP_MS_AD_COMPATIBILITY', true);
And this is where I was going wrong. I thought the LDAP_USERNAME_FIELD should have been "samaccountname" but apparently it needed to be set to "cn". Once I changed that, everything worked. I have no idea why.

Code:

//define('LDAP_USERNAME_FIELD', 'samaccountname');
define('LDAP_USERNAME_FIELD', 'cn');
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: [Problem] Active Directory integration

Post by shawniverson »

That actually does make sense. The problem is that LDAP_USERNAME_FIELD is a little misleading as a setting....

cn (Active Directory)
uid (OpenLDAP)