Hello,
I had ldap logins working against our directory and a couple weeks ago I upgraded to 3.0.0.8, and now when trying to log in with ldap credentials it says "bad username or password". I can still log in with my local admin account. I have verified the ldap settings are still in mailscanner/conf.php post upgrade.
I am trying to find a log file that may give me more details about the login failures, but I don't see anything in /var/log/messages or /var/log/maillog.
Where are log files I need to check?
Thanks,
Aaron
ldap logins fail after 3.0.0.8 upgrade
Re: ldap logins fail after 3.0.0.8 upgrade
Hi
Any information in /var/log/httpd/...?
Re: ldap logins fail after 3.0.0.8 upgrade
Ah, a few clues. Found these lines in /var/log/httpd/ssl_error_log
[Tue Aug 04 10:24:27 2015] [error] [client 10.100.31.250] PHP Notice: Undefined offset: 0 in /var/www/html/mailscanner/functions.php on line 2347, referer: https://.org/mailscanner/login.php
[Tue Aug 04 10:24:32 2015] [error] [client 10.100.31.250] PHP Notice: Undefined offset: 0 in /var/www/html/mailscanner/functions.php on line 2347, referer: https://.org/mailscanner/login.php?error=baduser
Here is relevant portion of functions.php
2346 $result = ldap_get_entries($ds, $r) or die ("Could not get entries");
2347 if ($result[0]) {
2348 $USER = $result[0]['userprincipalname']['0'];
2349 if (ldap_bind($ds, $USER, "$PASS")) {
2350 if (isset ($result[0][LDAP_EMAIL_FIELD])) {
2351 foreach ($result[0][LDAP_EMAIL_FIELD] as $email) {
2352 if (substr($email, 0, 4) == "SMTP") {
2353 $email = strtolower(substr($email, 5));
2354 break;
2355 }
Last edited by azuercher on 14 Sep 2015 15:38, edited 1 time in total.
Re: ldap logins fail after 3.0.0.8 upgrade
Looks like the same "function ldap_authenticate($USER, $PASS)" in my older functions.php, so I bet there is no problem with the function but a problem with your configuration/ldap connection/certificate...
Break the problem down. Does LDAP work correctly? An LDAP browser could help.
Re: ldap logins fail after 3.0.0.8 upgrade
Dan,
I suspected LDAP as well as I did server upgrades earlier in the summer. However, when I did a ldapsearch from the command line it connected and showed search results. Perhaps I need to verify SSL. Let me see if there is an option to force ssl with ldapsearch.
Aaron
Re: ldap logins fail after 3.0.0.8 upgrade
Hello all,
I finally had time to work on this after our back-to-school rush. I updated certificates and verified I could ldapsearch from console. However I could still not log in to the web interface with ldap accounts. Next I started a DSTrace on my Novell server and discovered that the login request was formatted for Microsoft AD. Here is a sample:
11:07:34 20449700 LDAP: DoSearch on connection 0xf3f9880
11:07:34 20449700 LDAP: Search request:
base: "ou=staff,o=dist86"
scope:2 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
filter: "(sAMAccountName=zuerchera)"
no attributes
sAMAccountName is not valid in Novell eDirectory. A quick search of functions.php found the code on line 2343 and I removed the sAMAccountName and replaced it with cn. After that change was made I can now log in with ldap again. Hopefully this will help others who run into this problem on the next update.
Thanks!
Aaron
shawniverson
Re: ldap logins fail after 3.0.0.8 upgrade
I know this is a little late, but,... windows guy (see bottom for quick answer)
I fought through the LDAP login for a long while, and ultimately found the errors in the /var/log/httpd/ssl_error_log which look like junk...
[error] [client ser.ver.ip.add] PHP Notice: Uninitialized string offset: 0 in /var/www/html/mailscanner/functions.php on line 3035, referer: https://myserver/mailscanner/login.php?error=baduser
[error] [client ser.ver.ip.add] PHP Notice: Uninitialized string offset: -1 in /var/www/html/mailscanner/functions.php on line 3038, referer: https://myserver/mailscanner/login.php?error=baduser
[error] [client ser.ver.ip.add] ModSecurity: Access denied with code 403 (phase 1). Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "PROPFIND"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "myserver"] [uri "/"] [unique_id "WRUJesCoJBAAAAo6IpkAAAAF"]
...but which directed me to /var/www/html/mailscanner/functions.php - line 3035
3033 // Encode leading/trailing spaces if LDAP_ESCAPE_DN is passed
3034 if ($flags & LDAP_ESCAPE_DN) {
3035 if ($result[0] === ' ') {
3036 $result = '\\20' . substr($result, 1);
3037 }
3038 if ($result[strlen($result) - 1] === ' ') {
3039 $result = substr($result, 0, -1) . '\\20';
Not a ton of help...
...but it seemed to be referring to the characters passed in the username/password
So... being primarily a "Windows Guy", I recognized that I'd been trying for hours with 'username', and with 'DOMAIN\username'... and that it has been working for my user, but that is administrative and has a similar local account. Finally, I tried 'username@domain.ours' for the username of a standard user and Voila!... it worked for me.
Man... that was a pain for me and I'm certainly no 'noob', but I'm walking on water I have only had brief interludes with over the past 25 years.
Basic issue: I was trying 'username' and 'DOMAIN\username' to log into web interface, but needed to be using "username@domain.ours" for universal success.
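Both failures in this thread come down to the same two things: a search filter hard-wired to sAMAccountName (wrong for eDirectory, and wrong for users who log in as username@domain), and code that indexes `$result[0]` or `$result[0] === ' '` without first checking that there is anything at index 0. The helper below is an added example written for this thread, not MailScanner/MailWatch code; it assumes PHP 5.6+ (built-in `ldap_escape`) and the hypothetical names `LDAP_LOGIN_ATTR`, `filter_escape` and `ldap_login`.

```php
<?php
// Set to 'sAMAccountName' for Active Directory, 'cn' for Novell eDirectory,
// or 'userPrincipalName' when users log in as username@domain (hypothetical constant).
const LDAP_LOGIN_ATTR = 'cn';

// Escape a value for use inside an LDAP search filter (RFC 4515).
// Returning early on '' avoids the "Uninitialized string offset" notices
// that the hand-rolled escape function at lines 3035/3038 produces.
function filter_escape(string $value): string
{
    if ($value === '') {
        return '';
    }
    return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
}

// Returns the bound user's DN on success, or a string starting with "fail:"
// so the caller can log *why* the login was rejected instead of a bare "baduser".
// $bind_dn/$bind_pw are an optional service account used for the lookup search.
function ldap_login(string $host, string $base, string $user, string $pass,
                    ?string $bind_dn = null, ?string $bind_pw = null): string
{
    // An empty password must never reach ldap_bind: it becomes an anonymous bind.
    if ($user === '' || $pass === '') {
        return 'fail: empty username or password';
    }
    $ds = ldap_connect($host);
    if ($ds === false) {
        return 'fail: ldap_connect';
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); // AD returns referrals otherwise
    if (!@ldap_bind($ds, $bind_dn, $bind_pw)) {  // null/null = anonymous lookup bind
        return 'fail: lookup bind: ' . ldap_error($ds);
    }
    $filter = '(' . LDAP_LOGIN_ATTR . '=' . filter_escape($user) . ')';
    $sr = ldap_search($ds, $base, $filter, ['dn']);
    if ($sr === false) {
        return 'fail: search error: ' . ldap_error($ds);
    }
    $entries = ldap_get_entries($ds, $sr);
    // Check 'count' before touching [0]: a no-match result has no index 0,
    // which is exactly the "Undefined offset: 0" notice on line 2347 above.
    if ($entries === false || $entries['count'] === 0) {
        return 'fail: no entry matched ' . $filter . ' under ' . $base;
    }
    $dn = $entries[0]['dn'];
    if (!@ldap_bind($ds, $dn, $pass)) {
        return 'fail: bind as ' . $dn . ': ' . ldap_error($ds);
    }
    return $dn;
}
```

Logging the returned "fail:" string to the web server error log turns the generic "bad username or password" into the filter, base and bind DN that were actually used, which is what the DSTrace above had to be run to discover.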