[Problem] Active Directory integration

Posted: 08 May 2017 06:27
by Chriss
Hey guys,
after running EFA (Version EFA-3.0.2.2) for some months, I wanted to go a step further and authenticate the website against my Server 2016 ADDS.
Followed the given guides at viewtopic.php?f=14&t=1484 and https://raw.githubusercontent.com/E-F-A ... LEASENOTES.
Here are the modifications I made:
conf.php

Code:

// LDAP settings for authentication
define('USE_LDAP', true);
define('LDAP_SSL', false); 
define('LDAP_HOST', '192.168.1.30');
define('LDAP_PORT', '389');
define('LDAP_DN', 'DC=my-real-domain,DC=eu');
define('LDAP_USER', 'cn=ldap,cn=users,dc=my-real-domain,dc=eu'); 
define('LDAP_PASS', 'Super-secure-Password');
define('LDAP_SITE', 'Default-First-Site-Name');
define('LDAP_FILTER', 'sAMAccountName=%s'); 
define('LDAP_PROTOCOL_VERSION', 3);
define('LDAP_EMAIL_FIELD', 'mail');
define('LDAP_USERNAME_FIELD', 'userprincipalname');
define('LDAP_MS_AD_COMPATIBILITY', true);
in functions.php

Code:

function ldap_authenticate($username, $password)
{
    $username = ldap_escape(strtolower($username), '', LDAP_ESCAPE_DN);
    if ($username !== '' && $password !== '') {
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);			// as found in release notes
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);	// as found in release notes
        $ds = ldap_connect(LDAP_HOST, LDAP_PORT) or die(__('ldpaauth103') . ' ' . LDAP_HOST);
Now the problem: I can't successfully log in with my ADDS username (wrong username or password); the funny part is that I tcpdumped the communication between EFA and my DC with the following result:

.30 = adds
.38 = efa

Code:

4	0.000470	192.168.1.38	192.168.1.30	LDAP	124	bindRequest(1) "cn=ldap,cn=users,dc=my-real-domain,dc=eu" simple 
5	0.002222	192.168.1.30	192.168.1.38	LDAP	88	bindResponse(1) success 
7	0.002339	192.168.1.38	192.168.1.30	LDAP	150	searchRequest(2) "DC=my-real-domain,DC=eu" wholeSubtree 
17	0.014419	192.168.1.30	192.168.1.38	LDAP	880	searchResEntry(2) "CN=my.adlogin,OU=users,DC=my-real-domain,DC=eu" 
18	0.015271	192.168.1.38	192.168.1.30	LDAP	124	bindRequest(3) "my.adlogin@my-real-domain.eu" simple 
19	0.017125	192.168.1.30	192.168.1.38	LDAP	88	bindResponse(3) success 
20	0.017615	192.168.1.38	192.168.1.30	LDAP	73	unbindRequest(4) 
If you ask me, it should work... Do you have any idea how to go deeper in troubleshooting, or maybe you had the same problem and have a solution for me?

Greetings

Chriss

Re: [Problem] Active Directory integration

Posted: 14 May 2017 13:18
by shawniverson
These two lines should not be present since define('LDAP_MS_AD_COMPATIBILITY', true) takes care of this now. (although they shouldn't cause any problems, either)

Code:

ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);			// as found in release notes
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);	// as found in release notes

Re: [Problem] Active Directory integration

Posted: 15 May 2017 06:10
by Chriss
Hey shawniverson,

removed the two lines and tested again: same phenomenon, the Wireshark trace says bindResponse success but the webpage says username or password wrong. :-(

Re: [Problem] Active Directory integration

Posted: 16 May 2017 09:01
by shawniverson
The bind is successful, so it is likely that the lookup itself after the bind is returning no matching results.

The problem is here...

Code:

define('LDAP_USERNAME_FIELD', 'userprincipalname');
This is combined with the following by default:

Code:

define('LDAP_BIND_PREFIX', 'cn=');
define('LDAP_BIND_SUFFIX', ',' . LDAP_DN);
define('LDAP_FILTER', 'sAMAccountName=%s'); 
Which doesn't make any sense, because the userPrincipalName in the cn field will surely fail.

Looking at the MailWatch code, it is clear that the LDAP_USERNAME_FIELD is not the username entered into the login interface, but rather the result returned by LDAP. Since the filter is sAMAccountName, it should be the cn or sAMAccountName in your case, not userPrincipalName.

Code:

define('LDAP_USERNAME_FIELD', 'cn');
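
An added offline walk-through of the lookup step described above (example code written for this page, not MailWatch's own code): a constructed in-memory entry modelled on the searchResEntry in the trace, the LDAP_FILTER substitution with RFC 4515 escaping of the typed login, and what each candidate LDAP_USERNAME_FIELD hands back from the matching entry. It assumes the application reads that attribute from the search result with attribute names lowercased, as PHP's ldap_get_entries() returns them.

```python
import re

# Constructed sample directory (no network); the single entry mirrors the
# searchResEntry seen in the Wireshark trace in the first post.
DIRECTORY = [
    {
        "dn": "CN=my.adlogin,OU=users,DC=my-real-domain,DC=eu",
        "cn": "my.adlogin",
        "samaccountname": "my.adlogin",
        "userprincipalname": "my.adlogin@my-real-domain.eu",
        "mail": "my.adlogin@my-real-domain.eu",
    },
]


def escape_filter_value(value):
    """RFC 4515 escaping for the %s substituted into LDAP_FILTER, so a login
    name containing '*' or parentheses cannot widen the search."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def build_filter(ldap_filter, login):
    """Turn 'sAMAccountName=%s' plus the typed login into the wire filter."""
    return "(" + ldap_filter.replace("%s", escape_filter_value(login)) + ")"


def lookup_username(login, username_field, ldap_filter="sAMAccountName=%s"):
    """Search on LDAP_FILTER, then read LDAP_USERNAME_FIELD from the matching
    entry (assumed behaviour; attribute names compared lowercased)."""
    attr = ldap_filter.split("=", 1)[0].lower()
    for entry in DIRECTORY:
        if entry.get(attr, "").lower() == login.lower():
            return entry.get(username_field.lower())
    return None  # no matching entry: the case suspected in the post above


def compare_fields(login):
    """What each candidate LDAP_USERNAME_FIELD returns for one typed login."""
    return {field: lookup_username(login, field)
            for field in ("cn", "samaccountname", "userprincipalname")}


if __name__ == "__main__":
    print(build_filter("sAMAccountName=%s", "my.adlogin"))
    for field, value in compare_fields("my.adlogin").items():
        print(f"LDAP_USERNAME_FIELD={field:<18} -> {value}")
```

Run it to see that cn and samaccountname both return the name typed at login while userprincipalname returns the UPN, which is the value the application then carries on with.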

Re: [Problem] Active Directory integration

Posted: 24 May 2017 06:09
by pdwalker
Now if only we had forum antispam like we have for mail.

Re: [Problem] Active Directory integration

Posted: 24 May 2017 09:31
by shawniverson
Get to work on that please :D , I think this spammer is the same person and keeps creating new accounts, very annoying....

Re: [Problem] Active Directory integration

Posted: 12 Jun 2020 04:31
by pdwalker
Does anyone have any recommendations on how we can debug this?

If I could see the requests sent, and the replies received, I'll be better able to figure out what is going wrong rather than making random changes and hoping it'll work.

Re: [Problem] Active Directory integration

Posted: 12 Jun 2020 18:48
by smyers119
Are you able to manually do the lookup with "ldapsearch" and return a successful result? This works fine for me on 4.0.2. I am even using SSL.

Re: [Problem] Active Directory integration

Posted: 13 Jun 2020 05:18
by pdwalker
Yes, I can. ldapsearch works fine. I can query and see everything I expect to see.

Code:

ldapsearch -x -h <server> -D <username> -w <password> -b "dc=<domain>,dc=local"  "(objectclass=user)"
[Edit]
Solved.

Here are the settings I used to make it work:

Code:

define('USE_LDAP', true);
define('LDAP_SSL', false);
define('LDAP_HOST', '<my ldap server>');
define('LDAP_PORT', '389');
define('LDAP_DN', 'DC=<my domain>,DC=local');
define('LDAP_USER', '<a user>'); 
define('LDAP_PASS', '<a user password>');
define('LDAP_FILTER', 'sAMAccountName=%s'); 
define('LDAP_PROTOCOL_VERSION', 3);
define('LDAP_EMAIL_FIELD', 'mail');
define('LDAP_MS_AD_COMPATIBILITY', true);
And this is where I was going wrong. I thought the LDAP_USERNAME_FIELD should have been "samaccountname" but apparently it needed to be set to "cn". Once I changed that, everything worked. I have no idea why.

Code:

//define('LDAP_USERNAME_FIELD', 'samaccountname');
define('LDAP_USERNAME_FIELD', 'cn');

Re: [Problem] Active Directory integration

Posted: 19 Jun 2020 18:24
by shawniverson
That actually does make sense. The problem is that LDAP_USERNAME_FIELD is a little misleading as a setting....

cn (Active Directory)
uid (OpenLDAP)