Hi all,
We are running a production GLPI version 0.72.3 on a Windows 2008 R2 machine with Xampp (OCSNG install version 2.1).
We want to upgrade to 0.83.0.
On a test machine we did the upgrade but lost the authentication to our ldap server. Mind you, the connection is OK and a testscript will get info from the LDAP server. So the problem must be in GLPI.
We did an upgrade in steps and found that the authentication was lost with the upgrade to 0.78.0 (reproducible).
I hope someone has a solution for this. I read some comments on ldap on the forum but my knowledge of French is not as elaborate as I would wish. ;-)
Thanks for any suggestions, Regards Bert
Our system:
OS Windows 2008 R2
Apache Version Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.3.4 mod_perl/2.0.4 Perl/v5.10.1
Apache API Version 20051115
PHP Version 5.3.5
Xampp version 1.7.4
LDAP Support enabled
RCS Version $Id: ldap.c 299434 2010-05-17 20:09:42Z pajoye $
Total Links 0/unlimited
API Version 3001
Vendor Name OpenLDAP
Vendor Version 20319
hello
can you post GLPI LDAP configuration here please ?
Hi,
ldap.conf is in the root of the server.
c:\ldap.conf:
TLS_REQCERT never
In GLPI:
LDAP
Name ldaps://ldap.ru.nl Internal server ID *1*
Server ldaps://ldap.ru.nl LDAP Port (default=389) 636
Basedn ou=users,o=ru,c=nl rootdn (for non anonymous binds)
Pass (for non-anonymous binds) Login Field uid
Connection filter
Use TLS NO Time zone GMT +1
How LDAP aliases should be handled
Belonging to groups
Search type User attribute containing its groups
Filter to search in groups Group attribute containing its users
Use DN in the search YES
GLPI/LDAP Links
Surname commonname First name
Comments E-Mail rumail
Phone telephonenumber Phone 2
Mobile Title
Category Select Language
Is this what you're looking for?
Regards Bert
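An added check for the client ldap.conf quoted in the post above (not code from the thread or from GLPI): TLS_REQCERT never tells the OpenLDAP client library not to verify the server certificate, so the ldaps:// connection is encrypted but the server's identity is not checked. The sketch below flags such levels in an ldap.conf; the function name, the hardened sample and its CA path are constructed for illustration.

```python
# Constructed sample: the client setting shown in the post above.
SAMPLE_LDAP_CONF = """\
# c:\\ldap.conf (constructed copy of the setting shown in the post)
TLS_REQCERT never
"""

# Constructed hardened counterpart; the CA bundle path is a placeholder.
HARDENED_LDAP_CONF = """\
TLS_REQCERT demand
TLS_CACERT C:/path/to/ca-bundle.pem
"""

# Levels from ldap.conf(5). Only demand/hard reject a missing or invalid
# server certificate; with no TLS_REQCERT line the client default is demand.
VERIFYING = {"demand", "hard"}
KNOWN = VERIFYING | {"never", "allow", "try"}


def audit_tls_reqcert(conf_text):
    """Return (findings, has_ca) for the text of one ldap.conf file.

    findings: list of (line number, level, reason) for each TLS_REQCERT
              line that does not enforce certificate verification.
    has_ca:   True if a CA file or directory is configured in this file,
              which the client uses to validate the server certificate.
    """
    findings = []
    has_ca = False
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        parts = line.split(None, 1)
        key = parts[0].upper()  # option names are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in ("TLS_CACERT", "TLS_CACERTDIR") and value:
            has_ca = True
        elif key == "TLS_REQCERT":
            level = value.lower()
            if level not in KNOWN:
                findings.append((lineno, level, "unknown level"))
            elif level not in VERIFYING:
                findings.append((lineno, level, "server certificate not enforced"))
    return findings, has_ca


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF)):
        print(name, audit_tls_reqcert(text))
```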
hi,
1- is the LDAP connection test ok or not ?
2 - there's no connection filter, is it normal (should be something like (objectclass=inetOrgPerson) for example)
3 - can you try to enter the root password again ?
Hi
hi,
1- is the LDAP connection test ok or not ?
Yes the connection tests OK.
2 - there's no connection filter, is it normal (should be something like (objectclass=inetOrgPerson) for example)
We never used a filter, so that is the normal condition, and up to now it worked fine.
Because of your remark I set this filter on the test server and I couldn't log on with a ldap account. Cleared this filter and it worked again.
3 - can you try to enter the root password again?
We do an anonymous bind. Access is granted to the ldap server on account of our machine name. This does not change on an upgrade.
Regards Bert
ok so if I understand correctly what you say :
- GLPI can connect to OpenLDAP using SSL
- users cannot login with or without connection filter
am I right ?
what do you mean by :
Access is granted to the ldap server on account of our machine name. This does not change on an upgrade.
Hi,
ok so if I understand correctly what you say :
- GLPI can connect to OpenLDAP using SSL
Yes that's right.
- users cannot login with or without connection filter
If the connection filter is empty users CAN logon with ldap authentication(this is the default)
If I set the filter like you suggested : objectclass=inetOrgPerson
LDAP users can NOT logon.
am I right ?
what do you mean by :
bdg66 wrote: Access is granted to the ldap server on account of our machine name. This does not change on an upgrade.
The ability to authenticate to our ldap server is restricted by Accesslist. In the accesslist are the servers that may use ldap authentication. So you don't have to use an account to connect, this can be done 'anonymous'.
Regards Bert
thanks for your answers
my (dumb) question is : if users can authenticate, where's the problem ?
(objectclass=inetOrgPerson) was an example, it depends on the objectclass used to create your users.
Hi,
thanks for your answers
my (dumb) question is : if users can authenticate, where's the problem ?
(objectclass=inetOrgPerson) was an example, it depends on the objectclass used to create your users.
The problem is like I stated in the first post: We want to upgrade from GLPI version 0.72.3 to 0.83.0.
In our current version Ldap authentication works fine but if we upgrade to version 0.78.0 Ldap authentication does NOT work anymore. We have no idea why the Ldap authentication ceases to work. So we have been looking for a solution and thought maybe someone on the forum has an idea or maybe the same problem.
Regards Bert
Hi,
This past weekend the central ldap server has been replaced, so I thought that maybe this would solve our problem, but unfortunately this didn't help.
When I try to logon with a ldap-account in the GLPI server(version 0.78.0) it gives this back:
unsuccessful authorization in LDAP
Log in again
So still no result.
Regards Bert
hi,
I think that as you can test LDAP connection successfully but cannot login with an end user, it might come from the connection filter.
Could you copy/paste one user entry here ?
hi,
I think that as you can test LDAP connection successfully but cannot login with an end user, it might come from the connection filter.
Until now this field was empty and worked fine. Are you suggesting that as of version 0.78.0 this field should be filled? And if so with what?
Could you copy/paste one user entry here ?
I'm not sure what you are looking for but I cannot paste specific user info here for privacy reasons but what I did is anonymize the entry. I really cannot imagine what this would tell you but here goes:
User : U123456 Vcard
Login U123456
Surname: Test, A.B.C. (Albert)
First name:
Mobile:
E-Mail: A.Test@test.ru.nl
Phone:
Phone 2:
Location: 011-1111111 Active
Title Category
Comments:
Authentication: LDAP Server ldaps://ldap.ru.nl
Last login date: 2012-04-10 11:45 Last login: 2012-04-18 14:49
Regards Bert
I'm looking for the "objectclass" LDAP attribute of the user
Hi,
I will have to ask somebody with knowledge of LDAP for mine is very superficial. This may take a while for we have a central LDAP.
Regards Bert
Hi There,
Test in rootdn: user@domain
Att.
Danilo Santos - dbNetSys IT Consulting
cel.: +55 (11) 7093.6442 or id: 55*82*8011
@Danilo_C_Santos - Linux Counter: #279531
danilo@dbnetsys.com.br - www.dbnetsys.com.br
Hi,
Thanks for the suggestion but I'm not sure what this would accomplish for we do an anonymous bind and authenticate on the basis of access to the ldap server.
I'm looking into it with an LDAP expert from our central IT department. I will ask him if this will lead us on the road to success. ;-)
Regards Bert
Hi all,
I'm happy to report that we tackled this issue. In cooperation with our central IT-department we made some changes to the settings in the ldap connection.
For rootdn we now use a special user with password.
Email address changed to 'mail' instead of 'rumail'.
Connection filter must be clear, with '(objectclass=inetOrgPerson)' it will not work.
In "Groups" we changed the 'Use DN in the search' to YES
So thanks for all the input,
Regards Bert
great !
I can now close this thread :)