#1 2012-04-12 11:14:17

bdg66
Member
Registered: 2012-02-21
Posts: 14

LDAP authentication lost on upgrade from GLPI 0.72.3 to 0.78.0

Hi all,

We are running a production GLPI version 0.72.3 on a Windows 2008 R2 machine with Xampp (OCSNG install version 2.1).
We want to upgrade to 0.83.0.
On a test machine we did the upgrade but lost the authentication to our ldap server. Mind you, the connection is OK and a test script will get info from the LDAP server. So the problem must be in GLPI.
We did an upgrade in steps and found that the authentication was lost with the upgrade to 0.78.0 (reproducible).

I hope someone has a solution for this. I read some comments on ldap on the forum but my knowledge of French is not as elaborate as I would wish. ;-)

Thanks for any suggestions, Regards Bert

Our system:
OS                           Windows 2008 R2
Apache Version     Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.3.4 mod_perl/2.0.4 Perl/v5.10.1
Apache API Version     20051115
PHP Version     5.3.5
Xampp version         1.7.4
LDAP Support     enabled
RCS Version     $Id: ldap.c 299434 2010-05-17 20:09:42Z pajoye $
Total Links     0/unlimited
API Version     3001
Vendor Name     OpenLDAP
Vendor Version     20319

Offline

#2 2012-04-12 11:35:47

wawa
GLPI-DEV
From: Montpellier / France
Registered: 2006-07-03
Posts: 6,019
Website

Re: LDAP authentication lost on upgrade from GLPI 0.72.3 to 0.78.0

hello
can you post GLPI LDAP configuration here please ?

Offline

#3 2012-04-12 12:13:52

bdg66
Member
Registered: 2012-02-21
Posts: 14

Re: LDAP authentication lost on upgrade from GLPI 0.72.3 to 0.78.0

Hi,

ldap.conf is in the root of the server.
c:\ldap.conf:
TLS_REQCERT never

In GLPI:
LDAP
Name: ldaps://ldap.ru.nl
Internal server ID: *1*
Server: ldaps://ldap.ru.nl
LDAP Port (default=389): 636
Basedn: ou=users,o=ru,c=nl
rootdn (for non anonymous binds): (empty)
Pass (for non-anonymous binds): (empty)
Login Field: uid
Connection filter: (empty)
Use TLS: NO
Time zone: GMT +1
How LDAP aliases should be handled: (empty)

Belonging to groups
Search type: (empty)
User attribute containing its groups: (empty)
Filter to search in groups: (empty)
Group attribute containing its users: (empty)
Use DN in the search: YES

GLPI/LDAP Links
Surname: commonname
First name: (empty)
Comments: (empty)
E-Mail: rumail
Phone: telephonenumber
Phone 2: (empty)
Mobile: (empty)
Title: (empty)
Category: (empty)
Select Language: (empty)

Is this what you're looking for?

Regards Bert

Offline

#4 2012-04-12 12:26:13

wawa
GLPI-DEV
From: Montpellier / France
Registered: 2006-07-03
Posts: 6,019
Website

Re: LDAP authentication lost on upgrade from GLPI 0.72.3 to 0.78.0

hi,

1- is the LDAP connection test ok or not ?
2 - there's no connection filter, is it normal (should be something like (objectclass=inetOrgPerson) for example)
3 - can you try to enter the root password again ?

Offline

#5 2012-04-12 12:48:52

bdg66
Member
Registered: 2012-02-21
Posts: 14

Re: LDAP authentication lost on upgrade from GLPI 0.72.3 to 0.78.0

Hi

wawa wrote:

> hi,
>
> 1- is the LDAP connection test ok or not ?

Yes the connection tests OK.

> 2 - there's no connection filter, is it normal (should be something like (objectclass=inetOrgPerson) for example)

We never used a filter, so that is the normal condition, and up to now it worked fine.
Because of your remark I set this filter on the test server and I couldn't log on with a ldap account. Cleared this filter and it worked again.

> 3 - can you try to enter the root password again?

We do an anonymous bind. Access is granted to the ldap server on account of our machine name. This does not change on an upgrade.

Regards Bert

Offline

#6 2012-04-12 13:04:57

wawa
GLPI-DEV
From: Montpellier / France
Registered: 2006-07-03
Posts: 6,019
Website

Re: LDAP authentication lost on upgrade from GLPI 0.72.3 to 0.78.0

ok so if I understand correctly what you say :
- GLPI can connect to OpenLDAP using SSL
- users cannot login with or without connection filter

am I right ?

what do you mean by  :

bdg66 wrote:

> Access is granted to the ldap server on account of our machine name. This does not change on an upgrade.

Offline

#7 2012-04-12 16:31:50

bdg66
Member
Registered: 2012-02-21
Posts: 14

Re: LDAP authentication lost on upgrade from GLPI 0.72.3 to 0.78.0

Hi,

wawa wrote:

> ok so if I understand correctly what you say :
> - GLPI can connect to OpenLDAP using SSL

Yes, that's right.

> - users cannot login with or without connection filter

If the connection filter is empty users CAN logon with ldap authentication (this is the default)
If I set the filter like you suggested : objectclass=inetOrgPerson
LDAP users can NOT logon.

> am I right ?
>
> what do you mean by  :
>
> bdg66 wrote:
>
> > Access is granted to the ldap server on account of our machine name. This does not change on an upgrade.

The ability to authenticate to our ldap server is restricted by Accesslist. In the accesslist are the servers that may use ldap authentication. So you don't have to use an account to connect, this can be done 'anonymous'.

Regards Bert

Offline

#8 2012-04-12 23:01:55

wawa
GLPI-DEV
From: Montpellier / France
Registered: 2006-07-03
Posts: 6,019
Website

Re: LDAP authentication lost on upgrade from GLPI 0.72.3 to 0.78.0

thanks for your answers

my (dumb) question is : if users can authenticate, where's the problem ?

(objectclass=inetOrgPerson) was an example, it depends on the objectclass used to create your users.

Offline

#9 2012-04-13 17:28:56

bdg66
Member
Registered: 2012-02-21
Posts: 14

Re: LDAP authentication lost on upgrade from GLPI 0.72.3 to 0.78.0

Hi,

wawa wrote:

> thanks for your answers
>
> my (dumb) question is : if users can authenticate, where's the problem ?
>
> (objectclass=inetOrgPerson) was an example, it depends on the objectclass used to create your users.

The problem is like I stated in the first post: We want to upgrade from GLPI version 0.72.3 to 0.83.0.
In our current version Ldap authentication works fine but if we upgrade to version 0.78.0 Ldap authentication does NOT work anymore. We have no idea why the Ldap authentication ceases to work. So we have been looking for a solution and thought maybe someone on the forum has an idea or maybe the same problem.

Regards Bert

Offline

#10 2012-04-17 10:36:09

bdg66
Member
Registered: 2012-02-21
Posts: 14

Re: LDAP authentication lost on upgrade from GLPI 0.72.3 to 0.78.0

Hi,

This past weekend the central ldap server has been replaced, so I thought that maybe this would solve our problem, but unfortunately this didn't help.
When I try to logon with a ldap-account in the GLPI server(version 0.78.0) it gives this back:

unsuccessful authorization in LDAP

                    Log in again

So still no result.

Regards Bert

Offline

#11 2012-04-17 13:53:30

wawa
GLPI-DEV
From: Montpellier / France
Registered: 2006-07-03
Posts: 6,019
Website

Re: LDAP authentication lost on upgrade from GLPI 0.72.3 to 0.78.0

hi,
I think that as you can test LDAP connection successfully but cannot login with an end user, it might come from the connection filter.

Could you copy/paste one user entry here ?

Offline

#12 2012-04-18 15:13:50

bdg66
Member
Registered: 2012-02-21
Posts: 14

Re: LDAP authentication lost on upgrade from GLPI 0.72.3 to 0.78.0

wawa wrote:

> hi,
> I think that as you can test LDAP connection successfully but cannot login with an end user, it might come from the connection filter.

Until now this field was empty and worked fine.  Are you suggesting that as of version 0.78.0 this field should be filled? And if so with what?

wawa wrote:

> Could you copy/paste one user entry here ?

I'm not sure what you are looking for but I cannot paste specific user info here for privacy reasons but what I did is anonymize the entry. I really cannot imagine what this would tell you but here goes:

User : U123456 Vcard

Login    U123456    
Surname:     Test, A.B.C. (Albert)
First name:    

Mobile:    
E-Mail:     A.Test@test.ru.nl

Phone:    
Phone 2:    

Location:     011-1111111          Active   
Title                                          Category    
Comments:    

Authentication:    LDAP  Server ldaps://ldap.ru.nl

Last login date:    2012-04-10 11:45    Last login:    2012-04-18 14:49


Regards Bert

Offline

#13 2012-04-18 15:32:23

wawa
GLPI-DEV
From: Montpellier / France
Registered: 2006-07-03
Posts: 6,019
Website

Re: LDAP authentication lost on upgrade from GLPI 0.72.3 to 0.78.0

I'm looking for the "objectclass" LDAP attribute of the user :)

Offline

#14 2012-04-19 20:44:59

bdg66
Member
Registered: 2012-02-21
Posts: 14

Re: LDAP authentication lost on upgrade from GLPI 0.72.3 to 0.78.0

Hi,

I will have to ask somebody with knowledge of LDAP for mine is very superficial. This may take a while for we have a central LDAP.

Regards Bert

Offline

#15 2012-04-25 07:22:37

danilocs
Member
From: Brazil - São Paulo
Registered: 2012-04-08
Posts: 6
Website

Re: LDAP authentication lost on upgrade from GLPI 0.72.3 to 0.78.0

Hi There,

Test in rootdn: user@domain

Regards,


Danilo Santos - dbNetSys IT Consulting
cel.: +55 (11) 7093.6442 or id: 55*82*8011
@Danilo_C_Santos - Linux Counter: #279531
danilo@dbnetsys.com.br - www.dbnetsys.com.br

Offline

#16 2012-04-26 11:29:06

bdg66
Member
Registered: 2012-02-21
Posts: 14

Re: LDAP authentication lost on upgrade from GLPI 0.72.3 to 0.78.0

Hi,

Thanks for the suggestion but I'm not sure what this would accomplish for we do an anonymous bind and authenticate on the basis of access to the ldap server.
I'm looking into it with an LDAP expert from our central IT department. I will ask him if this will lead us on the road to success. ;-)

Regards Bert

Offline

#17 2012-05-03 12:36:31

bdg66
Member
Registered: 2012-02-21
Posts: 14

Re: LDAP authentication lost on upgrade from GLPI 0.72.3 to 0.78.0

Hi all,

I'm happy to report that we tackled this issue. In cooperation with our central IT-department we made some changes to the settings in the ldap connection.
For rootdn we now use a special user with password.
Email address changed to 'mail' instead of 'rumail'.
Connection filter must be clear, with '(objectclass=inetOrgPerson)' it will not work.

In "Groups" we changed the 'Use DN in the search' to YES

So thanks for all the input,

Regards Bert

Offline
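
An added example, not part of the thread and not GLPI's code: a small in-memory model of search-then-bind LDAP login, showing how the settings discussed above (rootdn and connection filter) decide whether the user's entry is found even when the initial bind succeeds. The directory contents, the `cn=glpi-reader` service account, the `anon_can_search` switch and the assumption that a connection test covers only the initial bind are all constructed for illustration.

```python
import re

# Constructed sample data: the DN layout follows the thread's Basedn; the
# objectClass values, passwords and service account are assumptions.
DIRECTORY = {
    "uid=U123456,ou=users,o=ru,c=nl": {
        "uid": ["U123456"],
        "objectclass": ["top", "person", "organizationalPerson"],
        "userpassword": ["user-secret"],
    },
}
SERVICE = ("cn=glpi-reader,ou=services,o=ru,c=nl", "svc-secret")  # hypothetical

def bind(dn, password):
    """Return the bound identity, or None when the credentials are rejected."""
    if dn is None:
        return "anonymous"
    if (dn, password) == SERVICE:
        return dn
    entry = DIRECTORY.get(dn)
    return dn if entry and password in entry["userpassword"] else None

def find_user_dn(identity, login_field, login, conn_filter, anon_can_search):
    """Search for (&(login_field=login)<conn_filter>) and return the DN found."""
    if identity == "anonymous" and not anon_can_search:
        return None  # server ACL hides entries from anonymous readers
    terms = [(login_field, login)] + re.findall(r"\((\w+)=([^()]+)\)", conn_filter)
    for dn, attrs in DIRECTORY.items():
        if all(v.lower() in (x.lower() for x in attrs.get(a.lower(), []))
               for a, v in terms):
            return dn
    return None

def login(user, password, rootdn=None, rootpw=None, conn_filter="",
          anon_can_search=True):
    """Search-then-bind: report which stage of the login fails."""
    if not password:
        return "empty password rejected"  # would otherwise be an unauthenticated bind
    identity = bind(rootdn, rootpw)       # the only stage the modelled connection test covers
    if identity is None:
        return "connection failed"
    dn = find_user_dn(identity, "uid", user, conn_filter, anon_can_search)
    if dn is None:
        return "user not found"
    return "ok" if bind(dn, password) else "bad password"
```

In this model a filter naming an objectClass the entry does not carry, or a server that no longer lets anonymous clients search, both end in "user not found" although the initial bind succeeded.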

#18 2012-05-03 19:05:54

wawa
GLPI-DEV
From: Montpellier / France
Registered: 2006-07-03
Posts: 6,019
Website

Re: LDAP authentication lost on upgrade from GLPI 0.72.3 to 0.78.0

great !
I can now close this thread :)

Offline
