In addition to Eric's mail, I would like to post some supplementary findings.
Eric wrote:
>Config: Windows 2003 Server, IIS 6, MYSQL 5.0, PHP 5.2.0
>Secure LDAP connection is working o.k. in GLPI 0.68.3
>Using the same settings in version 0.7.2 we get an Access Denied,
>PHP errors and an empty user account is created.
We use 0.68.3 and 0.70.2 on the same server (we use different directories for these versions of GLPI on this server). We have an SSL certificate for secure LDAP running on this server, and it works fine with 0.68.3. Therefore I think it should also work for 0.70.2.
The LDAP 'test-button' works fine. However, logging in with an LDAP user works fine in 0.68.3, but it does not work with 0.70.2 (either 'access denied' or 'no such user or more users found').
If you have any questions with which you can help us, or want specific screen captures of some configuration settings, please let us know.
Thank you very much in advance,
kind regards,
Fred
is the LDAP non SSL working in 0.70.2 ?
Bind seems to work but data retrieving seems to have troubles.
MoYo - Julien Dombre - Association INDEPNET
Contribute to GLPI : Support Contribute References Freshmeat
>is the LDAP non SSL working in 0.70.2 ?
>Bind seems to work but data retrieving seems to have troubles.
We can't test the non-SSL connection as our university's LDAP server requires it.
Of course we can setup a non-SSL LDAP server to test it, if necessary.
But we copied the entire new version into the map of the existing and working version (temporarily) to check if it could be an IIS/SSL issue. Even then it did not work.
It's a good idea, I think, to test this with a non-SSL LDAP server.
>is the LDAP non SSL working in 0.70.2 ?
>Bind seems to work but data retrieving seems to have troubles.
I'm trying to set it up here. (0.70.2)
I've got the connection with the LDAP directory working, but fail to authenticate users from it.
So the connection test is OK when I leave the rootdn empty. As soon as I try to add something there, I get 'connection failed' when I test the connection. When I try to log in with AD credentials I get 'no such user or more users found'.
Kind regards,
Yves
>MoYo wrote:
>>is the LDAP non SSL working in 0.70.2 ?
>>Bind seems to work but data retrieving seems to have troubles.
>
>I'm trying to set it up here. (0.70.2)
>I've got the connection with the LDAP directory working, but fail to authenticate users from it.
>So the connection test is OK when I leave the rootdn empty. As soon as I try to add something there, I get 'connection failed' when I test the connection. When I try to log in with AD credentials I get 'no such user or more users found'.
>Kind regards,
>Yves
I notice the following:
When I add a user manually to GLPI (and this user exists in LDAP), then this user can log in, authenticating with his LDAP password. When the user does not exist in GLPI, GLPI will not authenticate against LDAP and will not add this user to the GLPI database.
This means that we have to add all usernames (not the passwords) manually in GLPI?
>This means that we have to add all usernames (not the passwords) manually in GLPI?
That can't be the way it is meant to be. I got +/- 3000 users total :-)
We will try to find why there is a problem.
Sorry for the inconvenience, but we are at a Free Software Exhibition for 3 days.
Adding manually or using data injection may be a solution for the moment.
We will try to correct the problem as quickly as possible.
MoYo - Julien Dombre - Association INDEPNET
On openldap:
- really strange: it does not work on the first attempt. OK on the second.
- data retrieved correctly
MoYo - Julien Dombre - Association INDEPNET
on openldap over SSL :
- using TLS : unable to login
- without : need to login twice to succeed.
MoYo - Julien Dombre - Association INDEPNET
which information do you have in debug mode ?
MoYo - Julien Dombre - Association INDEPNET
>which information do you have in debug mode ?
First, I have extra information.
I see that the problem also exists in the former release: users have to be added first; after that, LDAP authentication can take place. So there is (I think) only one other problem:
When a user (loginname) is added, this user can authenticate by LDAP.
However, other LDAP attributes (surname, givenname and email) are not updated in the database, in version 0.70.2 (this update works fine in former versions).
We have 'surname', 'givenname' and 'mail' defined in GLPI's LDAP configuration page.
Thank you,
Fred
there's something I don't understand.
when you talk about secure ldap, you mean using TLS or using ldaps ?
>there's something I don't understand.
>when you talk about secure ldap, you mean using TLS or using ldaps ?
ldaps
Information that supports my conclusion that users have to be added first before they can authenticate by LDAP:
The 'login.php' includes the statement:
// exists=0 -> no exist (this is when the user does not exist in the database)
There is no statement that runs when this condition exists; there are statements that are run when 'exists=1' or 'exists=2'.
If the user does not exist, we cannot try its old login method. So this case does not exist here.
But all auth methods are tested just after to find the right one.
The process works fine on ldap. Switching to ldaps makes it work badly. The problem is not global in the login.php process but in the specific ldap auth methods used.
MoYo - Julien Dombre - Association INDEPNET
Is there any news about this problem ??
As long as ldaps is not working for new users we cannot upgrade to version 0.70.2
Last edited by Eric Hofland (2008-02-06 13:32:20)
Windows 2003 - IIS6 PHP 5.2.5 Mysql 5.0.51
IE8 & Firefox 4.0
GLPI 0.72.3
I'll work on it as soon as possible
ok I reproduce the problem, I'm working on a solution
Last edited by wawa (2008-02-06 17:24:57)
If you need any help with testing ...just give a shout
hello
after some testing neither MoYo nor myself could reproduce the problem on recent systems.
Could you please test a higher version of PHP, because it seems to come from here (I had another problem solved by upgrading PHP's version)
for information my php version : 5.2.3
MoYo - Julien Dombre - Association INDEPNET
We already upgraded PHP to 5.2.5
If PHP version was the problem it should also fail in 0.68.3 but that version is working o.k. (running on the same system)
In 0.70.2 user gets Access Denied and an empty record is created.
If I then try to add the user manually in
Users - From an external source - Add LDAP
The message is: Unable to add. The user already exists.
Eric
I just tried the latest svn (glpi-unstable-2008-02-25) and the login using ldaps is working OK in that version; the user record is created and filled with LDAP data.
However, if I add a user using Administration - Users - From an external source - and enter login - Add LDAP
the error message is: User not found or several users found