-
-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
LDAP sync works - login/test fails if user not in base DN #12331
Comments
👋 Thanks for opening your first issue here! If you're reporting a 🐞 bug, please make sure you include steps to reproduce it. We get a lot of issues on this repo, so please be patient and we will get back to you as soon as we can. |
This doesn't sound like a bug to me. Typically a freshly created user is not allowed to log in if I remember right. The user either needs to be marked manually with login enabled or using an LDAP flag. The LDAP Active Flag might be configured wrong in your settings. You can check the /users page to see if login is actually enabled for each user. |
Hm - I don't agree - login / LDAP test succeeds when I change just the base bind dn. As I said, sync works so I got all LDAP users imported/synced and I marked all logins enabled.
On January 11, 2023 11:46:11 AM GMT+01:00, nsty ***@***.***> wrote:
This doesn't sound like a bug to me. Typically a freshly created user is not allowed to log in if I remember right. The user either needs to be marked manually with login enabled or using an LDAP flag. The LDAP Active Flag might be configured wrong in your settings. You can check the /users page to see if login is actually enabled for each user.
If this is not the problem, I think you should name the LDAP server you are using. Might also be a server setting.
--
Reply to this email directly or view it on GitHub:
#12331 (comment)
You are receiving this because you authored the thread.
Message ID: ***@***.***>
--
Verstuurd vanaf mijn Android apparaat met K-9 Mail. Excuseer mijn beknoptheid.
|
You are right. I can just tell you that it's working for me. We use several levels of OUs and nested group filters. I also tested with a new user on our AD (regarding #12296 ). But I just noticed, we are still on 6.0.13 on production because of #12288 . Might be all the same issue with the default LDAP group introduced in 6.0.14. |
Well, I found this in App/Models/Ldap.php on line 98: Imho the better option is to first search the user in the base dn and then grab the user dn from the search result |
... so this is my workaround - added this after line 118 $filterQuery = "({$filter}({$filterQuery}))"; $res = ldap_search($connection, $baseDn, $filterQuery); |
i think you should downgrade your php version.youd better dont use more then 8.1(include),my php 8.1 down to 8.0 it works |
If you analyze what I changed to fix things you'll see that this is very unrelated to the php version. Just go through the details of my findings, you'll see that things depend on how you have setup LDAP in terms of OUs. Bottom line: if your user dn does not reflect a dn in the base OU, authentication fails but user sync still works because of the search filter. |
This explains exactly what I have experienced on the latest version. I was able to set the base DN to match where my users are, since this currently works for my structure. However that is just luck, there isn't any requirement that this would have been true. |
Friend, thank you very much, I had been trying to solve this for days. |
Same issue here, I changed the workaround a little bit: So now it's really findAndBindUserLdap as the Function name suggests. Lines 122-138 look like that block:
Edit: Maybe solved within the following issue #9903 ? |
Currently, snipe-it relies on a manually crafted user DN to bind a user and therefore check if they exist, and *then*, it searches in LDAP if the user is found when applying the filter. This works nicely when the base_dn is "fixed". In a company with multiple business lines or business units, though, there might be more than one OU for LDAP users, and in that case, crafting the DN manually might fail. This patch aims at crafting the userDn from a ldap_search, assuming the user field is unique. If more than 1 user is found, the user field is not unique and the login method will throw. This increases significantly the LDAP login flexibility. Fixes snipe#12331
Debug mode
Describe the bug
I'm trying to get LDAP login working on my freshly installed Snipe-IT v6.0.14 build 9038.
Configured the LDAP server settings (we're using 389-DS with ldaps) and the 'Test LDAP synchronizaton' works fine, however if I try to authenticate any user, I get " Login Failed. did not successfully bind to LDAP. "
So I did some more testing to make sure I got the settings correct and found out that I can get authentication to work if the user is in the base bind DN and not in one of the sub-OU's of that DN. E.g.:
user 'Danny' is in ou=ICT,ou=authorized,dc=foo,dc=bar
If I set base bind dn to ou=authorized,dc=foo,dc=bar, authentication fails (LDAP user sync lists the user though)
If I set base bind dn to ou=ICT,ou=authorized,dc=foo,dc=bar, authentication works ....
That looks like a bug to me - if sync (which does an LDAP search) nicely lists all users of the sub-OUs, authentication should also work for a user in one of those sub-OUs.
Reproduction steps
Expected behavior
authentication should also work for any user in a sub-OUs of the base bind DN (regardless of the number of levels below that OU)
Screenshots
No response
Snipe-IT Version
v6.0.14 build 9038
Operating System
Ubuntu
Web Server
apache
PHP Version
8.4.33
Operating System
No response
Browser
No response
Version
No response
Device
No response
Operating System
No response
Browser
No response
Version
No response
Error messages
No response
Additional context
No response
The text was updated successfully, but these errors were encountered: