Re: A successful bind must be completed on the connection, but ldapsearch works


Jaime Perez Crespo

Sep 16, 2016, 4:39:01 AM
to simple...@googlegroups.com
Hi Joost,

On 16 Sep 2016, at 10:25 AM, Joost Hillen <hillen...@gmail.com> wrote:
> Good day one and all,
>
> I've setup a simplesamlphp system inside a network with a server 2008 r2 active directory server.
> I can connect to LDAP / retrieve results using ldapsearch
>
> ldapsearch -h exampleserver.internal.customer.net -V -b "OU=Users,OU=Domain,DC=intern,DC=domain,DC=net" -D "ldapbind" -w "password"
>
> However, when I input those variables into /etc/simplesamlphp/authsources.php (see below), I get the following error message when trying to authenticate.

What does “trying to authenticate” mean here? You are testing the authsource in the web interface, and then typing the username and password? In that case, what username, and what password?

“priv.username” and “priv.password” are NOT the username and password of the user you want to authenticate (obviously). Those options are intended to provide an account that you can use to bind with higher privileges than the user, so that you can retrieve attributes that the user him/herself cannot access.

> Error in authenticationsource 'ldap'. As reason was provided: 'Library - LDAP search(): Failed search on base \'OU=Users,OU=Domain,DC=intern,DC=domain,DC=net\' for \'(|(samAccountName=ldapbind))\'; cause: \'Operations error\' (0x1); additional: \'000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1\''.
>
>
> 'customer-ldap' => array(
> 'ldap:LDAP',
> 'hostname' => 'exampleserver.internal.customer.net',
> 'enable_tls' => FALSE,
> 'debug' => TRUE,
> 'timeout' => 30,
> 'referrals' => FALSE,
> 'attributes' => NULL,
> 'search.enable' => TRUE,
> 'search.base' => 'OU=Users,OU=Domain,DC=intern,DC=domain,DC=net',
> 'search.attributes' => array('samAccountName'),
> 'priv.read' => TRUE,
> 'priv.username' => 'ldapbind',
> 'priv.password' => 'password',
> ),
>
> As ldapsearch works without problems, and I have provided the user to bind against (priv.username), I can't figure out what I am doing wrong.
>
> If someone would be able to give a hint, point me in the right direction, I'd be most grateful.
>
> Kind regards,
>
> Joost Hillen

--
Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost


Jaime Perez Crespo

Sep 16, 2016, 4:49:35 AM
to simple...@googlegroups.com
What happens if you switch “search.enable” to false?

On 16 Sep 2016, at 10:44 AM, Joost Hillen <hillen...@gmail.com> wrote:
> Hi Jaime, thank you for your reply.
>
> I am indeed visiting https://fqdn/simplesamlphp/ -> Authenticate -> test configured authentication sources -> select ldap auth source
>
> Then I enter the account name of a user in Active Directory, any user/password combination I know of in AD.
>
> I've created a separate account for the priv.username/priv.password variables, with limited rights, but sufficient rights to read out LDAP, which I verified with ldapsearch.
>
> Kind regards,
>
> Joost Hillen



Jaime Perez Crespo

Sep 16, 2016, 5:17:51 AM
to simple...@googlegroups.com
Hi again,

On 16 Sep 2016, at 11:01 AM, Joost Hillen <hillen...@gmail.com> wrote:
> I've set:
>
> 'search.enable' => FALSE,
> 'dnpattern' => 'uid=%username%,OU=Users,OU=Domain,DC=intern,DC=domain,DC=net',

I understand there’s no “uid” in AD, and according to the configuration you had, it looks like the username would be in the “samAccountName”, right? In that case, you should have something like this:

'dnpattern' => 'samAccountName=%username%,OU=Users,OU=Domain,DC=intern,DC=domain,DC=net',


> Which no longer pops up the bind message, but it does not successfully authenticate either.
>
> I have tried different username formats and different accounts.
>
> username
> user...@internal.customer.net
> domainname\username
>
>
> It shows a friendly message "The specified username does not exist, or the password is not valid. Verify the username and try again."
>
> syslog shows me the following:
>
> Sep 16 10:55:07 saml simplesamlphp[1368]: 7 [a1e3975b8a] Library - LDAP __construct(): Setup LDAP with host='exampleserver.internal.customer.net', tls=false, debug=true, timeout=30, referrals=false
> Sep 16 10:55:07 saml simplesamlphp[1368]: 6 [a1e3975b8a] Authentication source 'customer-ldap': ldapbind failed to authenticate. DN=uid=ldapbind,OU=Users,OU=Customer,DC=intern,DC=customer,DC=net
> Sep 16 10:55:07 saml simplesamlphp[1368]: 5 STAT [a1e3975b8a] Unsuccessful login attempt from 192.168.100.X.

Michael A Weber

Sep 16, 2016, 11:58:52 AM
to simple...@googlegroups.com
On Sep 16, 2016, at 3:25 AM, Joost Hillen <hillen...@gmail.com> wrote:
> Good day one and all,
>
> I've setup a simplesamlphp system inside a network with a server 2008 r2 active directory server.
> I can connect to LDAP / retrieve results using ldapsearch
>
> ldapsearch -h exampleserver.internal.customer.net -V -b "OU=Users,OU=Domain,DC=intern,DC=domain,DC=net" -D "ldapbind" -w "password"
>
> However, when I input those variables into /etc/simplesamlphp/authsources.php (see below), I get the following error message when trying to authenticate.
>
> Error in authenticationsource 'ldap'. As reason was provided: 'Library - LDAP search(): Failed search on base \'OU=Users,OU=Domain,DC=intern,DC=domain,DC=net\' for \'(|(samAccountName=ldapbind))\'; cause: \'Operations error\' (0x1); additional: \'000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1\''.
>
> 'customer-ldap' => array(
> 'ldap:LDAP',
> 'hostname' => 'exampleserver.internal.customer.net',
> 'enable_tls' => FALSE,
> 'debug' => TRUE,
> 'timeout' => 30,
> 'referrals' => FALSE,
> 'attributes' => NULL,
> 'search.enable' => TRUE,
> 'search.base' => 'OU=Users,OU=Domain,DC=intern,DC=domain,DC=net',
> 'search.attributes' => array('samAccountName'),
> 'priv.read' => TRUE,
> 'priv.username' => 'ldapbind',
> 'priv.password' => 'password',
> ),
>
> As ldapsearch works without problems, and I have provided the user to bind against (priv.username), I can't figure out what I am doing wrong.
>
> If someone would be able to give a hint, point me in the right direction, I'd be most grateful.
>
> Kind regards,
>
> Joost Hillen



Joost—

Try your ldapsearch like this:

ldapsearch -x -ZZ -LLL -b "dc=intern,dc=domain,dc=net" -s sub -D "us...@domain.net" -h exampleserver.internal.customer.net -W


and see if it works.  Be sure to change the binddn (-D) to a user's email that is recognized, and your host (-h) option to be the host.  You will be prompted for a password with this (-W).

This is the test I needed to make work for my LDAP bind against active directory with simplesamlphp.  When I made that work, and used the correct information from that in my authsources.php file, it works.

Also, I was told that for LDAP bind access to Active Directory, TLS is required.  Setting it to false and not making it work very well may not work for you.  I know I had to enable it and make it work to access.

This is my section of authsources.php, sanitized, of course.  Note the part which says the dnpattern is not used if search is enabled, and search needs to be enabled.  Also, I would not use priv.user/pass and use search.user/pass instead:

'MY-LDAP' => array(
        'ldap:LDAP',
        'hostname' => 'somehost.domain2.domain1.tld',
        'enable_tls' => TRUE,
        'debug' => FALSE,
        'timeout' => 10,
        'port' => 389,
        'referrals' => FALSE,
        'attributes' => NULL,

        // The pattern which should be used to create the users DN given the username.
        // %username% in this pattern will be replaced with the users username.
        //
        // This option is not used if the search.enable option is set to TRUE.
        'dnpattern' => 'sAMAccountName=%username%,cn=users,dc=domain2,dc=domain1,dc=tld',
        'search.enable' => TRUE,
        'search.base' => 'dc=domain2,dc=domain1,dc=tld',
        'search.attributes' => array('sAMAccountName'),

        // The username & password the SimpleSAMLphp should bind to before searching. If
        // this is left as NULL, no bind will be performed before searching.
        'search.username' => 'an active directory reader account@[domain2].domain1.tld',
        'search.password' => 'the above user\'s password',
        'priv.read' => FALSE,

        // The DN & password the SimpleSAMLphp should bind to before
        // retrieving attributes. These options are required if
        // 'priv.read' is set to TRUE.
        'priv.username' => NULL,
        'priv.password' => NULL,
),

Hope this helps.

Mike
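Added example, not SimpleSAMLphp code and not posted by anyone in this thread: a small Python preflight check that encodes what the two replies above establish about the ldap:LDAP authsource. With search.enable set, the module searches for the user before it binds as that user, and the only credentials it uses for that search are search.username/search.password (priv.* is for attribute reads when priv.read is TRUE); AD answers an unauthenticated search with the 000004DC "a successful bind must be completed" error from the first post; a bare account name like 'ldapbind' is not an identity AD's simple bind accepts (a DN, a UPN or DOMAIN\user is); and the bind password should not cross the wire without TLS. It runs the checks against the array from the first post and against a dictionary modelled on Mike's sanitized array, in which the reader account 'reader@domain2.domain1.tld' and its password are constructed placeholders. It also goes one step beyond the thread by escaping the username per RFC 4515 before building the (|(sAMAccountName=...)) filter that appears in the error message, which is what you want wherever user input lands in a filter.

```python
"""Preflight checks for a SimpleSAMLphp ldap:LDAP authsource pointed at AD.

Added example; this is not SimpleSAMLphp code. Rules encoded here:
- with 'search.enable' the module searches before binding as the user and
  authenticates that search only with 'search.username'/'search.password';
  'priv.*' is used for attribute reads when 'priv.read' is TRUE;
- AD refuses an unauthenticated search with 000004DC;
- a bare account name is not an identity AD simple bind accepts (use a DN,
  a UPN or DOMAIN\\user);
- a bind password should not cross the network without TLS.
"""
import re

# RFC 4515 escaping for values interpolated into a search filter, so that a
# username such as 'a*)(cn=*' cannot change what the filter matches.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(username: str, attributes) -> str:
    """Build the (|(attr=user)...) filter of the kind seen in the thread's error."""
    clauses = "".join(f"({a}={escape_filter_value(username)})" for a in attributes)
    return f"(|{clauses})"


# Identities AD's simple bind accepts: a DN, a UPN (user@realm) or DOMAIN\user.
_DN_RE = re.compile(r"^\s*\w+=.+")
_UPN_RE = re.compile(r"^[^@\\\s]+@[^@\\\s]+\.[^@\\\s]+$")
_NTLM_RE = re.compile(r"^[^@\\\s]+\\[^@\\\s]+$")


def is_ad_bind_identity(name) -> bool:
    if not isinstance(name, str):
        return False
    return bool(_DN_RE.match(name) or _UPN_RE.match(name) or _NTLM_RE.match(name))


def lint_authsource(cfg: dict) -> list:
    """Return a list of problems; an empty list means the config is consistent."""
    findings = []
    if not cfg.get("enable_tls") and cfg.get("port", 389) != 636:
        findings.append("enable_tls is FALSE and port is not 636: bind passwords "
                        "would cross the network in clear text")
    if cfg.get("search.enable"):
        user = cfg.get("search.username")
        if not user or not cfg.get("search.password"):
            findings.append("search.enable is TRUE but search.username/search.password "
                            "are unset: the search runs unauthenticated and AD "
                            "rejects it with 000004DC")
        elif not is_ad_bind_identity(user):
            findings.append(f"search.username {user!r} is not a DN, UPN or "
                            "DOMAIN\\user, so AD simple bind will reject it")
        if not cfg.get("search.attributes"):
            findings.append("search.enable is TRUE but search.attributes is empty")
    elif "%username%" not in (cfg.get("dnpattern") or ""):
        findings.append("search.enable is FALSE, so dnpattern must contain %username%")
    if cfg.get("priv.read") and not (
        is_ad_bind_identity(cfg.get("priv.username")) and cfg.get("priv.password")
    ):
        findings.append("priv.read is TRUE but priv.username/priv.password are not "
                        "a usable AD bind identity")
    return findings


# Transcribed from the first post in the thread (password as posted there).
ORIGINAL_AUTHSOURCE = {
    "hostname": "exampleserver.internal.customer.net",
    "enable_tls": False,
    "search.enable": True,
    "search.base": "OU=Users,OU=Domain,DC=intern,DC=domain,DC=net",
    "search.attributes": ["samAccountName"],
    "priv.read": True,
    "priv.username": "ldapbind",
    "priv.password": "password",
}

# Modelled on Mike's sanitized array; the reader account and its password
# are constructed placeholders.
CORRECTED_AUTHSOURCE = {
    "hostname": "somehost.domain2.domain1.tld",
    "enable_tls": True,
    "port": 389,
    "search.enable": True,
    "search.base": "dc=domain2,dc=domain1,dc=tld",
    "search.attributes": ["sAMAccountName"],
    "search.username": "reader@domain2.domain1.tld",
    "search.password": "placeholder-secret",
    "priv.read": False,
}

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_AUTHSOURCE), ("corrected", CORRECTED_AUTHSOURCE)):
        print(f"{label}: {lint_authsource(cfg) or ['ok']}")
    print(build_search_filter("ldapbind", ORIGINAL_AUTHSOURCE["search.attributes"]))
```

Run stand-alone it reports three problems for the original array (no TLS, no search bind, and priv.username that is not a bind identity) and none for the corrected one. The checks are deliberately static: they read the array the way the module would, so you can run them before touching the domain controller, and then confirm the bind itself with the ldapsearch invocation Mike gives above.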


Michael A Weber

Sep 19, 2016, 12:05:26 PM
to simple...@googlegroups.com

On Sep 19, 2016, at 4:12 AM, Joost Hillen <hillen...@gmail.com> wrote:
> Good day Mike,
>
> Thank you kindly - that set me on the right path towards a successful connection.
>
> LDAPS configured on the host, tested with ldapsearch, used those settings in authsources.php
>
> Successfully logged on with AD user and it retrieved LDAP information.
>
> Thanks again, both Mike and Jaime for your time and responses.
>
> Kind regards,
>
> Joost Hillen
>
> On Sunday, September 18, 2016 at 10:19:35 AM UTC+2, Joost Hillen wrote:
> > Thank you kindly Mike, I am currently not able to test this, but will later today and report back.
> >
> > Have a nice Sunday in the meantime.

Glad it helped you out!

Mike