connecting simplesamlphp to phpLDAPadmin


houho...@gmail.com

May 9, 2016, 7:53:27 AM
to SimpleSAMLphp

Hi,
I have tried to connect SimpleSAMLphp with phpLDAPadmin, but I had problems when I entered the login.
This is the debug information I got:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
0 /home/../simplesamlphp/www/module.php:170 (N/A)
Caused by: SimpleSAML_Error_Exception: Library - LDAP __construct(): Unable to force TLS
Backtrace:
6 /home/../simplesamlphp/lib/SimpleSAML/Auth/LDAP.php:147 (SimpleSAML_Auth_LDAP::makeException)
5 /home/../simplesamlphp/lib/SimpleSAML/Auth/LDAP.php:112 (SimpleSAML_Auth_LDAP::__construct)
4 /home/../simplesamlphp/modules/ldap/lib/ConfigHelper.php:188 (sspmod_ldap_ConfigHelper::login)
3 /home/../simplesamlphp/modules/ldap/lib/Auth/Source/LDAP.php:51 (sspmod_ldap_Auth_Source_LDAP::login)
2 /home/../simplesamlphp/modules/core/lib/Auth/UserPassBase.php:253 (sspmod_core_Auth_UserPassBase::handleLogin)
1 /home/../simplesamlphp/modules/core/www/loginuserpass.php:67 (require)
0 /home/../simplesamlphp/www/module.php:127 (N/A)


I haven't changed module.php, UserPassBase.php, LDAP.php or the other files. I have modified only authsources.php. That's why I can't understand those errors.

I have to mention that the IdP is the WordPress plugin named "single sign on saml2.0".
Can someone help me please? Thanks

Peter Schober

May 9, 2016, 7:05:43 PM
to SimpleSAMLphp
* houho...@gmail.com <houho...@gmail.com> [2016-05-09 13:53]:
> I have tried to connect simplesamlphp with a phpLDAPadmin but i had
> problems when i put the login.

You want to modify the PHP application "phpLDAPadmin" to use SAML SSO
for login? Modifying any existing application that way may be
complicated and each application integration is different.

Also in this specific case, where phpLDAPadmin is merely an LDAP user
agent connecting to an LDAP server, how would you bind to the LDAP
directory as the subject logging in if you have no password (or
other factor, such as an X.509 client cert) available for the subject
due to SAML SSO? Do all subjects share anonymous binds or bind with
the same system account (i.e. all sharing the exact same level of
access)?
Using Emmanuel's CrudeSAML this would work (search the list archive or
the web) but that's another thing for you to understand and build and
deploy and configure.

> Backtrace:
> 0 /home/../simplesamlphp/www/module.php:170 (N/A)
> Caused by: SimpleSAML_Error_Exception: Library - LDAP __construct(): Unable to force TLS

That happens if PHP's ldap_start_tls() fails. So make sure the server
in question supports that and all the connection parameters are
correct, e.g. by using the ldapsearch or ldapwhoami command line
tools.
Also, if the LDAP server runs on the same machine as the web server
using StartTLS may not make much sense. At least if the machine
doesn't have untrusted local users (which no server should ever have,
other than a login/console/timesharing server).

> I have to mention that the idP is the plugin for wordpress named
> single sign on saml2.0.

There are several available but none with that exact name, AFAICT.
There's one based on SimpleSAMLphp code, though, so that would be an
obvious choice, at least that will be Free/Libre Software and won't
tie you into some "cloud" vendor's services (like some of the
available plugins seem to do, such as "miniOrange" or "OneLogin").
-peter

houho...@gmail.com

May 10, 2016, 3:49:38 AM
to SimpleSAMLphp
>You want to modify the PHP application "phpLDAPadmin" to use SAML SSO
>for login? Modifying any existing application that way may be
>complicated and each application integration is different.

No, maybe I haven't explained the issue correctly. phpLDAPadmin is used to create the users and
the groups with their information and their login. I tried to connect the users registered in the LDAP
to my WordPress page.
In fact, I added https://fr.wordpress.org/plugins/saml-20-single-sign-on/ as a plugin in my WordPress,
so when the user connects at the WordPress login page it
redirects him to the SimpleSAMLphp login page.

> That happens if PHP's ldap_start_tls() fails. So make sure the server
> in question supports that and all the connection parameters are
> correct, e.g. by using the ldapsearch or ldapwhoami command line
> tools.

With ldapsearch, for example, I get no errors and I can see the users that I created with phpLDAPadmin,
and there are no connection problems with the server.
For example:
ldapsearch -x -d 1
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 14 bytes to sd 3
ldap_result ld 0x7f6605bcf240 msgid 1
.....

>Also, if the LDAP server runs on the same machine as the web server
>using StartTLS may not make much sense. At least if the machine
>doesn't have untrusted local users (which no server should ever have,
>other than a login/console/timesharing server)

Yes, they run on the same machine.


>There are several available but none with that exact name, AFAICT.
>There's one based on SimpleSAMLphp code, though, so that would be an
>obvious choice, at least that will be Free/Libre Software and won't
>tie you into some "cloud" vendor's services (like some of the
>available plugins seem to do, such as "miniOrange" or "OneLogin").


The plugin I used is SAML 2.0 Single Sign-On:
https://fr.wordpress.org/plugins/saml-20-single-sign-on/

houho...@gmail.com

May 10, 2016, 3:51:36 AM
to SimpleSAMLphp
Thanks a lot for your response, and just for information the tracking number is 7ac2ad2219.
Thanks again

Peter Schober

May 10, 2016, 4:50:36 PM
to SimpleSAMLphp
* houho...@gmail.com <houho...@gmail.com> [2016-05-10 09:49]:
> >You want to modify the PHP application "phpLDAPadmin" to use SAML SSO
> >for login? Modifying any existing application that way may be
> >complicated and each application integration is different.
>
> No, maybe I haven't explained the issue correctly. phpLDAPadmin is
> used to create the users and the groups with their information and
> their login.

OK, so "I have tried to connect simplesamlphp with a phpLDAPadmin"
means this has nothing to do with phpLDAPadmin, at all.

> In fact, I added
> https://fr.wordpress.org/plugins/saml-20-single-sign-on/ as a plugin
> in my WordPress, so when the user connects at the WordPress login page
> it redirects him to the SimpleSAMLphp login page.

OK, but that's a plugin to add a SAML SP to WordPress.

But you're asking about connecting SimpleSAMLphp to an LDAP DSA, which
usually only makes sense on the SAML IDP side.
In other words, whatever you do with WordPress (and what extensions
you add to it) has nothing to do with an ldap_start_tls() error your
IDP has connecting to your LDAP DSA.

[SP] <--SAML--> [IDP] <--LDAP--> [OpenLDAP or whatever]

> >That happens if PHP's ldap_start_tls() fails. So make sure the
> >server in question supports that and all the connection parameters
> >are correct, e.g. by using the ldapsearch or ldapwhoami command
> >line tools.
>
> With ldapsearch, for example, I get no errors and I can see the users that I
> created with phpLDAPadmin,
> and there are no connection problems with the server.
> For example:
> ldapsearch -x -d 1
> ldap_create
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP localhost:389
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 127.0.0.1:389

The error came from PHP's ldap_start_tls() but in your ldapsearch
"example" you're not using TLS at all. So obviously you won't get
the/an TLS error that way.
Also TLS makes very little sense when connecting to slapd on
localhost (as I've explained before), which is what you're obviously
doing.

> >Also, if the LDAP server runs on the same machine as the web server
> >using StartTLS may not make much sense. At least if the machine
> >doesn't have untrusted local users (which no server should ever have,
> >other than a login/console/timesharing server)
>
> yes, they run in the same machine

See above.

Again, the error message you sent was:

"Unable to force TLS"

So don't use StartTLS in your SimpleSAMLphp IDP ldap module
configuration -- just like you didn't use TLS when using ldapsearch on
the command line.
-peter
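Peter's two suggestions in this thread (check the StartTLS connection with the OpenLDAP command-line tools before blaming the IdP, and drop StartTLS only when slapd really runs on the same host) can be turned into a small diagnostic script. The following is an added example, not code from the thread, SimpleSAMLphp or OpenLDAP; the host, port, bind DN and password are placeholders passed in as arguments, and the mapping of `enable_tls` to `-ZZ` reflects the fact that the ldap module calls `ldap_start_tls()` when that option is true.

```shell
#!/bin/sh
# Added example (not code from the thread, SimpleSAMLphp or OpenLDAP):
# reproduce on the command line the LDAP connection the SimpleSAMLphp
# ldap auth source opens, so that a StartTLS failure surfaces as an
# ldapwhoami error instead of "LDAP __construct(): Unable to force TLS"
# on the IdP's login page. Host, port, bind DN and password are
# placeholders passed in as arguments.

# Build the ldapwhoami options matching an 'enable_tls' value from
# authsources.php: the module calls ldap_start_tls() when enable_tls is
# true, which is what -ZZ does (and it fails hard when StartTLS fails).
# Usage: build_args true|false <host> <port>
build_args() {
    args="-x -H ldap://$2:$3"
    if [ "$1" = "true" ]; then
        args="$args -ZZ"
    fi
    printf '%s' "$args"
}

# Try a simple bind the way the IdP would. Return codes:
#   0  connection (and StartTLS, if requested) succeeded
#   1  the LDAP client reported an error (e.g. StartTLS not available)
#   2  ldapwhoami is not installed, so nothing could be checked
# Usage: probe_bind true|false <host> <port> <bind-dn> <password>
probe_bind() {
    command -v ldapwhoami >/dev/null 2>&1 || return 2
    # Word splitting of the option string is intended here.
    if ldapwhoami $(build_args "$1" "$2" "$3") -D "$4" -w "$5" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Compare a plain bind with a StartTLS bind and print the 'enable_tls'
# setting that follows: keep StartTLS when the server supports it, drop
# it only for a DSA on the same host (the thread's case), and repair the
# server's TLS setup when a remote DSA refuses it.
# Usage: recommend_enable_tls <host> <port> <bind-dn> <password>
recommend_enable_tls() {
    plain=0; probe_bind false "$1" "$2" "$3" "$4" || plain=$?
    tls=0;   probe_bind true  "$1" "$2" "$3" "$4" || tls=$?
    if [ "$plain" -eq 2 ]; then
        echo "unknown: install the OpenLDAP client tools (ldapwhoami) first"
    elif [ "$plain" -ne 0 ]; then
        echo "unreachable: fix hostname/port/credentials before looking at TLS"
    elif [ "$tls" -eq 0 ]; then
        echo "true: StartTLS works, keep 'enable_tls' => true"
    else
        case "$1" in
            localhost|127.0.0.1|::1)
                echo "false: slapd on the same host, set 'enable_tls' => false" ;;
            *)
                echo "true: remote DSA refuses StartTLS, fix its certificate/CA setup rather than disabling TLS" ;;
        esac
    fi
}

# Stand-alone use: sh probe-ldap.sh <host> <port> <bind-dn> <password>
if [ "$#" -eq 4 ]; then
    recommend_enable_tls "$1" "$2" "$3" "$4"
fi
```

Run it with the same hostname, port and bind credentials the IdP's authsources.php uses; a plain bind that works while the `-ZZ` bind fails is exactly the situation in this thread, and the script then tells you whether the answer is `'enable_tls' => false` (local slapd) or fixing the server's TLS configuration (remote DSA).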