Library - LDAP bind(): Bind failed with DN
1,029 views
Skip to first unread message
Nobody
Feb 22, 2017, 8:57:58 AM2/22/17
to SimpleSAMLphp
I don't get my LDAP IdP up and running.
Authentication error in source 'ldap'. The reason was: 'Library - LDAP bind(): Bind failed with DN
\'uid="username",ou=people,dc="thecorrectdc",dc=de\'; cause: \'Can\'t contact LDAP server\' (0xffffffffffffffff)'
Output from /var/log/messages
Library - LDAP bind(): Bind failed with DN 'uid="username",ou=people,dc="thecorrectdc",dc=de'; cause: 'Can't contact LDAP server' (0xffffffffffffffff)
Unsuccessful login attempt from "CLIENT-IP"
My Setup:
CentOS Linux release 7.3.1611 (Core)
3.10.0-514.6.1.el7.x86_64
nginx version: nginx/1.10.2
PHP 7.0.16 (remi repo)
Configs:
saml20-idp-hosted.php
<?php/** * SAML 2.0 IdP configuration for SimpleSAMLphp. * */
$metadata['__DYNAMIC:1__'] = array( /* * The hostname of the server (VHOST) that will use this SAML entity. * * Can be '__DEFAULT__', to use this entry by default. */ 'host' => '__DEFAULT__',
// X.509 key and certificate. Relative to the cert directory. 'privatekey' => '/etc/ssl/private/example.org.pem', 'certificate' => '/etc/ssl/certs/example.org.crt',
/* * Authentication source to use. Must be one that is configured in * 'config/authsources.php'. */ 'auth' => 'example-ldap',
/* * WARNING: SHA-1 is disallowed starting January the 1st, 2014. * * Uncomment the following option to start using SHA-256 for your signatures. * Currently, SimpleSAMLphp defaults to SHA-1, which has been deprecated since * 2011, and will be disallowed by NIST as of 2014. Please refer to the following * document for more information: * * * If you are uncertain about service providers supporting SHA-256 or other * algorithms of the SHA-2 family, you can configure it individually in the * SP-remote metadata set for those that support it. Once you are certain that * all your configured SPs support SHA-2, you can safely remove the configuration * options in the SP-remote metadata set and uncomment the following option. * * Please refer to the IdP hosted reference for more information. */ // 'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
/* Uncomment the following to use the uri NameFormat on attributes. */
'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'authproc' => array( // Convert LDAP names to oids. 100 => array('class' => 'core:AttributeMap', 'name2oid'), ),
/* * Uncomment the following to specify the registration information in the * exported metadata. Refer to: * for more information. */ /* 'RegistrationInfo' => array( 'authority' => 'urn:mace:example.org', 'instant' => '2008-01-17T11:28:03Z', 'policies' => array( 'en' => 'http://example.org/policy', 'es' => 'http://example.org/politica', ), ), */);authsources.php
<?php
$config = array(
// This is a authentication source which handles admin authentication. 'admin' => array( // The default is to use core:AdminPassword, but it can be replaced with // any authentication source.
'core:AdminPassword', ),
// An authentication source which can authenticate against both SAML 2.0 // and Shibboleth 1.3 IdPs. 'default-sp' => array( 'saml:SP',
// The entity ID of this SP. // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL. 'entityID' => null,
// The entity ID of the IdP this should SP should contact. // Can be NULL/unset, in which case the user will be shown a list of available IdPs. 'idp' => null,
// The URL to the discovery service. // Can be NULL/unset, in which case a builtin discovery service will be used. 'discoURL' => null,
/* * WARNING: SHA-1 is disallowed starting January the 1st, 2014. * * Uncomment the following option to start using SHA-256 for your signatures. * Currently, SimpleSAMLphp defaults to SHA-1, which has been deprecated since * 2011, and will be disallowed by NIST as of 2014. Please refer to the following * document for more information: * * * If you are uncertain about identity providers supporting SHA-256 or other * algorithms of the SHA-2 family, you can configure it individually in the * IdP-remote metadata set for those that support it. Once you are certain that * all your configured IdPs support SHA-2, you can safely remove the configuration * options in the IdP-remote metadata set and uncomment the following option. * * Please refer to the hosted SP configuration reference for more information. */ //'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
/* * The attributes parameter must contain an array of desired attributes by the SP. * The attributes can be expressed as an array of names or as an associative array * in the form of 'friendlyName' => 'name'. * The metadata will then be created as follows: * <md:RequestedAttribute FriendlyName="friendlyName" Name="name" /> */ /*'attributes' => array( 'attrname' => 'urn:oid:x.x.x.x', ),*/ /*'attributes.required' => array ( 'urn:oid:x.x.x.x', ),*/ ),
/* 'example-userpass' => array( 'exampleauth:UserPass',
// Give the user an option to save their username for future login attempts // And when enabled, what should the default be, to save the username or not //'remember.username.enabled' => FALSE, //'remember.username.checked' => FALSE,
'student:studentpass' => array( 'uid' => array('test'), 'eduPersonAffiliation' => array('member', 'student'), ), 'employee:employeepass' => array( 'uid' => array('employee'), 'eduPersonAffiliation' => array('member', 'employee'), ), ), */
// Example of a LDAP authentication source. 'example-ldap' => array( 'ldap:LDAP',
// Give the user an option to save their username for future login attempts // And when enabled, what should the default be, to save the username or not //'remember.username.enabled' => FALSE, //'remember.username.checked' => FALSE,
// The hostname of the LDAP server. 'hostname' => 'host.name.de',
// Whether SSL/TLS should be used when contacting the LDAP server. 'enable_tls' => FALSE,
// Whether debug output from the LDAP library should be enabled. // Default is FALSE. 'debug' => TRUE,
// The timeout for accessing the LDAP server, in seconds. // The default is 0, which means no timeout. 'timeout' => 0,
// The port used when accessing the LDAP server. // The default is 389. 'port' => 389,
// Set whether to follow referrals. AD Controllers may require FALSE to function. 'referrals' => FALSE,
// Which attributes should be retrieved from the LDAP server. // This can be an array of attribute names, or NULL, in which case // all attributes are fetched. 'attributes' => NULL,
// The pattern which should be used to create the users DN given the username. // %username% in this pattern will be replaced with the users username. // // This option is not used if the search.enable option is set to TRUE. 'dnpattern' => 'uid=%username%,ou=people,dc="thecorrectdc",dc=de',
// As an alternative to specifying a pattern for the users DN, it is possible to // search for the username in a set of attributes. This is enabled by this option. 'search.enable' => FALSE,
// The DN which will be used as a base for the search. // This can be a single string, in which case only that DN is searched, or an // array of strings, in which case they will be searched in the order given. 'search.base' => 'ou=people,dc="thecorrectdc",dc=de',
// The attribute(s) the username should match against. // // This is an array with one or more attribute names. Any of the attributes in // the array may match the value the username. 'search.attributes' => array('uid'),
// The username & password the SimpleSAMLphp should bind to before searching. If // this is left as NULL, no bind will be performed before searching. 'search.username' => NULL, 'search.password' => NULL,
// If the directory uses privilege separation, // the authenticated user may not be able to retrieve // all required attribures, a privileged entity is required // to get them. This is enabled with this option. 'priv.read' => FALSE,
// The DN & password the SimpleSAMLphp should bind to before // retrieving attributes. These options are required if // 'priv.read' is set to TRUE. 'priv.username' => NULL, 'priv.password' => NULL,
),
/* // Example of an LDAPMulti authentication source. 'example-ldapmulti' => array( 'ldap:LDAPMulti',
// Give the user an option to save their username for future login attempts // And when enabled, what should the default be, to save the username or not //'remember.username.enabled' => FALSE, //'remember.username.checked' => FALSE,
// The way the organization as part of the username should be handled. // Three possible values: // - 'none': No handling of the organization. Allows '@' to be part // of the username. // - 'allow': Will allow users to type 'username@organization'. // - 'force': Force users to type 'username@organization'. The dropdown // list will be hidden. // // The default is 'none'. 'username_organization_method' => 'none',
// Whether the organization should be included as part of the username // when authenticating. If this is set to TRUE, the username will be on // the form <username>@<organization identifier>. If this is FALSE, the // username will be used as the user enters it. // // The default is FALSE. 'include_organization_in_username' => FALSE,
// A list of available LDAP servers. // // The index is an identifier for the organization/group. When // 'username_organization_method' is set to something other than 'none', // the organization-part of the username is matched against the index. // // The value of each element is an array in the same format as an LDAP // authentication source. 'employees' => array( // A short name/description for this group. Will be shown in a dropdown list // when the user logs on. // // This option can be a string or an array with language => text mappings. 'description' => 'Employees',
// The rest of the options are the same as those available for // the LDAP authentication source. 'hostname' => 'ldap.employees.example.org', 'dnpattern' => 'uid=%username%,ou=employees,dc=example,dc=org', ),
'students' => array( 'description' => 'Students',
'hostname' => 'ldap.students.example.org', 'dnpattern' => 'uid=%username%,ou=students,dc=example,dc=org', ),
), */
);n enabled, what should the default be, to save the username or not //'remember.username.enabled' => FALSE, //'remember.username.checked' => FALSE,
'student:studentpass' => array( 'uid' => array('test'), 'eduPersonAffiliation' => array('member', 'student'), ), 'employee:employeepass' => array( 'uid' => array('employee'), 'eduPersonAffiliation' => array('member', 'employee'), ), ), */
// Example of a LDAP authentication source. 'example-ldap' => array( 'ldap:LDAP',
// Give the user an option to save their username for future login attempts // And when enabled, what should the default be, to save the username or not //'remember.username.enabled' => FALSE, //'remember.username.checked' => FALSE,
// The hostname of the LDAP server. 'hostname' => 'host.name.de',
// Whether SSL/TLS should be used when contacting the LDAP server. 'enable_tls' => FALSE,
// Whether debug output from the LDAP library should be enabled. // Default is FALSE. 'debug' => TRUE,
// The timeout for accessing the LDAP server, in seconds. // The default is 0, which means no timeout. 'timeout' => 0,
// The port used when accessing the LDAP server. // The default is 389. 'port' => 389,
// Set whether to follow referrals. AD Controllers may require FALSE to function. 'referrals' => FALSE,
// Which attributes should be retrieved from the LDAP server. // This can be an array of attribute names, or NULL, in which case // all attributes are fetched. 'attributes' => NULL,
// The pattern which should be used to create the users DN given the username. // %username% in this pattern will be replaced with the users username. // // This option is not used if the search.enable option is set to TRUE. 'dnpattern' => 'uid=%username%,ou=people,dc="thecorrectdc",dc=de',
// As an alternative to specifying a pattern for the users DN, it is possible to // search for the username in a set of attributes. This is enabled by this option. 'search.enable' => FALSE,
// The DN which will be used as a base for the search. // This can be a single string, in which case only that DN is searched, or an // array of strings, in which case they will be searched in the order given. 'search.base' => 'ou=people,dc="thecorrectdc",dc=de',
// The attribute(s) the username should match against. // // This is an array with one or more attribute names. Any of the attributes in // the array may match the value the username. 'search.attributes' => array('uid'),
// The username & password the SimpleSAMLphp should bind to before searching. If // this is left as NULL, no bind will be performed before searching. 'search.username' => NULL, 'search.password' => NULL,
// If the directory uses privilege separation, // the authenticated user may not be able to retrieve // all required attribures, a privileged entity is required // to get them. This is enabled with this option. 'priv.read' => FALSE,
// The DN & password the SimpleSAMLphp should bind to before // retrieving attributes. These options are required if // 'priv.read' is set to TRUE. 'priv.username' => NULL, 'priv.password' => NULL,
),
/* // Example of an LDAPMulti authentication source. 'example-ldapmulti' => array( 'ldap:LDAPMulti',
// Give the user an option to save their username for future login attempts // And when enabled, what should the default be, to save the username or not //'remember.username.enabled' => FALSE, //'remember.username.checked' => FALSE,
// The way the organization as part of the username should be handled. // Three possible values: // - 'none': No handling of the organization. Allows '@' to be part // of the username. // - 'allow': Will allow users to type 'username@organization'. // - 'force': Force users to type 'username@organization'. The dropdown // list will be hidden. // // The default is 'none'. 'username_organization_method' => 'none',
// Whether the organization should be included as part of the username // when authenticating. If this is set to TRUE, the username will be on // the form <username>@<organization identifier>. If this is FALSE, the // username will be used as the user enters it. // // The default is FALSE. 'include_organization_in_username' => FALSE,
// A list of available LDAP servers. // // The index is an identifier for the organization/group. When // 'username_organization_method' is set to something other than 'none', // the organization-part of the username is matched against the index. // // The value of each element is an array in the same format as an LDAP // authentication source. 'employees' => array( // A short name/description for this group. Will be shown in a dropdown list // when the user logs on. // // This option can be a string or an array with language => text mappings. 'description' => 'Employees',
// The rest of the options are the same as those available for // the LDAP authentication source. 'hostname' => 'ldap.employees.example.org', 'dnpattern' => 'uid=%username%,ou=employees,dc=example,dc=org', ),
'students' => array( 'description' => 'Students',
'hostname' => 'ldap.students.example.org', 'dnpattern' => 'uid=%username%,ou=students,dc=example,dc=org', ),
), */
);
On the LDAP server:
No entrys in the logs.
Peter Schober
Feb 22, 2017, 10:53:51 AM2/22/17
to SimpleSAMLphp
Hi Marek,
* 'Nobody' via SimpleSAMLphp <simple...@googlegroups.com> [2017-02-22 14:58]:
> 'search.base' => 'ou=people,dc="thecorrectdc",dc=de',
Same here.
-peter
* 'Nobody' via SimpleSAMLphp <simple...@googlegroups.com> [2017-02-22 14:58]:
> \'uid="username",ou=people,dc="thecorrectdc",dc=de\'; cause: \'Can\'t
> > contact LDAP server\' (0xffffffffffffffff)'
[...]
> > contact LDAP server\' (0xffffffffffffffff)'
> 'example-ldap' => array(
> 'ldap:LDAP',
[...]
> 'ldap:LDAP',
> 'dnpattern' => 'uid=%username%,ou=people,dc="thecorrectdc",dc=de',
If your actual config has double quotes in there remove those.
> 'search.base' => 'ou=people,dc="thecorrectdc",dc=de',
-peter
mare...@googlemail.com
Feb 22, 2017, 2:48:31 PM2/22/17
to SimpleSAMLphp, mare...@googlemail.com
Hello Peter,
no, my original config doesn't have double quotes sorry for the irritation.
I recognized that my authsources.php has some copy paste faults, so here is the right one (this time without any double quotes to prevent irritations)
'dnpattern' => 'uid=%username%,ou=people,dc=thecorrectdc,dc=de',
// As an alternative to specifying a pattern for the users DN, it is possible to // search for the username in a set of attributes. This is enabled by this option. 'search.enable' => FALSE,
// The DN which will be used as a base for the search. // This can be a single string, in which case only that DN is searched, or an // array of strings, in which case they will be searched in the order given. 'search.base' => 'ou=people,dc=thecorrectdc,dc=de',Jaime Perez Crespo
Feb 22, 2017, 4:49:19 PM2/22/17
to SimpleSAMLphp
Hi,
Have you tried connecting to the ldap from the machine where you have installed SimpleSAMLphp, manually?
Given that you are getting a connection error, the first thing you should do is to make sure you can actually connect.
> --
> You received this message because you are subscribed to the Google Groups "SimpleSAMLphp" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
> To post to this group, send email to simple...@googlegroups.com.
> Visit this group at https://groups.google.com/group/simplesamlphp.
> For more options, visit https://groups.google.com/d/optout.
--
Jaime Pérez
UNINETT / Feide
jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2
"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
Have you tried connecting to the ldap from the machine where you have installed SimpleSAMLphp, manually?
Given that you are getting a connection error, the first thing you should do is to make sure you can actually connect.
> You received this message because you are subscribed to the Google Groups "SimpleSAMLphp" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
> To post to this group, send email to simple...@googlegroups.com.
> Visit this group at https://groups.google.com/group/simplesamlphp.
> For more options, visit https://groups.google.com/d/optout.
--
Jaime Pérez
UNINETT / Feide
jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2
"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
mare...@googlemail.com
Feb 23, 2017, 4:02:24 AM2/23/17
to SimpleSAMLphp
Hey,
yes that was the first thing i tried.
ldapsearch successfully draws me some information about my user to the command line.
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=thecorrectdc,dc=de> with scope subtree
# filter: (uid=username)
# requesting: ALL
#
...
some information about my user
...
# search result
search: 2
result: 0 Success
...
nmap confirms also that both ports (389 and 636) are accessible and open
Jaime Perez Crespo
Feb 23, 2017, 4:15:36 AM2/23/17
to SimpleSAMLphp
Hi,
What version of SimpleSAMLphp are you using?
Can you run ldapsearch again, but this time binding with your user?
What version of SimpleSAMLphp are you using?
Can you run ldapsearch again, but this time binding with your user?
mare...@googlemail.com
Feb 23, 2017, 4:20:31 AM2/23/17
to SimpleSAMLphp
Im actually using version 1.14.11
i do all my ldapsearch commands with my username (just change my username to "username" in terms of privacy)
Jaime Perez Crespo
Feb 23, 2017, 4:53:04 AM2/23/17
to simple...@googlegroups.com
Can you test it manually with PHP? Run PHP in interactive mode from the command line with “php -a”, then run this:
—>8—
$ldap = ldap_connect(“host.name.de”, 389);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
echo ldap_error($ldap);
$bind = ldap_bind($ldap, “your_dn”, “your_password”);
echo ldap_error($ldap);
—8<—
On 23 Feb 2017, at 10:20 AM, marek.lue via SimpleSAMLphp <simple...@googlegroups.com> wrote:
> Im actually using version 1.14.11
>
> i do all my ldapsearch commands with my username (just change my username to "username" in terms of privacy)
—>8—
$ldap = ldap_connect(“host.name.de”, 389);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
echo ldap_error($ldap);
$bind = ldap_bind($ldap, “your_dn”, “your_password”);
echo ldap_error($ldap);
—8<—
On 23 Feb 2017, at 10:20 AM, marek.lue via SimpleSAMLphp <simple...@googlegroups.com> wrote:
> Im actually using version 1.14.11
>
> i do all my ldapsearch commands with my username (just change my username to "username" in terms of privacy)
mare...@googlemail.com
Feb 23, 2017, 5:13:11 AM2/23/17
to SimpleSAMLphp
Okay,
everything runs successfully.
php > ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); php > echo ldap_error($ldap); Successphp > php > php > $bind = ldap_bind($ldap, "uid=username,ou=people,dc=thecorrectdc,dc=de", "password");php > echo ldap_error($ldap);Successphp >Jaime Perez Crespo
Feb 23, 2017, 5:18:42 AM2/23/17
to simple...@googlegroups.com
Just to confirm, you run that in the server where you have SSP installed, right? In that case, I really don’t see a reason why it should fail, as that code you just run is essentially what SSP does itself…
mare...@googlemail.com
Feb 23, 2017, 5:31:38 AM2/23/17
to SimpleSAMLphp
Yes Everything on the Server that runs the nginx, SSP, IdP, PHP7 etc..
I tried again with the web interface and got the same error (Library - LDAP bind(): Bind failed with DN....) even rebooted my server one minute before.
mare...@googlemail.com
Feb 23, 2017, 6:04:04 AM2/23/17
to SimpleSAMLphp, mare...@googlemail.com
Same with an apache.
I tough it maybe depends on the way how my nginx is configured (odd thought) but just to cross this out of the list of possibilities.
Same issue with the apache (Library - LDAP bind(): Bind failed with DN....)
BUT when i deactivate SELinux everything works fine.
The complete simplesamlphp folder is httpd_sys_content_t:s0 . Which component did i missing?
Federatieve Services - GDI
Feb 23, 2017, 6:34:49 AM2/23/17
to simple...@googlegroups.com
Hey Marek,
You are missing an SEboolean to allow php to setup ldap connections.
I think it’s this one: setsebool -P httpd_can_network_connect=1
- Tim
--
You received this message because you are subscribed to the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
simplesamlph...@googlegroups.com.
To post to this group, send email to
simple...@googlegroups.com.
Visit this group at https://groups.google.com/group/simplesamlphp.
For more options, visit https://groups.google.com/d/optout.
Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten.
This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
mare...@googlemail.com
Feb 23, 2017, 7:07:34 AM2/23/17
to SimpleSAMLphp, federatiev...@gdi.minvenj.nl
Thank you,
that does the trick
lalalasm...@gmail.com
Mar 1, 2018, 2:55:23 AM3/1/18
to SimpleSAMLphp
On Thursday, February 23, 2017 at 6:34:49 PM UTC+7, Federatieve Services - GDI wrote:
Hey Marek,
You are missing an SEboolean to allow php to setup ldap connections.
I think it’s this one: setsebool -P httpd_can_network_connect=1
- Tim
Van: marek.lue via SimpleSAMLphp [mailto:simple...@googlegroups.com]
Verzonden: donderdag 23 februari 2017 12:04
Aan: SimpleSAMLphp
CC: mare...@googlemail.com
Onderwerp: Re: Library - LDAP bind(): Bind failed with DN
Same with an apache.
I tough it maybe depends on the way how my nginx is configured (odd thought) but just to cross this out of the list of possibilities.
Same issue with the apache (Library - LDAP bind(): Bind failed with DN....)
BUT when i deactivate SELinux everything works fine.
The complete simplesamlphp folder is httpd_sys_content_t:s0 . Which component did i missing?
--
Hi GDI, where the directory i can config these command?
Peter Schober
Mar 1, 2018, 11:28:45 AM3/1/18
to SimpleSAMLphp
* lalalasm...@gmail.com <lalalasm...@gmail.com> [2018-03-01 09:01]:
account that's authorised to use it (i.e., root).
Commonly it would be in /usr/sbin/setsebool but that depends.
Either way, this is not the best place to ask about this.
-peter
> On Thursday, February 23, 2017 at 6:34:49 PM UTC+7, Federatieve Services - GDI wrote:
> > You are missing an SEboolean to allow php to setup ldap connections.
> >
> > I think it’s this one: setsebool -P httpd_can_network_connect=1
>
> > You are missing an SEboolean to allow php to setup ldap connections.
> >
> > I think it’s this one: setsebool -P httpd_can_network_connect=1
>
> Hi GDI, where the directory i can config these command?
The 'setsebool' binary should be in your $PATH, or in the path of the
account that's authorised to use it (i.e., root).
Commonly it would be in /usr/sbin/setsebool but that depends.
Either way, this is not the best place to ask about this.
-peter
Reply all
Reply to author
Forward
0 new messages