LDAP authentication against AD - searching issue


John W Parker

Dec 22, 2009, 4:50:29 PM12/22/09
to simple...@googlegroups.com
I'm beginning to look at simplesamlphp to use with Google Apps.
I have it installed and working as far as the "Checking your
PHP installation" configuration status is concerned. I have
it authenticating against my Active directory provided I
authenticate against a particular OU. If I try to enable
searching, I get different errors depending on how I modify
the search configuration. I'll detail that later.

All the threads I have seen reference using ldap.php but from my
reading it is suggested that use of ldap.php will be going away
and that authsources.php is the correct config file to use so that's
what I am using. I don't wish to even attempt using ldap.php if
it's going away.

My environment:

Windows Server 2003 Enterprise
Apache 2.2
OpenSSL 0.9.8
PHP 5.2.11

authsources.php ldap section (actual names, OUs, etc. have been changed)

$config = array(   // outer array of config/authsources.php, not shown in the original post
    'myschool-ldap' => array(
        'ldap:LDAP',
        'hostname' => '144.96.123.123',
        'enable_tls' => FALSE,
        'attributes' => NULL,
        'dnpattern' => NULL,
        'search.enable' => TRUE,
        'search.base' => 'dc=myschool,dc=edu',
        'search.attributes' => array('cn', 'uid'),
        'search.username' => 'myac...@myschool.edu',
        'search.password' => 'mypassword',
        'priv.read' => FALSE,
        'priv.username' => NULL,
        'priv.password' => NULL,
    ),
);

I am using the account 'testuser' to test authentication.

When I use the correct password for 'search.password', I get the following
error:

Library - LDAP search(): Failed search on base 'dc=myschool,dc=edu' for
' (|(cn=testuser)(uid=testuser))'

When I use an incorrect password for 'search.password', I get the following
error:

Error authenticating using search username & password

So it appears that it is binding fine, it's just not performing the search
properly. Is there something wrong with my config? The instructions for
setting up LDAP authentication don't reference any other config file that
needs to be modified so I'm not sure what I have missed. Incidentally, the
dn for the user I'm trying to authenticate is as follows:

cn=testuser,ou=Users,ou=Boynton,ou=ITS,dc=myschool,dc=edu

If I set search.enable to FALSE and set the dnpattern to the following dn,
authentication works and it returns several attributes for that user:

'cn=%username%,ou=Users,ou=Boynton,ou=ITS,dc=myschool,dc=edu'

Any ideas? I think I have attempted to read all published documentation and
discussion groups that pertained to using authsources.php.

Thanks,

John

Olav Morken

Dec 23, 2009, 1:40:54 AM12/23/09
to simple...@googlegroups.com
On Tue, Dec 22, 2009 at 15:50:29 -0600, John W Parker wrote:
> I'm beginning to look at simplesamlphp to use with Google Apps.
> I have it installed and working as far as the "Checking your
> PHP installation" configuration status is concerned. I have
> it authenticating against my Active directory provided I
> authenticate against a particular OU. If I try to enable
> searching, I get different errors depending on how I modify
> the search configuration. I'll detail that later.
>
> All the threads I have seen reference using ldap.php but from my
> reading it is suggested that use of ldap.php will be going away
> and that authsources.php is the correct config file to use so that's
> what I am using. I don't wish to even attempt using ldap.php if
> it's going away.

Mostly the options in ldap.php can also be found in the ldap
configuration in authsources.php, sometimes with a different name. I
see that many are searching for 'sAMAccountName' when using active
directory. It could be worth a try.

> My environment:
[...]


> I am using the account 'testuser' to test authentication.
>
> When I use the correct password for 'search.password', I get the following
> error:
>
> Library - LDAP search(): Failed search on base 'dc=myschool,dc=edu' for
> ' (|(cn=testuser)(uid=testuser))'

Does the user you bind to (search.username) have the required
permissions to be able to search for those attributes?

> When I use an incorrect password for 'search.password', I get the following
> error:
>
> Error authenticating using search username & password
>
> So it appears that it is binding fine, it's just not performing the search
> properly. Is there something wrong with my config? The instructions for
> setting up LDAP authentication don't reference any other config file that
> needs to be modified so I'm not sure what I have missed. Incidentally, the
> dn for the user I'm trying to authenticate is as follows:
>
> cn=testuser,ou=Users,ou=Boynton,ou=ITS,dc=myschool,dc=edu
>
> If I set search.enable to FALSE and set the dnpattern to the following dn,
> authentication works and it returns several attributes for that user:
>
> 'cn=%username%,ou=Users,ou=Boynton,ou=ITS,dc=myschool,dc=edu'
>
> Any ideas? I think I have attempted to read all published documentation and
> discussion groups that pertained to using authsources.php.

1. Check whether the search user has the required permissions. I don't
know enough about active directory to say how this can be tested.
The simplest may be to test with an admin account.
2. Try to search for 'sAMAccountName' instead of 'cn' and 'uid'.

Other than that, I don't have any ideas.

--
Olav Morken

John W Parker

Dec 23, 2009, 10:21:08 AM12/23/09
to simple...@googlegroups.com

I have made the search user a Domain Admin and tested searching on
the sAMAccountName. I get the same response:

Library - LDAP search(): Failed search on base 'dc=myschool,dc=edu' for
'(|(sAMAccountName=testuser))

>2. Try to search for 'sAMAccountName' instead of 'cn' and 'uid'.

I tested searching on the sAMAccountName. I get the same response:

Library - LDAP search(): Failed search on base 'dc=myschool,dc=edu' for
'(|(sAMAccountName=testuser))

>
>Other than that, I don't have any ideas.
>
>--
>Olav Morken

Thanks for responding Olav. I don't know if this helps anyone but when the
search fails, the following information is on the page. I probably should
have included this to begin with.

0: D:\simplesamlphp150\lib\SimpleSAML\Auth\LDAP.php:156
(SimpleSAML_Auth_LDAP::makeException)
1: D:\simplesamlphp150\lib\SimpleSAML\Auth\LDAP.php:214
(SimpleSAML_Auth_LDAP::search)
2: D:\simplesamlphp150\lib\SimpleSAML\Auth\LDAP.php:273
(SimpleSAML_Auth_LDAP::searchfordn)
3: D:\simplesamlphp150\modules\ldap\lib\ConfigHelper.php:182
(sspmod_ldap_ConfigHelper::login)
4: D:\simplesamlphp150\modules\ldap\lib\Auth\Source\LDAP.php:52
(sspmod_ldap_Auth_Source_LDAP::login)
5: D:\simplesamlphp150\modules\core\lib\Auth\UserPassBase.php:159
(sspmod_core_Auth_UserPassBase::handleLogin)
6: D:\simplesamlphp150\modules\core\www\loginuserpass.php:40 (require)
7: D:\simplesamlphp150\www\module.php:137 (N/A)

I appreciate any input that can be provided.

Thanks,

John


Peter Schober

Dec 23, 2009, 10:52:25 AM12/23/09
to simple...@googlegroups.com
* John W Parker <jwpa...@sfasu.edu> [2009-12-22 22:49]:

> authsources.php ldap section (actual names, OUs, etc. have been changed)
>
> 'myschool-ldap' => array(
> 'ldap:LDAP',
[...]

Do you have access to the command line on the machine your SSP code
lives? Then try getting the relevant parameters for an ldap search
correct with ldapsearch(1) and potentially the help of the appropriate
AD forum. Once you know what's right, it's trivial to configure it in
SSP.
-peter

John W Parker

Dec 23, 2009, 11:40:29 AM12/23/09
to simple...@googlegroups.com
When you mention ldapsearch(1), are you referring to the following?

1: D:\simplesamlphp150\lib\SimpleSAML\Auth\LDAP.php:214
(SimpleSAML_Auth_LDAP::search)

If not, please explain ldapsearch(1).

Thanks Peter.

John


Peter Schober

Dec 23, 2009, 12:32:49 PM12/23/09
to simple...@googlegroups.com
* John W Parker <jwpa...@sfasu.edu> [2009-12-23 17:38]:

> When you mention ldapsearch(1), are you referring to the following?
>
> 1: D:\simplesamlphp150\lib\SimpleSAML\Auth\LDAP.php:214
> (SimpleSAML_Auth_LDAP::search)
>
> If not, please explain ldapsearch(1).

For many OSes there is a command line client for using the system's
(or third party's) LDAP libraries, e.g. openldap's.
http://www.openldap.org/software/man.cgi?query=ldapsearch
But since you're stuck on MS-Windows (as your path names suggest) it's
probably too much hassle getting this to work (but I guess Cygwin
would even make that rather easy).

I'd probably write up a simple PHP script that utilises PHP's LDAP API
http://php.net/manual/en/book.ldap.php and print out the return codes
from the LDAP DSA for your connections, and look those up in the RFC
(http://tools.ietf.org/html/rfc4511#appendix-A ).

Also (with an OpenLDAP directory server) I'd usually suggest looking
at the logs of the DSA (or ask the admin to provide the relevant
section), but I have no idea how MS-Active Directory works, where to
tune the logs, etc. -- without knowing what exactly the server returns
it's hard to say what you're doing wrong.

Easiest thing will be to get the MS-Active Directory admin involved
and get the correct search base, scope, filter, search-bind-account
with necessary permissions to perform the search operation,
etc. provided by them (since that's their job). If you are the
MS-Active Directory admin then this is the wrong forum on how to get
started.
There are thousands of applications out there utilising the standard
LDAP protocol as clients. It simply doesn't scale to expect generic
LDAP help from each application acting as a client.
-peter
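A diagnostic script along the lines Peter suggests above, added here as an example; it is not from the thread or from simpleSAMLphp. It assumes the poster's anonymised host and search base, placeholder bind credentials, and the sAMAccountName filter from the thread; it also turns off referral chasing, which the thread does not discuss but which is a common reason a search rooted at an AD domain returns FALSE instead of a result set.

```php
<?php
// Added diagnostic example (not from the thread or simpleSAMLphp).
// Values below mirror the poster's anonymised config; the bind account is a placeholder.
$host     = '144.96.123.123';
$bindDn   = 'search-account@myschool.edu';  // placeholder for search.username (UPN form works with AD)
$bindPw   = 'mypassword';                   // placeholder for search.password
$base     = 'dc=myschool,dc=edu';
$username = 'testuser';

// Escape RFC 4515 filter metacharacters so user-supplied input cannot alter the filter.
// ldap_escape() only exists from PHP 5.6, so this also covers older builds such as 5.2.
function filter_escape($value) {
    return str_replace(
        array('\\', '*', '(', ')', "\0"),
        array('\5c', '\2a', '\28', '\29', '\00'),
        $value
    );
}

// Print the DSA's result code and message; look the code up in RFC 4511 Appendix A.
function fail($ds, $step) {
    fwrite(STDERR, sprintf("%s failed: %d %s\n", $step, ldap_errno($ds), ldap_error($ds)));
    exit(1);
}

$ds = ldap_connect($host);
if (!$ds) { fwrite(STDERR, "ldap_connect failed\n"); exit(1); }
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
// AD hands back referrals for other naming contexts when the search base is the
// domain root; chasing them (the library default) usually fails and ldap_search()
// then returns FALSE even though the bind succeeded.
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

if (!@ldap_bind($ds, $bindDn, $bindPw)) fail($ds, 'bind');

$filter = '(|(sAMAccountName=' . filter_escape($username) . '))';
$result = @ldap_search($ds, $base, $filter, array('dn', 'sAMAccountName', 'cn'));
if ($result === false) fail($ds, 'search');

$entries = ldap_get_entries($ds, $result);
printf("%d entries for %s under %s\n", $entries['count'], $filter, $base);
for ($i = 0; $i < $entries['count']; $i++) {
    echo $entries[$i]['dn'], "\n";   // the DN simpleSAMLphp would bind as in the second step
}
ldap_unbind($ds);
```

Run it from the command line on the web server; a non-zero result code on the search step (rather than the bind step) is what distinguishes a permissions or base/filter problem from bad credentials.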

John W Parker

Dec 23, 2009, 6:09:19 PM12/23/09
to simple...@googlegroups.com

Thank you Peter and Olav for responding. I don't wish to
take up anyone's time if they haven't already done what I
am trying to do. Judging by Peter's semi-lengthy response,
I've taken up more of his time than was my intent. Please,
if you haven't done what I am trying to do, there is no
need to respond. My intent in posting was to save the time
and effort of having to figure this out on my own. I was hoping
that I just overlooked something. That doesn't appear to be
the case so I'll move forward and as soon as I get this working,
I'll respond to my own post.

Thanks,

John


Peter Schober

Dec 24, 2009, 12:05:46 PM12/24/09
to simple...@googlegroups.com
* John W Parker <jwpa...@sfasu.edu> [2009-12-24 00:07]:

> My intent in posting was to save the time
> and effort of having to figure this out on my own.

Until someone wakes up and says "Oh, that problem! Do x in config file
y, that solved it for me" you could try some of the more generic ways
already given to debug LDAP connection problems to solve your own
problem. Such as:

* Ask the MS-AD admin for the correct values. You're just trying to
connect another LDAP client, so let the server people worry about it.
No work, no problem solving competence and no programming involved
on your side.
* Carry over the settings from an existing LDAP client which is already
successfully connecting to your MS-AD DSA.
* Try another LDAP client to get the connection working and then carry
over the working settings to SSP. This may be a graphical client
(free ones for MS-Windows include e.g. LDAP Browser 2.6 or JXplorer),
a simple PHP script, etc. This is a way of seeing that it's not a
problem caused by simpleSAMLphp, hence not really too relevant here.
* Look at the MS-AD instance and find the relevant log entries (or ask
some MS-AD forum or MS-support where to find/enable logging), to
find out what is failing.

> Judging by Peter's semi-lengthy response, I've taken up more of his
> time than was my intent.

Maybe I should have said just this: Unless there's a bug with SSP,
getting the connection/search parameters right for your site is your
own local problem and no one else can help you with that.
That would have saved you some time as well (reading all those
semi-lengthy emails...).
-peter

--
Enlightenment is man’s emergence from his self-imposed immaturity.
Immaturity is the inability to use one’s understanding without
guidance from another. This immaturity is self-imposed when its cause
lies not in lack of understanding, but in lack of resolve and courage
to use it without guidance from another. Kant, 1784
