simpleSAMLphp with Active Directory


bryan_h...@corkcity.ie

Sep 23, 2013, 10:33:13 AM
to simple...@googlegroups.com
I am trying to get simpleSAMLphp working with Active Directory 2008 R2. The following is the config in the authsources.php file.
When I enter a username from AD I receive an HTTP 500 error. I am fairly new to this, so please forgive me if it's a simple fix.

    <?php

    $config = array(

        'default-sp' => array(
            'ldap:LDAP',

            // plain LDAP on port 389, no STARTTLS, with module debugging on
            'hostname' => '10.35.4.1',
            'enable_tls' => FALSE,
            'debug' => TRUE,
            'timeout' => 0,
            'attributes' => NULL,

            // bind DN built directly from the username entered on the login form
            'dnpattern' => 'sAMAccountName=%username%,OU=IS Resources,OU=Directorates,DC=corkcity,DC=local',

            // directory search is disabled, so the search.* values are not used
            'search.enable' => FALSE,
            'search.base' => 'OU=IS Resources,OU=Directorates,DC=corkcity,DC=local',
            'search.attributes' => array('uid', 'mail'),
            'search.username' => 'files...@corkcity.local',
            'search.password' => 'XXXXXXX',

            // privileged account used to read attributes after the user bind
            'priv.read' => TRUE,
            'priv.username' => 'files...@corkcity.local',
            'priv.password' => 'XXXXXXXX',
        ),

    );

Thijs Kinkhorst

Sep 23, 2013, 10:41:42 AM
to simple...@googlegroups.com
On Monday 23 September 2013 16:33:13, bryan_h...@corkcity.ie wrote:
> I am trying to get simpleSAMLphp working with Active Directory 2008 R2. The
> following is the config in the authsources.php file. When I enter a
> username from AD I receive an HTTP 500 error. I am fairly new to this, so
> please forgive me if it's a simple fix.

If you receive a HTTP 500 error, your web server logs should have a clue as to
why the web server decided to generate that Internal Server Error, and hence
where to look for fixing it.


--
Thijs Kinkhorst <th...@uvt.nl> – LIS Unix

Universiteit van Tilburg – Library and IT Services • P.O. Box 90153, 5000 LE
Visiting address: Warandelaan 2 • Tel. 013 466 3035 • G 236 • http://www.uvt.nl

Bryan Humphreys

Sep 23, 2013, 10:44:22 AM
to simple...@googlegroups.com
Thanks, the Apache 2 error log is reporting:


[Mon Sep 23 15:13:29 2013] [error] [client 172.16.34.1] PHP Fatal error: Call to undefined function ldap_set_option() in /usr/share/simplesamlphp/lib/SimpleSAML/Auth/LDAP.php on line 68, referer: https://filesender.corkcity.ie/simplesamlphp/module.php/core/loginuserpass.php?AuthState=_85c977f0c87c8fcf74d77ced35b05eb4adcc074628%3Ahttps%3A%2F%2Ffilesender.corkcity.ie%2Fsimplesamlphp%2Fmodule.php%2Fcore%2Fas_login.php%3FAuthId%3Ddefault-sp%26ReturnTo%3Dhttps%253A%252F%252Ffilesender.corkcity.ie%252Ffilesender%252F
[Mon Sep 23 15:16:13 2013] [error] [client 172.16.34.1] PHP Fatal error: Call to undefined function ldap_set_option() in /usr/share/simplesamlphp/lib/SimpleSAML/Auth/LDAP.php on line 68, referer: https://filesender.corkcity.ie/simplesamlphp/module.php/core/loginuserpass.php?
[Mon Sep 23 15:28:39 2013] [error] [client 172.16.34.1] PHP Fatal error: Call to undefined function ldap_set_option() in /usr/share/simplesamlphp/lib/SimpleSAML/Auth/LDAP.php on line 68, referer: https://filesender.corkcity.ie/simplesamlphp/module.php/core/loginuserpass.php?AuthState=_cac9333536b8f265e4e68418e76b6ccf7ca6644d95%3Ahttps%3A%2F%2Ffilesender.corkcity.ie%2Fsimplesamlphp%2Fmodule.php%2Fcore%2Fas_login.php%3FAuthId%3Ddefault-sp%26ReturnTo%3Dhttps%253A%252F%252Ffilesender.corkcity.ie%252Fsimplesamlphp%252Fmodule.php%252Fcore%252Fauthenticate.php%253Fas%253Ddefault-sp
[Mon Sep 23 15:35:24 2013] [error] [client 172.16.34.1] PHP Fatal error: Call to undefined method sspmod_saml_Auth_Source_SP::getLoginLinks() in /usr/share/simplesamlphp/modules/core/www/loginuserpass.php on line 64, referer: https://filesender.corkcity.ie/simplesamlphp/module.php/core/authenticate.php

Thijs Kinkhorst

Sep 23, 2013, 10:49:30 AM
to simple...@googlegroups.com
On Monday 23 September 2013 16:44:22, Bryan Humphreys wrote:
> Thanks, the Apache 2 error log is reporting:
>
>
> [Mon Sep 23 15:13:29 2013] [error] [client 172.16.34.1] PHP Fatal
> error: Call to undefined function ldap_set_option() in

It seems likely that you are missing the php5-ldap module. I think
simpleSAMLphp's configuration page will indicate the fact that it is missing.

Bryan Humphreys

Sep 23, 2013, 11:11:47 AM
to simple...@googlegroups.com
Thanks a million, I'm getting a bit further.

I'm receiving the following error now:

Error

Incorrect username or password

Either no user with the given username could be found, or the password you gave was wrong. Please check the username and try again.


Bryan Humphreys

Sep 23, 2013, 11:18:58 AM
to simple...@googlegroups.com
Hi Thijs,

I am receiving the following error in the logs:

ldap_create
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.35.4.1:389
ldap_new_socket: 17
ldap_prepare_socket: 17
ldap_connect_to_host: Trying 10.35.4.1:389
ldap_pvt_connect: fd: 17 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x7f884384edc0 msgid 1
wait4msg ld 0x7f884384edc0 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f884384edc0 msgid 1 all 1
** ld 0x7f884384edc0 Connections:
* host: 10.35.4.1 port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Sep 23 16:17:05 2013


** ld 0x7f884384edc0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x7f884384edc0 request count 1 (abandoned 0)
** ld 0x7f884384edc0 Response Queue:
Empty
ld 0x7f884384edc0 response count 0
ldap_chkResponseList ld 0x7f884384edc0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f884384edc0 NULL
ldap_int_select
read1msg: ld 0x7f884384edc0 msgid 1 all 1
read1msg: ld 0x7f884384edc0 msgid 1 message type bind
read1msg: ld 0x7f884384edc0 0 new referrals
read1msg: mark request completed, ld 0x7f884384edc0 msgid 1
request done: ld 0x7f884384edc0 msgid 1
res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
ldap_err2string
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed


Glenn Wearen

Sep 23, 2013, 11:51:22 AM
to simple...@googlegroups.com
Hi Bryan
At what point are you getting this, after the login page appears perhaps?
Glenn

Bryan Humphreys

Sep 23, 2013, 11:52:33 AM
to simple...@googlegroups.com
Hi Glenn,
After the login page

Regards
Bryan

Peter Schober

Sep 23, 2013, 11:52:48 AM
to simple...@googlegroups.com
* Bryan Humphreys <bryan_h...@corkcity.ie> [2013-09-23 17:19]:
> res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1>, res_matched: <>

FYI, 49 is simply the RFC-defined result code for
"invalidCredentials" (i.e., username or password incorrect).

The rest of that line is proprietary to your LDAP implementation but
doesn't add any more information anyway ("data 52e" means "invalid
credentials" according to some resources on the net).

So that all tells you what you already knew. Are you sure the
username (DN or whatever MS-AD accepts instead of that) and password
are correct? Can you connect to MS-AD with other tools, PHP or not?
-peter

Glenn Wearen

Sep 23, 2013, 11:56:42 AM
to simple...@googlegroups.com
Have you tried enabling debug logging (http://simplesamlphp.org/docs/1.8/statistics)? Handled errors will be written to the log file or syslog (unhandled ones will go to the Apache error log).
Regards
Glenn

John Danner

Sep 23, 2013, 3:12:18 PM
to simple...@googlegroups.com
I believe your search.username will need to be the LDAP FQDN of the search user cn=xxx,ou=xxx,dc=xxx


Daniel Tsosie

Sep 25, 2013, 3:48:39 PM
to simple...@googlegroups.com
Make sure to try

'referrals' => FALSE,

in your authsources.

As per the brilliant patch author, it may be required to interact with AD controllers :)
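Tying together Peter's point about result code 49 / "data 52e", John's note that the bind identity must be a proper DN, and the 'referrals' => FALSE tip above, here is an added example (not code from the thread or from simpleSAMLphp) that does the same simple bind the ldap:LDAP source does and turns AD's diagnostic sub-code into something useful for the server log while keeping the browser message generic. It assumes the php-ldap extension is installed, uses placeholder host and DN values, and extends the 52e case to AD's other documented bind sub-codes.

```php
<?php
// Added example, not from the thread or simpleSAMLphp: the simple bind the ldap:LDAP
// auth source performs, with the settings the replies recommend, plus a mapping of
// AD's "data NNN" sub-code for the server log. Assumes php-ldap; host and DN are placeholders.

// Hex sub-codes AD appends after "data " in its diagnostic message; 52e is the one in the
// thread, the others are AD's remaining documented bind failure reasons.
const AD_BIND_SUBCODES = [
    '525' => 'user not found',
    '52e' => 'invalid credentials',
    '530' => 'not permitted to log on at this time',
    '531' => 'not permitted to log on from this workstation',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked out',
];

// Result code + diagnostic string -> a detailed message for the server log and one fixed
// message for the browser, so the login form never reveals which reason applied.
function classifyBindFailure(int $errno, string $diag): array
{
    $detail = ldap_err2string($errno);              // textual form of the RFC result code
    if ($errno === 49 && preg_match('/data ([0-9a-f]+)/i', $diag, $m)) {
        $sub = strtolower($m[1]);
        $detail .= ", AD data $sub: " . (AD_BIND_SUBCODES[$sub] ?? 'unknown sub-code');
    }
    return ['ok' => false, 'log' => $detail, 'user' => 'Incorrect username or password'];
}

function tryAdBind(string $host, string $bindDn, string $password): array
{
    // AD answers a bind with an empty password as a successful anonymous bind, so refuse it here.
    if ($password === '') {
        return ['ok' => false, 'log' => 'empty password refused before bind', 'user' => 'Incorrect username or password'];
    }
    $ld = ldap_connect('ldap://' . $host);          // port 389 as in the thread; prefer ldaps:// in production
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);    // the 'referrals' => FALSE advice from the thread
    if (@ldap_bind($ld, $bindDn, $password)) {
        ldap_unbind($ld);
        return ['ok' => true, 'log' => "bind as $bindDn succeeded", 'user' => ''];
    }
    $errno = ldap_errno($ld);
    ldap_get_option($ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag); // LDAP_OPT_ERROR_STRING on older PHP
    return classifyBindFailure($errno, (string) $diag);
}

// Constructed sample: the diagnostic line from the thread, classified offline.
$sample = classifyBindFailure(49, '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1');
error_log($sample['log']);
```

Only the 'log' element should reach the server log; the 'user' element is what the login page shows, so an attacker probing usernames sees the same text for every failure.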

