LDAP Users OU or GROUP

Swinomish

New member
Hello,

I am trying to configure LDAP for my instance of DaDaBIK; I cannot seem to get it to connect using an OU or a group.

The install guide seems to suggest an OU as the source of the users.

I would prefer to use an AD group and have the users within that group.

In either scenario I cannot seem to get a login to work.

I've turned on debugging and get this error:

Attempt to bind on ldap://xxxx.xxx.com:389 with user defined by cn=xxxx,XXX IT=ou,dc=XXX,dc=COM. The connection object is: object(LDAP\Connection)#3 (0) { } The bind result is: bool(false)

The script will be terminated


I've also tried LDAP on port 389 and LDAPS on port 636

with the same results

Any advice would be appreciated.

Thanks,
Sam

System info
PHP Version: 8.2.17
mysql version: 10.11.7-MariaDB
Web server: Apache/2.4.37 (AlmaLinux)
 

eugenio

Administrator
Staff member
Hello Sam,
The first part of your message is not clear to me. In the documentation about the LDAP base DN (the $ldap_base_dn_ar config parameter), the base DN reported is just an example.

I don't know if this helps, but V 11.4 has introduced some changes for LDAP (check the changelog). I paste here the config documentation about the new parameter $ldap_binding_type:

Code:
// $ldap_binding_type can be 'classic' (default option) or 'ad' (which stands for Active Directory).
// 'classic' means that the binding will be done using the base dn specified later in $ldap_base_dn_ar, together with the $ldap_username_field and the username specified in the login form, for example something like cn=paul,ou=Users,DC=example,DC=com
// 'ad' is an alternative syntax, the binding will be done using just the username (e.g. "paul") or the username preceded by a prefix and a backslash  (e.g. "mysubtree\paul"). You can set the prefix with $ldap_binding_prefix. Please note that DaDaBIK ASSUMES that USERNAMES ARE UNIQUE
$ldap_binding_type = 'classic';

Best,
 
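As an added illustration of the two binding modes described in the config comment above (example code written for this thread, not DaDaBIK's own implementation, which lives in include/general_functions.php and is not reproduced here): the functions below assemble the bind identity and the post-login lookup filter from settings shaped like `$ldap_base_dn_ar`, `$ldap_username_field` and `$ldap_binding_prefix`, and show why `$enable_ldap_escape_dn` and `$enable_ldap_escape_filter` matter. The function names and the sample values are this example's own assumptions.

```php
<?php
// Added example (not DaDaBIK code): assemble the string handed to ldap_bind()
// from DaDaBIK-style settings, so you can see the exact bind identity before
// involving a server. Function and parameter names are this example's own.

/**
 * Build the identity used for ldap_bind().
 *
 * 'classic': <username_field>=<username>,<base dn>  e.g. cn=paul,ou=Users,dc=example,dc=com
 * 'ad':      <prefix><username>                     e.g. mysubtree\paul
 */
function build_bind_identity(
    string $binding_type,
    string $username,        // what the user typed in the login form: untrusted input
    array  $base_dn_ar,      // [['attribute_name' => 'ou', 'attribute_value' => 'Users'], ...]
    string $username_field,
    string $binding_prefix,  // documented as "already escaped", so it is used verbatim
    bool   $escape_dn = true
): string {
    // DN escaping turns the characters that delimit a DN (',', '=', '+', '<', '>',
    // ';', '"', '#', '\') into \hh sequences so user input cannot add or alter an RDN.
    $user = $escape_dn ? ldap_escape($username, '', LDAP_ESCAPE_DN) : $username;

    if ($binding_type === 'ad') {
        return $binding_prefix . $user;
    }

    $rdns = [$username_field . '=' . $user];
    foreach ($base_dn_ar as $component) {
        $value = $escape_dn
            ? ldap_escape($component['attribute_value'], '', LDAP_ESCAPE_DN)
            : $component['attribute_value'];
        $rdns[] = $component['attribute_name'] . '=' . $value;
    }
    return implode(',', $rdns);
}

/**
 * Build the filter used to look the user up after a successful bind (the lookup
 * behind $ldap_copy_users_data). Filter escaping is a different character set
 * from DN escaping: '(', ')', '*', '\' and NUL.
 */
function build_user_filter(string $username_field, string $username, bool $escape_filter = true): string
{
    $user = $escape_filter ? ldap_escape($username, '', LDAP_ESCAPE_FILTER) : $username;
    return '(' . $username_field . '=' . $user . ')';
}

// Constructed sample settings modelled on the values quoted in this thread.
$base_dn_ar = [
    ['attribute_name' => 'ou', 'attribute_value' => 'NLC IT'],
    ['attribute_name' => 'dc', 'attribute_value' => 'nlc'],
    ['attribute_name' => 'dc', 'attribute_value' => 'com'],
];

echo build_bind_identity('classic', 'sshinn', $base_dn_ar, 'cn', 'NLC\\'), PHP_EOL;
echo build_bind_identity('ad', 'sshinn', $base_dn_ar, 'cn', 'NLC\\'), PHP_EOL;

// A crafted username that tries to move the bind into another branch, and one
// that tries to widen the lookup filter; compare the output with escaping on and off.
$hostile_dn_user     = 'sshinn,ou=Admins';
$hostile_filter_user = 'sshinn)(objectClass=*';
echo build_bind_identity('classic', $hostile_dn_user, $base_dn_ar, 'cn', 'NLC\\', true), PHP_EOL;
echo build_bind_identity('classic', $hostile_dn_user, $base_dn_ar, 'cn', 'NLC\\', false), PHP_EOL;
echo build_user_filter('cn', $hostile_filter_user, true), PHP_EOL;
echo build_user_filter('cn', $hostile_filter_user, false), PHP_EOL;
```

With escaping on, the comma and equals sign in the crafted username come out as `\2c` and `\3d`, so the DN still has exactly one user RDN followed by the configured base; with it off, the same input produces a DN with an extra `ou=Admins` component, which is why the config tells you to supply pre-escaped values when you disable the option. Each index of `$ldap_base_dn_ar` holds one RDN, in DN order, so assigning `$ldap_base_dn_ar[0]` a second time replaces the first component rather than adding one.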

Swinomish

New member
Eugenio,

At your suggestion I tried the 'ad' option and set the ($ldap_base_dn_ar config) parameters, with the same results.

I have set up LDAP connections before; in those cases there is an LDAP bind account configuration that enables the authentication.

It seems, from what I have read in the forums, that DaDaBIK does not use an LDAP bind account; the user's credentials create the bind and authenticate simultaneously.

I get this same error when I put in a bad password as well:

Attempt to bind on ldap://zeus.xxx.com:389 with user defined by XXX\user. The connection object is: object(LDAP\Connection)#3 (0) { } The bind result is: bool(false)

The script will be terminated


Thanks
Sam

 

eugenio

Administrator
Staff member
Hello,
DaDaBIK uses LDAP bind, but the bind is done with the account you enter in the login form.

Best,
 

Swinomish

New member
Hi,

Understood. I've tried both 'ad' and 'classic'.

Both fail. Including the LDAP 'ad' parameters:

---------

Attempt to bind on ldap://zeus.nlc.com:389 with user defined by NLC\sshinn. The connection object is: object(LDAP\Connection)#3 (0) { } The bind result is: bool(false)

The script will be terminated



// LDAP parameters
///////////////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////////////

// enable LDAP authentication (0|1), if 1, an "LDAP authentication" checkbox will be displayed below the log-in form; you can avoid setting the other LDAP parameters if LDAP authentication is disabled; please note that in a DaDaBIK application usernames must be unique, you can't have two users having the same username, even if one is a regular DaDaBIK user and the other an LDAP user; please also note that DaDaBIK WON'T WORK properly if you use both LDAP authentication and your own custom users/groups table (not the default one), if you decide to use your own custom users/groups table, $enable_ldap_authentication must be 0
$enable_ldap_authentication = 1;

// if set_ldap_authentication_as_default is 1 (and ldap authentication is enabled), the "LDAP authentication" checkbox is checked by default
$set_ldap_authentication_as_default = 0;

// LDAP host URI, e.g. 'ldap://ldap.yourdomain.net' or 'ldaps://ldap.yourdomain.net'
$ldap_host = 'ldap://zeus.nlc.com';

// LDAP port, 389 is the default one
$ldap_port = '389';

// $ldap_binding_type can be 'classic' (default option) or 'ad' (which stands for Active Directory).
// 'classic' means that the binding will be done using the base dn specified later in $ldap_base_dn_ar, together with the $ldap_username_field and the username specified in the login form, for example something like cn=paul,ou=Users,DC=example,DC=com
// 'ad' is an alternative syntax, the binding will be done using just the username (e.g. "paul") or the username preceded by a prefix and a backslash (e.g. "mysubtree\paul"). You can set the prefix with $ldap_binding_prefix. Please note that DaDaBIK ASSUMES that USERNAMES ARE UNIQUE
$ldap_binding_type = 'ad';

$ldap_binding_prefix = 'NLC\\'; // e.g. if you set this parameter to 'mysubtree\\', $ldap_binding_type to 'ad' and the user fills the username field in the login form with 'paul', the binding will be done with: mysubtree\paul (and the password specified by the user); if $ldap_binding_type is 'classic', this parameter is not considered. If any character contained in $ldap_binding_prefix needs to be escaped, you have to provide the string already escaped

// enable the use of ldap_escape for DN (username of the user when used for ldap_bind, attribute values in $ldap_base_dn_ar )
// the details of the escaped function used are in ldap_apply_escape_if_enabled_dn() (file /include/general_functions.php)
// if $enable_ldap_escape_dn is 0, you should provide values correctly escaped
$enable_ldap_escape_dn = 1;

// enable the use of ldap_escape for filter (username of the user when used as a filter for ldap_search)
// the details of the escaped function used are in ldap_apply_escape_if_enabled_filter() (file /include/general_functions.php)
// if $enable_ldap_escape_filter is 0, you should provide values correctly escaped
$enable_ldap_escape_filter = 1;


// LDAP base dn, e.g. if your base dn is 'ou=Users,dc=yourdomain,dc=net', your settings for this parameter must be

$ldap_base_dn_ar[0]['attribute_name'] = 'ou';
$ldap_base_dn_ar[0]['attribute_value'] = 'NLC IT';
$ldap_base_dn_ar[1]['attribute_name'] = 'dc';
$ldap_base_dn_ar[1]['attribute_value'] = 'nlc';
$ldap_base_dn_ar[2]['attribute_name'] = 'dc';
$ldap_base_dn_ar[2]['attribute_value'] = 'com';

// add as many element as you need
// Please note that under the branch defined by base dn (and also by ldap_binding_prefix, if you use 'ad' binding type) DaDaBIK ASSUMES that USERNAMES (values of $ldap_username_field, see later) ARE UNIQUE, please also note that DaDaBIK doesn't work properly if usernames or base dn attribute values contain forward slashes ("/")

$ldap_base_dn_ar[0]['attribute_name'] = 'NLC IT';
$ldap_base_dn_ar[0]['attribute_value'] = 'ou';

// LDAP default group: after LDAP authentication, the authenticated user is also inserted into the dadabik users table, here you can choose in which group you want to add them by default
$ldap_default_id_group = '2';

// LDAP attribute's name for username, e.g. 'cn' or 'uid'
$ldap_username_field = 'cn';

// enable the local copy of LDAP users data (0|1), if 1, after LDAP authentication, not only the username but also name and email of the user, retrieved from the LDAP server, are copied into the local dadabik users list
$ldap_copy_users_data = 1;

// next three parameters are needed only if $ldap_copy_users_data = 1
// LDAP attribute's name for first name
$ldap_first_name_field = 'givenName';

// LDAP attribute's name for last name
$ldap_last_name_field = 'sn';

// LDAP attribute's name for email
$ldap_email_field = 'mail';

// enable LDAP debug mode: in case the login/bind process doesn't work as expected, you can set this parameter to 1 to see some debug information. Don't set it to 1 in a production application because it can reveal security-related information
$enable_ldap_debug_mode = 1;
 

Swinomish

New member
Classic LDAP parameters:

----------------
Attempt to bind on ldap://zeus.nlc.com:389 with user defined by cn=sshinn,ou=NLC IT,dc=nlc,dc=com. The connection object is: object(LDAP\Connection)#3 (0) { } The bind result is: bool(false)

The script will be terminated


// LDAP parameters
///////////////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////////////

// enable LDAP authentication (0|1), if 1, an "LDAP authentication" checkbox will be displayed below the log-in form; you can avoid setting the other LDAP parameters if LDAP authentication is disabled; please note that in a DaDaBIK application usernames must be unique, you can't have two users having the same username, even if one is a regular DaDaBIK user and the other an LDAP user; please also note that DaDaBIK WON'T WORK properly if you use both LDAP authentication and your own custom users/groups table (not the default one), if you decide to use your own custom users/groups table, $enable_ldap_authentication must be 0
$enable_ldap_authentication = 1;

// if set_ldap_authentication_as_default is 1 (and ldap authentication is enabled), the "LDAP authentication" checkbox is checked by default
$set_ldap_authentication_as_default = 0;

// LDAP host URI, e.g. 'ldap://ldap.yourdomain.net' or 'ldaps://ldap.yourdomain.net'
$ldap_host = 'ldap://zeus.nlc.com';

// LDAP port, 389 is the default one
$ldap_port = '389';

// $ldap_binding_type can be 'classic' (default option) or 'ad' (which stands for Active Directory).
// 'classic' means that the binding will be done using the base dn specified later in $ldap_base_dn_ar, together with the $ldap_username_field and the username specified in the login form, for example something like cn=paul,ou=Users,DC=example,DC=com
// 'ad' is an alternative syntax, the binding will be done using just the username (e.g. "paul") or the username preceded by a prefix and a backslash (e.g. "mysubtree\paul"). You can set the prefix with $ldap_binding_prefix. Please note that DaDaBIK ASSUMES that USERNAMES ARE UNIQUE
$ldap_binding_type = 'classic';

$ldap_binding_prefix = 'NLC\\'; // e.g. if you set this parameter to 'mysubtree\\', $ldap_binding_type to 'ad' and the user fills the username field in the login form with 'paul', the binding will be done with: mysubtree\paul (and the password specified by the user); if $ldap_binding_type is 'classic', this parameter is not considered. If any character contained in $ldap_binding_prefix needs to be escaped, you have to provide the string already escaped

// enable the use of ldap_escape for DN (username of the user when used for ldap_bind, attribute values in $ldap_base_dn_ar )
// the details of the escaped function used are in ldap_apply_escape_if_enabled_dn() (file /include/general_functions.php)
// if $enable_ldap_escape_dn is 0, you should provide values correctly escaped
$enable_ldap_escape_dn = 1;

// enable the use of ldap_escape for filter (username of the user when used as a filter for ldap_search)
// the details of the escaped function used are in ldap_apply_escape_if_enabled_filter() (file /include/general_functions.php)
// if $enable_ldap_escape_filter is 0, you should provide values correctly escaped
$enable_ldap_escape_filter = 1;


// LDAP base dn, e.g. if your base dn is 'ou=Users,dc=yourdomain,dc=net', your settings for this parameter must be

$ldap_base_dn_ar[0]['attribute_name'] = 'ou';
$ldap_base_dn_ar[0]['attribute_value'] = 'NLC IT';
$ldap_base_dn_ar[1]['attribute_name'] = 'dc';
$ldap_base_dn_ar[1]['attribute_value'] = 'nlc';
$ldap_base_dn_ar[2]['attribute_name'] = 'dc';
$ldap_base_dn_ar[2]['attribute_value'] = 'com';

// add as many element as you need
// Please note that under the branch defined by base dn (and also by ldap_binding_prefix, if you use 'ad' binding type) DaDaBIK ASSUMES that USERNAMES (values of $ldap_username_field, see later) ARE UNIQUE, please also note that DaDaBIK doesn't work properly if usernames or base dn attribute values contain forward slashes ("/")

// $ldap_base_dn_ar[0]['attribute_name'] = 'ou';
// $ldap_base_dn_ar[0]['attribute_value'] = 'NLC IT';

// LDAP default group: after LDAP authentication, the authenticated user is also inserted into the dadabik users table, here you can choose in which group you want to add them by default
$ldap_default_id_group = '2';

// LDAP attribute's name for username, e.g. 'cn' or 'uid'
$ldap_username_field = 'cn';

// enable the local copy of LDAP users data (0|1), if 1, after LDAP authentication, not only the username but also name and email of the user, retrieved from the LDAP server, are copied into the local dadabik users list
$ldap_copy_users_data = 1;

// next three parameters are needed only if $ldap_copy_users_data = 1
// LDAP attribute's name for first name
$ldap_first_name_field = 'givenName';

// LDAP attribute's name for last name
$ldap_last_name_field = 'sn';

// LDAP attribute's name for email
$ldap_email_field = 'mail';

// enable LDAP debug mode: in case the login/bind process doesn't work as expected, you can set this parameter to 1 to see some debug information. Don't set it to 1 in a production application because it can reveal security-related information
$enable_ldap_debug_mode = 1;
 

eugenio

Administrator
Staff member
This means that the user sshinn is not allowed to bind and/or the server where DaDaBIK is running cannot reach (for network or other issues) ldap://zeus.nlc.com:389.

Best,
 

Swinomish

New member
I can connect from the DaDaBIK server to the LDAP server over SSH using ldapsearch.

It lists all of the user group memberships, far too many to post here.


[root@matrix ~]# ldapsearch -x -h zeus.nlc.com -p 389 -D "sshinn@nlc.com" -W -b "dc=nlc,dc=com" cn
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=nlc,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: cn
#

# nlc.com
dn: DC=nlc,DC=com

# NLC IT Users, nlc.com
dn: OU=NLC IT Users,DC=nlc,DC=com
 

eugenio

Administrator
Staff member
Are you executing ldapsearch from the same server where DaDaBIK is running?
I would test the PHP LDAP binding capabilities by running, on the same server, a generic binding script in PHP; you can find something here:

Best,
 
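An added bind probe for the test suggested above (written for this thread; it is not DaDaBIK code and not the script eugenio links). It runs on the DaDaBIK host with the same PHP ldap extension the application uses, forces LDAPv3, tries the same account in the forms discussed in the thread (the `NLC\user` prefix form, the `user@nlc.com` form that worked with `ldapsearch -D`, and DN forms under both `ou=NLC IT` from the config and `ou=NLC IT Users` as it appears in the ldapsearch output), and prints the server's diagnostic message for each attempt. The host, domain prefix, UPN suffix, OU names and the use of `sAMAccountName` are assumptions taken from this thread and from standard Active Directory behaviour; edit them for your directory.

```php
<?php
// Added example, not DaDaBIK code: a bind probe for the DaDaBIK host.
// Host, domain prefix, UPN suffix and OU names are assumptions taken from the
// thread; sAMAccountName is the standard AD logon-name attribute.
//
// Usage:  LDAP_PROBE_PASSWORD='...' php ldap_bind_probe.php 'ldap://zeus.nlc.com:389' sshinn
// (the password comes from the environment so it is not left in shell history
// or shown in the process list)

$uri      = $argv[1] ?? 'ldap://zeus.nlc.com:389';
$username = $argv[2] ?? 'sshinn';
$password = getenv('LDAP_PROBE_PASSWORD') ?: '';

if ($password === '') {
    // A simple bind with an empty password is an unauthenticated bind, which
    // AD accepts by default; it must never be mistaken for a successful login.
    fwrite(STDERR, "Set LDAP_PROBE_PASSWORD first; refusing to bind with an empty password.\n");
    exit(2);
}

// Candidate identities for one account. Which of them binds tells you which
// DaDaBIK mode and base DN to configure. A DN bind needs the object's real RDN:
// in AD that is cn=<object name>, usually the display name, whereas DOMAIN\user
// and user@domain are resolved from the logon name (sAMAccountName / UPN).
$identities = [
    'ad  DOMAIN\\user'        => 'NLC\\' . $username,
    'UPN user@domain'         => $username . '@nlc.com',
    'classic ou=NLC IT'       => 'cn=' . $username . ',ou=NLC IT,dc=nlc,dc=com',
    'classic ou=NLC IT Users' => 'cn=' . $username . ',ou=NLC IT Users,dc=nlc,dc=com',
];

foreach ($identities as $label => $who) {
    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        fwrite(STDERR, "ldap_connect() rejected URI $uri\n");
        exit(2);
    }
    // libldap may default to LDAPv2; binds to AD then fail with "Protocol error".
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);        // AD answers subtree searches with referrals
    ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 5);  // fail fast on a firewall drop instead of hanging

    // Optional: protect the password on a plain ldap:// connection with STARTTLS
    // (needs a server certificate the client trusts; ldaps:// URIs are already encrypted).
    if (getenv('LDAP_PROBE_STARTTLS') && !@ldap_start_tls($ldap)) {
        fwrite(STDERR, 'STARTTLS failed: ' . ldap_error($ldap) . "\n");
        exit(2);
    }

    $ok   = @ldap_bind($ldap, $who, $password);  // false on failure; the E_WARNING is suppressed
    $diag = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);

    printf("%-26s %-48s => %s (errno %d: %s)%s\n",
        $label, $who, $ok ? 'BIND OK' : 'bind FAILED',
        ldap_errno($ldap), ldap_error($ldap),
        $diag !== '' ? "\n    server says: $diag" : '');
    // AD's diagnostic message carries a "data NNN" code that separates the causes:
    // 52e wrong password, 525 user not found, 533 account disabled,
    // 532 password expired, 773 must change password, 775 locked out.

    if ($ok) {
        // Repeat the post-bind lookup DaDaBIK needs for $ldap_copy_users_data,
        // with the username escaped as filter text so it cannot alter the filter.
        $filter = '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
        $res    = ldap_search($ldap, 'dc=nlc,dc=com', $filter, ['cn', 'givenName', 'sn', 'mail']);
        if ($res !== false) {
            foreach (ldap_get_entries($ldap, $res) as $entry) {
                if (is_array($entry) && isset($entry['dn'])) {
                    printf("    found %s (cn=%s)\n", $entry['dn'], $entry['cn'][0] ?? '?');
                }
            }
        }
    }
    ldap_unbind($ldap);
}
```

Two things the output makes visible that the DaDaBIK debug line does not: the server's own reason for refusing the bind, and the DN the account actually has (printed from the search once some form binds), which is what the 'classic' mode must reproduce from `$ldap_username_field` plus `$ldap_base_dn_ar`. The "Vendor Name OpenLDAP" shown by phpinfo() describes the client library PHP is linked against, not the directory you are binding to. Because DaDaBIK sends the user's own password in the bind, run it over ldaps:// or STARTTLS in production and set `$enable_ldap_debug_mode` back to 0 once the problem is found.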

Swinomish

New member
I've run a test script. I get this result:

Connection successful
LDAP bind failed...

Still stumped, but not giving up yet.

PHP Version 8.2.17 (info)

LDAP section of phpinfo():

LDAP Support      enabled
Total Links       0/unlimited
API Version       3001
Vendor Name       OpenLDAP
Vendor Version    20446
SASL Support      Enabled

Directive         Local Value   Master Value
ldap.max_links    Unlimited     Unlimited

Thanks,
Sam

 