LDAP / Active directory



Need help in setting up LDAP with Active Directory

I'm using the TikiWiki 1.10 beta version and I can't get it working with PEAR::Auth.
LDAP Host: IP of win server with active directory
LDAP Port: 389
LDAP Scope: sub
LDAP Base DN: dc=company,dc=lv
LDAP User DN: ou=Users
LDAP User Attribute: sAMAccountName
LDAP User OC: *
LDAP Group DN: blank
LDAP Group Attribute: cn
LDAP Group OC: uniqueMember
LDAP Member Attribute: uniqueMember
LDAP Member Is DN: n
LDAP Admin User: username
LDAP Admin Pwd: userpassword
LDAP Version: 3
LDAP Realname Attribute: displayName


I'm using PHP 5.2.6 with OpenLDAP, MySQL 5.0.45, Apache 2.2.4, Windows XP SP3.

And when I debugged, I came to the error message "Couldn't not bind LDAP server".


Ice_Raven, can you try specifying a DN for the "LDAP Admin user"?

Also, do you see any evidence on the security log of the LDAP Admin user trying to authenticate?

\\Greg

Server log shows that authentication succeeded :/

I've managed to connect to Active Directory (stopped receiving "Could not bind LDAP..."), but I get that the user is invalid.
My connection settings now are:
LDAP Host: Server IP
LDAP Port: 389
LDAP Scope: sub
LDAP Base DN: cn=Users,dc=company,dc=com
LDAP User Attribute: sAMAccountName
LDAP User OC: User
LDAP Member Is DN: n
LDAP Admin User: adsearch adsearch (this is the username, I think, because the admin is offline)
LDAP Admin Pwd: password
LDAP Version: 3
LDAP Realname Attribute: displayName

Well, I've managed to get it working with these settings, but there was a bug.
Even if I found a user and its password was correct, in the parameters returned from list($isvalid, $user, $error) = $userlib->validate_user($user, $pass, $challenge, $response); $isvalid was always false. In the userlib function validate_user there was no check that the user is authenticated by LDAP, and it always returned false. I fixed it by adding

elseif ($userAuth && $userAuthPresent)
    return array($userAuth, $user, $result);

in the branch

// if the user was logged into Auth but not found in Tiki
elseif ($userAuth && !$userTikiPresent)

LDAP Host: Server IP
LDAP Port: 389
LDAP Scope: sub
LDAP Base DN: cn=Users,dc=company,dc=com
LDAP User Attribute: sAMAccountName
LDAP User OC: User
LDAP Member Is DN: n
LDAP Admin User: username (display name)
LDAP Admin Pwd: password
LDAP Version: 3
LDAP Realname Attribute: displayName



If I understood the configuration correctly, TikiWiki creates a new user in its DB by copying it from LDAP; if "Create user if not in Tiki?" is false, then a user couldn't log in to the system using LDAP.


All I know from our admin is that Active Directory is configured with default settings :/

Where exactly did you find that code? It's listed differently in my userslib.php.

```php
// next see if we need to check LDAP
else {
    // check the user account
    $result = $this->validate_user_auth($user, $pass);
    switch ($result) {
        case USER_VALID:
            $userAuth = true;
            $userAuthPresent = true;
            break;
        case PASSWORD_INCORRECT:
            $userAuthPresent = true;
            break;
    }

    // start off easy
    // if the user verified in Tiki and Auth, log in
    if ($userAuth && $userTiki) {
        return array($this->update_lastlogin($user), $user, $result);
    }
    // if the user wasn't found in either system, just fail
    elseif (!$userTikiPresent && !$userAuthPresent) {
        return array(false, $user, $result);
    }
    // if the user was logged into Tiki but not found in Auth
    elseif ($userTiki && !$userAuthPresent) {
        // see if we can create a new account
        if ($create_auth) {
            // need to make this better! *********************************************************
            $result = $this->create_user_auth($user, $pass);
            // if it worked ok, just log in
            if ($result == USER_VALID)
                // before we log in, update the login counter
                return array($this->update_lastlogin($user), $user, $result);
            // if the server didn't work, do something!
            elseif ($result == SERVER_ERROR) {
                // check the notification status for this type of error
                return array(false, $user, $result);
            }
            // otherwise don't log in.
            else
                return array(false, $user, $result);
        }
        // otherwise
        else
            // just say no!
            return array(false, $user, $result);
    }
    // if the user was logged into Auth but not found in Tiki
    elseif ($userAuth && !$userTikiPresent) {
        // see if we can create a new account
        if ($create_tiki) {
            // need to make this better! *********************************************************
            $result = $this->add_user($user, $pass, '');
            // if it worked ok, just log in
            if ($result == USER_VALID) {
                // before we log in, update the login counter
                return array($this->update_lastlogin($user), $user, $result);
            }
            // if the server didn't work, do something!
            elseif ($result == SERVER_ERROR) {
                // check the notification status for this type of error
                return array(false, $user, $result);
            }
            // otherwise don't log in.
            else
                return array(false, $user, $result);
        }
        // otherwise
        else
            // just say no!
            return array(false, $user, $result);
    }
    // if the user was logged into Auth and found in Tiki (no password in Tiki user table necessary)
    elseif ($userAuth && $userTikiPresent)
        return array($this->update_lastlogin($user), $user, $result);
}
// we will never get here
return array(false, $user, $result);
}
```



I'm pretty new to the game, but I would definitely like to know how you got LDAP working if at all possible.



ejohnson - a couple questions

- what version of tikiwiki are you running?
- assuming you are just trying to login, what errors are you seeing?
- is there anything in the LDAP log?
- what LDAP are you using
- Can you post your config here?

\\Greg

I'm running 1.10b.

I'm seeing "Invalid password" no matter what user I try (except for admin).

Where would I find the LDAP log?

I believe I'm using LDAP v3 - is there a simple check?

I'm not sure which config you are asking for?

For my Pear::Auth I have:

Create user if not in Tiki? y
Create user if not in Auth? n
Just use Tiki auth for admin? y
LDAP URL: 192.168.1.6
LDAP Host: _blank_
LDAP Port: _blank_
LDAP Scope: sub
LDAP Base DN: dc=***,dc=local
LDAP User DN: OU=***,OU=***,OU=***
LDAP User Attribute: sAMAccountName
LDAP User OC: *
LDAP Group DN: _blank_
LDAP Group Attribute: cn
LDAP Group OC: _blank_
LDAP Member Attribute: _blank_
LDAP Member Is DN: n
LDAP Admin User: _blank_
LDAP Admin Pwd: _blank_
LDAP Version: 3
LDAP Realname Attribute: name

My issue so far is that tikiwiki doesn't seem to be binding correctly.

Using ldp.exe, I can successfully connect, but I then have to explicitly bind. Using MS Network Monitor 3.1 I see the following happen every time:

LDAP: Bind Request, MessageID: 1, Version: 3
LDAP: Bind Response, MessageID: 1, Status: Success
LDAP: Search Request, MessageID: 2, BaseObject: OU=***,OU=***,OU=***,dc=***,dc=local, SearchScope: WholeSubtree, SearchAlias: neverDerefAliases
LDAP: search Result Done, MessageID: 2, Status: Operations Error
LDAP: Unbind Request, MessageID: 3


I've tried using the Admin password, but not with the OUs; not sure if that matters.


ejohnson:

Sorry for not being clearer. When I asked for logs, I was asking whether the ldap server was telling you anything (failed logins, etc)

Looking closer, it appears you are using Active Directory. If so, that's a special case. AD does not allow anonymous lookups in the directory by default; in this case you must specify the admin user DN & password. (Note: the user you enter there does NOT need admin privileges in AD; a simple user account will do.)
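The capture above (bind succeeds, then the search fails with "Operations Error") and Greg's explanation of it describe the same thing: Active Directory rejects searches on a connection that has not done an authenticated bind, so a login path has to bind with a low-privilege service account first, search for the user, and only then bind as the user to check the password. The following is an added example of that sequence in plain PHP (ext/ldap, PHP 7.1+); it is not TikiWiki or PEAR::Auth code. The host, base DN, service-account DN and password are placeholders. AD also accepts the service account as DOMAIN\user or user@domain in the bind name, which is why the ***\ejohnson form worked in the thread.

```php
<?php
// Added example, not TikiWiki/PEAR::Auth code. Values below are assumptions
// for illustration; replace them with your own directory's settings.
const LDAP_URI    = 'ldap://192.168.1.6';                        // assumption: your DC
const BASE_DN     = 'dc=company,dc=com';                         // assumption
const SVC_BIND_DN = 'CN=adsearch,CN=Users,dc=company,dc=com';    // assumption: ordinary user, not a domain admin
const SVC_BIND_PW = 'service-account-password';                  // assumption: keep it out of the web root

/**
 * RFC 4515 filter escaping so a login name such as "*)(objectClass=*" cannot
 * widen the search. PHP >= 5.6 ships ldap_escape($v, '', LDAP_ESCAPE_FILTER)
 * for this; the manual table keeps the example independent of that version.
 */
function ldap_filter_escape(string $value): string
{
    return strtr($value, [
        '\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00',
    ]);
}

function build_user_filter(string $login): string
{
    return '(&(objectClass=user)(sAMAccountName=' . ldap_filter_escape($login) . '))';
}

/**
 * Validate $login/$password against AD.
 * Returns the user's DN on success, or null on failure with the reason in $why
 * (log $why server-side; show the user only a generic "login failed").
 */
function ad_authenticate(string $login, string $password, ?string &$why = null): ?string
{
    // A simple bind with a name and an EMPTY password is treated by AD as an
    // anonymous bind and reported as success. Refuse it before touching the wire.
    if ($password === '') {
        $why = 'empty password rejected';
        return null;
    }

    $ldap = ldap_connect(LDAP_URI);
    if ($ldap === false) {
        $why = 'ldap_connect failed';
        return null;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);   // AD returns referrals that break subtree searches
    // On port 389 both passwords below cross the network in clear text; in
    // production use ldaps:// (636) or call ldap_start_tls($ldap) here first.

    // Step 1: authenticated bind with the service account. Skipping this is
    // exactly what produces "Search Result Done ... Operations Error" against AD.
    if (!@ldap_bind($ldap, SVC_BIND_DN, SVC_BIND_PW)) {
        $why = 'service bind failed: ' . ldap_error($ldap);
        ldap_unbind($ldap);
        return null;
    }

    // Step 2: find the account by sAMAccountName, subtree scope under the base DN.
    $res     = @ldap_search($ldap, BASE_DN, build_user_filter($login), ['displayName']);
    $entries = $res ? ldap_get_entries($ldap, $res) : false;
    if ($entries === false || $entries['count'] !== 1) {
        $why = ($entries === false || $entries['count'] === 0) ? 'user not found' : 'ambiguous user';
        ldap_unbind($ldap);
        return null;
    }
    $userDn = $entries[0]['dn'];

    // Step 3: the real credential check: bind AS the user with the supplied
    // password. The search only proved the account exists.
    if (!@ldap_bind($ldap, $userDn, $password)) {
        $why = 'invalid password: ' . ldap_error($ldap);
        ldap_unbind($ldap);
        return null;
    }

    ldap_unbind($ldap);
    $why = null;
    return $userDn;
}

// Usage (the form field names are assumptions):
// $dn = ad_authenticate($_POST['user'] ?? '', $_POST['pass'] ?? '', $why);
// if ($dn === null) { error_log("LDAP login failed: $why"); /* show generic failure */ }
```

Two of the checks matter more than the rest: the empty-password refusal, because an unauthenticated bind "succeeds" and would otherwise log anyone in as any existing account, and the filter escaping, because the login name is attacker-controlled input placed inside an LDAP filter.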

It's now working when I entered my user name as ***\ejohnson. I'm wondering why it might need that protocol.

Thanks for all your help! I didn't realize that I needed a user in the admin part; it might have worked yesterday had I known this and the correct AD structure.



Glad its working!

There is a doc link for LDAP that discusses the AD issue. Check the configuration page on your tiki install and click the ? on the Pear:login page.

\\Greg


Is there a bug with 1.9.11? I'm using the exact same parameters, yet it is not working (minus the version and displayName).


If so, I think I'll stick with 1.10b.


Thanks for the reply.

I ended up trying 2.0 (as of today) and I got it to bind, but it still doesn't work.
A little frustrated, but I'm going to continue at it.

