MantisBT - v3.0 Release
View Issue Details
ID: 0000947
Project: v3.0 Release
Category: [All Projects] General
View Status: public
Date Submitted: 2011-09-01 10:18
Last Update: 2013-08-28 11:25
Reporter: gracedman
Assigned To: caseydk
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version:
Target Version:
Fixed in Version: 3.0.0
Summary: 0000947: LDAP authentication fails if the BINDDN is given as a complete DN
Description: We have a bug in the LDAP code. Edit web2project-2.4/classes/w2p/Authenticators/LDAP.class.php by changing line 53 from:
$ldap_bind_dn = 'CN='.$this->ldap_search_user.',OU=users,'.$this->base_dn;
to:
$ldap_bind_dn = $this->ldap_search_user;

I don't know if that is the proper fix but it worked well enough for us to be able to get our work done. It looks like the logic assumes we are using an MS Active Directory server and that we have only supplied a short name. In our case, we are using RedHat Directory Server and we provide the complete DN of the ldap_search_user.
Tags: No tags attached.
related to 0000932 (closed, caseydk, Pending Requests): Binding LDAP with a null DN string
has duplicate 0001143 (closed, caseydk, Pending Requests): LDAP does not work
has duplicate 0001110 (closed, Pending Requests): Active Directory error
Attached Files

Notes
(0002192)
GrandmaMoses   
2011-09-07 04:02   
LDAP login when binding to Active Directory has not worked properly since v2.2.

Rather than logging a new bug I'll post my comments here.

Please see my forum post at http://forums.web2project.net/viewtopic.php?p=12673#12673.

In the posting I've given a complete description of the problem and the errors I get.

Many thanks
(0002193)
fulda   
2011-09-07 11:06   
I installed a fresh v2.4 and modified it to bind, but it fails to create the user
(0002194)
GrandmaMoses   
2011-09-07 22:31   
Yes it seems there is an SQL syntax problem when creating a new user or if your password changes. I can bind and login if I upgrade from v2.2 and login with a user already in the W2p DB. Once the password in AD changes then login fails. Error details in my forum post above.

Sorry I'm not a programmer so can't help further.
(0002198)
baturin   
2011-09-11 04:17   
I can confirm this bug.

The following errors are displayed
ERROR: ...classes/w2p/Database/Query.class.php(1121) : query failed(SELECT user_username FROM ((`users` AS users)) WHERE user_id = ) - error was: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
Backtrace:
0 ...classes/w2p/Database/Query.class.php:1121 dprint()
1 ...classes/w2p/Extensions/Permissions.class.php:467 exec()
2 ...classes/w2p/Authenticators/LDAP.class.php:165 insertUserRole()
3 ...classes/w2p/Authenticators/LDAP.class.php:91 createsqluser()
4 ...classes/w2p/Core/CAppUI.class.php:825 authenticate()
5 ...index.php:125 login()
ERROR: ...Extensions/Permissions.class.php(469) : Cannot add role, user does not exist!
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
Backtrace:
0 ...classes/w2p/Extensions/Permissions.class.php:469 dprint()
1 ...classes/w2p/Authenticators/LDAP.class.php:165 insertUserRole()
2 ...classes/w2p/Authenticators/LDAP.class.php:91 createsqluser()
3 ...classes/w2p/Core/CAppUI.class.php:825 authenticate()
4 ...index.php:125 login()
(0002357)
fexadom   
2011-12-19 08:16   
I can confirm this bug too. I installed a fresh v2.4 and modified it to bind, but it fails to create the user. I got this error: /classes/w2p/Database/Query.class.php(1121): query failed(SELECT user_username FROM ((`users` AS users)) WHERE user_id = ) - error was: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
(0002381)
tulanian   
2012-01-16 00:48   
I can confirm this bug, too, and get the same errors listed previously.
(0002383)
Rocko   
2012-01-25 11:28   
Hello

I can confirm this bug, too.

Please, help us.
(0002384)
Rocko   
2012-01-25 12:28   
Hello

The solution is to modify web2project-2.4/classes/w2p/Authenticators/LDAP.class.php

function createsqluser changes:
public function createsqluser($username, $password, $ldap_attribs = array()) {
    global $AppUI, $db;
    $hash_pass = MD5($password);

    // Only build a contact record when the LDAP entry returned attributes.
    // (The original test "!count($ldap_attribs) == 0" relied on PHP's loose
    // comparison to mean the same thing; this states it explicitly.)
    $contact_id = 'NULL';
    if (count($ldap_attribs) > 0) {
        // Contact information based on the inetOrgPerson class schema.
        // ldap_get_entries() lower-cases attribute names and returns each
        // value as an array, so every attribute is read as ['name'][0].
        $c = new CContact();
        $c->contact_first_name = $ldap_attribs['givenname'][0];
        $c->contact_last_name = $ldap_attribs['sn'][0];
        $c->contact_city = $ldap_attribs['l'][0];
        $c->contact_country = $ldap_attribs['country'][0];
        $c->contact_state = $ldap_attribs['st'][0];
        $c->contact_zip = $ldap_attribs['postalcode'][0];
        $c->contact_job = $ldap_attribs['title'][0];
        $c->contact_email = $ldap_attribs['mail'][0];
        $c->contact_phone = $ldap_attribs['telephonenumber'][0];
        $c->contact_owner = $AppUI->user_id;
        $c->contact_display_name = $ldap_attribs['displayname'][0];
        $c->contact_order_by = $ldap_attribs['displayname'][0];
        $c->contact_company = 24; // company id hard-coded for the poster's installation

        // Query to get the department ID from the W2P database. The department
        // name comes from the directory, so it is quoted instead of being
        // spliced into the SQL text (the original also left a stray ';' inside
        // the WHERE clause).
        $q = new w2p_Database_Query;
        $q->addTable('departments');
        $q->addQuery('dept_id');
        $q->addWhere('dept_name = ' . $q->quote($ldap_attribs['department'][0]));
        if (!$q->exec()) {
            die($AppUI->_('Failed to get departments'));
        }
        $dept = $q->fetchRow();
        $c->contact_department = $dept['dept_id'];
        $q->clear();

        $contactArray = array('phone_mobile' => $ldap_attribs['mobile'][0]);
        $c->setContactMethods($contactArray);
        $c->store($AppUI);
        $contact_id = ($c->contact_id == null) ? 'NULL' : $c->contact_id;
    }

    $q = new w2p_Database_Query;
    $q->addTable('users');
    $q->addInsert('user_username', $username);
    $q->addInsert('user_password', $hash_pass);
    $q->addInsert('user_type', '0');
    // Use the id computed above: $c is undefined when no attributes were returned.
    $q->addInsert('user_contact', $contact_id);
    if (!$q->exec()) {
        die($AppUI->_('Failed to create user credentials'));
    }

    // user_id must be set here; without it insertUserRole() runs
    // "WHERE user_id = " and produces the SQL syntax error shown above.
    $user_id = $db->Insert_ID();
    $this->user_id = $user_id;
    $q->clear();

    $acl = &$AppUI->acl();
    $acl->insertUserRole($acl->get_group_id('normal'), $this->user_id);
}

source:
http://forums.web2project.net/viewtopic.php?t=3590&sid=84770cb20530a2e70f8fbc665f240376
(0002630)
caseydk   
2012-08-07 21:09   
I've removed myself from assignment because I don't use LDAP or have a server to test against to validate these solutions currently. Trying to figure out an interim solution.
(0002675)
caseydk   
2012-10-28 20:22   
If you insert this:

$ldap_bind_dn = $this->ldap_search_user;

into line 66 of the current development, I *think* this should work. For context, that should be immediately before this line:

if ($bindok = ldap_bind($rs, $ldap_bind_dn, $ldap_bind_pw)) {
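The two bind-string forms discussed in the report and in the note above, handled by one helper, as an added PHP example that is not web2project's own code: the function names are assumed; the `CN=...,OU=users,<base>` layout, the full-DN alternative and the sample settings come from this thread.

```php
<?php
// Added example (not web2project code). Decides what to hand to ldap_bind()
// for the search account so that both a short name (the Active Directory
// assumption behind the original line 53) and a complete DN (the RedHat
// Directory Server case in the report) work. Helper names are assumptions.

function looksLikeDn(string $value): bool {
    // A DN starts with an attribute type (name or OID) followed by '='.
    return (bool) preg_match('/^\s*[A-Za-z0-9.][A-Za-z0-9.-]*\s*=/', $value);
}

function resolveBindDn(string $searchUser, string $baseDn): string {
    $searchUser = trim($searchUser);
    if ($searchUser === '') {
        // An empty DN turns ldap_bind() into an anonymous bind; fail loudly
        // instead (compare the related issue 0000932, "null DN string").
        throw new InvalidArgumentException('ldap_search_user must not be empty');
    }
    if (looksLikeDn($searchUser)) {
        return $searchUser; // complete DN supplied: use it unchanged
    }
    // Short name: keep the original CN=<name>,OU=users,<base> layout, with
    // the name escaped for use inside a DN.
    return 'CN=' . ldap_escape($searchUser, '', LDAP_ESCAPE_DN) . ',OU=users,' . $baseDn;
}

function bindSearchUser($conn, string $searchUser, string $searchPw, string $baseDn): bool {
    if ($searchPw === '') {
        // A DN with an empty password is an "unauthenticated" bind
        // (RFC 4513, section 5.1.2); some servers accept it, so refuse it
        // here rather than report success.
        return false;
    }
    return ldap_bind($conn, resolveBindDn($searchUser, $baseDn), $searchPw);
}

// Constructed inputs: the short-name settings posted later in this thread...
$shortForm = resolveBindDn('ldap', 'dc=test,dc=domain,dc=com');
// ...and a full-DN search user as in the original report (value constructed).
$fullForm = resolveBindDn('uid=svc-w2p,ou=services,dc=example,dc=org', 'dc=example,dc=org');
echo $shortForm, PHP_EOL, $fullForm, PHP_EOL;
```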
(0002689)
GrandmaMoses   
2012-11-04 10:07   
I think you've cracked it!

You have to insert "$ldap_bind_dn = $this->ldap_search_user;" into line 65 of LDAP.Class.php (current GitHub version downloaded 04/11/2012).

All working now, authenticating against Active Directory.

My settings in lab environment that work:

LDAP Base DN --> dc=test,dc=domain,dc=com
LDAP Host --> servername, FQDN or IP of domain controller
LDAP Port --> 389
LDAP Search User Password --> *******
LDAP Search User --> ldap
LDAP User Filter --> sAMAccountName=%USERNAME%
LDAP Version --> 3
Full LDAP Connect String -->

These settings seem to work irrespective of the container or OU of the LDAP search user or user account being authenticated.

Thanks Keith!
(0002693)
caseydk   
2012-11-04 17:50   
Resolved: https://github.com/caseysoftware/web2project/pull/161

Issue History
2011-09-01 10:18 gracedman: New Issue
2011-09-07 04:02 GrandmaMoses: Note Added: 0002192
2011-09-07 11:06 fulda: Note Added: 0002193
2011-09-07 22:31 GrandmaMoses: Note Added: 0002194
2011-09-11 04:17 baturin: Note Added: 0002198
2011-09-11 20:10 caseydk: Relationship added: related to 0000932
2011-09-27 23:18 caseydk: Project: v2.4 Release (Closed) => v3.0 Release
2011-12-19 08:16 fexadom: Note Added: 0002357
2011-12-19 23:51 caseydk: Status: new => assigned
2011-12-19 23:51 caseydk: Assigned To: => caseydk
2012-01-16 00:48 tulanian: Note Added: 0002381
2012-01-25 11:28 Rocko: Note Added: 0002383
2012-01-25 12:28 Rocko: Note Added: 0002384
2012-07-29 10:16 caseydk: Relationship added: has duplicate 0001143
2012-08-07 21:08 caseydk: Assigned To: caseydk =>
2012-08-07 21:09 caseydk: Note Added: 0002630
2012-08-07 21:09 caseydk: Status: assigned => acknowledged
2012-10-28 20:20 caseydk: Relationship added: has duplicate 0001110
2012-10-28 20:22 caseydk: Note Added: 0002675
2012-10-28 20:22 caseydk: Status: acknowledged => feedback
2012-11-04 10:07 GrandmaMoses: Note Added: 0002689
2012-11-04 17:50 caseydk: Note Added: 0002693
2012-11-04 17:50 caseydk: Status: feedback => resolved
2012-11-04 17:50 caseydk: Resolution: open => fixed
2012-11-04 17:50 caseydk: Assigned To: => caseydk
2013-08-28 11:14 caseydk: Fixed in Version: => 3.0.0
2013-08-28 11:25 caseydk: Status: resolved => closed