0000770: LDAP Login broken in 2.3 - MantisBT

2022-10-05 18:44 PDT

View Issue Details [ Jump to Notes ]

[ Issue History ] [ Print ]

ID

Project

Category

View Status

Date Submitted

Last Update

0000770

v2.4 Release (Closed)

[All Projects] General

public

2011-04-09 14:40

2011-08-16 23:49

Reporter

bethgocs

Assigned To

caseydk

Priority

urgent

Severity

crash

Reproducibility

always

Status

closed

Resolution

fixed

Product Version

Target Version

Fixed in Version

2.4

Summary

0000770: LDAP Login broken in 2.3

Description

Hello,

after Upgrading to Version 2.3 my LDAP Auth is broken.

Apache Log shows: PHP Warning: ldap_bind() [<a href='function.ldap-bind'>function.ldap-bind</a>]: Unable to bind to server: Invalid credentials in /var/www/w2p/classes/w2p/Authenticators/LDAP.class.php on line 56

Any Ideas?

Additional Information

Copying classes/w2p/Authenticators/LDPA.class.php from Version 2.2 to my recent installatin solves the problem.

Tags

No tags attached.

Attached Files

Relationships

Relationships

Notes
~0001866 TekMason (reporter) 2011-04-13 19:13	I have some information to contribute to this issue. Packet captures of the communications between my w2p server and my Active Directory (LDAP) server show that there is extra string data being tacked onto the start and endo of the LDAP Search user string. My LDAP search user is currently set (the same as it is in my old LDAP working 1.2.2 install) to: CN=LDAPUser,CN=Users,DC=int,DC=mydomain,DC=com The packet capture shows that w2p is sending this name: CN=CN=LDAPUser,CN=Users,DC=int,DC=mydomain,DC=com,OU=users,DC=int,DC=mydomain,DC=com That user name will not work as the packet capture shows with a "invalidCredentials" response from the LDAP server. I modified line 53 of from $ldap_bind_dn = 'CN='.$this->ldap_search_user.',OU=users,'.$this->base_dn; to $ldap_bind_dn = $this->ldap_search_user; Not the the LDAP Search user binds successfully. It looks like this kills hurdle 1. Hopefully it doesn't break something else, Unfortunately I know nothing about the w2p code base. The problem Now -LDAP Search User successfully binds to LDAP server -does a search for sAMAccountName=testuser1 where testuser1 is the userfor the username at the w2p login screen. -gets the results back on testuser1 that includes the full object name, which in my case is "CN=Test User1,OU=IT,OU=User Accounts,DC=int,DC=mydomain,DC=com" There is a second (successful) bind request for the LDAP Search User then an unbind request and that's it. This second bind request SHOULD be a test to see if the password entered at the login screen was valid. It should be trying a bind with the full object name of the user that was entered on the w2p name and the password!

~0002070 caseydk (administrator) 2011-07-23 19:07	Alright, I've added a configuration value called "ldap_complete_string" which - if filled in - will override the normal connection string & handler and use it directly. The way this is written, all existing settings with existing installs should still work as expected. Resolved in r2006 & 2007;

Notes

Date Modified	Username	Field	Change
Issue History
2011-04-09 14:40	bethgocs	New Issue
2011-04-09 22:08	caseydk	Priority	normal => high
2011-04-13 06:49	caseydk	Project	v2.3 Release (Closed) => v2.4 Release (Closed)
2011-04-13 19:13	TekMason	Note Added: 0001866
2011-07-03 23:28	caseydk	Priority	high => urgent
2011-07-03 23:28	caseydk	Severity	major => crash
2011-07-03 23:28	caseydk	Status	new => assigned
2011-07-03 23:28	caseydk	Assigned To	=> caseydk
2011-07-23 19:07	caseydk	Note Added: 0002070
2011-07-23 19:07	caseydk	Status	assigned => resolved
2011-07-23 19:07	caseydk	Resolution	open => fixed
2011-08-16 23:49	caseydk	Status	resolved => closed
2011-08-16 23:49	caseydk	Fixed in Version	=> 2.4

Issue History