ID: 0000947
Project: v3.0 Release
Category: [All Projects] General
View Status: public
Last Update: 2013-08-28 11:25
Reporter: gracedman
Assigned To: caseydk
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version:
Target Version:
Fixed in Version: 3.0.0

Summary: 0000947: LDAP authentication fails if the BINDDN is given as a complete DN

Description: We have a bug in the LDAP code. Edit web2project-2.4/classes/w2p/Authenticators/LDAP.class.php by changing line 53 from:
$ldap_bind_dn = 'CN='.$this->ldap_search_user.',OU=users,'.$this->base_dn;
to:
$ldap_bind_dn = $this->ldap_search_user;

I don't know if that is the proper fix, but it worked well enough for us to be able to get our work done. It looks like the logic assumes we are using an MS Active Directory server and that we have only supplied a short name. In our case, we are using RedHat Directory Server and we provide the complete DN of the ldap_search_user.
Relationships:
related to 0000932 (closed, caseydk, Pending Requests): Binding LDAP with a null DN string
has duplicate 0001143 (closed, caseydk, Pending Requests): LDAP does not work
has duplicate 0001110 (closed, Pending Requests): Active Directory error

Notes

~0002192

GrandmaMoses (reporter)

LDAP login when binding to Active Directory has not worked properly since v2.2.

Rather than logging a new bug I'll post my comments here.

Please see my forum post at http://forums.web2project.net/viewtopic.php?p=12673#12673.

In the posting I've given a complete description of the problem and the errors I get.

Many thanks

~0002193

fulda (reporter)

I installed a fresh v2.4 and modified it to bind, but it fails to create the user

~0002194

GrandmaMoses (reporter)

Yes, it seems there is an SQL syntax problem when creating a new user or if your password changes. I can bind and login if I upgrade from v2.2 and login with a user already in the W2p DB. Once the password in AD changes then login fails. Error details in my forum post above.

Sorry I'm not a programmer so can't help further.

~0002198

baturin (reporter)

I can confirm this bug.

The following errors are displayed:
ERROR: ...classes/w2p/Database/Query.class.php(1121) : query failed(SELECT user_username FROM ((`users` AS users)) WHERE user_id = ) - error was: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
Backtrace:
0 ...classes/w2p/Database/Query.class.php:1121 dprint()
1 ...classes/w2p/Extensions/Permissions.class.php:467 exec()
2 ...classes/w2p/Authenticators/LDAP.class.php:165 insertUserRole()
3 ...classes/w2p/Authenticators/LDAP.class.php:91 createsqluser()
4 ...classes/w2p/Core/CAppUI.class.php:825 authenticate()
5 ...index.php:125 login()
ERROR: ...Extensions/Permissions.class.php(469) : Cannot add role, user does not exist!
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
Backtrace:
0 ...classes/w2p/Extensions/Permissions.class.php:469 dprint()
1 ...classes/w2p/Authenticators/LDAP.class.php:165 insertUserRole()
2 ...classes/w2p/Authenticators/LDAP.class.php:91 createsqluser()
3 ...classes/w2p/Core/CAppUI.class.php:825 authenticate()
4 ...index.php:125 login()

~0002357

fexadom (reporter)

I can confirm this bug too. I installed a fresh v2.4 and modified it to bind, but it fails to create the user. I got this error: /classes/w2p/Database/Query.class.php(1121): query failed(SELECT user_username FROM ((`users` AS users)) WHERE user_id = ) - error was: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

~0002381

tulanian (reporter)

I can confirm this bug, too, and get the same errors listed previously.

~0002383

Rocko (reporter)

Hello

I can confirm this bug, too.

Please, help us.

~0002384

Rocko (reporter)

Hello

The solution is to modify web2project-2.4/classes/w2p/Authenticators/LDAP.class.php

function createsqluser changes:
public function createsqluser($username, $password, $ldap_attribs = array()) {
    global $AppUI, $db;
    $hash_pass = md5($password);
    $c = null; // only populated when LDAP attributes were supplied

    if (count($ldap_attribs) != 0) {
        // Contact information based on the inetOrgPerson class schema
        $c = new CContact();
        $c->contact_first_name   = $ldap_attribs['givenname'][0];
        $c->contact_last_name    = $ldap_attribs['sn'][0];
        $c->contact_city         = $ldap_attribs['l'][0];
        $c->contact_country      = $ldap_attribs['country'][0];
        $c->contact_state        = $ldap_attribs['st'][0];
        $c->contact_zip          = $ldap_attribs['postalcode'][0];
        $c->contact_job          = $ldap_attribs['title'][0];
        $c->contact_email        = $ldap_attribs['mail'][0];
        $c->contact_phone        = $ldap_attribs['telephonenumber'][0];
        $c->contact_owner        = $AppUI->user_id;
        $c->contact_display_name = $ldap_attribs['displayName'][0];
        $c->contact_order_by     = $ldap_attribs['displayName'][0];
        $c->contact_company      = 24; // company id hard-coded for the poster's installation

        // query to get department ID from W2P database...
        // the department name comes from the directory, so it is escaped with
        // the ADOdb connection's qstr() instead of being concatenated raw
        $q = new w2p_Database_Query;
        $q->addTable('departments');
        $q->addQuery('dept_id');
        $q->addWhere('dept_name = ' . $db->qstr($ldap_attribs['department'][0]));
        if (!$q->exec()) {
            die($AppUI->_('Failed to get departments'));
        } else {
            $dept = $q->fetchRow();
            $c->contact_department = $dept['dept_id'];
        }
        $q->clear();
        $contactArray = array('phone_mobile' => $ldap_attribs['mobile'][0]);
        $c->setContactMethods($contactArray);
        $c->store($AppUI);
    }
    $contact_id = ($c === null || $c->contact_id == null) ? 'NULL' : $c->contact_id;

    $q = new w2p_Database_Query;
    $q->addTable('users');
    $q->addInsert('user_username', $username);
    $q->addInsert('user_password', $hash_pass);
    $q->addInsert('user_type', '0');
    $q->addInsert('user_contact', $contact_id);
    if (!$q->exec()) {
        die($AppUI->_('Failed to create user credentials'));
    }

    // keep the new user's id so insertUserRole() below gets a user_id
    $user_id = $db->Insert_ID();
    $this->user_id = $user_id;
    $q->clear();

    $acl = &$AppUI->acl();
    $acl->insertUserRole($acl->get_group_id('normal'), $this->user_id);
}

source:
http://forums.web2project.net/viewtopic.php?t=3590&sid=84770cb20530a2e70f8fbc665f240376

~0002630

caseydk (administrator)

I've removed myself from assignment because I don't use LDAP or have a server to test against to validate these solutions currently. I'm trying to figure out an interim solution.

~0002675

caseydk (administrator)

If you insert this:

$ldap_bind_dn = $this->ldap_search_user;

into line 66 of the current development, I *think* this should work. For context, that should be immediately before this line:

if ($bindok = ldap_bind($rs, $ldap_bind_dn, $ldap_bind_pw)) {
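
A PHP sketch of the bind-DN decision from the description and the note above, added here as an illustration and not code from web2project or from any poster; the function names, the %USERNAME% handling and the sample values are assumptions. It goes a little beyond the one-line fix: a complete DN is used verbatim, a short name still gets the old AD-style CN=...,OU=users, construction, the login name is escaped before it enters the search filter, and an empty-password bind is refused because the server would treat it as anonymous.

```php
<?php
// Added illustration, not web2project code. Assumed names: w2p_resolve_bind_dn,
// w2p_build_user_filter, w2p_bind_checked. Runs without ext/ldap except for
// w2p_bind_checked, which needs a real ldap_connect() resource.

// A search user that already contains '=' is a complete DN (RedHat DS, OpenLDAP,
// or AD given as a DN): use it verbatim. Otherwise keep the old AD assumption of
// a short name under OU=users below the base DN, escaping it as a DN value.
function w2p_resolve_bind_dn(string $search_user, string $base_dn): string {
    $search_user = trim($search_user);
    if (strpos($search_user, '=') !== false) {
        return $search_user;
    }
    $cn = function_exists('ldap_escape')
        ? ldap_escape($search_user, '', LDAP_ESCAPE_DN)
        : strtr($search_user, ['\\' => '\\5c', ',' => '\\2c', '+' => '\\2b',
                               '"' => '\\22', '<' => '\\3c', '>' => '\\3e',
                               ';' => '\\3b', '#' => '\\23']);
    return 'CN=' . $cn . ',OU=users,' . $base_dn;
}

// Substitute %USERNAME% into the configured filter (e.g. sAMAccountName=%USERNAME%)
// with RFC 4515 escaping, so filter metacharacters typed into the login form
// cannot change which directory entry the search matches.
function w2p_build_user_filter(string $template, string $username): string {
    $safe = function_exists('ldap_escape')
        ? ldap_escape($username, '', LDAP_ESCAPE_FILTER)
        : strtr($username, ['\\' => '\\5c', '*' => '\\2a', '(' => '\\28',
                            ')' => '\\29', "\0" => '\\00']);
    $filter = str_replace('%USERNAME%', $safe, $template);
    return substr($filter, 0, 1) === '(' ? $filter : '(' . $filter . ')';
}

// RFC 4513 treats a bind with a DN and an empty password as an anonymous bind,
// which succeeds without proving anything, so reject it before calling ldap_bind.
function w2p_bind_checked($ldap, string $dn, string $password): bool {
    if ($dn === '' || $password === '') {
        return false;
    }
    return @ldap_bind($ldap, $dn, $password) === true;
}

// Constructed sample settings (not from a real directory).
$base = 'dc=test,dc=domain,dc=com';
echo w2p_resolve_bind_dn('ldap', $base), "\n";
echo w2p_resolve_bind_dn('uid=svc-w2p,ou=services,dc=example,dc=com', $base), "\n";
echo w2p_build_user_filter('sAMAccountName=%USERNAME%', 'jdoe'), "\n";
```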

~0002689

GrandmaMoses (reporter)

I think you've cracked it!

You have to insert "$ldap_bind_dn = $this->ldap_search_user;" into line 65 of LDAP.class.php (current GitHub version downloaded 04/11/2012).

All working now, authenticating against Active Directory.

My settings in lab environment that work:

LDAP Base DN --> dc=test,dc=domain,dc=com
LDAP Host --> servername, FQDN or IP of domain controller
LDAP Port --> 389
LDAP Search User Password --> *******
LDAP Search User --> ldap
LDAP User Filter --> sAMAccountName=%USERNAME%
LDAP Version --> 3
Full LDAP Connect String -->

These settings seem to work irrespective of the container or OU of the LDAP search user or user account being authenticated.

Thanks Keith!

~0002693

caseydk (administrator)

Resolved: https://github.com/caseysoftware/web2project/pull/161

Issue History
Date Modified / Username / Field / Change
2011-09-01 10:18 gracedman New Issue
2011-09-07 04:02 GrandmaMoses Note Added: 0002192
2011-09-07 11:06 fulda Note Added: 0002193
2011-09-07 22:31 GrandmaMoses Note Added: 0002194
2011-09-11 04:17 baturin Note Added: 0002198
2011-09-11 20:10 caseydk Relationship added related to 0000932
2011-09-27 23:18 caseydk Project v2.4 Release (Closed) => v3.0 Release
2011-12-19 08:16 fexadom Note Added: 0002357
2011-12-19 23:51 caseydk Status new => assigned
2011-12-19 23:51 caseydk Assigned To => caseydk
2012-01-16 00:48 tulanian Note Added: 0002381
2012-01-25 11:28 Rocko Note Added: 0002383
2012-01-25 12:28 Rocko Note Added: 0002384
2012-07-29 10:16 caseydk Relationship added has duplicate 0001143
2012-08-07 21:08 caseydk Assigned To caseydk =>
2012-08-07 21:09 caseydk Note Added: 0002630
2012-08-07 21:09 caseydk Status assigned => acknowledged
2012-10-28 20:20 caseydk Relationship added has duplicate 0001110
2012-10-28 20:22 caseydk Note Added: 0002675
2012-10-28 20:22 caseydk Status acknowledged => feedback
2012-11-04 10:07 GrandmaMoses Note Added: 0002689
2012-11-04 17:50 caseydk Note Added: 0002693
2012-11-04 17:50 caseydk Status feedback => resolved
2012-11-04 17:50 caseydk Resolution open => fixed
2012-11-04 17:50 caseydk Assigned To => caseydk
2013-08-28 11:14 caseydk Fixed in Version => 3.0.0
2013-08-28 11:25 caseydk Status resolved => closed