This repository has been archived by the owner on Jul 24, 2023. It is now read-only.

How to connect to OpenLDAP using adldap2 ? #106

Closed
paszczus opened this issue May 18, 2016 · 10 comments

@paszczus

Hello,
I am trying to connect to LDAP server (running on OpenLDAP instead of Microsoft AD) but i am getting an error with bindAsAdministrator:

[2016-05-18 14:49:36] local.ERROR: exception 'Adldap\Exceptions\Auth\BindException' with message 'Invalid DN syntax' in /web/test/vendor/adldap2/adldap2/src/Auth/Guard.php:91
Stack trace:

0 /web/test/vendor/adldap2/adldap2/src/Auth/Guard.php(107): Adldap\Auth\Guard->bind('root', 'secret', '', 'domain.tldl')

1 /web/test/vendor/adldap2/adldap2/src/Connections/Provider.php(184): Adldap\Auth\Guard->bindAsAdministrator()

2 /web/test/vendor/adldap2/adldap2-laravel/src/AdldapServiceProvider.php(88): Adldap\Connections\Provider->connect()

3 /web/test/vendor/adldap2/adldap2-laravel/src/AdldapServiceProvider.php(48): Adldap\Laravel\AdldapServiceProvider->addProviders(Object(Adldap\Adldap), Array)

4 /web/test/vendor/laravel/framework/src/Illuminate/Container/Container.php(735): Adldap\Laravel\AdldapServiceProvider->Adldap\Laravel{closure}(Object(Illuminate\Foundation\Application), Array)

Is there a way to connect to OpenLDAP using adldap2? My user for connecting to AD is: cn=root,dc=foo,dc=bar instead of root@domain.tld.

@stevebauman
Member

stevebauman commented May 18, 2016

Hi @paszczus,

At the moment, OpenLDAP isn't supported (see root Adldap2 repository requirements). However some functionality should still work.

I believe binding to OpenLDAP requires usernames to be full DNs. Try using the full distinguished name of your administrator to bind rather than the domain suffix. For example, in your configuration:

// Set the account suffix to blank.
'account_suffix' => '',

// Set the admin username to the full DN of the account.
'admin_username' => 'cn=root,dc=foo,dc=bar',
'admin_password' => 'secret',

This is most likely why you're getting back the error Invalid DN syntax.

@paszczus
Author

Thank you @stevebauman! Now I do not have any errors, but I am unable to log in. Is there a way to debug why?

BTW: What we need to do is a portal for migrating from OpenLDAP to Active Directory, so we need to be able to change OpenLDAP AND Active Directory attributes in the same project. Is this possible in the current version?

@paszczus
Author

paszczus commented May 23, 2016

OK, I found the reason why it is not working.
In the OpenLDAP logs I see:

filter: (&(objectClass=person)(?objectcategory=person)(mail=foo@bar.coml))

while there is no such "objectClass=person" in my LDAP - we have inetPersonOrg.
I was trying to use ADLDAP_LIMITATION_FILTER to change this filter but it only adds my filter to the previous one.

I have changed person to inetPersonOrg in vendor/adldap2/adldap2/src/Schemas/ActiveDirectory.php but I still cannot connect because of "Bad character in search filter": ?objectcategory=person

@Albvadi
Contributor

Albvadi commented May 24, 2016

Hi,
I'm not an expert, but I think you can try with Schemas...

Try to create the provider in this form:
$provider = new \Adldap\Connections\Provider($config, new \Adldap\Connections\Ldap, new \Adldap\Schemas\OpenLDAP);

I'm not sure if it's the right way...

@paszczus
Author

Thank you @Albvadi! I have changed 'schema' in adldap.conf and now the authorization in the OpenLDAP logs looks better, but I am still unable to log in:

May 24 13:46:47 ldap slapd[27071]: => access_allowed: read access to "mail=test@foo.bar,vd=foo.bar,o=hosting,dc=foo,dc=bar" "eduPersonEntitlement" requested
May 24 13:46:47 ldap slapd[27071]: conn=259853 op=1 ENTRY dn="mail=test@foo.bar,vd=foo.bar,o=hosting,dc=foo,dc=bar"
May 24 13:46:47 ldap slapd[27071]: >>> dnPrettyNormal: <test@foo.bar>
May 24 13:46:47 ldap slapd[27071]: conn=259853 op=2 do_bind: invalid dn (test@foo.bar)

@Albvadi
Contributor

Albvadi commented May 24, 2016

In Laravel, the default field for login is email instead of username, and in the second line of the last log the DN is set with "mail=". Is that correct?

If not, if you are using the username, you need to change this first.

I'm beginning a Laravel App too and I followed the brilliant Quick Start - From Scratch and it works like a charm...

P.S.: Sorry for my last comment... I mixed up this repo and the original Adldap2 repo and pointed you to setting the provider...
The correct way is yours, modifying adldap.php in config and setting the schema...

@paszczus
Author

I have started from scratch and changed 'email' to 'username' the same as in the howto that you provided, but still no luck.
My users are using the 'mail' attribute as usernames, so the proper full DN for me is:

mail=paszczus@foo.bar,vd=foo.bar,o=hosting,dc=foo,dc=bar

@stevebauman
Member

@paszczus, if you're using OpenLDAP, you'll most likely need to configure your prefix and suffix in the configuration to encapsulate the user's email.

For example:

// config/adldap.php

// The bind DN is built as account_prefix . username . account_suffix,
// so the prefix names the RDN attribute and the suffix holds the rest of the DN.
'account_prefix' => 'mail=',
'account_suffix' => ',vd=foo.bar,o=hosting,dc=foo,dc=bar',

@chrispelzer

chrispelzer commented May 27, 2016

@paszczus I just finished implementing the auth with Laravel and OpenLDAP, binding with the user's LDAP credentials only.

If you can run an ldapsearch from the command line, or use http://php.net/manual/en/function.ldap-get-dn.php to get the DN for the user you are trying to authenticate, that will be the DN you'd need to split into the prefix and suffix.

I don't know if you're running into the same issue I did at first. Our group accounts and individual accounts have completely different DNs. I didn't notice until I tested both and one would auth and the other didn't, depending on the DNs returned from the ldapsearch/ldap_get_dn() from above.

For the config/adldap.php file set the following:

'schema' => Adldap\Schemas\OpenLDAP::class,
'base_dn' => 'dc=foo,dc=bar', // just your DCs from the account_suffix
// for the account_prefix and suffix, make sure they really match the DN you get from the ldapsearch or ldap_get_dn() from above
'account_prefix' => 'mail=',
'account_suffix' => ',vd=foo.bar,o=hosting,dc=foo,dc=bar',
'admin_account_suffix' => '', // don't set an admin account suffix
// setting admin username/password to null only binds as the user
'admin_username' => env('ADLDAP_ADMIN_USERNAME', null),
'admin_password' => env('ADLDAP_ADMIN_PASSWORD', null),

For the config/adldap_auth.php file set the following:

    // email is the unique User model attribute you are authenticating with in the users table
    // mail is the attribute from the ldap that you are matching the email with to authenticate
    'username_attribute' => ['email' => 'mail'],

    // I left LIMITATION_FILTER blank and it still worked for me
    'limitation_filter' => env('ADLDAP_LIMITATION_FILTER', ''),

    // login attribute should be your attribute from ldap that you are authenticating with
    'login_attribute' => env('ADLDAP_LOGIN_ATTRIBUTE', 'mail'),

@paszczus
Author

Thank you guys!
After much testing I have figured out that I need to use account_prefix and account_suffix for users, but for the root account I do not want to use them, so I have to put a blank space in admin_account_suffix - without it my account_suffix was added.

There is another problem with this: since I am using many domains I cannot statically set vd=foo.bar, because users from the other.foo.bar domain will not be able to log in.
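The prefix/suffix configuration discussed above only works when every user's DN has the same shape, which is exactly what breaks once the vd= container varies per domain. The following is an added example, not code from this thread or from the adldap2 project, showing the alternative that the ldap_get_dn() suggestion above points at: search for the entry by its mail attribute first, then bind with whatever DN the directory returns. It uses only the PHP ext-ldap functions; the server URI, base DN, optional read-only lookup account and the test address are assumptions. The empty-password check and the ldap_escape() call are the two things a practitioner should not leave out: an unescaped mail value lets a caller rewrite the search filter, and RFC 4513 allows a server to treat a DN with an empty password as an anonymous bind, which would "succeed" without proving anything.

```php
<?php
// Added example, not from the adldap2 project or this thread. Assumed: an
// OpenLDAP server reachable at $uri, a base DN, users keyed by `mail` as in
// the thread, and (optionally) a read-only service account for the lookup.

declare(strict_types=1);

/**
 * Look up a user's DN by mail address. Returns null unless exactly one
 * entry matches, so one account cannot shadow another with a duplicate mail.
 */
function findUserDn($ldap, string $baseDn, string $mail): ?string
{
    // Escape the value for use inside a filter so a crafted address such as
    // "*)(mail=*" cannot widen the query (LDAP filter injection).
    $filter = sprintf(
        '(&(objectClass=inetOrgPerson)(mail=%s))',
        ldap_escape($mail, '', LDAP_ESCAPE_FILTER)
    );
    // sizelimit 2 is enough to detect duplicates without pulling the subtree.
    $result = @ldap_search($ldap, $baseDn, $filter, ['dn'], 0, 2);
    if ($result === false || ldap_count_entries($ldap, $result) !== 1) {
        return null;
    }
    $entry = ldap_first_entry($ldap, $result);
    $dn = ldap_get_dn($ldap, $entry);
    return $dn === false ? null : $dn;
}

/**
 * Authenticate by mail + password with the search-then-bind pattern.
 * $lookupDn/$lookupPassword are an optional read-only account used only for
 * the search; null means an anonymous search (assumes the ACLs permit it).
 */
function authenticateByMail(
    string $uri, string $baseDn, string $mail, string $password,
    ?string $lookupDn = null, ?string $lookupPassword = null
): bool {
    // Never pass an empty password to ldap_bind: RFC 4513 lets the server
    // treat "DN + empty password" as an anonymous bind, which succeeds.
    if ($password === '') {
        return false;
    }

    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    // Upgrade to TLS unless the URI is already ldaps://, so the password is
    // not sent in the clear.
    if (stripos($uri, 'ldaps://') !== 0 && !ldap_start_tls($ldap)) {
        return false;
    }

    // Step 1: bind as the lookup account (or anonymously) and find the DN.
    if (!@ldap_bind($ldap, $lookupDn, $lookupPassword)) {
        return false;
    }
    $userDn = findUserDn($ldap, $baseDn, $mail);
    if ($userDn === null) {
        ldap_unbind($ldap);
        return false;
    }

    // Step 2: re-bind as the user with the DN the directory returned. This is
    // the only step that proves the password, whatever vd=... the entry sits in.
    $ok = @ldap_bind($ldap, $userDn, $password);
    ldap_unbind($ldap);
    return $ok;
}

// Usage with assumed values; nothing is contacted unless LDAP_URI is set.
if (PHP_SAPI === 'cli' && getenv('LDAP_URI') !== false) {
    $ok = authenticateByMail(
        getenv('LDAP_URI'), 'dc=foo,dc=bar',
        'test@other.foo.bar', getenv('LDAP_TEST_PASSWORD') ?: '',
        getenv('LDAP_LOOKUP_DN') ?: null, getenv('LDAP_LOOKUP_PASSWORD') ?: null
    );
    echo $ok ? "authenticated\n" : "rejected\n";
}
```

Because the DN comes from the directory rather than from string concatenation, users under vd=foo.bar and vd=other.foo.bar authenticate with the same code and the same base_dn. If the lookup account is used, give it read access to `mail` and the entry DN only; it never needs to read userPassword, and the second bind is what actually checks the credential.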
