ldap direct authentication

[swilfreed]

Bug

dolibarr can't connect to distant ldapserver with conf.php information

Environment

• Version: 11.01
• OS: Centos 7
• Web server: nginx 1.16.1
• PHP: 7.3.11
• Database: postgresql 11.7

Expected and actual behavior

*we would like to authenticate user to existing ldap server like other services. *
thing ok: - *dolibarr ldap module is configured and can browse the ldap users *
- we can import account

thing nok: - dolibarr can not authenticate ldap user using conf.php
: - * dolibarr seem not used the ldapfilter during account synchronization*

Steps to reproduce the behavior

• install dolibarr with the documentation
• fill conf.php with the ldap information as documentation want
• test authentication

Attached files (Screenshots, screencasts, dolibarr.log, debugging informations…)

php dolibarr config file conf.php (ldap part)

$dolibarr_main_authentication='ldap,dolibarr';
$dolibarr_main_auth_ldap_host=‘ldaps://ldapserv.local.example.com'; try this too ‘ldapserv.local.example.com’;
$dolibarr_main_auth_ldap_port=‘636’;
$dolibarr_main_auth_ldap_version='3';
$dolibarr_main_auth_ldap_servertype='openldap';
$dolibarr_main_auth_ldap_login_attribute='uid';
$dolibarr_main_auth_ldap_dn='cn=users,cn=accounts,dc=local,dc=example,dc=com';
$dolibarr_main_auth_ldap_debug='true';
$dolibarr_main_auth_ldap_admin_login='uid=admin,cn=users,cn=accounts,dc=local,dc=example,dc=com';
$dolibarr_main_auth_ldap_admin_pass='My_ldapPass_is_inclear';

we try with this variable too
$dolibarr_main_auth_ldap_host=‘ldapserv.local.example.com’;

file dolibarr.log extract when try to connect thru ldap

--- Access to /htdocs/index.php - action= - actionlogin= - showing the login form and exit
--- End access to /htdocs/index.php
checkLoginPassEntity usertotest=djhon entitytotest=1 authmode=ldap,dolibarr
functions_ldap::check_user_password_ldap usertotest=djhon passwordtotest=************ entitytotest=1
functions_ldap::check_user_password_ldap Server:ldaps://ldapserver.local.example.com, Port:‘636’, Protocol:3, Type:openldap
unctions_ldap::check_user_password_ldap uid/samacountname=uid, dn=cn=users,cn=accounts,dc=local,dc=example,dc=com, Admin:uid=admin,cn=users,cn=accounts,dc=local,dc=example,dc=com, Pass:My_ldapPass_is_inclear
**Ldap::connect_bind return=-1 - Failed to connect to LDAP**
**Ldap::connect_bind return=-1 - Failed to connect to LDAP: Failed to connect to LDAP**
functions_ldap::check_user_password_ldap Authentication KO failed to connect to LDAP for 'djhon'
functions_dolibarr::check_user_password_dolibarr usertotest=djhon passwordtotest=************ entitytotest=1
functions_dolibarr::check_user_password_dolibarr Authentication KO user not found for 'djhon'
--- Access to /htdocs/index.php - action= - actionlogin=login - showing the login form and exit
--- End access to /htdocs/index.php

DEBUG mode active in browser

DEBUG: Logging LDAP steps
DEBUG: Server:ldaps://ldapserver.local.example.com, Port:‘636’, Protocol:3, Type:openldap
DEBUG: uid/samacountname=uid, dn=cn=users,cn=accounts,dc=local,dc=example,dc=com, Admin:uid=admin,cn=users,cn=accounts,dc=local,dc=example,dc=com, Pass:My_ldapPass_is_inclear
DEBUG: Failed to connect to LDAP

debugging
during debugging steps it seems the operation failed when it go through the
function connect_bind() in core/class/ldap.class.php
I keep searching a workaround to this POC station
#8413 have been updated with#8420 and concern old version

[hregis]

@swilfreed
Have you activated and configured the LDAP module in Dolibarr?
and have you created / imported your users from ldap to dolibarr?

[hregis]

@swilfreed

this user is your "bind user" of your openldap server ?
normally the "bind user" is not in the CN of other users, it is rather more at the root level "dc=local, dc=example, dc=com"

$dolibarr_main_auth_ldap_admin_login='uid=admin,cn=users,cn=accounts,dc=local,dc=example,dc=com';

[swilfreed]

@hregis

1. dollibar ldap module is activated and user imported with sync_users_ldap2dolibarr.php
   only account authentication is nok

2. $dolibarr_main_auth_ldap_admin_login is my bind user , it's have the right to browse the ldap directory. we have many apps configured with this user.
   dollibar ldap module is configured with this user and we succeed to sync accounts.
   when we try to authenticate with ldap no network traffic leave the dolibar server.

i make a basic php script to test bind user connection and it's ok.
the script test the syntax condition with ldap_connect() and the real connection with ldap_bind()

[swilfreed]

come back during #stayathome for some debug.

in order to use the "ldaphost + port" without doubt to connect_bind()
because
serverPing() have a regexp
and it’s seem connect bind never receive the "ldaphost + port" information.

I make an explicit change in those lines , file core/class/ldap.class.php

191 < if ($this->serverPing($host, $this->serverPort) === true) {
192 < $this->connection = ldap_connect($host, $this->serverPort);
193 < }
194 < else continue;
<
---
> # if ($this->serverPing($host, $this->serverPort) === true) {
> # $this->connection = ldap_connect($host, $this->serverPort);
> # }
> # else continue;
> $ldaphost = "ldaps://ldapserv.local.example.com";
> $ldapport = "636";
> $this->connection = ldap_connect($ldaphost,$ldapport);

result:

• the ldap user can connect to dolibarr.
• we keep syncing ldap accounts.

it's seem connect_bind() doest not receive ldap host+port when login from 'login form box" .
could someone have same behaviour?
I could make some test to help the debug process. thanks

[popindavibe]

Between the design of the LDAP module, this issue and the filter which needs () in conf.php but not in the web interface, I hardly ever spent so much time to get an LDAP connection working.

Don't get me wrong, I'm glad it's there, but there is a both a lack of documentation and bugs. I'm still looking for how to ensure that you get a Starttls connection on port 389 during authentication (I settled for 636 with the above workaround).

[github-actions]

This issue is stale because it has been open 1 year with no activity. If this is a bug, please comment to confirm it is still present on latest stable version. if this is a feature request, please comment to notify the request is still relevant and not yet covered by latest stable version. This issue may be closed automatically by stale bot in 10 days (you should still be able to re-open it if required).

[pierfu]

Hello,
maybe not the problem here, maybe yes.
I spent hours trying to fix the same situation : i could get LDAP accounts when creating new accounts in Dolibarr, but never could authenticate after that - and didn't see anything in LDAP server log when i was trying.
I finally saw a stupid word error in conf.php :
$dolibarr_main_authentification='ldap,dolibarr';
instead of :
$dolibarr_main_authentication='ldap,dolibarr';
Nothing was visible in logs, the variable was just ignored.
Once fixed, LDAP auth. works.
Typical french developper (?) error, at least i could not find it in last version !

[popindavibe]

I believe version 15.3 works for me, without the fixes. I can double check if needed. -- Sent from K9-Mail

…

On 20 October 2022 11:15:01 CEST, Pierre Fumet ***@***.***> wrote: Hello, maybe not the problem here, maybe yes. I spent hours trying to fix the same situation : i could get LDAP accounts when creating new accounts in Dolibarr, but never could authenticate after that - and didn't see anything in LDAP server log when i was trying. I finally saw a stupid word error in conf.php : `$dolibarr_main_authentification='ldap,dolibarr';` instead of : `$dolibarr_main_authentication='ldap,dolibarr';` Nothing was visible in logs, the variable was just ignored. Once fixed, LDAP auth. works. Typical french developper (?) error, at least i could not find it in last version ! -- Reply to this email directly or view it on GitHub: #13314 (comment) You are receiving this because you commented. Message ID: ***@***.***>