
Login LDAP error after FileSender (2.48) & SimpleSAMLphp (2.2.2) upgrade #1939

Closed
quentin-rey opened this issue Jun 19, 2024 · 5 comments

@quentin-rey

Hello,

I upgraded FileSender to 2.48. Following that, I wanted to upgrade SimpleSAMLphp, which with version 2 changes a bit the way it works.

I managed to configure it and test my LDAP connection.

However, when I configured it with FileSender, it didn't work.
By default FileSender seems to refer to the SAML module, whereas I'm using LDAP.

The link for my login button:
https://myfilesender/simplesaml/module.php/saml/sp/login/filesender-ldap?ReturnTo=....

My FileSender config.php (SAML part):

$config['auth_sp_saml_simplesamlphp_url'] = 'https://myfilesender/simplesaml/';
$config['auth_sp_saml_simplesamlphp_location'] = '/opt/filesender/simplesaml/';
$config['auth_sp_saml_uid_attribute'] = 'sAMAccountName';
$config['auth_sp_saml_authentication_source'] = 'filesender-ldap';

My SimpleSAMLphp authsource:

...
'filesender-ldap' => [
    'ldap:Ldap',
    'connection_string' => 'ldap://myldap.mydomain.fr',
    'encryption' => 'none',
    'version' => 3,
    'ldap.debug' => false,
    'options' => [
        'referrals' => 0x00,
        'network_timeout' => 3,
    ],
    'connector' => '\SimpleSAML\Module\ldap\Connector\Ldap',
    'attributes' => [
        'sAMAccountName',
        'mail'
    ],
    'attributes.binary' => [
        'jpegPhoto',
        'objectGUID',
        'objectSid',
        'mS-DS-ConsistencyGuid'
    ],
    'dnpattern' => 'uid=%username%,ou=people,dc=example,dc=org',
    'search.enable' => true,
    'search.base' => [
        'OU=...',
        'OU=...'
    ],
    'search.scope' => 'sub',
    'search.attributes' => ['sAMAccountName', 'mail'],
    'search.filter' => '(&(objectClass=person)(objectClass=user))',
    'search.username' => 'MYUSER',
    'search.password' => 'MYPWD',
]
...

Thank you in advance for your help!

@monkeyiq
Contributor

FileSender is using the SimpleSAML\Auth\Simple API of SSP, passing in your selected authentication source:

self::$simplesamlphp_auth_simple = new SimpleSAML\Auth\Simple(self::$config['authentication_source']);

The URL used to login is obtained from that API:

), self::$simplesamlphp_auth_simple->getLoginURL($target));

That SSP Simple object should give a link to where it will handle the login:

https://github.com/simplesamlphp/simplesamlphp/blob/c23e0f3b02590682e4a7e1e9d40ebe4ea30b3ccd/src/SimpleSAML/Auth/Simple.php#L319

This is where your module.php/saml/sp/login is coming from. What is the failing error you see when you try to login?

@quentin-rey
Author

quentin-rey commented Jun 20, 2024

Thanks for your reply!

The error is:
SimpleSAML\Error\NotFound: The requested page 'https://myfilesender/simplesaml/module.php/saml/sp/login/filesender-ldap?ReturnTo=... could not be found. The module 'saml' was either not found, or wasn't enabled.

I've activated the ldap module, and the saml module isn't activated.

@quentin-rey
Author

quentin-rey commented Jun 21, 2024

If I understand correctly, FileSender is based on the configuration file, which in this case specifies:
$config['auth_sp_saml_authentication_source'] = 'filesender-ldap';
This gives the API call:
self::$simplesamlphp_auth_simple = new SimpleSAML\Auth\Simple(self::$config['filesender-ldap']);

However, when it built the URL, it built it with the saml module instead of the ldap module: https://myfilesender/simplesaml/module.php/saml/sp/login/filesender-ldap

I think I'm not far from the truth, but I can't find the source of the error 😬

@quentin-rey
Author

quentin-rey commented Jun 26, 2024

https://github.com/simplesamlphp/simplesamlphp/blob/c23e0f3b02590682e4a7e1e9d40ebe4ea30b3ccd/src/SimpleSAML/Auth/Simple.php#L319

This is where your module.php/saml/sp/login is coming from.

I hadn't seen it properly! SimpleSAMLphp builds its URL with saml/sp/login in all cases. So how do I use ldap?

public function getLoginURL(?string $returnTo = null): string
{
    if ($returnTo === null) {
        $httpUtils = new Utils\HTTP();
        $returnTo = $httpUtils->getSelfURL();
    }

    $login = Module::getModuleURL('saml/sp/login/' . urlencode($this->authSource), [
        'ReturnTo' => $returnTo,
    ]);

    return $login;
}

I opened an issue on the SimpleSAMLphp repo:

@monkeyiq monkeyiq added the saml label Jun 26, 2024
@quentin-rey
Author

After checking, this is a misuse of ldap with SimpleSAMLphp. I decided to use SimpleSAMLphp as an SP, coupled with the Keycloak IdP.
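An added check script, not part of FileSender or SimpleSAMLphp, that makes the wiring problem discussed above visible before anyone clicks the login button: it reproduces the URL that SimpleSAML\Auth\Simple::getLoginURL() builds from FileSender's config.php and warns when the named auth source in authsources.php is not a saml:SP source, which is the only type the saml/sp/login route can serve. Both file paths and the ReturnTo value are assumptions.

```php
<?php
// Added example (not FileSender's or SimpleSAMLphp's own code). Mirrors the
// URL getLoginURL() builds (always module.php/saml/sp/login/<source>) and
// checks that the auth source FileSender names is of type 'saml:SP'.
declare(strict_types=1);

const FILESENDER_CONFIG = '/opt/filesender/filesender/config/config.php';   // assumed path
const SSP_AUTHSOURCES   = '/opt/filesender/simplesaml/config/authsources.php'; // assumed path
/** Both files populate a variable named $config; load each in its own scope. */
function loadConfigArray(string $path): array
{
    $config = [];
    require $path;
    return $config;
}

/** Mirror of the URL getLoginURL() produces for a given authentication source. */
function expectedLoginUrl(string $sspBaseUrl, string $source, string $returnTo): string
{
    return rtrim($sspBaseUrl, '/') . '/module.php/saml/sp/login/'
        . urlencode($source) . '?ReturnTo=' . urlencode($returnTo);
}

/** Returns human-readable findings; an empty list means the wiring is consistent. */
function checkAuthSourceWiring(array $fsConfig, array $authSources): array
{
    $name = $fsConfig['auth_sp_saml_authentication_source'] ?? null;
    if ($name === null) {
        return ['FileSender config has no auth_sp_saml_authentication_source.'];
    }
    if (!isset($authSources[$name])) {
        return ["Auth source '$name' is not defined in authsources.php."];
    }
    $type = $authSources[$name][0] ?? '(none)';
    if ($type !== 'saml:SP') {
        return ["Auth source '$name' has type '$type', but getLoginURL() only routes to "
            . "saml/sp/login, which serves saml:SP sources; LDAP authentication has to "
            . "happen at the IdP that the saml:SP source federates with."];
    }
    return [];
}

$fs = loadConfigArray(FILESENDER_CONFIG);
$as = loadConfigArray(SSP_AUTHSOURCES);
$url = expectedLoginUrl($fs['auth_sp_saml_simplesamlphp_url'],
    $fs['auth_sp_saml_authentication_source'], 'https://myfilesender/');
echo "Login URL FileSender will emit: $url", PHP_EOL;
foreach (checkAuthSourceWiring($fs, $as) as $finding) {
    echo 'WARNING: ', $finding, PHP_EOL;
}
```

Run it with the PHP CLI on the FileSender host; with the 'ldap:Ldap' source from this issue it prints the saml/sp/login URL that 404s and a warning naming the type mismatch.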
