Need help with Active Directory Auth #1264

Open
marquesmatheus opened this issue Nov 13, 2018 · 13 comments

@marquesmatheus
commented Nov 13, 2018

Hi, I need some help connecting Kimai to Active Directory.

I've changed autoconf.php to activeDirectory and set up auth.php like this:

```php
<?php
return array(
    'host' => 'ldap://dc.mydomain',
    'enhancedIdentityPrivacy' => 'false',
);
?>
```

It's giving me the error "No user with that information found".

In the log /var/log/apache2/ts.joaopauloii/error.log:

[Tue Nov 13 10:55:07.636355 2018] [:error] [pid 25708] [client 10.0.65.2:35874] PHP Warning: ldap_search(): Search: Operations error in /var/www/kimai-ts/libraries/Kimai/Auth/Ldapadvanced.php on line 256, referer: http://ts.xxxx/index.php

I'm using my AD username from the local network. What am I missing?

Thx again

@marquesmatheus

Author

commented Nov 13, 2018

Tested here setting:

```php
var_dump($usernameAttribute);
var_dump($mailAttribute);
var_dump($commonNameAttribute);
var_dump($searchBase);
var_dump($host);
var_dump($bindDN);
```

All information came NULL...

@kevinpapst

Member

commented Nov 13, 2018

None of us has access to AD, so we can only help debugging a possible misconfiguration on your end. You already checked the documentation?
Please show the relevant configs correctly.

@marquesmatheus

Author

commented Nov 13, 2018

Sure, I've checked the documentation. What configs do you need?

@marquesmatheus

Author

commented Nov 13, 2018

The server that I installed Kimai on runs Debian 9.
It has a valid IP for the local network, and on my AD server it also has a valid host AAA name.
I can ping and communicate with both of them.
The domain address is dc.somedomain
The doubt that I have is: does this kind of auth from Kimai using ActiveDirectory just point Kimai to the AD address, and it will catch and validate the user and password from AD itself?

Tried to configure it using ldapadvanced, but with no success either...

@kevinpapst

Member

commented Nov 13, 2018

Please show us all Kimai configurations that you applied regarding the AD

@marquesmatheus

Author

commented Nov 13, 2018

With this example I can connect to AD:

```php
<?php
if (isset($_POST['username']) && isset($_POST['password'])) {

    $adServer = "ldap://dc.somedomain";

    $ldap = ldap_connect($adServer);
    $username = $_POST['username'];
    $password = $_POST['password'];

    $ldaprdn = 'domain' . "\\" . $username;
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Reject empty passwords: a simple bind with an empty password is an
    // unauthenticated bind and can succeed without proving any identity.
    $bind = $password !== '' && @ldap_bind($ldap, $ldaprdn, $password);

    if ($bind) {
        // Escape the user-supplied name before it goes into the search filter.
        $filter = "(sAMAccountName=" . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ")";
        $result = ldap_search($ldap, "dc=domain", $filter);
        // ldap_sort() was removed in PHP 8; a single-account lookup needs no sorting.
        $info = $result ? ldap_get_entries($ldap, $result) : array('count' => 0);

        // The loop over $info was commented out, so read the first entry only.
        if ($info['count'] > 0) {
            $i = 0;
            echo "You are accessing " . $info[$i]["sn"][0] . ", " . $info[$i]["givenname"][0]
                . " (" . $info[$i]["samaccountname"][0] . ")\n";
            var_dump($info);
            $userDn = $info[$i]["distinguishedname"][0];
        }
        @ldap_close($ldap);
    } else {
        $msg = "Invalid email address / password";
        echo $msg;
    }

} else {
?>

Username: Password:
<?php
}
?>
```

@marquesmatheus

Author

commented Nov 13, 2018

The only configurations that I made were:

Setting `$authenticator = "activeDirectory";` in autoconf.php

And setting auth.php:

```php
<?php
return array(
    'host' => 'ldap://dc.somedomain',
    'enhancedIdentityPrivacy' => 'false',
);
?>
```

@marquesmatheus

Author

commented Nov 14, 2018

Any suggestions?

@kevinpapst

Member

commented Nov 14, 2018

You have a lot of config options, as stated in the docs: https://www.kimai.org/documentation/authenticator/

> As this class is a subclass of the LDAP-Advanced authenticator (see above), you can set all Configuration-parameters from there as well, for example the host:

Your test script uses the searchBase dc=domain, but you haven't configured it in auth.php.
You can use all options from the "Advanced LDAP-Authentication", check the docs and try to find the needed configuration.

@marquesmatheus

Author

commented Nov 14, 2018

As I said, I'm using the autoconf.php auth "activeDirectory" and the auth.php file I wrote in my last post. Even using the activeDirectory auth in autoconf.php and setting the lines in auth.php, is it necessary to write to another file or to insert more config somewhere?

I will now try to use the LDAP advanced option; I tried it 2 days ago without success too :(.

@marquesmatheus

Author

commented Nov 14, 2018

LDAP Advanced config files:

1 - autoconf.php

```php
$authenticator = "ldapadvanced";
```

2 - auth.php

```php
<?php
return array(
    'host' => 'ldap://dc.testdomain',
    'bindDN' => 'CN=Matheus Ferreira Perrenoud Marques,OU=CPD,OU=TI,DC=testdomain',
    'bindPW' => 'mypassword',
    'searchBase' => 'dc=testdomain,dc=example,c=org',
    'userFilter' => 'uid=%s',
    'groupFilter' => 'memberUid=%1$s',
    'usernameAttribute' => 'uid',
    'commonNameAttribute' => 'cn',
    'groupidAttribute' => 'cn',
    'mailAttribute' => 'mail',
    'allowedGroupIds' => array('kimai-access'),
    'forceLowercase' => true,
    'nonLdapAcounts' => array('admin'),
    'autocreateUsers' => true,
    'defaultGlobalRoleName' => 'User',
    'defaultGroupMemberships' => array('Users' => 'User'),
);
?>
```

3 - Error

[Wed Nov 14 13:50:27.319866 2018] [:error] [pid 29895] [client 10.0.65.2:48130] PHP Warning: ldap_search(): Search: Operations error in /var/www/kimai-ts/libraries/Kimai/Auth/Ldapadvanced.php on line 262, referer: http://ts.joaopauloii/index.php

4 - My LDAP URL with this user:

ldap://server:389/CN=Matheus%20Ferreira%20Perrenoud%20Marques,OU=CPD,OU=TI,DC=testdomain

@marquesmatheus

Author

commented Nov 14, 2018

Front end error:
No user with that information found

I'm using my local network login as an example testelogin and my password.
Do I need to set my domain before my user, like testdomain.testlogin on the login screen, or is just the network login OK?

@kevinpapst

Member

commented Nov 14, 2018

Maybe someone else can jump in.
I can just help you as far as setting up the authenticator and checking obvious setup problems.
You can use the activeDirectory authenticator. It extends the LDAPadvanced authenticator => so you can use all config parameters from the "ldap advanced" as well.

The config is somewhat wrong or the LDAP-advanced authenticator uses an incompatible approach.
Please replace ldap_search with var_dump in https://github.com/kimai/kimai/blob/master/libraries/Kimai/Auth/Ldapadvanced.php#L245 and check if the values are the ones you expect to be used.
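
A stand-alone way to run the check suggested above, added here as an example (it is not part of the thread and not Kimai's code): it binds and searches with values shaped like the auth.php array and reports the LDAP result text and the server's diagnostic message for each step. The function name `ldapDiag`, the `$cfg` values, and the reading of `userFilter` as a sprintf-style template are assumptions.

```php
<?php
// Added diagnostic, not Kimai code. The $cfg values are constructed placeholders
// shaped like the auth.php array in this thread; replace them with your own.
$cfg = array(
    'host' => 'ldap://dc.testdomain',
    'bindDN' => 'CN=Service Account,OU=TI,DC=testdomain',
    'bindPW' => 'placeholder-password',
    'searchBase' => 'dc=testdomain',
    'userFilter' => 'uid=%s',
    'usernameAttribute' => 'uid',
);

function ldapDiag(array $cfg, string $login): array
{
    $steps = array();
    $ldap = ldap_connect($cfg['host']);
    if ($ldap === false) {
        return array(array('FAIL', 'connect ' . $cfg['host'], 'invalid LDAP URI', ''));
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // Store the result text and the server's diagnostic message for one step.
    $record = function (string $name, $ok) use (&$steps, $ldap) {
        $err = ldap_error($ldap);
        ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
        $steps[] = array($ok !== false ? 'ok' : 'FAIL', $name, $err, (string) $detail);
        return $ok !== false;
    };

    // Bind with the configured account; the password is never echoed.
    if (!$record('bind ' . $cfg['bindDN'], @ldap_bind($ldap, $cfg['bindDN'], $cfg['bindPW']))) {
        return $steps;
    }
    // Assumed: the %s template takes the login; escape it before substitution.
    $filter = '(' . sprintf($cfg['userFilter'], ldap_escape($login, '', LDAP_ESCAPE_FILTER)) . ')';
    $result = @ldap_search($ldap, $cfg['searchBase'], $filter, array($cfg['usernameAttribute']));
    if ($record("search base={$cfg['searchBase']} filter=$filter", $result)) {
        $steps[] = array('ok', 'entries found', (string) ldap_count_entries($ldap, $result), '');
    }
    return $steps;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (ldapDiag($cfg, $argv[1]) as $s) {
        echo implode(' | ', $s), "\n";
    }
}
```

It needs PHP's ldap extension and is run from the command line with the login name as its only argument; a failed bind stops the run before any search is attempted.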
