
Create Ldap user directly at Teampass DB #1541

Closed
andresguisado opened this issue Oct 9, 2016 · 5 comments

Comments

@andresguisado

andresguisado commented Oct 9, 2016

Steps to reproduce

  1. Posix / OpenLDAP (RFC2307) - Ldap configuration:
    • Ldap server type: Posix / OpenLDAP (RFC2307) Search Based
    • LDAP base DN for your domain: dc=example,dc=com
    • LDAP account suffix for your domain: ou=People
    • LDAP domain controller(s): server01
    • Use LDAP through SSL (LDAPS): NO
    • Use LDAP through TLS: NO
    • Teampass local users only: NO
  2. Try to log in and it doesn't work.

Expected behaviour

Ldap login should work.
Teampass should create ldap user in the Database at the first ldap login attempt.

Actual behaviour

LDAP login doesn't work. It seems to be because the LDAP user doesn't exist in the database.
If the LDAP user doesn't exist in the Teampass DB in advance, LDAP login doesn't work.
If the LDAP user exists in the Teampass DB, LDAP login works.

Server configuration

Operating system:Centos7

Web server: Apache 2.4

Database: mysql 5.7

PHP version: PHP 5.6

Teampass version: v.2.1.26 (final release)

Updated from an older Teampass or fresh install: Fresh Install

Client configuration

Browser: Chrome Version 53.0.2785.143 (64-bit)

Operating system: Mac

Logs

LDAP log

* LDAP log if the user doesn't exist in Teampass in advance and then LDAP login fails:

Oct  9 15:14:39 server01 slapd[18870]: conn=1690 fd=30 ACCEPT from IP=X.X.X.X:43988 (IP=0.0.0.0:389)
Oct  9 15:14:39 server01 slapd[18870]: conn=1690 op=0 BIND dn="uid=test.ldap,ou=People,dc=example,dc=com" method=128
Oct  9 15:14:39 server01 slapd[18870]: conn=1690 op=0 BIND dn="uid=test.ldap,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
Oct  9 15:14:39 server01 slapd[18870]: conn=1690 op=0 RESULT tag=97 err=0 text=
Oct  9 15:14:39 server01 slapd[18870]: conn=1690 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(?objectCategory=person)(?samaccountname=uid=test.ldap))"
Oct  9 15:14:39 server01 slapd[18870]: conn=1690 op=1 SRCH attr=mail givenname sn objectsid
Oct  9 15:14:39 server01 slapd[18870]: conn=1690 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct  9 15:14:39 server01 slapd[18870]: conn=1690 op=2 UNBIND
Oct  9 15:14:39 server01 slapd[18870]: conn=1690 fd=30 closed


* LDAP log if the user exists in Teampass in advance and then LDAP login is successful:

Oct  9 15:25:42 server01 slapd[18870]: conn=1691 fd=30 ACCEPT from IP=X.X.X.X:44034 (IP=0.0.0.0:389)
Oct  9 15:25:42 server01 slapd[18870]: conn=1691 op=0 BIND dn="uid=test.ldap,ou=People,dc=example,dc=com" method=128
Oct  9 15:25:42 server01 slapd[18870]: conn=1691 op=0 BIND dn="uid=test.ldap,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
Oct  9 15:25:42 server01 slapd[18870]: conn=1691 op=0 RESULT tag=97 err=0 text=
Oct  9 15:25:42 server01 slapd[18870]: conn=1691 op=1 UNBIND
Oct  9 15:25:42 server01 slapd[18870]: conn=1691 fd=30 closed

Webserver log

No errors.
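The two slapd sessions above carry the whole diagnosis, so here they are re-parsed by a small triage script. This is an added example, not code from the issue or from Teampass; the log text is the reporter's, copied with the client address redacted as it is on the page. Both sessions bind successfully (RESULT err=0) with a SIMPLE bind at ssf=0, which with LDAPS and TLS both off means the password crossed the network in clear text; only the failing session then issues a subtree search, and slapd prefixes each attribute type in that filter with `?`, its notation for an attribute type its schema does not define, before returning nentries=0.

```python
import re
from collections import defaultdict

# Constructed sample: the two slapd sessions quoted in the report above,
# copied with the client address redacted as it is on the page.
SLAPD_LOG = """\
Oct  9 15:14:39 server01 slapd[18870]: conn=1690 fd=30 ACCEPT from IP=X.X.X.X:43988 (IP=0.0.0.0:389)
Oct  9 15:14:39 server01 slapd[18870]: conn=1690 op=0 BIND dn="uid=test.ldap,ou=People,dc=example,dc=com" method=128
Oct  9 15:14:39 server01 slapd[18870]: conn=1690 op=0 BIND dn="uid=test.ldap,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
Oct  9 15:14:39 server01 slapd[18870]: conn=1690 op=0 RESULT tag=97 err=0 text=
Oct  9 15:14:39 server01 slapd[18870]: conn=1690 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(?objectCategory=person)(?samaccountname=uid=test.ldap))"
Oct  9 15:14:39 server01 slapd[18870]: conn=1690 op=1 SRCH attr=mail givenname sn objectsid
Oct  9 15:14:39 server01 slapd[18870]: conn=1690 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct  9 15:14:39 server01 slapd[18870]: conn=1690 op=2 UNBIND
Oct  9 15:14:39 server01 slapd[18870]: conn=1690 fd=30 closed
Oct  9 15:25:42 server01 slapd[18870]: conn=1691 fd=30 ACCEPT from IP=X.X.X.X:44034 (IP=0.0.0.0:389)
Oct  9 15:25:42 server01 slapd[18870]: conn=1691 op=0 BIND dn="uid=test.ldap,ou=People,dc=example,dc=com" method=128
Oct  9 15:25:42 server01 slapd[18870]: conn=1691 op=0 BIND dn="uid=test.ldap,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
Oct  9 15:25:42 server01 slapd[18870]: conn=1691 op=0 RESULT tag=97 err=0 text=
Oct  9 15:25:42 server01 slapd[18870]: conn=1691 op=1 UNBIND
Oct  9 15:25:42 server01 slapd[18870]: conn=1691 fd=30 closed
"""

CONN_RE = re.compile(r'conn=(\d+) (.*)$')
BIND_RE = re.compile(r'\bBIND dn="([^"]*)" mech=(\S+) ssf=(\d+)')
RESULT_RE = re.compile(r'\bRESULT tag=\d+ err=(\d+)')
FILTER_RE = re.compile(r'\bSRCH .*filter="([^"]*)"')
NENTRIES_RE = re.compile(r'SEARCH RESULT .*nentries=(\d+)')
# slapd writes "(?attr=value)" when the attribute type in a filter is not in its schema
UNDEF_RE = re.compile(r'\(\?([A-Za-z][\w;-]*)')

def triage(log_text):
    """Group slapd lines by connection and keep what a reviewer needs: bind DN,
    mechanism, ssf and error code, and for each search its filter, the attribute
    types slapd marked undefined, and the entry count."""
    conns = defaultdict(lambda: {"bind_dn": None, "mech": None, "ssf": None,
                                 "bind_err": None, "searches": []})
    pending = {}  # conn -> filter of the SRCH whose SEARCH RESULT has not arrived yet
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = m.group(1), m.group(2)
        c = conns[conn]
        mb, mf, mn, mr = (BIND_RE.search(rest), FILTER_RE.search(rest),
                          NENTRIES_RE.search(rest), RESULT_RE.search(rest))
        if mb:
            c["bind_dn"], c["mech"], c["ssf"] = mb.group(1), mb.group(2), int(mb.group(3))
        elif mf:
            pending[conn] = mf.group(1)
        elif mn:  # checked before the generic RESULT line, which it also matches
            filt = pending.pop(conn, "")
            c["searches"].append({"filter": filt,
                                  "undefined_attrs": UNDEF_RE.findall(filt),
                                  "nentries": int(mn.group(1))})
        elif mr and c["bind_err"] is None:  # first RESULT on the connection is the bind's
            c["bind_err"] = int(mr.group(1))
    return dict(conns)

def findings(conns):
    """Turn the per-connection summary into the points worth raising."""
    out = []
    for conn, c in sorted(conns.items(), key=lambda kv: int(kv[0])):
        if c["mech"] == "SIMPLE" and c["ssf"] == 0:
            out.append("conn=%s: simple bind as %s with ssf=0 (no TLS): the password "
                       "crossed the network in clear text" % (conn, c["bind_dn"]))
        if c["bind_err"] == 0 and not c["searches"]:
            out.append("conn=%s: bind succeeded and no search followed" % conn)
        for s in c["searches"]:
            if s["undefined_attrs"]:
                out.append("conn=%s: filter %s uses attribute types this server does not "
                           "define: %s" % (conn, s["filter"], ", ".join(s["undefined_attrs"])))
            if s["nentries"] == 0:
                out.append("conn=%s: search returned nentries=0, so no account data was read" % conn)
    return out

if __name__ == "__main__":
    for f in findings(triage(SLAPD_LOG)):
        print(f)
```

Run against the two sessions it reports the ssf=0 bind on both connections, the two AD-only attribute types (objectCategory, samaccountname) in the failing session's filter, and the empty result set; the successful session has no search at all, which matches the report that login works when the user row already exists.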

@andresguisado

Any help?

The main issue seems to be the ldap user doesn't exist in advance in the Teampass DB.

Is there any configuration to say to Teampass to create the ldap user in the first login if it doesn't exist in the DB?

Thanks.

@andresguisado

I have read this issue:

#1153

In v2.1.25 a feature was implemented to create a user in the Teampass DB directly when the user who tries to log in doesn't exist in the DB.

It seems that in v2.1.26 it is not implemented?

Thanks.

@andresguisado andresguisado changed the title Ldap login doesn't work - Posix / OpenLDAP (RFC2307) Create Ldap user directly at Teampass DB Nov 1, 2016
@andresguisado

I have set "Teampass local users only" off in "LDAP settings", and when I try to access with an LDAP user which doesn't exist in the Teampass DB it gets into an infinite load loop; Firebug says 500 Internal Server Error but no errors.

In the server logs:

[Tue Nov 01 11:51:10.122572 2016] [:error] [pid 29913] [client X.X.X.X:22602] PHP Fatal error: Call to a member function user() on null in /var/www/html/teampass/sources/identify.php on line 395, referer: https://xxxxx/index.php?page=items

Thanks.

@andresguisado

I was using "posix-search" instead of Active Directory, so forget the above details. Despite this, I am getting the same load looping, but without any error this time, when I try to log in with an LDAP user which doesn't exist in the Teampass DB. :-(

@cheribral

The issue here seems to be that user information for new users comes from $adldap. This variable is never defined in sources/identify.php when set to posix-search because the definition doesn't occur in the conditional block for:
if ($_SESSION['settings']['ldap_type'] == 'posix-search')

When ldap_type is just 'posix', the variable is set, but user information is populated with
$user_info_from_ad = $adldap->user()->info($auth_username, array("mail", "givenname", "sn"));

However, this sends the wrong type of query to an openldap server. What I see is
(&(?objectCategory=person)(?samaccountname=uid=...))

This should simply pull the needed attributes from the dn which was already found, and which shows up in the debug file. I haven't read enough about the AD library used here to know if a different function could be used, nor do I know why the posix ldap stuff is mixed in with the AD code, so I'm not sure what the best fix is.

For the meantime, I've worked around it by using posix-search and patching the code like this:

--- sources/identify.php.a  2016-11-04 06:51:01.912549783 +0000
+++ sources/identify.php    2016-11-04 06:51:08.843551448 +0000
@@ -233,7 +233,7 @@
                 }
                 if ($ldapbind) {
                     $filter="(&(" . $_SESSION['settings']['ldap_user_attribute']. "=$username)(objectClass=" . $_SESSION['settings']['ldap_object_class'] ."))";
-                    $result=ldap_search($ldapconn, $_SESSION['settings']['ldap_search_base'], $filter, array('dn'));
+                    $result=ldap_search($ldapconn, $_SESSION['settings']['ldap_search_base'], $filter, array('dn','givenname','sn','mail'));
                     if (isset($_SESSION['settings']['ldap_usergroup'])) {
                        $filter_group = "memberUid=".$username;
                        $result_group = ldap_search($ldapconn, $_SESSION['settings']['ldap_usergroup'],$filter_group, array('dn'));
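Review bot: the search now asks for givenname, sn and mail alongside dn, but `$result` stays the raw ldap_search() result identifier and nothing in this hunk reads the entry out of it (ldap_first_entry() with ldap_get_attributes(), or ldap_get_entries()), so the extra attributes are fetched and dropped unless a later hunk extracts them. Separately, `$username` is interpolated unescaped into `$filter` on the line above and into `$filter_group = "memberUid=".$username;` in the context below; passing it through ldap_escape($username, '', LDAP_ESCAPE_FILTER) (available from PHP 5.6, the version in the report) before building either filter keeps a username containing `*`, `(` or `)` from changing the shape of the query instead of being looked up as a name.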
@@ -392,7 +392,12 @@
         $data['pw'] = $pwdlib->createPasswordHash($passwordClear);  // create passwordhash

         // get user info from LDAP
-        $user_info_from_ad = $adldap->user()->info($auth_username, array("mail", "givenname", "sn"));
+        if ($_SESSION['settings']['ldap_type'] == 'posix-search') {
+            $user_info_from_ad = $result;
+        } else {
+            $user_info_from_ad = $adldap->user()->info($auth_username, array("mail", "givenname", "sn"));
+        }

         DB::insert(
             prefix_table('users'),
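Review bot: `$user_info_from_ad = $result;` assigns the ldap_search() result identifier from the earlier hunk, not the attribute array that $adldap->user()->info() returns, so whatever the DB::insert() below reads out of `$user_info_from_ad` (mail, givenname, sn) will not be there for posix-search even though the search now requests those attributes; extract the first entry with ldap_get_entries($ldapconn, $result) (or ldap_first_entry()/ldap_get_attributes()) and map it to the same keys the AD branch produces. `$result` is also only defined inside the `if ($ldapbind) {` block in the first hunk, so add an isset() guard here, or the posix-search branch swaps the "Call to a member function user() on null" fatal for an undefined variable when the bind failed.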

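An added example, mine rather than the reporter's or Teampass's code, for the filter the first hunk builds, `(&(<ldap_user_attribute>=$username)(objectClass=<ldap_object_class>))`: the username is interpolated raw, so a value containing `*`, `(` or `)` changes the shape of the filter instead of being looked up as a name. The attribute and object class values, the three directory entries and the toy matcher are constructed for illustration; the matcher understands only AND, OR, equality and `*`, which is enough to show which entries each variant of the filter selects. The escaping is the RFC 4515 rule that PHP's ldap_escape() applies with LDAP_ESCAPE_FILTER.

```python
import re

# RFC 2307 settings as they would sit in Teampass's ldap_user_attribute and
# ldap_object_class; illustrative values, not taken from the issue.
USER_ATTR = "uid"
OBJECT_CLASS = "posixAccount"

def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter: the same
    rewrite PHP's ldap_escape($value, '', LDAP_ESCAPE_FILTER) performs."""
    return "".join("\\%02x" % ord(ch) if ch in '\\*()\x00' else ch for ch in value)

def posix_user_filter(username, escape=True):
    """The filter from the hunk above, with the username interpolated raw
    (escape=False, as the patched code does) or RFC 4515 escaped."""
    value = escape_filter_value(username) if escape else username
    return "(&(%s=%s)(objectClass=%s))" % (USER_ATTR, value, OBJECT_CLASS)

# Constructed directory standing in for what slapd holds (not the reporter's data).
DIRECTORY = [
    {"dn": ["uid=test.ldap,ou=People,dc=example,dc=com"], "uid": ["test.ldap"],
     "objectclass": ["inetOrgPerson", "posixAccount"], "mail": ["test.ldap@example.com"],
     "givenname": ["Test"], "sn": ["Ldap"]},
    {"dn": ["uid=alice,ou=People,dc=example,dc=com"], "uid": ["alice"],
     "objectclass": ["inetOrgPerson", "posixAccount"], "mail": ["alice@example.com"]},
    {"dn": ["cn=svc-backup,ou=Services,dc=example,dc=com"], "cn": ["svc-backup"],
     "objectclass": ["applicationProcess"]},
]

def _parse(filt, i=0):
    """Minimal RFC 4515 parser: AND, OR, equality and '*' substring/presence only."""
    if filt[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if filt[i] in "&|":
        op, kids, i = filt[i], [], i + 1
        while filt[i] == "(":
            node, i = _parse(filt, i)
            kids.append(node)
        if filt[i] != ")":
            raise ValueError("unterminated %s at %d" % (op, i))
        return (op, kids), i + 1
    j = filt.index(")", i)
    attr, _, value = filt[i:j].partition("=")
    return ("=", attr.lower(), value), j + 1

def _unescape(part):
    """Turn RFC 4515 \\xx escapes back into the literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), part)

def _matches(node, entry):
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(_matches(k, entry) for k in node[1])
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    if value == "*":  # presence filter
        return bool(values)
    # Split on unescaped '*' first and unescape each literal piece afterwards,
    # so an escaped \2a stays a literal asterisk instead of becoming a wildcard.
    pattern = ".*".join(re.escape(_unescape(p).lower()) for p in value.split("*"))
    return any(re.fullmatch(pattern, v) for v in values)

def search(filt, directory=DIRECTORY):
    """Return the DNs a server holding `directory` would return for `filt`."""
    node, end = _parse(filt)
    if end != len(filt):
        raise ValueError("trailing data after filter")
    return [e["dn"][0] for e in directory if _matches(node, e)]

if __name__ == "__main__":
    crafted = "*)(uid=*"
    for escape in (False, True):
        f = posix_user_filter(crafted, escape=escape)
        print("%-8s %s -> %d entr%s" % ("escaped" if escape else "raw", f,
                                         len(search(f)), "y" if len(search(f)) == 1 else "ies"))
```

With the raw interpolation the crafted value turns the lookup into `(&(uid=*)(uid=*)(objectClass=posixAccount))`, which selects every posixAccount rather than one named account; the escaped form `(&(uid=\2a\29\28uid=\2a)(objectClass=posixAccount))` is looked up as a literal name and matches nothing. What identify.php does with a multi-entry result is not on this page, so the point here is only that the lookup filter should name exactly one account.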