
Search LDAP Error. #16

Closed
jilabaca opened this issue Jul 18, 2018 · 10 comments

@jilabaca

Some time ago I installed SKA and it worked for me, but I had the access restricted to a certain OU of my Active Directory. I want to expand the scope of the search, but I get an error.

My config is this way:

; LDAP subtree containing USER entries
dn_user = "DC=mydomain,DC=cl"
; LDAP subtree containing GROUP entries
dn_group = "DC=mydomain,DC=cl"

Checking, I saw that they use the user_id as the filter in ldap_search, and I debugged how that filter arrives; it arrives like this:

string(26) "sAMAccountName=rgiusti.bbr"

but since the DN is global and not a specific OU, it does not find the user:

[17-Jul-2018 20:15:44 America/Santiago] 1531872944: exception 'ErrorException' with message 'ldap_search(): Search: Operations error' in /opt/rh/httpd24/root/var/www/ssh-key-authority/ldap.php:55
1531872944: Stack trace:
1531872944: #0 [internal function]: exception_error_handler(2, 'ldap_search(): ...', '/opt/rh/httpd24...', 55, Array)
1531872944: #1 /opt/rh/httpd24/root/var/www/ssh-key-authority/ldap.php(55): ldap_search(Resource id #23, 'DC=mydomain,DC=cl', 'sAMAccountName=...', Array)
1531872944: #2 /opt/rh/httpd24/root/var/www/ssh-key-authority/model/user.php(311): LDAP->search('DC=mydomain,DC=cl', 'sAMAccountName=...', Array)
1531872944: #3 /opt/rh/httpd24/root/var/www/ssh-key-authority/model/userdirectory.php(99): User->get_details_from_ldap()
1531872944: #4 /opt/rh/httpd24/root/var/www/ssh-key-authority/requesthandler.php(24): UserDirectory->get_user_by_uid('rgiusti.bbr')
1531872944: #5 /opt/rh/httpd24/root/var/www/ssh-key-authority/public_html/init.php(18): require('/opt/rh/httpd24...')
1531872944: #6 {main}

Is there any way to make the search cover all the OUs of my Active Directory tree?

Thank you very much!

@thomas-pike
Collaborator

Hi

The PHP ldap_search function does search using LDAP_SCOPE_SUBTREE, which means it should find entries no matter how far along the tree they are. The fact that the ldap_search function is getting Search: Operations error suggests that something else is going on here. At a guess, perhaps the user you are binding as does not have access to the full tree.

@jilabaca
Author

It's weird, because the Apache VirtualHost authentication is also using LDAP and it's the same user that I have in the config.ini, and the LDAP URL is the following:

AuthLDAPURL "ldap://ad.mydomain.cl:389/dc=mydomain,dc=cl?sAMAccountName?sub?(objectClass=user)"

Now, using the account that is in the group ska-administrator in my Active Directory, I can easily enter the page as an administrator; the problem is when another, normal user wants to log in to enter their key and make access requests.

Any ideas you can give me to continue investigating? I would be very grateful.

@jilabaca
Author

This is my LDAP configuration:

[ldap]
; Address to connect to LDAP server
host = ldap://antares.mydomain.cl:389
; Use StartTLS for connection security (recommended if using ldap:// instead
; of ldaps:// above)
starttls = 0
; LDAP subtree containing USER entries
dn_user = "DC=inacap,DC=cl"
; LDAP subtree containing GROUP entries
dn_group = "DC=mydomain,DC=cl"

; Leave bind_dn empty if binding is not required
bind_dn = consweb@mydomain.cl
bind_password = XXXXXX

; User attributes
user_id = sAMAccountName
user_name = cn
user_email = mail
;user_superior = superioremployee

; If inactive users exist in your LDAP directory, filter with the following
; settings:
; Field to filter on:
;user_active = organizationalstatus
; Use *one* of user_active_true or user_active_false
; user_active_true means user is active if the user_active field equals its
; value
;user_active_true = 'current'
; user_active_false means user is active if the user_active field does not
; equal its value
;user_active_false = 'former'

; Group membership attributes. Examples below are for typical setups:
;
; POSIX groups
;  group_member = memberUid
;  group_member_value = uid
;
; Group-of-names groups
;  group_member = member
;  group_member_value = dn
;
; Attribute of group where members are stored
group_member = ska-members
; User attribute to compare with
group_member_value = dn

; Members of admin_group are given full admin access to SSH Key Authority web
; interface
admin_group_cn = ska-administrators

My account is in the group ska-administrator and I can access without problems, while another account is in ska-members but cannot access.

@thomas-pike
Collaborator

Well, leaving aside the original problem at the moment, you seem to have misunderstood the group_member config variable, though I think I can understand why. It does not refer to the name of a group whose members can access SKA (in fact no group membership is needed for that). group_member is the attribute of a group object in LDAP that SKA should check to determine who is a member of that group. The correct value of this for AD servers appears to be group_member = member (as per #15).

@jilabaca
Author

I left the group_member configuration as it shipped by default, but I still get the same error: with a normal AD user I cannot enter SKA.

@jilabaca
Author

I did a test, configuring the dn_user as:

dn_user = "CN=Users,DC=inacap,DC=cl"

and now the error indicates that the user does not exist:

[18-Jul-2018 10:32:00 America/Santiago] 1531924320: exception 'UserNotFoundException' with message 'User does not exist.' in /opt/rh/httpd24/root/var/www/ssh-key-authority/model/user.php:334
1531924320: Stack trace:
1531924320: #0 /opt/rh/httpd24/root/var/www/ssh-key-authority/model/userdirectory.php(99): User->get_details_from_ldap()
1531924320: #1 /opt/rh/httpd24/root/var/www/ssh-key-authority/requesthandler.php(24): UserDirectory->get_user_by_uid('rvalenzuela.bbr')
1531924320: #2 /opt/rh/httpd24/root/var/www/ssh-key-authority/public_html/init.php(18): require('/opt/rh/httpd24...')
1531924320: #3 {main}

Then I changed the dn_user to exactly where the account is:

dn_user = "OU=Servicios Externos,DC=inacap,DC=cl"

and the account entered the SKA without problems.

Then I set the dn_user back to what I had originally:

dn_user = "DC=inacap,DC=cl"

And the account logs in again without problems. I think this works because the account was already created in the DB: if I use another AD account I have the same problem as before, and I am sure that if I reconfigure the dn_user to exactly where this new account is, I will get a successful login.

@thomas-pike
Collaborator

Yes, since the application isn't doing any authentication itself (that is handled by Apache), the application is only using LDAP to get information about the user which is then stored (cached) in the database. You can trigger an update of this stored information by running the scripts/ldap_update.php script to see if it breaks again.

It is still strange that dn_user = "DC=inacap,DC=cl" is not working for you, especially since (as you stated) it works fine for Apache when it uses the exact same setup. Though looking at http://php.net/manual/en/function.ldap-search.php#45388 it could be that we need to set LDAP_OPT_REFERRALS to 0.

@thomas-pike
Collaborator

Try modifying the file ldap.php in SKA, adding the following line after line 40:
ldap_set_option($this->conn, LDAP_OPT_REFERRALS, 0);

See if that helps at all.
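To show the fix above in context, here is an added, self-contained PHP example; it is not SKA's own ldap.php, and the host, bind account, base DN and user id in it are placeholders. It does the two things this thread relies on: the subtree search that the earlier reply describes (every OU under the base DN is covered by a single ldap_search), and the referral option set to 0 before binding. Searching from the domain root of an AD forest (DC=...,DC=cl) returns referrals to other naming contexts, and when the client tries to chase them it ends up with "Search: Operations error", which is what the stack trace in this issue shows. The example also escapes the user id before building the filter, so a login name containing characters like `*`, `(` or `)` cannot change what the filter matches.

```php
<?php
// Added example, not SKA's code. All hostnames, DNs and credentials below are
// placeholders (assumptions) and must be replaced with your own values.

/**
 * Connect and bind to an Active Directory server with the options AD needs.
 */
function ad_connect(string $uri, string $bindDn, string $bindPassword)
{
    $conn = ldap_connect($uri);
    if ($conn === false) {
        throw new RuntimeException("ldap_connect failed for $uri");
    }
    // AD requires LDAPv3.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // The fix from this issue: do not chase referrals. A search based at the
    // domain root makes AD hand back referrals to other naming contexts, and
    // chasing them with the bound credentials fails with "Operations error".
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    if (!@ldap_bind($conn, $bindDn, $bindPassword)) {
        throw new RuntimeException('ldap_bind failed: ' . ldap_error($conn));
    }
    return $conn;
}

/**
 * Look up one user anywhere below $baseDn by its id attribute.
 * Returns the entry array from ldap_get_entries(), or null if no entry matches.
 */
function ad_find_user($conn, string $baseDn, string $idAttribute, string $userId,
                      array $attributes = ['cn', 'mail'])
{
    // Escape the user-supplied value so filter metacharacters cannot widen the
    // match (LDAP filter injection); ldap_escape() is built into PHP >= 5.6.
    $filter = sprintf('(%s=%s)', $idAttribute,
                      ldap_escape($userId, '', LDAP_ESCAPE_FILTER));

    // ldap_search() always uses subtree scope, so every OU under $baseDn is
    // searched; there is no need to point dn_user at a specific OU.
    $result = @ldap_search($conn, $baseDn, $filter, $attributes);
    if ($result === false) {
        throw new RuntimeException('ldap_search failed: ' . ldap_error($conn));
    }

    $entries = ldap_get_entries($conn, $result);
    if ($entries['count'] === 0) {
        return null;
    }
    if ($entries['count'] > 1) {
        // A login attribute should be unique; refuse to guess which entry is meant.
        throw new RuntimeException("Ambiguous: {$entries['count']} entries match $filter");
    }
    return $entries[0];
}

// Usage with placeholder values.
$conn = ad_connect('ldap://ad.example.test:389',
                   'svc-ska@example.test', 'REPLACE-WITH-BIND-PASSWORD');
$user = ad_find_user($conn, 'DC=example,DC=test', 'sAMAccountName', 'jdoe');
if ($user === null) {
    echo "User does not exist.\n";
} else {
    echo "Found {$user['dn']}\n";
}
ldap_unbind($conn);
```

If the search still fails after setting LDAP_OPT_REFERRALS, the message from ldap_error() after the failed call is the thing to check next: a bind account that can read the whole tree via Apache's AuthLDAPURL should be able to read it here too, since both paths use the same credentials and base DN.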

@jilabaca
Author

Nice!!! That was it, now it works perfectly!!! Thank you very much Thomas! You could add an option in the config.ini indicating whether the LDAP is Windows AD or not.

Best Regards!

@thomas-pike
Collaborator

Yes, I plan to add an option for this. Glad to hear it worked.
