AD Login failed / No DN found for <blank> on <FQDN of DC> #14380

Closed
stuartluscombe opened this issue Feb 19, 2015 · 14 comments
@stuartluscombe

Environment:

Owncloud 8.0.0 (also daily for 19/02/2015)
RHEL 6.6 x86_64 (fully patched)
httpd: 2.2.15
php: 5.4
SSL configured with self-certified certificate
Active Directory Functional Level: 2003

I have managed to configure AD authentication and users show in the User list, as do groups and group membership. However, when trying to log in I get the following messages every time. This occurred both with and without SSL validation.

{"reqId":"OwkBrUEFR2KLu9D96ELU","remoteAddr":"172.16.0.162","app":"core","message":"Login failed: 'username' (Remote IP: '172.16.0.162', X-Forwarded-For: '')","level":2,"time":"2015-02-19T14:38:50+00:00","method":"POST","url":"\/index.php\/apps\/files_encryption\/ajax\/getMigrationStatus.php"}

{"reqId":"P1Ge2KSd2sdm0FuFsxwH","remoteAddr":"172.16.0.162","app":"user_ldap","message":"Turned off SSL certificate validation successfully.","level":0,"time":"2015-02-19T14:38:51+00:00","method":"POST","url":"\/"}

{"reqId":"NRL9\/kyB7CwC\/U4LDXKd","remoteAddr":"172.16.0.162","app":"core","message":"Login failed: 'username' (Remote IP: '172.16.0.162', X-Forwarded-For: '')","level":2,"time":"2015-02-19T14:38:51+00:00","method":"POST","url":"\/"}

{"reqId":"zasRfkH2gerwngm9vdp0","remoteAddr":"172.16.0.162","app":"user_ldap","message":"No DN found for on pdc.company.com","level":0,"time":"2015-02-19T14:38:51+00:00","method":"GET","url":"\/index.php\/core\/js\/oc.js?v=7fb8145fb09d2483870c1eac230d56c0"}

@karlitschek
Contributor

@blizzz

@blizzz
Contributor

blizzz commented Feb 19, 2015

Please revise your login filter.

@stuartluscombe
Author

Thanks for the suggestion, I've been working on this.

If I run an ldapsearch from the console I get the required result:

```
ldapsearch -h pdc.company.com -D cn=adlookup,cn=Users,dc=company,dc=com -W "(&(objectclass=person)(samaccountname=user1))" samaccountname
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=local> (default) with scope subtree
# filter: (&(objectclass=person)(samaccountname=user1))
# requesting: samaccountname
#

# User1, CompanyUser, company.com
dn: CN=User1,OU=CompanyUsers,DC=company,DC=com
sAMAccountName: user1
```

However, I am still getting the same error when trying to log in.

{"reqId":"l21sEFB+vOJzVfVlvVet","remoteAddr":"172.16.0.162","app":"core","message":"Login failed: 'user1' (Remote IP: '172.16.0.162', X-Forwarded-For: '')","level":2,"time":"2015-02-20T08:31:30+00:00","method":"POST","url":"\/index.php\/apps\/files_encryption\/ajax\/getMigrationStatus.php"}

{"reqId":"NYmPNJVv6yfIOubSg7r0","remoteAddr":"172.16.0.162","app":"user_ldap","message":"Turned off SSL certificate validation successfully.","level":0,"time":"2015-02-20T08:31:30+00:00","method":"POST","url":"\/"}

{"reqId":"NCI6ij5T2aw4Bs98Kvcm","remoteAddr":"172.16.0.162","app":"core","message":"Login failed: 'user1' (Remote IP: '172.16.0.162', X-Forwarded-For: '')","level":2,"time":"2015-02-20T08:31:30+00:00","method":"POST","url":"\/"}

{"reqId":"gBCW9YJQ0GpiXgkUrvMf","remoteAddr":"172.16.0.162","app":"user_ldap","message":"No DN found for on pdc.company.com","level":0,"time":"2015-02-20T08:31:30+00:00","method":"GET","url":"\/index.php\/core\/js\/oc.js?v=7fb8145fb09d2483870c1eac230d56c0"}

I don't know if this is of worth, but the message "No DN found for on pdc.company.com" does not contain the username with which I'm trying to log in.

I also have sAMAccountName under the Expert | Internal Username Attribute setting.
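The observation above, that the "No DN found for ... on ..." entry carries no username, is easy to miss in a busy owncloud.log. The following script is an added example written for this thread, not code from ownCloud or from any participant: it parses the JSON-per-line log format quoted above and separates failed logins from DN lookups where the name is blank, so the symptom can be spotted across a whole log rather than by eye. The sample log is constructed from two entries quoted in this thread plus one made-up entry with a name present; the function names are this example's own.

```python
import json
import re

# Constructed sample log: the first two lines are entries quoted in this
# thread (one failed login, one "No DN found for <blank>"); the third is a
# made-up entry where the looked-up name is present, for contrast.
SAMPLE_LOG = r"""
{"reqId":"NRL9\/kyB7CwC\/U4LDXKd","remoteAddr":"172.16.0.162","app":"core","message":"Login failed: 'username' (Remote IP: '172.16.0.162', X-Forwarded-For: '')","level":2,"time":"2015-02-19T14:38:51+00:00","method":"POST","url":"\/"}
{"reqId":"zasRfkH2gerwngm9vdp0","remoteAddr":"172.16.0.162","app":"user_ldap","message":"No DN found for on pdc.company.com","level":0,"time":"2015-02-19T14:38:51+00:00","method":"GET","url":"\/index.php\/core\/js\/oc.js?v=7fb8145fb09d2483870c1eac230d56c0"}
{"reqId":"CONSTRUCTED-0001","remoteAddr":"172.16.0.162","app":"user_ldap","message":"No DN found for user1 on pdc.company.com","level":0,"time":"2015-02-19T14:40:00+00:00","method":"POST","url":"\/"}
"""

LOGIN_FAILED_RE = re.compile(r"^Login failed: '(?P<name>[^']*)'")
# The name group is optional so that both "No DN found for on <host>" (blank
# name, only one space before "on") and "No DN found for user1 on <host>" match.
NO_DN_RE = re.compile(r"^No DN found for(?: (?P<name>.*?))? on (?P<host>\S+)$")


def parse_entries(text):
    """Parse one JSON object per non-empty line (the owncloud.log layout)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(text):
    """Bucket entries into failed logins, blank-name DN lookups and named DN lookups."""
    result = {"failed_logins": [], "blank_dn_lookups": [], "named_dn_lookups": []}
    for entry in parse_entries(text):
        message = entry.get("message", "")
        m = LOGIN_FAILED_RE.match(message)
        if m:
            result["failed_logins"].append({
                "time": entry["time"], "name": m.group("name"),
                "remote": entry["remoteAddr"], "reqId": entry["reqId"],
            })
            continue
        m = NO_DN_RE.match(message)
        if m:
            name = m.group("name") or ""          # None when the name was blank
            record = {"time": entry["time"], "name": name,
                      "host": m.group("host"), "reqId": entry["reqId"],
                      "method": entry["method"], "url": entry["url"]}
            bucket = "blank_dn_lookups" if name == "" else "named_dn_lookups"
            result[bucket].append(record)
    return result


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for bucket, records in summary.items():
        print(f"{bucket}: {len(records)}")
        for r in records:
            print("   ", r)
```

The blank-name bucket is the one worth watching: a DN lookup for an empty name means the login filter was evaluated with nothing substituted for the user, which is why revising the filter was the first suggestion in this thread.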

@samicemalone

I had this same issue until I changed my filters.

My login filter is as follows:

(&(memberof:1.2.840.113556.1.4.1941:=CN=Owncloud Users,DC=example,DC=co,DC=uk)(sAMAccountName=%uid))

My user filter and group filter are both:

memberof:1.2.840.113556.1.4.1941:=CN=Owncloud Users,DC=example,DC=co,DC=uk

The OID: 1.2.840.113556.1.4.1941 is used for nested groups.

Hope this helps
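The login filter above works by having %uid replaced with whatever the user typed at the login form. As an added example (not ownCloud's own substitution code, which is not shown in this thread), the script below does what a safe substitution has to do: escape the RFC 4515 filter metacharacters in the login name, refuse an empty name (an empty name is exactly what the "No DN found for <blank>" line looks like), and check that the assembled filter still has balanced parentheses. The template is the nested-group filter samicemalone posted; the function names are this example's own.

```python
# RFC 4515 escaping for a value substituted into an LDAP search filter.
# NUL is included because it also cannot appear raw in a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape every filter metacharacter in a user-supplied value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(template: str, login_name: str) -> str:
    """Replace the %uid placeholder with the escaped login name.

    Raises ValueError when the template has no placeholder (the name could
    never be matched) or when the name is empty (the server would be asked
    for a DN of nobody, which is the blank seen in the log lines above).
    """
    if "%uid" not in template:
        raise ValueError("login filter template contains no %uid placeholder")
    if login_name == "":
        raise ValueError("empty login name")
    return template.replace("%uid", escape_filter_value(login_name))


def parens_balanced(ldap_filter: str) -> bool:
    """True when every '(' in the filter is closed and none closes early."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


# Assumed template: the nested-group login filter posted earlier in this thread
# (1.2.840.113556.1.4.1941 is the LDAP_MATCHING_RULE_IN_CHAIN OID).
NESTED_GROUP_LOGIN_FILTER = (
    "(&(memberof:1.2.840.113556.1.4.1941:=CN=Owncloud Users,DC=example,DC=co,DC=uk)"
    "(sAMAccountName=%uid))"
)


if __name__ == "__main__":
    print(build_login_filter(NESTED_GROUP_LOGIN_FILTER, "user1"))
    # A name containing metacharacters stays inside its own attribute assertion.
    print(build_login_filter("(sAMAccountName=%uid)", "a)(b"))
```

Because the memberof assertion is kept verbatim and only the %uid slot changes, a login name can never widen the filter beyond the group the administrator intended; that is the property to preserve when writing or reviewing such a filter.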

@blizzz
Contributor

blizzz commented Feb 23, 2015

@thefold can you also post your LDAP config? ./occ ldap:show-config run as web user from command line outputs it all nicely.

@stuartluscombe
Author

I changed my filters as per samicemalone's suggestion but I'm still not able to log in. The DN errors have disappeared, but I still get login failed messages.

+------------------------------+--------------------------------------------------------------------------------------------------------------------------+
| Configuration                |                                                                                                                          |
+------------------------------+--------------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport     | 1                                                                                                                        |
| hasPagedResultSupport        |                                                                                                                          |
| homeFolderNamingRule         |                                                                                                                          |
| lastJpegPhotoLookup          | 0                                                                                                                        |
| ldapAgentName                | cn=adlookup,cn=Users,dc=drc,dc=ion,dc=ucl,dc=ac,dc=uk                                                                    |
| ldapAgentPassword            | ***                                                                                                                      |
| ldapAttributesForGroupSearch |                                                                                                                          |
| ldapAttributesForUserSearch  |                                                                                                                          |
| ldapBackupHost               | orac.drc.ion.ucl.ac.uk                                                                                                   |
| ldapBackupPort               |                                                                                                                          |
| ldapBase                     | dc=drc,dc=ion,dc=ucl,dc=ac,dc=uk                                                                                         |
| ldapBaseGroups               | dc=drc,dc=ion,dc=ucl,dc=ac,dc=uk                                                                                         |
| ldapBaseUsers                | dc=drc,dc=ion,dc=ucl,dc=ac,dc=uk                                                                                         |
| ldapCacheTTL                 | 600                                                                                                                      |
| ldapConfigurationActive      | 1                                                                                                                        |
| ldapEmailAttribute           | mail                                                                                                                     |
| ldapExperiencedAdmin         | 1                                                                                                                        |
| ldapExpertUUIDGroupAttr      |                                                                                                                          |
| ldapExpertUUIDUserAttr       |                                                                                                                          |
| ldapExpertUsernameAttr       | sAMAccountName                                                                                                           |
| ldapGroupDisplayName         | cn                                                                                                                       |
| ldapGroupFilter              | memberof:1.2.840.113556.1.4.1941:=CN=localadmins,OU=DRCGroups,DC=drc,DC=ion,DC=ucl,DC=ac,DC=uk                           |
| ldapGroupFilterGroups        | fellow;imaging;psychologist;secretariat;trials                                                                           |
| ldapGroupFilterMode          | 1                                                                                                                        |
| ldapGroupFilterObjectclass   | top                                                                                                                      |
| ldapGroupMemberAssocAttr     | memberUid                                                                                                                |
| ldapHost                     | homer.drc.ion.ucl.ac.uk                                                                                                  |
| ldapIgnoreNamingRules        |                                                                                                                          |
| ldapLoginFilter              | (&(memberof:1.2.840.113556.1.4.1941:=CN=localadmins,OU=DRCGroups,DC=drc,DC=ion,DC=ucl,DC=ac,DC=uk)(sAMAccountName=%uid)) |
| ldapLoginFilterAttributes    |                                                                                                                          |
| ldapLoginFilterEmail         | 0                                                                                                                        |
| ldapLoginFilterMode          | 1                                                                                                                        |
| ldapLoginFilterUsername      | 1                                                                                                                        |
| ldapNestedGroups             | 0                                                                                                                        |
| ldapNoCase                   | 0                                                                                                                        |
| ldapOverrideMainServer       | 0                                                                                                                        |
| ldapPagingSize               | 500                                                                                                                      |
| ldapPort                     | 389                                                                                                                      |
| ldapQuotaAttribute           |                                                                                                                          |
| ldapQuotaDefault             |                                                                                                                          |
| ldapTLS                      | 0                                                                                                                        |
| ldapUserDisplayName          | displayname                                                                                                              |
| ldapUserFilter               | memberof:1.2.840.113556.1.4.1941:=CN=localadmins,OU=DRCGroups,DC=drc,DC=ion,DC=ucl,DC=ac,DC=uk                           |
| ldapUserFilterGroups         | localadmins                                                                                                              |
| ldapUserFilterMode           | 1                                                                                                                        |
| ldapUserFilterObjectclass    | person                                                                                                                   |
| ldapUuidGroupAttribute       | auto                                                                                                                     |
| ldapUuidUserAttribute        | auto                                                                                                                     |
| turnOffCertCheck             | 1                                                                                                                        |
+------------------------------+--------------------------------------------------------------------------------------------------------------------------+

@tdaniel555

I have the same problem:

Owncloud version: 8.0.4
OS: CentOS Linux release 7.0.1406 (Core)
AD: Windows Server 2012 R2

I changed the login filter, the group filter, etc. several times, but no login is allowed at all, only for the local accounts. Any help?

@blizzz
Contributor

blizzz commented Jun 25, 2015

Do you have the PHP module mbstring installed?

@blizzz
Contributor

blizzz commented Jun 25, 2015

Possible duplicate of #16654

@tdaniel555

Thanks blizzz for the fast answer. Yes, the module is already installed and I'm checking the other report you posted. Thanks again. I'll post here if I resolve the problem with the other report.

@tdaniel555

I changed the login filter
from: (&(memberOf:1.2.840.113556.1.4.1941:=OU=users,DC=xxxxx,DC=xxxx)(sAMAccountName=%uid))
to: cn
and it works! Now I can log in with all my AD accounts.

Thanks!

@blizzz
Contributor

blizzz commented Jun 26, 2015

@tdaniel555 glad it works for you now.

@thefold @samicemalone you still have that issue?

@neonman63

Hello. I have the same error after upgrading from a working 8.0.4 to 8.1.4:

{"reqId":"zyEsxWKfClGVXIHxqv0v","remoteAddr":"192.168.58.147","app":"PHP","message":"session_name(): session.name cannot be a numeric or empty '5348105571144' at /var/www/html/owncloud/lib/private/session/internal.php#42","level":3,"time":"2015-11-10T06:15:29+00:00","method":"POST","url":"/owncloud/"}

{"reqId":"1R/NJx1nBjtpXitEiezd","remoteAddr":"192.168.58.147","app":"PHP","message":"session_name(): session.name cannot be a numeric or empty '5348105571144' at /var/www/html/owncloud/lib/private/session/internal.php#42","level":3,"time":"2015-11-10T06:15:29+00:00","method":"GET","url":"/owncloud/index.php/core/js/oc.js?v=954ef50c4dd62045cc750ed3d5389a51"}

{"reqId":"1R/NJx1nBjtpXitEiezd","remoteAddr":"192.168.58.147","app":"user_ldap","message": "No DN found for on 192.168.1.136","level":0,"time":"2015-11-10T06:15:29+00:00","method":"GET","url":"/owncloud/index.php/core/js/oc.js?v=954ef50c4dd62045cc750ed3d5389a51"}

But syncing all users from LDAP is working normally:

{"reqId":"GkeiYBpFnw+8wWZ17Ey1","remoteAddr":"","app":"user_ldap","message":"readAttribute: uid=adok,ou=people,dc=su found","level":0,"time":"2015-11-10T06:15:03+00:00","method":"--","url":"--"}

I tried upgrading to 8.2.0, but I have the same error in the log file.

LDAP config:

+-------------------------------+----------------------------------------------------------+
| Configuration                 |                                                          |
+-------------------------------+----------------------------------------------------------+
| hasMemberOfFilterSupport      |                                                          |
| hasPagedResultSupport         |                                                          |
| homeFolderNamingRule          |                                                          |
| lastJpegPhotoLookup           | 0                                                        |
| ldapAgentName                 | uid=owncloud,ou=Special Users,dc=su                      |
| ldapAgentPassword             | ***                                                      |
| ldapAttributesForGroupSearch  |                                                          |
| ldapAttributesForUserSearch   |                                                          |
| ldapBackupHost                |                                                          |
| ldapBackupPort                |                                                          |
| ldapBase                      | dc=su                                                    |
| ldapBaseGroups                | ou=Groups,dc=su                                          |
| ldapBaseUsers                 | ou=People,dc=su                                          |
| ldapCacheTTL                  | 600                                                      |
| ldapConfigurationActive       | 1                                                        |
| ldapEmailAttribute            | mail                                                     |
| ldapExperiencedAdmin          | 0                                                        |
| ldapExpertUUIDGroupAttr       |                                                          |
| ldapExpertUUIDUserAttr        |                                                          |
| ldapExpertUsernameAttr        |                                                          |
| ldapGroupDisplayName          | cn                                                       |
| ldapGroupFilter               |                                                          |
| ldapGroupFilterGroups         |                                                          |
| ldapGroupFilterMode           | 1                                                        |
| ldapGroupFilterObjectclass    |                                                          |
| ldapGroupMemberAssocAttr      | uniqueMember                                             |
| ldapHost                      | 192.168.1.136                                            |
| ldapIgnoreNamingRules         |                                                          |
| ldapLoginFilter               | uid=%uid                                                 |
| ldapLoginFilterAttributes     |                                                          |
| ldapLoginFilterEmail          | 0                                                        |
| ldapLoginFilterMode           | 1                                                        |
| ldapLoginFilterUsername       | 0                                                        |
| ldapNestedGroups              | 0                                                        |
| ldapOverrideMainServer        | 0                                                        |
| ldapPagingSize                | 500                                                      |
| ldapPort                      | 389                                                      |
| ldapQuotaAttribute            |                                                          |
| ldapQuotaDefault              |                                                          |
| ldapTLS                       | 0                                                        |
| ldapUserDisplayName           | cn                                                       |
| ldapUserFilter                | (|(objectclass=inetOrgPerson))                           |
| ldapUserFilterGroups          |                                                          |
| ldapUserFilterMode            | 1                                                        |
| ldapUserFilterObjectclass     | inetOrgPerson                                            |
| ldapUuidGroupAttribute        | auto                                                     |
| ldapUuidUserAttribute         | auto                                                     |
| turnOffCertCheck              | 1                                                        |
| useMemberOfToDetectMembership | 0                                                        |
+-------------------------------+----------------------------------------------------------+

CentOS 6.7
httpd-2.2.15-47.el6.centos.x86_64
php55w-5.5.30-2.w6 with php55w-mbstring-5.5.30-2.w6

@blizzz
Contributor

blizzz commented Nov 10, 2015

@neonman63 this issue has not seen an update since June, and the last one before that was that it got working. Given your log snippets it does not seem to be related. Please open a new bug report using the issue template.

Therefore I am also closing this issue.

@blizzz blizzz closed this as completed Nov 10, 2015
@lock lock bot locked as resolved and limited conversation to collaborators Aug 7, 2019