3.4.5 and Active Directory #801
@red-erik, have you tried the instructions at https://gitlab.com/viharm/PsmLDAPauth?
I believe that this (#507) has not been merged yet, so the configuration tab will not appear only by adding the module. The revisions in my fork to the configuration page are required for this to be visible.
Related to #206.
Hello, Red.
Yes, I read https://gitlab.com/viharm/PsmLDAPauth, but in my AD anonymous binding is not allowed. Where do I have to specify the user and password to connect to AD?
@red-erik,
Sure.. I'm in an enterprise environment with forests with multiple child domains and foreign forests connected with trusts, so I can do all possible tests.
btw.. if I use the files from your branch in a 3.4.5 environment, the Configuration page is blank. I modified the original config.tpl.html, adding your code to display a new tab for AD.
Understood, thanks.
My code is quite old, and since it wasn't merged, I suspect that the current conflicts are causing the issue. My fork may need to be rebased onto the current dev branch; I'm not an expert on git.
Hello, Regards, Red.
@red-erik, thanks for following up. Unfortunately, not yet. I am waiting for the PSM maintainers to provide a road map, as I would like to rebase and update only when I am sure it will be merged. As for the authenticated bind, I haven't set aside time for it yet. I may need to travel over the next couple of months for my day job. But this has been added to the list of open issues at https://gitlab.com/viharm/PsmLDAPauth/issues/5. I will endeavour to plan it over the next few days - a lot is happening :-P
@red-erik, just had a quick look. Currently the auth library binds to the directory service using the username and password supplied to authenticate with. Does your AD policy allow this?
@viharm Hello, the only constraint we have is that anonymous binding is not allowed, but every AD user is allowed to bind to AD. Anyway, I don't understand how to add users from AD.
@red-erik, if users are allowed to bind, then this should work for you as is. The authentication result depends on a successful bind. You don't specifically add users from AD. The module follows the logic shown here. So this means, every time a user logs in they are added to the PSM database. If you specifically want to add users beforehand, then simply create new users in PSM with the exact same user name as in the directory. The password will be ignored. Hope this helps.
Hello,
@red-erik, are you able to get some PHP logs? If not, then please could you switch debugging on as shown at https://gitlab.com/viharm/PsmLDAPauth#support? This will provide a debug output. Please ensure that you review the debug output before you send it to ensure no sensitive information is shared.
Hello, what should I use for: Regards, Red.
This implies that the AD domain name is not being handed off from PsmLDAPauth to phpLDAPauth to interrogate the directory server. This could be because of one of the following reasons:
A debug log will certainly help me in understanding what's going on.
This is the username field used to interrogate the account being checked for authentication. The username entered by the user trying to log in is checked in the directory against this field. For Active Directory servers this is classically either
Hello,
Called from /ServMon.3.4.5/vendor/PsmLDAPauth/phpLDAPauth/Lib/phpKhelper/phpKhelper.lib.inc.php:143 [fn_Debug()]
Fatal error: User domain not specified in C:\Reports\ServMon.3.4.5\vendor\PsmLDAPauth\phpLDAPauth\phpldapauth.php on line 266
It appears that the user is being specified as
Hello, Red.
Just checked this. Well spotted, I haven't coded this yet. The underlying library is compatible, so it only needs to be added in the controller script. Will try to add this as soon as possible. Please could you confirm if your AD server is AD DS or AD LDS? Thanks for your patience.
@red-erik, does this mean your users may belong to any one of the four domains? Will they need to specify the domain they will log on to? At this moment, PsmLDAPauth allows AD login to only one domain, by entering the domain in the authentication configuration as shown below. Then the users will need to log in with only their usernames (without the domain prefix). However, in your case a change in the login logic will be required. I will post a patch soon. In the meantime, please could you try setting one of the domains in your authentication configuration and logging in with one of the users in that domain? This will help verify if the login logic works with your domain.
@red-erik, please add the following code at line 85 of the file

```php
// If the login name is of the form DOMAIN\user, split it: the part before the
// backslash becomes the domain, the part after it the username to look up.
if ( stripos ( $ar_Request['ky_UserKeyword'] , '\\' ) !== FALSE ) {
    $ar_DomainAndUser = explode ( '\\' , $ar_Request['ky_UserKeyword'] ) ;
    $ar_Request['ky_UserDomain'] = $ar_DomainAndUser[0] ;
    $ar_Request['ky_UserKeyword'] = $ar_DomainAndUser[1] ;
}
unset($ar_DomainAndUser) ;
```

This will override any domain configured in the authentication settings with the one specified in the username field, separated from the username with a backslash.
Hello,
Notice: Trying to get property 'user_id' of non-object in C:\Reports\ServMon.3.4.5\src\psm\Service\User.php on line 248
Notice: Trying to get property 'password' of non-object in C:\Reports\ServMon.3.4.5\src\psm\Service\User.php on line 261
Notice: Trying to get property 'user_id' of non-object in C:\Reports\ServMon.3.4.5\src\psm\Service\User.php on line 262
Warning: Cannot modify header information - headers already sent by (output started at C:\Reports\ServMon.3.4.5\vendor\PsmLDAPauth\phpLDAPauth\Lib\phpKhelper\kint.php(266) : eval()'d code:1) in C:\Reports\ServMon.3.4.5\src\psm\Module\User\Controller\LoginController.php on line 58
Fatal error: Redirect failed. in C:\Reports\ServMon.3.4.5\src\psm\Module\User\Controller\LoginController.php on line 59
Regards, Red.
@red-erik, I am surprised that forcing a domain from the configuration does not work. Please could you send the log from PsmLDAPauth as before for both scenarios (forced domain & patched logic).
@red-erik, the missing field for the AD domain is an unexpected error. I may have to rebase my code to the current PSM repository. You can manually force your domain in line 82 of Change... `'ky_UserDomain' => $ar_DirConfigRaw['authdir_userdomain'] ,` to... `'ky_UserDomain' => 'YOURDOMAIN' ,` Please could you try this and post the log? As for the patched logic, the logs suggest that authentication works. This is great news. Just need to iron out the implementation of this logic. I have logged an issue for this (https://gitlab.com/viharm/PsmLDAPauth/issues/7). I will rebase my code and integrate the patch properly. Thank you for your help in testing this so far. Will need a final few tests once I'm done.
Hello,
@red-erik, thanks for offering to help further. Sorry about the delay. It has been a busy few weeks. I am hoping that I can spend some time on this over the New Year break.
Hello, Regards,
Hi @red-erik, thanks for following up on this. Although the module was successfully merged into the "develop" branch in 2019, there was another bug, which was patched in this PR in Aug last year. I'm hoping that if you try with the "develop" branch, the config page should work ok. You should also be able to log in with only one domain. It will be good to know if this works for you (with only one allowed domain, configured in the settings page). I have done some initial tests to allow multiple domains in the meantime, but there is a critical decision required - whether to specify a list of allowed domains in the settings page or to allow any domain to be specified while logging in. Since I don't have AD infrastructure, do you know if the directory carries out robust checks for allowed domains (I hope so, but can't assume due to the risks involved)? If the checks are robust, then we can completely remove the restriction of allowed domains, and let the user specify the domain in the login screen (e.g.,
Hello, Regards,
Just to be sure, I downloaded 3.5.2 (latest) from develop now, but I don't see anything in the vendor dir related to PsmLDAPauth. Thanks, Regards,
Does composer not automatically pull the libraries?
I forgot the procedure; I was thinking to have everything already packaged. I'll test it ASAP. I don't see any reference to your module and don't know how to "enable" it. Regards,
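As an added illustration of the two threads above (the `DOMAIN\user` split patch and the open question about allowed domains), here is example code that is not PsmLDAPauth's or PSM's own; every function name, setting name and sample value is assumed. It parses `DOMAIN\user`, `user@domain` or a bare username, falls back to the configured domain, and accepts the login only if the domain is on the administrator's allow-list, so the directory is never asked to evaluate a domain the administrator has not approved.

```php
<?php
// Added example, not PsmLDAPauth code. Function and setting names are assumed.

// Normalise a login name into ['domain' => ..., 'user' => ...].
// Accepts DOMAIN\user (down-level logon name), user@domain (UPN) or a bare
// user name, which takes the domain configured in the settings page.
function psm_parse_login(string $login, string $defaultDomain): array
{
    $login = trim($login);
    if (strpos($login, '\\') !== false) {
        [$domain, $user] = explode('\\', $login, 2);   // limit 2: keep any extra '\' in $user
    } elseif (strpos($login, '@') !== false) {
        [$user, $domain] = explode('@', $login, 2);
    } else {
        $user   = $login;
        $domain = $defaultDomain;
    }
    // AD domain names are case-insensitive; compare them in one case.
    return ['domain' => strtolower($domain), 'user' => $user];
}

// Allow-list check. List both the NetBIOS form (CORP) and the DNS form
// (corp.example) of each trusted domain, since users may type either.
function psm_domain_allowed(string $domain, array $allowedDomains): bool
{
    return in_array($domain, array_map('strtolower', $allowedDomains), true);
}

// Reject anything that cannot be a sAMAccountName before the bind string is
// built, so a second separator or filter metacharacters never reach the bind.
function psm_user_is_sane(string $user): bool
{
    return preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user) === 1;
}

// Usage with constructed values (assumed settings: allowed domains and default).
$allowed  = ['corp', 'corp.example', 'child.corp.example'];
$attempts = ['CORP\\alice', 'bob@child.corp.example', 'carol',
             'other.example\\dave', 'corp\\eve\\extra', 'frank(*)'];
foreach ($attempts as $attempt) {
    $p  = psm_parse_login($attempt, 'corp.example');
    $ok = psm_domain_allowed($p['domain'], $allowed) && psm_user_is_sane($p['user']);
    printf("%-24s -> %s\\%s : %s\n", $attempt, $p['domain'], $p['user'],
           $ok ? 'allowed' : 'rejected');
}
```

The first three attempts are allowed; the last three are rejected (unlisted domain, a stray second backslash, and characters that are not valid in an account name), before any bind is attempted.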
Hello @viharm, do you have updates on that? Regards,
Hi, sorry for the late reply. I tried to download the zip file linked in your log. I could not replicate the issue. Could you try from a different client?
Bitbucket does not require an account to download the zip file.
Hello, Regards,
Version 3.5.2 was released in Aug 2020, so it will not have LDAP functionality. Please use the develop branch.
Hmm. Again, I still can't replicate this problem. Are you able to try downloading the link from a different client (even if it is a desktop client)? I'm trying to understand the root of the issue. If you are using composer, then it should download from packagist, not BitBucket. If it is related to BitBucket, I may have to move the repository.
Hello,
I've tried to integrate the work from @viharm into the latest version, but I'm not able to get it up and running (the configuration tab for AD does not appear).
Would you be so kind as to write some lines to explain how to integrate it?
Thank you in advance.
Regards,
Red.