ldap login
  • ldap login

    I am trying to get LDAP auth to work with our Active Directory.
    It seems that nothing is being sent to my AD server.
    Here are the details:

    I have ldap working with php. Here is the phpinfo()
    --snip--
    ldap
    LDAP Support enabled
    RCS Version $Id: ldap.c,v 1.161.2.3.2.3 2007/01/05 15:06:55 iliaa Exp $
    Total Links 0/unlimited
    API Version 2004
    Vendor Name Sun Microsystems Inc.
    Vendor Version 400
    --snip--

    When I turn on the (general Options -> Debug) for LDAP I only see info when the admin user logs in or uses a bad password.
    --snip--
    tail -f auth.log
    [14/02/2007 09:41] Local AUTH : Local Auth or LDAP Fallback
    [14/02/2007 09:41] Local AUTH : User admin Successfully authentificated
    [14/02/2007 09:38] Local AUTH : Local Auth or LDAP Fallback
    [14/02/2007 09:44] Local AUTH : Local Auth or LDAP Fallback
    --snip--

    I also have been running a snoop, and I never see any data sent out to my AD server.

    I have installed the following PEAR modules:
    Installed packages, channel pear.php.net:
    =========================================
    Package Version State
    Auth 1.5.0 stable
    Cache_Lite 1.7.2 stable
    DB 1.7.9 stable
    DB_ldap 1.1.1 stable
    DB_ldap2 0.4 beta
    MDB2 2.3.0 stable
    Net_LDAP 0.7.0 beta
    ----------------------------------------------------


    I am not sure about some of these options; any help is appreciated.
    Here is my oreon ldap config:
    Enable LDAP authentification YES
    LDAP Server ad.myserver.com
    LDAP Port 389
    LDAP Base DN DC=ad,DC=myserver,DC=com
    LDAP Login Attribut ldap_search_username
    Enable LDAP over SSL NO
    User for search (anonymous if empty) ldap_search_username
    Password correct_pass
    Default LDAP filter sAMAccountName
    LDAP search timeout 60
    LDAP Search Size Limit 60
    ------------------------------------------------------------

    My server info:
    nagios 2.5 / oreon 1.3.3 / solaris 8

    Thanks guys, your product is great.
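The auth.log lines in this post only show "Local Auth or LDAP Fallback" entries, and later in the thread the same log shows an LDAP bind error followed by a local login for the same user. A directory outage that quietly switches authentication to the local password store is worth alerting on, so here is an added example (not from the thread or from Oreon) that picks those events out of the log. The log lines are constructed in the formats this thread shows; the user names, DNs and the example.com host are invented.

```shell
#!/bin/sh
# Added example, not code from the thread or from Oreon: a small detector for
# "LDAP failed, local password accepted instead" events, run over sample auth.log
# lines constructed in the formats this thread shows.
set -e

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
[14/02/2007 09:41] Local AUTH : Local Auth or LDAP Fallback
[14/02/2007 09:41] Local AUTH : User admin Successfully authentificated
[28/02/2007 15:29] LDAP User Mapping : stoffee => CN=Stoffee,OU=All Users,DC=ad,DC=example,DC=com
[28/02/2007 15:29] LDAP Auth Cnx  : ldaps://adldap.example.com:636 : Success (0)
[28/02/2007 15:29] LDAP AUTH Bind : CN=Stoffee,OU=All Users,DC=ad,DC=example,DC=com : Can't contact LDAP server (-1)
[28/02/2007 15:29] LDAP AUTH : Error, Fallback to Local AUTH
[28/02/2007 15:29] Local AUTH : Local Auth or LDAP Fallback
[28/02/2007 15:29] Local AUTH : User stoffee Successfully authentificated
[28/02/2007 15:31] LDAP User Mapping : bob => CN=Bob,OU=All Users,DC=ad,DC=example,DC=com
[28/02/2007 15:31] LDAP AUTH Bind : CN=Bob,OU=All Users,DC=ad,DC=example,DC=com : Invalid credentials (49)
[28/02/2007 15:31] LDAP AUTH : LDAP don't like you, sorry
EOF

# fallback_events LOGFILE: print one line per local login that completed only
# because the preceding LDAP bind failed. A local login with no LDAP error
# before it (the admin account above) is a plain local account, not a fallback.
fallback_events() {
    awk -F' : ' '
        /\] LDAP User Mapping : / { reason = ""; pending = 0; next }  # new attempt
        /\] LDAP AUTH Bind : /    { reason = $NF; next }               # remember bind result
        /\] LDAP AUTH : Error, Fallback to Local AUTH/ { pending = 1; next }
        pending && /\] Local AUTH : User .* Successfully/ {
            split($NF, w, " ")                       # "User <name> Successfully ..."
            stamp = substr($1, 1, index($1, "]"))    # "[dd/mm/yyyy hh:mm]"
            printf "%s local login by %s after LDAP error: %s\n", stamp, w[2], reason
            pending = 0
        }
    ' "$1"
}

# count_ldap_fallbacks LOGFILE: number of such events (usable as an alert threshold).
count_ldap_fallbacks() {
    fallback_events "$1" | awk 'END { print NR }'
}

fallback_events "$LOG"
```

Run against the sample above it reports exactly one event, the stoffee login at 15:29, and ignores both the admin login (no LDAP error before it) and the bob attempt (LDAP rejected it and no local login followed). Pointing `fallback_events` at the real oreon/log/auth.log from cron and alerting when the count is non-zero turns a silent fallback into a visible one.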

  • #2
    Hi,

    Did you turn your admin user to 'ldap auth' mode in the contact form?

    Perhaps you should test LDAP auth on another user than your admin...
    StatusMap Module - NDO Tools Module - ImportCSV Module - SNMP-UI Module - PDFReports Module
    Paypal donations


    • #3
      Sorry, let me give more info..

      I have not tried to enable admin to use ldap.
      I am using another user that is setup in ldap to test.

      I have not actually tried to change the admin user to be ldap, for fear of being locked out with no user to login.

      -thanks



      • #4
        When you edit your contact, did you change the 'auth type' field to 'ldap'?

        Take a look here: http://wistof.free.fr/doku.php/oreon:ldapuserimport


        • #5
          Thanks wistof... that is a good howto you have there.

          Yes, I had the user set up as LDAP auth type.
          But I tried to do an ldapImport and it failed.

          here is the ldapsearch.log
          --snip--
          [14/02/2007 13:42] LDAP Search : (&(objectclass=*)(cn=*))
          [14/02/2007 13:42] LDAP Search : URI : ldap://ad.myserver.com:389
          [14/02/2007 13:42] LDAP Search : Credentials : MY_DOM/search_user :: passwd
          [14/02/2007 13:42] LDAP Search : Bind :
          [14/02/2007 13:42] LDAP Search : XML Output : <?xml version="1.0"?>
          --snip--

          It looks like it's never binding to the server.
          I wrote a test ldap.php to do a bind to this server, and that worked.
          --code--
          <?php
          $ldapserver = "ad.myserver.com";
          $authuser   = "MY_DOM/search_user";
          $authpass   = "passwd";
          $basedn     = "DC=ad, DC=myserver, DC=com";

          // get a connection handle for the server (no network traffic yet)
          if (!($connect = @ldap_connect($ldapserver))) {
              die("Could not connect to ldap server");
          } else {
              echo "connected to " . $ldapserver . "<br />";
          }

          // bind to server with the search account; this is the first real request
          if (!($bind = @ldap_bind($connect, $authuser, $authpass))) {
              die("Unable to bind to server");
          } else {
              print "Bind Success\n";
          }
          ?>
          --code--


          When I do this I see traffic in my snoop, and I can connect to the AD server.


          • #6
            OK. I added a new contact and enabled LDAP for that user.
            Here is the authlog debug log:
            --snip--
            [14/02/2007 14:51] LDAP User Mapping : stoffee => DC=ad,DC=myserver,DC=com
            [14/02/2007 14:51] LDAP Auth Cnx : ldap://ad.myserver.com:389 : ()
            [14/02/2007 14:51] LDAP AUTH Bind : DC=ad,DC=myseerver,DC=com : ()
            --snip--

            But I still don't see anything in my snoop. I still think nothing is being sent out to the LDAP server.

            snoop -d eri0 -V host ad.myserver.com
            Using device /dev/eri (promiscuous mode)
            ***********nothing********



            After an unsuccessful login, this was displayed on the index.php page
            --snip--
            Warning: ldap_error(): supplied argument is not a valid ldap link resource in /www/apps/nagios-oreon/oreon/www/index.php on line 111
            Warning: ldap_errno(): supplied argument is not a valid ldap link resource in /www/apps/nagios-oreon/oreon/www/index.php on line 111
            Warning: ldap_error(): supplied argument is not a valid ldap link resource in /www/apps/nagios-oreon/oreon/www/index.php on line 114
            Warning: ldap_errno(): supplied argument is not a valid ldap link resource in /www/apps/nagios-oreon/oreon/www/index.php on line 114
            Warning: ldap_close() expects parameter 1 to be resource, boolean given in /www/apps/nagios-oreon/oreon/www/index.php on line 157
            --snip--


            Here is what I have configured in (general options -> LDAP)
            LDAP Server ad.myserver.com
            LDAP Base DN DC=ad,DC=myserver,DC=com
            LDAP Login Attribut uid
            User for search search_user
            Password search_passwd
            Default LDAP filter (&(objectclass=*)(cn=*))



            • #7
              Originally posted by stoffee:
              OK. I added a new contact and enabled LDAP for that user.
              Here is the authlog debug log:
              --snip--
              [14/02/2007 14:51] LDAP User Mapping : stoffee => DC=ad,DC=myserver,DC=com
              [14/02/2007 14:51] LDAP Auth Cnx : ldap://ad.myserver.com:389 : ()
              [14/02/2007 14:51] LDAP AUTH Bind : DC=ad,DC=myseerver,DC=com : ()
              --snip--
              First, your user LDAP DN seems wrong. It should be like => CN=stoffee, DC=ad,DC=myserver,DC=com

              you can see a log trace for a good LDAP auth here => http://wistof.free.fr/doku.php/oreon:debugmode


              Originally posted by stoffee:
              After an unsuccessful login, this was displayed on the index.php page
              --snip--
              Warning: ldap_error(): supplied argument is not a valid ldap link resource in /www/apps/nagios-oreon/oreon/www/index.php on line 111
              Warning: ldap_errno(): supplied argument is not a valid ldap link resource in /www/apps/nagios-oreon/oreon/www/index.php on line 111
              Warning: ldap_error(): supplied argument is not a valid ldap link resource in /www/apps/nagios-oreon/oreon/www/index.php on line 114
              Warning: ldap_errno(): supplied argument is not a valid ldap link resource in /www/apps/nagios-oreon/oreon/www/index.php on line 114
              Warning: ldap_close() expects parameter 1 to be resource, boolean given in /www/apps/nagios-oreon/oreon/www/index.php on line 157
              --snip--

              Originally posted by stoffee:
              --code--
              <?php
              $ldapserver = "ad.myserver.com";
              $authuser   = "MY_DOM/search_user";
              $authpass   = "passwd";
              $basedn     = "DC=ad, DC=myserver, DC=com";

              // get a connection handle for the server (no network traffic yet)
              if (!($connect = @ldap_connect($ldapserver))) {
                  die("Could not connect to ldap server");
              } else {
                  echo "connected to " . $ldapserver . "<br />";
              }

              // bind to server with the search account; this is the first real request
              if (!($bind = @ldap_bind($connect, $authuser, $authpass))) {
                  die("Unable to bind to server");
              } else {
                  print "Bind Success\n";
              }
              ?>
              --code--
              Try to replace
              Code:
               if (!($connect = @ldap_connect($ldapserver))) {
              from your snippet with something like this, and test.
              Code:
               if (!($connect = @ldap_connect("ldap://" . $ldapserver . ":" . 389))) {
              Your PHP version?


              • #8
                LDAP import is not fully functional.

                If you use a good DN for the user, all is OK for me.
                Intel(R) Xeon(TM) CPU 3.4GHz - MemTotal : 1034476 kB
                Centreon 2.4.1 - Nagios 3.2.1 - Nagios Plugins 1.4.15 - Manubulon Plugins tuned
                Fedora Core 5 - 2.6.20-1.2320


                • #9
                  My PHP is 5.2.1


                  ...


                  OK, so I tried it with a connect string of ldap:// but it kept failing.
                  Finally I changed the code in oreon/www/index.php at line 107
                  107 // $ldapuri = "ldap://" ;
                  108 $ldapuri = "" ;
                  Now I see it connecting to the AD in my snoop.
                  TCP: Destination port = 389 (LDAP)
                  LDAP: ----- Lightweight Directory Access Protocol Header -----
                  LDAP: *[LDAPMessage]
                  LDAP: [Message ID]
                  LDAP: Operation *[APPL 0: Bind Request]
                  LDAP: [Version]
                  LDAP: [Object Name]
                  LDAP: DOMAIN\search_user
                  LDAP: Authentication: Simple [0]
                  LDAP: passwd
                  LDAP:
                  LDAP: ----- Lightweight Directory Access Protocol Header -----
                  LDAP: *[LDAPMessage]
                  LDAP: [Message ID]
                  LDAP: Operation *[APPL 1: Bind Response]
                  LDAP: [Result Code]
                  LDAP: Success
                  LDAP: [Matched DN]
                  LDAP: [Error Message]
                  Am I missing something in my php that does not allow it to be ldap_connect(ldap://ad.server.com)?

                  -------

                  Also I am able to do ldap import now.
                  I imported a user, but that user still can't log in..

                  here is the contact LDAP DN
                  CN=Stoffee, Man(XXL),OU=All Users,DC=ad,DC=myserver,DC=com
                  Here is my LDAP config (options -> general -> LDAP)
                  LDAP server: ad.myserver.com
                  LDAP Base DN: OU=All Users, DC=ad, DC=myserver, DC=com
                  LDAP Login Attribut: uid
                  user for search: DOMAIN\search_user
                  pass: passwd
                  Default LDAP filter: (&(objectclass=*)(cn=*))
                  I can then go to ldapimport (Configuration-> Users-> Contacts-> LdapImport)
                  Search Filter
                  (&(objectclass=*)(cn=*))
                  or
                  (&(objectclass=*)(cn=Stoffee*))
                  here is my ldapsearch.log
                  [15/02/2007 14:45] LDAP Search : (&(objectclass=*)(cn=Stoffee*))
                  [15/02/2007 14:45] LDAP Search : URI : ad.myserver.com:389
                  [15/02/2007 14:45] LDAP Search : Credentials : DOMAIN\search_user :: passwd
                  [15/02/2007 14:45] LDAP Search : Bind : 0
                  [15/02/2007 14:45] LDAP Search : Bind OK
                  [15/02/2007 14:45] LDAP Search : Base DN : OU=All Users, DC=ad, DC=myserver, DC=com
                  [15/02/2007 14:45] LDAP Search : Filter : (&(objectclass=*)(cn=Stoffee*))
                  [15/02/2007 14:45] LDAP Search : Size Limit : 60
                  [15/02/2007 14:45] LDAP Search : Timeout : 60
                  [15/02/2007 14:45] LDAP Search : Error : Undefined attribute type
                  [15/02/2007 14:45] LDAP Search : 3 entries found
                  [15/02/2007 14:45] LDAP Search : 3
                  When I try to log in as that user I imported, I get the following in the auth.log
                  [15/02/2007 14:04] LDAP User Mapping : stoffee => CN=Stoffee, Man (XXL),OU=All Users,DC=ad,DC=myserver,DC=com
                  [15/02/2007 14:04] LDAP Auth Cnx : ad.myserver.com:389 : Success (0)
                  [15/02/2007 14:04] LDAP AUTH Bind : CN=Stoffee, Man (XXL),OU=All Users,DC=ad,DC=myserver,DC=com : Invalid credentials (49)
                  [15/02/2007 14:04] LDAP AUTH : LDAP don't like you, sorry



                  • #10
                    Working ... almost

                    I was able to figure out why the ldap:// and ldaps:// were not working on my server.
                    I had the Sun LDAP libraries linked in php.so rather than OpenLDAP. That is fixed, but I still have trouble getting ldaps:// to work..


                    Currently I can log in and search using LDAP (AD) with no SSL, but when I enable SSL it always falls back to local auth.
                    I am using this cert:
                    DC=com/DC=myserver/DC=ad/CN=myserver TLS CA 01,

                    here is the log info from the login attempt:

                    snip from oreon\log\auth.log:
                    Code:
                    [28/02/2007 15:29] LDAP User Mapping : stoffee => [email protected]
                    [28/02/2007 15:29] LDAP Auth Cnx  : ldaps://adldap.myserver.com:636 : Success (0)
                    [28/02/2007 15:29] LDAP AUTH Bind : [email protected] : Can't contact LDAP server (-1)
                    [28/02/2007 15:29] LDAP AUTH : Error, Fallback to Local AUTH
                    [28/02/2007 15:29] Local AUTH : Local Auth or LDAP Fallback
                    [28/02/2007 15:29] Local AUTH : User stoffee Successfully authentificated
                    Here is a debug log from openldap:
                    Code:
                    ldap_create
                    ldap_url_parse_ext(ldaps://adldap.myserver.com:636)
                    ldap_bind_s
                    ldap_simple_bind_s
                    ldap_sasl_bind_s
                    ldap_sasl_bind
                    ldap_send_initial_request
                    ldap_new_connection 1 1 0
                    ldap_int_open_connection
                    ldap_connect_to_host: TCP adldap.myserver.com:636
                    ldap_new_socket: 15
                    ldap_prepare_socket: 15
                    ldap_connect_to_host: Trying 1xx.1xx.2xx.xx7:636
                    ldap_connect_timeout: fd: 15 tm: -1 async: 0
                    TLS trace: SSL_connect:before/connect initialization
                    TLS trace: SSL_connect:SSLv2/v3 write client hello A
                    TLS trace: SSL_connect:SSLv3 read server hello A
                    TLS certificate verification: depth: 1, err: 20, subject: /DC=com/DC=myserver/DC=ad/CN=myserver TLS CA 01, issuer: /DC=com/DC=myserver/DC=ad/CN=myserver Root Authority
                    TLS certificate verification: Error, unable to get local issuer certificate
                    TLS trace: SSL3 alert write:fatal:unknown CA
                    TLS trace: SSL_connect:error in SSLv3 read server certificate B
                    TLS trace: SSL_connect:error in SSLv3 read server certificate B
                    Does anyone know the proper steps to get the cert in so that PHP is using it? I tried a few different techniques.
                    I created a PEM from the cert on our LDAP server and put it in openldap/etc/ldap.conf
                    Code:
                    BASE dc=myserver, dc=com
                    URL ldap://adldap.myserver.com  ldaps://adldap.myserver.com:636
                    TLS_CACERT  /usr/local/ssl/certs/adldap.myserver.com.pem
                    I also put it in the httpd.conf
                    Code:
                    #ssl for ldap
                    LDAPTrustedCAType BASE64_FILE
                    LDAPTrustedCA /usr/local/ssl/certs/adldap.myserver.com.pem
                    None of these seem to change anything.

                    I even tried to connect on the command line, and I still get an "unable to get local issuer"
                    Code:
                     #sudo openssl s_client -host adldap.myserver.com -port 636 -CAfile /usr/local/ssl/certs/adldap.myserver.com.pem
                    
                    --
                    CONNECTED(00000004)
                    depth=1 /DC=com/DC=myserver/DC=ad/CN=myserver TLS CA 01
                    verify error:num=20:unable to get local issuer certificate
                    verify return:0
                    ---
                    Certificate chain
                     0 s:/CN=ad.myserver.com
                       i:/DC=com/DC=myserver/DC=ad/CN=myserver TLS CA 01
                     1 s:/DC=com/DC=myserver/DC=ad/CN=myserver TLS CA 01
                       i:/DC=com/DC=myserver/DC=ad/CN=myserver Root Authority
                    ---
                    Server certificate
                    -----BEGIN CERTIFICATE-----
                    -----END CERTIFICATE-----
                    subject=/CN=ad.myserver.com
                    issuer=/DC=com/DC=myserver/DC=ad/CN=myserver TLS CA 01
                    ---
                    Acceptable client certificate CA names
                    /DC=com/DC=myserver/DC=ad/CN=myserver Root Authority
                    /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
                    /C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
                    /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/emailAddress=personal-freemail@thawte.com
                    /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Premium CA/emailAddress=personal-premium@thawte.com
                    /C=US/O=First Data Digital Certificates Inc./CN=First Data Digital Certificates Inc. Certification Authority
                    /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Basic CA/emailAddress=personal-basic@thawte.com
                    /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
                    /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
                    /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
                    /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
                    /C=US/O=GTE Corporation/CN=GTE CyberTrust Root
                    /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
                    /OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
                    /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
                    /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root
                    ---
                    SSL handshake has read 5169 bytes and written 342 bytes
                    ---
                    New, TLSv1/SSLv3, Cipher is RC4-MD5
                    Server public key is 1024 bit
                    SSL-Session:
                        Protocol  : TLSv1
                        Cipher    : RC4-MD5
                        Session-ID: 4125000097BFC155FBCF5C6A3F805D7058FBE79D59EFB19AB5E0F6001F86EB35
                        Session-ID-ctx:
                        Master-Key: DF0DEACB2EDF250FAB38F9E437A05704F9A69B64EAF0902A3D86951A465540F6CA75EF014279E9A58BE64E0E486FB40C
                        Key-Arg   : None
                        Start Time: 1173286745
                        Timeout   : 300 (sec)
                        Verify return code: 20 (unable to get local issuer certificate)
                    ---
                    
                    read:errno=0
                    I guess I need to learn more about SSL certs, so I can determine why it's failing and where I really need to put the cert.
                    I have tried this also, but no luck
                    http://blogs.csuchico.edu/ik/2006/02...e-ldap-in-php/
                    Any thoughts?
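The s_client output above fails at depth=1: the certificate being checked there is "myserver TLS CA 01", and its issuer "myserver Root Authority" is what OpenSSL cannot find in the CAfile (verify error 20, "unable to get local issuer certificate"). The server already sends the TLS CA 01 intermediate in its chain, so the file named by TLS_CACERT has to contain the self-signed Root Authority certificate, not the server's or the intermediate's. As an added example, not code from the thread or from Oreon, the script below rebuilds that situation with a constructed three-tier chain (all names, including example.com and "example TLS CA 01", are invented) and shows the same verification failing and then passing depending on what the CAfile holds. It needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the thread or from Oreon: reproduce OpenSSL
# verify error 20 ("unable to get local issuer certificate") with a constructed
# root -> intermediate -> server chain, then show which certificate the CAfile
# must hold. All names (example.com, "example TLS CA 01") are invented.
set -e

WORK=$(mktemp -d)
CFG="$WORK/ext.cnf"

# Minimal openssl config: an empty DN section (subjects come from -subj) plus
# extension profiles for a CA certificate and for the LDAP server certificate.
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ad.example.com
EOF

# issue_cert NAME SUBJECT EXT_SECTION [ISSUER]: self-signed when ISSUER is empty.
issue_cert() {
    name=$1; subj=$2; ext=$3; issuer=$4
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl req -new -x509 -key "$WORK/$name.key" -out "$WORK/$name.pem" \
            -days 30 -subj "$subj" -config "$CFG" -extensions "$ext" 2>/dev/null
    else
        openssl req -new -key "$WORK/$name.key" -out "$WORK/$name.csr" \
            -subj "$subj" -config "$CFG" 2>/dev/null
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
            -CAkey "$WORK/$issuer.key" -CAcreateserial -out "$WORK/$name.pem" \
            -days 30 -extfile "$CFG" -extensions "$ext" 2>/dev/null
    fi
}

# The same three tiers the poster's s_client output shows:
#   server cert <- "TLS CA 01" (intermediate) <- "Root Authority" (self-signed)
issue_cert root   "/DC=com/DC=example/CN=example Root Authority" v3_ca
issue_cert tlsca  "/DC=com/DC=example/CN=example TLS CA 01"      v3_ca     root
issue_cert server "/CN=ad.example.com"                           v3_server tlsca

# verify_server CAFILE [CHAIN]: verify the server certificate the way s_client
# does. CHAIN stands in for the intermediate the LDAP server sends along with
# its own certificate (depth 1 in the poster's output). Exit status 0 = trusted.
verify_server() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$WORK/server.pem"
    else
        openssl verify -CAfile "$1" "$WORK/server.pem"
    fi
}

# Convenience bundle: trust anchor plus intermediate in one file.
cat "$WORK/root.pem" "$WORK/tlsca.pem" > "$WORK/bundle.pem"

echo "1) CAfile holds only the intermediate that signed the server cert:"
verify_server "$WORK/tlsca.pem" || true    # fails: no issuer for depth 1 in the store
echo "2) CAfile holds the root; the intermediate arrives from the server:"
verify_server "$WORK/root.pem" "$WORK/tlsca.pem"
echo "3) CAfile bundles root and intermediate:"
verify_server "$WORK/bundle.pem"
```

Case 1 is the thread's situation and prints the same "error 20 ... unable to get local issuer certificate" at depth 1; cases 2 and 3 print "OK". For the real server, `openssl s_client -connect adldap.myserver.com:636 -showcerts` prints every certificate the server sends, and whichever issuer name appears at the top of the chain without its own certificate below it is the one the TLS_CACERT file must contain. Exporting that root from the Windows CA and appending it to the PEM is the change that makes the `openssl s_client -CAfile` check above, and with it the PHP/OpenLDAP client, return "Verify return code: 0 (ok)".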
