Announcement

**wistof** · 14 February 2007, 20:49

Hi,

did you have turn your admin user in 'ldap auth' mode ? in contact form.

perhaps you may to test ldap auth on a other user than your admin...

**stoffee** · 14 February 2007, 21:56

Sorry let me give more info..

I have not tried to enable admin to use ldap.
I am using another user that is setup in ldap to test.

I have not actually tried to change the admin user to be ldap, for fear of being locked out with no user to login.

-thanks

**wistof** · 14 February 2007, 22:33

When you edit your contact, did you change the 'auth type' field to 'ldap' ?

take a look where : http://wistof.free.fr/doku.php/oreon:ldapuserimport

**stoffee** · 14 February 2007, 22:45

thanks wistof... that is a good howto you have there.

Yes, i had the user setup as ldap auth type.
But i tried to do a ldapImport but failed.

here is the ldapsearch.log
--snip--
[14/02/2007 13:42] LDAP Search : (&(objectclass=*)(cn=*))
[14/02/2007 13:42] LDAP Search : URI : ldap://ad.myserver.com:389
[14/02/2007 13:42] LDAP Search : Credentials : MY_DOM/search_user :: passwd
[14/02/2007 13:42] LDAP Search : Bind :
[14/02/2007 13:42] LDAP Search : XML Output : <?xml version="1.0"?>
--snip--

It looks like it's never binding to the server.
I wrote a test ldap.php to do a bind to this server, and that worked.
--code--
<?php
$ldapserver="ad.myserver.com";
$authuser="MY_DOM/search_user";
$authpass="passwd";
$basedn="DC=ad, DC=myserver, DC=com";
if (!([email protected]_connect($ldapserver))) {
die("Could not connect to ldap server");
} else {
echo "connected to " . $ldapserver . "<br />";
}
// bind to server
if (!([email protected]_bind($connect, $authuser, $authpass))) {
die("Unable to bind to server");
} else {
print "Bind Success\n";
}
?>
--code--

When I do this i see traffic in my snoop, and I can connect to the ad server.

**stoffee** · 14 February 2007, 23:34

ok. I added a new contact and enabled ldap for that user.
here is from the authlog debug log:
--snip--
[14/02/2007 14:51] LDAP User Mapping : stoffee => DC=ad,DC=myserver,DC=com
[14/02/2007 14:51] LDAP Auth Cnx : ldap://ad.myserver.com:389 : ()
[14/02/2007 14:51] LDAP AUTH Bind : DC=ad,DC=myseerver,DC=com : ()
--snip--

But I still don't see anything in my snoop. I still think there is nothing sending out to the ldap server.

snoop -d eri0 -V host ad.myserver.com
Using device /dev/eri (promiscuous mode)

***********nothing********

after unseccusful login this was displayed on the index.php page
--snip--
Warning: ldap_error(): supplied argument is not a valid ldap link resource in /www/apps/nagios-oreon/oreon/www/index.php on line 111
Warning: ldap_errno(): supplied argument is not a valid ldap link resource in /www/apps/nagios-oreon/oreon/www/index.php on line 111
Warning: ldap_error(): supplied argument is not a valid ldap link resource in /www/apps/nagios-oreon/oreon/www/index.php on line 114
Warning: ldap_errno(): supplied argument is not a valid ldap link resource in /www/apps/nagios-oreon/oreon/www/index.php on line 114
Warning: ldap_close() expects parameter 1 to be resource, boolean given in /www/apps/nagios-oreon/oreon/www/index.php on line 157
--snip--

here is what I have configured in (general options -> LDAP)
LDAP Server ad.myserver.com
LDAP Base DN DC=ad,DC=myserver,DC=com
LDAP Login Attribut uid
User for search search_user
Password search_passwd
Default LDAP filter (&(objectclass=*)(cn=*))

**wistof** · 15 February 2007, 01:34

Originally posted by stoffee View Post

ok. I added a new contact and enabled ldap for that user.
here is from the authlog debug log:
--snip--
[14/02/2007 14:51] LDAP User Mapping : stoffee => DC=ad,DC=myserver,DC=com
[14/02/2007 14:51] LDAP Auth Cnx : ldap://ad.myserver.com:389 : ()
[14/02/2007 14:51] LDAP AUTH Bind : DC=ad,DC=myseerver,DC=com : ()
--snip--

first, you user ldap dn seems wrong. should be like => CN=stoffee, DC=ad,DC=myserver,DC=com

you can see a log trace for a good LDAP auth here => http://wistof.free.fr/doku.php/oreon:debugmode

Originally posted by stoffee View Post

after unseccusful login this was displayed on the index.php page
--snip--
Warning: ldap_error(): supplied argument is not a valid ldap link resource in /www/apps/nagios-oreon/oreon/www/index.php on line 111
Warning: ldap_errno(): supplied argument is not a valid ldap link resource in /www/apps/nagios-oreon/oreon/www/index.php on line 111
Warning: ldap_error(): supplied argument is not a valid ldap link resource in /www/apps/nagios-oreon/oreon/www/index.php on line 114
Warning: ldap_errno(): supplied argument is not a valid ldap link resource in /www/apps/nagios-oreon/oreon/www/index.php on line 114
Warning: ldap_close() expects parameter 1 to be resource, boolean given in /www/apps/nagios-oreon/oreon/www/index.php on line 157
--snip--

Originally posted by stoffee View Post

--code--
<?php
$ldapserver="ad.myserver.com";
$authuser="MY_DOM/search_user";
$authpass="passwd";
$basedn="DC=ad, DC=myserver, DC=com";
if (!([email protected]_connect($ldapserver))) {
die("Could not connect to ldap server");
} else {
echo "connected to " . $ldapserver . "<br />";
}
// bind to server
if (!([email protected]_bind($connect, $authuser, $authpass))) {
die("Unable to bind to server");
} else {
print "Bind Success\n";
}
?>
--code--

try to replace

Code:

 if (!([email protected]_connect($ldapserver))) {

from your snippet with somethink like this, and test.

Code:

 if (!([email protected]_connect("ldap://" . $ldapserver.":".389))) {

your php version ?

**DonKiShoot** · 15 February 2007, 10:10

LDAP import is not fully functionnal.

If you use good dn for user all is ok for me.

**stoffee** · 15 February 2007, 23:55

my php is 5.2.1

...

ok so I tried to do it with a connect string of ldap:// but it kept failing.
Finally I changed the code oreon/www/index.php line 107

107 // $ldapuri = "ldap://" ;
108 $ldapuri = "" ;

Now i see it connecting to the AD in my snoop.

TCP: Destination port = 389 (LDAP)
LDAP: ----- Lightweight Directory Access Protocol Header -----
LDAP: *[LDAPMessage]
LDAP: [Message ID]
LDAP: Operation *[APPL 0: Bind Request]
LDAP: [Version]
LDAP: [Object Name]
LDAP: DOMAIN\search_user
LDAP: Authentication: Simple [0]
LDAP: passwd
LDAP:
LDAP: ----- Lightweight Directory Access Protocol Header -----
LDAP: *[LDAPMessage]
LDAP: [Message ID]
LDAP: Operation *[APPL 1: Bind Response]
LDAP: [Result Code]
LDAP: Success
LDAP: [Matched DN]
LDAP: [Error Message]

Am I missing something in my php that does not allow it to be ldap_connect(ldap://ad.server.com)?

-------

Also I am able to do ldap import now.
I imported a user, but that user still can't login..

here is the contact LDAP DN

CN=Stoffee, Man(XXL),OU=All Users,DC=ad,DC=myserver,DC=com

here is my LDAP config (options -> general ->lDAP)

LDAP server: ad.myserver.com
LDAP Base DN: OU=All Users, DC=ad, DC=myserver, DC=com
LDAP Login Attribut: uid
user for search: DOMAIN\search_user
pass: passwd
Default LDAP filter: (&(objectclass=*)(cn=*))

I can then go to ldapimport (Configuration-> Users-> Contacts-> LdapImport)
Search Filter

(&(objectclass=*)(cn=*))

or

(&(objectclass=*)(cn=Stoffee*))

here is my ldapsearch.log

[15/02/2007 14:45] LDAP Search : (&(objectclass=*)(cn=Stoffee*))
[15/02/2007 14:45] LDAP Search : URI : ad.myserver.com:389
[15/02/2007 14:45] LDAP Search : Credentials : DOMAIN\search_user :: passwd
[15/02/2007 14:45] LDAP Search : Bind : 0
[15/02/2007 14:45] LDAP Search : Bind OK
[15/02/2007 14:45] LDAP Search : Base DN : OU=All Users, DC=ad, DC=myserver, DC=com
[15/02/2007 14:45] LDAP Search : Filter : (&(objectclass=*)(cn=Stoffee*))
[15/02/2007 14:45] LDAP Search : Size Limit : 60
[15/02/2007 14:45] LDAP Search : Timeout : 60
[15/02/2007 14:45] LDAP Search : Error : Undefined attribute type
[15/02/2007 14:45] LDAP Search : 3 entries found
[15/02/2007 14:45] LDAP Search : 3

When I try to login as that user I imported I get the following int he auth.log

[15/02/2007 14:04] LDAP User Mapping : stoffee => CN=Stoffee, Man (XXL),OU=All Users,DC=ad,DC=myserver,DC=com
[15/02/2007 14:04] LDAP Auth Cnx : ad.myserver.com:389 : Success (0)
[15/02/2007 14:04] LDAP AUTH Bind : CN=Stoffee, Man (XXL),OU=All Users,DC=ad,DC=myserver,DC=com : Invalid credentials (49)
[15/02/2007 14:04] LDAP AUTH : LDAP don't like you, sorry

**stoffee** · 7 March 2007, 18:04

Working ... almost

I was able to figure out why the ldap:// and ldaps:// were not working on my server.
I had the sun ldap libraries linked in php.so rather than openldap. that is fixed, but I am still have trouble getting ldaps:// to work..

Currently I can login and search using ldap(AD) with no SSL, but when i enable ssl it always falls back to local auth.
I am using this cert:
DC=com/DC=myserver/DC=ad/CN=myserver TLS CA 01,

here is the log info from the login attempt:

snip from oreon\log\auth.log:

Code:

[28/02/2007 15:29] LDAP User Mapping : stoffee => [email protected]
[28/02/2007 15:29] LDAP Auth Cnx  : ldaps://adldap.myserver.com:636 : Success (0)
[28/02/2007 15:29] LDAP AUTH Bind : [email protected] : Can't contact LDAP server (-1)
[28/02/2007 15:29] LDAP AUTH : Error, Fallback to Local AUTH
[28/02/2007 15:29] Local AUTH : Local Auth or LDAP Fallback
[28/02/2007 15:29] Local AUTH : User stoffee Successfully authentificated

Here is a debug log from openldap:

Code:

ldap_create
ldap_url_parse_ext(ldaps://adldap.myserver.com:636)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP adldap.myserver.com:636
ldap_new_socket: 15
ldap_prepare_socket: 15
ldap_connect_to_host: Trying 1xx.1xx.2xx.xx7:636
ldap_connect_timeout: fd: 15 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 20, subject: /DC=com/DC=myserver/DC=ad/CN=myserver TLS CA 01, issuer: /DC=com/DC=myserver/DC=ad/CN=myserver Root Authority
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B

Does anyone know the proper steps to get the cert in so that php is using it? I tried a few different techniques.
I created a PEM from the CERT on our ldap server.
put it in openldap/etc/ldap.conf

Code:

BASE dc=myserver, dc=com
URL ldap://adldap.myserver.com  ldaps://adldap.myserver.com:636
TLS_CACERT  /usr/local/ssl/certs/adldap.myserver.com.pem

I also put it in the httpd.conf

Code:

#ssl for ldap
LDAPTrustedCAType BASE64_FILE
LDAPTrustedCA /usr/local/ssl/certs/adldap.myserver.com.pem

None of these seem to change anything.

I even tried to connect on the command line, and I still get a "unable to get local issuer"

Code:

 #sudo openssl s_client -host adldap.myserver.com -port 636 -CAfile /usr/local/ssl/certs/adldap.myserver.com.pem

--
CONNECTED(00000004)
depth=1 /DC=com/DC=myserver/DC=ad/CN=myserver TLS CA 01
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=ad.myserver.com
   i:/DC=com/DC=myserver/DC=ad/CN=myserver TLS CA 01
 1 s:/DC=com/DC=myserver/DC=ad/CN=myserver TLS CA 01
   i:/DC=com/DC=myserver/DC=ad/CN=myserver Root Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/CN=ad.myserver.com
issuer=/DC=com/DC=myserver/DC=ad/CN=myserver TLS CA 01
---
Acceptable client certificate CA names
/DC=com/DC=myserver/DC=ad/CN=myserver Root Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/[email protected]
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Premium CA/[email protected]
/C=US/O=First Data Digital Certificates Inc./CN=First Data Digital Certificates Inc. Certification Authority
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Basic CA/[email protected]
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root
---
SSL handshake has read 5169 bytes and written 342 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 4125000097BFC155FBCF5C6A3F805D7058FBE79D59EFB19AB5E0F6001F86EB35
    Session-ID-ctx:
    Master-Key: DF0DEACB2EDF250FAB38F9E437A05704F9A69B64EAF0902A3D86951A465540F6CA75EF014279E9A58BE64E0E486FB40C
    Key-Arg   : None
    Start Time: 1173286745
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

read:errno=0

I guess I need to learn more about ssl certs, so i can determine why it's failing and where i really need to put the cert.
I have tried this also, but no luck
http://blogs.csuchico.edu/ik/2006/02...e-ldap-in-php/
Any thoughts?

Announcement

ldap login

ldap login

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment