ldap RDN/Base DN

Started by on Jul 21, 2007 – Contents updated: Jul 21, 2007

Jul 21, 2007 01:08    

I've installed the ldap plugin into b2evolution-1.10.2 in order to authenticate users with a Windows 2003 server. Our server has different ou's set up to apply different policies to different users.
From what I can see the RDN needs to be set specifically for the ou that the users are in. Our users are in different ou's. How do we get around this?
e.g.
RDN cn=uid%s,ou=finance,dc=domain,dc=com
Base DN ou=finance,dc=domain,dc=com
How do people from other departments log in?
In Moodle we bind to the LDAP server with one ldap account that we have set up for that purpose.
This plugin seems to be better as it binds as the users themselves but I can't get it working with our set up. Well not for everyone.

Jul 22, 2007 21:31

I'm the author of this plugin, but not really into LDAP.. :)

Have you tried leaving "ou" out of the RDN? or using "*" as the value?

Aug 17, 2007 05:44

Sorry about the late reply, I haven't had the chance to work on this since I last posted. I have tried what you suggested today but to no avail.

ldap_plugin_14:

With no ou in RDN:
Connected to server «ldapserverip:port»..
Using rdn «dc=domain,dc=com»..
Could not bind to LDAP server!
Skipping disabled LDAP server «ariel:389»!

with RDN = *:

Connected to server «ldapserverip:port»..
Using rdn «*,ou=finance,dc=domain,dc=com»..
Could not bind to LDAP server!
Skipping disabled LDAP server «ariel:389»!

Our LDAP server is definitely enabled as Moodle connects fine via ldap.

Aug 18, 2007 16:03

If it is the same problem as in the other thread: I've just added a ldap protocol version setting to the plugin. Please try it, from the link to the SVN repository above.

If it should work out ok, I'll release a new plugin version.

Aug 24, 2007 02:24

Hi Blueyed,
Thanks for your reply. I'm still having no luck with this. I think firstly I need to confirm my settings are what is expected from the plugin.

At the moment I keep having to test the new plugin change, and then go in and change all the settings for the plugin fields via B2Evolution because I'm not sure whether it's a wrong setting in the fields of the Plugin or the code of the plugin. :roll:

I'll show you exactly what I put in my fields. Maybe I'm doing something obviously wrong:
I have a Windows Domain server called Myserver and I connect to it on the default ldap port of 389
RDN = *
I’m in a school in Australia so my BaseDN is dc=myschool,dc=vic,dc=edu,dc=au
Search Filter = uid=%s
Assign by Group is blank
Template for new group is Bloggers
I have selected Version 3 for LDAP Protocol version
I get the following message:

Connected to server «myserver:389»..
Using rdn «*»..
Trying protocol versions: 2, 3
Could not bind to LDAP server! Error(s): "Invalid credentials" (49) (protocol version 2); "Invalid credentials" (49) (protocol version 3)
Skipping disabled LDAP server «:389»!

Now, if I change the RDN to cn=%s,ou=students,dc=myschool,dc=vic,dc=edu,dc=au
And keep the rest of the settings the same I get:

Connected to server «myserver:389»..
Using rdn «cn=donj,ou=students,dc=myschool,dc=vic,dc=edu,dc=au»..
Trying protocol versions: 2, 3
Could not bind to LDAP server! Error(s): "Invalid credentials" (49) (protocol version 2); "Invalid credentials" (49) (protocol version 3)
Skipping disabled LDAP server «:389»!

I have ou’s for students and within that ou I have the students in ou’s by year level
I also have an ou for staff
I need to authenticate all users irrelevant of ou.
I can confirm I have an account that I created in the ou students called donj
I checked out the other link and tried to adjust my plugin with the settings suggested.
ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, 3);
No change
About the LDAP protocol version: how does it fail exactly? Can you remove the "@" in front of the ldap_bind() call and enable error displaying (add "error_reporting(E_ALL); ini_set('display_errors', 'on');" before the ldap_bind call).
No Change
I didn’t see any difference at all

Aug 24, 2007 02:58

Whoops sorry,
I added the line error_reporting(E_ALL); ini_set('display_errors', 'on'); but I didn't actually remove the @.
I have now and it still doesn't work but it does provide more errors. If that helps :-/
Warning: ldap_bind() [function.ldap-bind]: Unable to bind to server: Invalid credentials in /var/www/b2/blogs/plugins/_ldap.plugin.php on line 219

Warning: ldap_bind() [function.ldap-bind]: Unable to bind to server: Invalid credentials in /var/www/b2/blogs/plugins/_ldap.plugin.php on line 219

Warning: Cannot modify header information - headers already sent by (output started at /var/www/b2/blogs/plugins/_ldap.plugin.php:219) in /var/www/b2/blogs/inc/_misc/_misc.funcs.php on line 2886

Warning: Cannot modify header information - headers already sent by (output started at /var/www/b2/blogs/plugins/_ldap.plugin.php:219) in /var/www/b2/blogs/inc/_misc/_misc.funcs.php on line 2887

Warning: Cannot modify header information - headers already sent by (output started at /var/www/b2/blogs/plugins/_ldap.plugin.php:219) in /var/www/b2/blogs/inc/_misc/_misc.funcs.php on line 2888

Warning: Cannot modify header information - headers already sent by (output started at /var/www/b2/blogs/plugins/_ldap.plugin.php:219) in /var/www/b2/blogs/inc/_misc/_misc.funcs.php on line 2889

Warning: Cannot modify header information - headers already sent by (output started at /var/www/b2/blogs/plugins/_ldap.plugin.php:219) in /var/www/b2/blogs/inc/VIEW/login/_header.php on line 29

Aug 25, 2007 14:04

You seem to have set the version to "auto", right? (because it tries v2 and v3)

The problem is "Invalid credentials". Are you sure that the user (RDN) and password are correct?
It replaces %s in the RDN with the username and the password is the one provided during login.

Therefore, RDN=* won't work (normally), but "cn=%s,ou=students,dc=myschool,dc=vic,dc=edu,dc=au" may.
You may want to try something simpler, e.g. just "cn=%s".

Also, you may want to make sure that it works outside of b2evo, by using another tool/ldap browser.

Aug 29, 2007 03:54

No that's not correct. I have the Version set specifically to Version 3. Why it tried the automatic setting I don't know.

I have set the password many times thinking there may be something wrong with the user's credentials. The user is there and I am logging on with the right details.
I tried setting the RDN to cn=%s, same problem. Invalid credentials.
Tried setting the RDN to "cn=%s,ou=students,dc=myschool,dc=vic,dc=edu,dc=au". Same issue.

Now here's something interesting. I removed the setting from RDN so it was blank and I got the following error message:
Warning: ldap_search() [function.ldap-search]: Search: Operations error in /var/www/b2/blogs/plugins/_ldap.plugin.php on line 257

Warning: ldap_get_entries(): supplied argument is not a valid ldap result resource in /var/www/b2/blogs/plugins/_ldap.plugin.php on line 259

Warning: Cannot modify header information - headers already sent by (output started at /var/www/b2/blogs/plugins/_ldap.plugin.php:257) in /var/www/b2/blogs/inc/_misc/_misc.funcs.php on line 2984

Warning: Cannot modify header information - headers already sent by (output started at /var/www/b2/blogs/plugins/_ldap.plugin.php:257) in /var/www/b2/blogs/inc/_misc/_misc.funcs.php on line 2987

When I hit the back key I noticed the user was logged in!!!! :D
So I hit refresh and there I was within B2Evolution with a newly created blog account. So I then looked at the debug entries, all that I think are related:

ldap_plugin_16:
User already exists locally with this password.
login:
login: 'donj'
pass: not empty
User is trying to log in.
User successfully logged in with username and password...

Registered plugin IDs: 16
get_by_ID(): Instantiate Plugin (ID 16).
Loading plugins table data.
register(): ldap_plugin, ID: 16, priority: 50, classfile_path: [/var/www/b2/blogs/plugins/_ldap.plugin.php]
Loading plugin class file: ldap_plugin
Calling ldap_plugin(#16)->LoginAttempt( )
Trigger event AfterLoginRegisteredUser
No registered plugins.

So I deleted the user and tried it again same error but then with a refresh of the screen it was logged in and account created.

I feel close but not ready to light the cigar

Aug 29, 2007 04:15

However, I just tested this with a user not in the LDAP and it worked just the same. Same initial error, but a refresh takes you to your newly created blog. I don't know whether I'm moving forward or backward :-/

Aug 30, 2007 00:13

The debug info for the request with all the warnings would have been more useful.. :)

The problem was that ldap_search() failed, but somehow this caused the user to be created (as you can see in the debuglog above: the "User already exists locally with this password.").

Hmm. Apparently, you can bind to the server using an empty RDN (odd!), but the search then fails.
In fact, you've provoked a bug here, which I've fixed - binding without any rdn does not make sense: we need to authenticate the user through binding.

I've added some more debug_log lines, also regarding the protocol version issue (which is not really relevant, but it seems odd and I'd like to fix it, too).
Please try it again, using the version from SVN.

Have you tried using another tool to bind to the server given the user/rdn and password?
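The failure mode described in the post above (an empty RDN that appears to "bind", after which the search fails with "Operations error" and a local account is created anyway) is the LDAP anonymous/unauthenticated bind: a simple bind with an empty name, or an empty password, is not a credential check, and Active Directory answers it with success. The PHP below is an added example written for this thread, not the plugin's own code; the server URI, the login and the password are placeholders. It shows the unguarded bind beside a guarded one that refuses to send empty credentials and reports the server's result code.

```php
<?php
// Added example, not the b2evolution ldap plugin's code.
// Assumed placeholders: the server URI, $login and $pass.

// The plugin substitutes the login name for %s in the RDN template and binds
// with the result. Escaping the login keeps ',' '=' '+' and similar characters
// from changing the DN structure (ldap_escape needs PHP >= 5.6).
function build_bind_dn(string $template, string $login): string
{
    return str_replace('%s', ldap_escape($login, '', LDAP_ESCAPE_DN), $template);
}

// Unguarded: bind with whatever DN the template produced. With an empty
// template this is ldap_bind($conn, '', $password). The directory treats that
// as an anonymous bind and returns success, so the caller believes the user
// authenticated although no password was checked. A following search on an
// AD connection that is not authenticated fails with "Operations error" (1).
function bind_unguarded($conn, string $dn, string $password): bool
{
    return @ldap_bind($conn, $dn, $password);
}

// Guarded: never send a bind with an empty DN or an empty password
// (RFC 4513 5.1.2: an empty password is an unauthenticated bind, not proof of
// identity), and log the server's result code instead of swallowing it.
function bind_guarded($conn, string $dn, string $password): bool
{
    if ($dn === '' || $password === '') {
        return false;
    }
    $ok = @ldap_bind($conn, $dn, $password);
    if (!$ok) {
        error_log(sprintf('LDAP bind as "%s" failed: %s (%d)',
            $dn, ldap_error($conn), ldap_errno($conn)));
    }
    return $ok;
}

// Constructed sample input; in the plugin these come from the login form.
$login = 'donj';
$pass  = 'placeholder-password';

$conn = ldap_connect('ldap://myserver.example:389');   // placeholder host
if ($conn === false) {
    exit('invalid LDAP URI');
}
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

// Empty RDN template, as in the report above: the unguarded call comes back
// true without any password check; the guarded call refuses before the
// request leaves the host.
$unguarded = bind_unguarded($conn, build_bind_dn('', $login), $pass);
$guarded   = bind_guarded($conn, build_bind_dn('', $login), $pass);
var_dump($unguarded, $guarded);
```

The second guard matters as much as the first: a non-empty DN with an empty password is also accepted as an anonymous bind by Active Directory by default, so a login form that lets the password field through empty would pass the unguarded check for any existing DN. The local-account creation seen later in the thread for a user that does not exist in the directory is the same bug seen from the application side: bind success was taken as authentication without the search having confirmed the entry.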

Aug 31, 2007 02:22

Hi Blueyed,
Thanks for your continued support.
In the couple of previous posts I tried to put as much info as I could to help. I'm not sure whether that's humour or a real request above. :-/
If it's the latter let me know what you need.

I understood that the search was failing and that the user was still being created.

I've tried the new version but I'm still getting the same errors.
I have used another tool called ldap.exe which I have tested with a bogus user and the user I have set up to test B2Evolution with. Results:

Binding with false identity:
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
{NtAuthIdentity: User='icabod'; Pwd= <unavailable>; domain = 'NULL'.}
Error <49>: ldap_bind_s() failed: Invalid Credentials.

Binding with account used to test B2Evolution:
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
{NtAuthIdentity: User='donj'; Pwd= <unavailable>; domain = 'NULL'.}
Authenticated as dn:'donj'.

So the account's fine.
What environment are you testing on? Does it have multiple OU's?

This is what I get from the Debug info:
ldap_plugin_16:
Connected to server «ariel:389»..
Using rdn «cn=donj,ou=students,DC=myschool,DC=vic,DC=edu,DC=au»..
protocol_version setting: 'Version 3'
Trying protocol versions: 2, 3
Could not bind to LDAP server! Error(s): "Invalid credentials" (49) (protocol version 2); "Invalid credentials" (49) (protocol version 3)

Sep 02, 2007 21:36

I've just meant that you had provided the debug output of the request after the user had been created, not the one with empty rdn.

What RDN have you used with ldap.exe?

Try just "%s" as RDN..

Please note that I have no LDAP environment currently to test this. I've once written this for where I work, but we're not using b2evo there anymore.

The protocol_version problem is fixed btw - so now only the configured version should get used/tried. You need to save the plugin settings for this again.

Sep 05, 2007 03:32

Hi Blueyed
ldap.exe doesn't give an option for RDN (It may be the same thing but) it asks you to input a Domain in which I enter myschool.vic.edu.au and I get the following from the ldap screen. And as you know from a previous post user authenticates successfully.
defaultNamingContext: DC=myschool,DC=vic,DC=edu,DC=au;
1> schemaNamingContext: CN=Schema,CN=Configuration,DC=myschool,DC=vic,DC=edu,DC=au;
1> configurationNamingContext: CN=Configuration,DC=myschool,DC=vic,DC=edu,DC=au;
1> rootDomainNamingContext: DC=myschool,DC=vic,DC=edu,DC=au;

I've used %s, it doesn't work, and I save the ldap settings prior to logging off as admin and attempting to log on with the test ldap user every time.

BTW it still states Trying protocol versions: 2, 3 but also displays protocol_version setting: 'Version 3'

I've tried with RDN %s and nothing in the Search Filter and I've tried RDN %s and uid=%s in the Search Filter

Sep 05, 2007 22:57

tufta, there should be no debug output for protocol_version anymore, so you may not have used the latest version. But that's a minor issue anyway.

Please try RDN "cn=%s,DC=myschool,DC=vic,DC=edu,DC=au" (from what ldap.exe seems to use - rootDomainNamingContext).

The search filter does not matter currently really, because you need to bind first.

Sep 07, 2007 01:49

Blueyed,
I've just been and downloaded 478 version 2.01 Dev. I downloaded one last time you told me to as well. I went into the plugin area and uninstalled the ldap plugin that was there from the uninstall icon. I then deleted the _ldap.plugin.php file. Then, I uploaded the downloaded file into the plugins directory and installed it from the admin interface. Put the settings in you suggested and the result is the same. Here is the output from ldap debug:
ldap_plugin_17:
Connected to server «myserverip:389»..
Using rdn «cn=donj,DC=myschool,DC=vic,DC=edu,DC=au»..
Trying protocol versions: 2, 3
Could not bind to LDAP server! Error(s): "Invalid credentials" (49) (protocol version 2); "Invalid credentials" (49) (protocol version 3)

Sep 09, 2007 17:51

Sorry, I have no ideas anymore.

You might want to hack some simple/short php script together, with ldap_bind() etc to test this / find a solution.

What happens if you use a totally invalid RDN like "foobar"?

Sep 10, 2007 03:59

Hi Blueyed yes this is what I'll attempt to do. Thanks for your support over the last few weeks I appreciate it.

Sep 13, 2007 01:29

Hi Blueyed,
I did as you suggested and started to create an ldap php file. I looked around on the net and found basic help on connecting to the ldap server via php. I coded up something and interestingly I was getting the same error. Invalid Credentials. I then put some basic debugging in the code sending the user details and DN back to the screen (as you do) and with the use of ldap.exe (free download) I realised that what it was expecting was different to what I was entering. The cn is not the login name. I was expecting it to resolve the samAccountName not the cn. Sometimes this may be the same it depends on how you add the user initially via Windows.
I initially felt a bit of a dunce about that, but then I thought, well I did say I wasn't sure what goes in what fields pretty early on in the posting.
Anyway, that said, when I first downloaded the plugin I looked around for the How To on using it and there wasn't one. I feel somewhat confident about setting it up now and if you're agreeable I'll have a go at writing one.
Once again thank you for your help. I did uncover a bug along the way so it wasn’t a useless waste of your time (I hope). I feel I’ve gained a lot about ldap from the experience.
It works exactly like it should now. One request for a future enhancement would be to adjust your code to enter the email address from ldap automatically when it creates the blog account?
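The root cause found above (the RDN template binds on cn, while the Windows login name lives in sAMAccountName), the multiple-OU question from the first post, and the request to pick up the e-mail address are all handled by the search-then-bind pattern the first post mentions for Moodle: bind with a read-only service account, search the whole domain for the login name, then re-bind with the DN found and the password the user typed. The PHP below is an added example written for this thread, not the plugin's code; the server URI, the service account and its password are placeholders, the base DN is the rootDomainNamingContext quoted earlier, and it assumes the domain controller offers STARTTLS on port 389.

```php
<?php
// Added example, not the b2evolution ldap plugin's code.
// Placeholders: LDAP_URI, SERVICE_DN, SERVICE_PASS. BASE_DN is the
// rootDomainNamingContext shown by ldap.exe earlier in the thread.
const LDAP_URI     = 'ldap://myserver.example:389';
const BASE_DN      = 'DC=myschool,DC=vic,DC=edu,DC=au';
const SERVICE_DN   = 'CN=ldap-reader,OU=service,DC=myschool,DC=vic,DC=edu,DC=au';
const SERVICE_PASS = 'placeholder-service-password';

/**
 * Returns ['dn' => ..., 'mail' => ...] when the login and password are
 * accepted by the directory, null when they are not, and throws on
 * infrastructure errors so they are never reported as "invalid credentials".
 */
function ldap_authenticate(string $login, string $password): ?array
{
    // Refuse empty credentials before touching the network: an empty password
    // is an unauthenticated bind, which Active Directory answers with success.
    if ($login === '' || $password === '') {
        return null;
    }

    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        throw new RuntimeException('invalid LDAP URI');
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // AD returns referrals for a search at the domain root; chasing them
    // without credentials makes ldap_search() fail.
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // Simple bind sends the password in clear text; upgrade to TLS first
    // (assumes the DC has a certificate; use ldaps:// as the alternative).
    if (!ldap_start_tls($conn)) {
        throw new RuntimeException('STARTTLS failed: ' . ldap_error($conn));
    }

    // Step 1: bind with the service account so the search is permitted.
    if (!ldap_bind($conn, SERVICE_DN, SERVICE_PASS)) {
        throw new RuntimeException('service bind failed: ' . ldap_error($conn));
    }

    // Step 2: find the user's DN anywhere under the domain, whatever OU it
    // sits in. sAMAccountName is the Windows login name; cn is the display
    // name and often differs. Escaping the login stops filter metacharacters
    // such as '*' and ')' from changing the query.
    $filter = sprintf('(&(objectClass=user)(sAMAccountName=%s))',
        ldap_escape($login, '', LDAP_ESCAPE_FILTER));
    $res = ldap_search($conn, BASE_DN, $filter, ['mail'], 0, 2); // sizelimit 2 exposes duplicates
    if ($res === false) {
        throw new RuntimeException('search failed: ' . ldap_error($conn));
    }
    $entries = ldap_get_entries($conn, $res);
    if ($entries['count'] !== 1) {
        // Unknown login, or an ambiguous match: both are authentication failures.
        ldap_unbind($conn);
        return null;
    }
    $user_dn = $entries[0]['dn'];
    $mail    = $entries[0]['mail'][0] ?? null;   // attribute keys are lowercased

    // Step 3: re-bind as the user with the password they typed. Only this
    // bind proves the password; the search alone proves nothing.
    if (!@ldap_bind($conn, $user_dn, $password)) {
        $err = ldap_errno($conn);                // 49 = invalid credentials
        ldap_unbind($conn);
        error_log(sprintf('LDAP user bind failed for %s: code %d', $user_dn, $err));
        return null;
    }
    ldap_unbind($conn);
    return ['dn' => $user_dn, 'mail' => $mail];
}

// Usage from a login handler (constructed sample input):
// $user = ldap_authenticate('donj', $typed_password);
// if ($user === null) { /* reject */ }
// else { /* create or load the local account; set its e-mail from $user['mail'] */ }
```

Two points on why this matches what was observed in the thread. The ldap.exe test that "authenticated as dn:'donj'" used ldap_bind_s() with method 1158, which is LDAP_AUTH_NEGOTIATE (0x0486): a Windows SSPI bind by account name, not the simple bind on a DN that the plugin performs, which is why it succeeded while every cn-based RDN failed with result 49. Active Directory also accepts the user principal name (login@domain) as the name in a simple bind, so "%s@myschool.vic.edu.au" as the RDN template is the one-step alternative that needs no service account, at the cost of not learning the entry's DN or mail attribute before the bind.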

Sep 13, 2007 02:20

I'm glad it works for you now! :)

The email address should get set, if a field named "email" gets found in the search result. Maybe the field is named differently on your side? I could add an alternative name (or make it more configurable), but having just a list of names/keys to try makes sense IMHO.

Yes, a README would be really great, indeed!
Please just put together a README text file (ReSTructured Text format preferred, like e.g. http://evocms-plugins.svn.sourceforge.net/viewvc/evocms-plugins/openid_plugin/trunk/README?view=markup, but I could format that).
You could also just add it to the online manual, maybe? See http://manual.b2evolution.net/Ldap_plugin

Thanks in advance!
