LDAP connection failed (trying to connect a Sun LDAP server)

Hi there,
after configuring the mysql back-end (works flawlessly in 4.2.4), I am trying to configure ldap accounts in multiotp with this command:

./multiotp.php -config \
ldap-activated=1 \
ldap-account-suffix="dc=...,dc=..." \
ldap-base-dn="ou=people,dc=...,dc=..." \
ldap-bind-dn="uid=admin,dc=...,dc=..." \
ldap-cn-identifier="cn" \
ldap-domain-controllers="..url.." \
ldap-group-attribute="objectClass" \
ldap-in-group="INETORGPERSON" \
ldap-port=389 \
ldap-server-password="password" \
ldap-ssl=0 \
ldap-network-timeout=100 \
ldap-time-limit=300

the output is "19 INFO: Requested operation successfully done".
When checking the ldap with:

./multiotp.php -ldap-check
 
the output is also "19 INFO: Requested operation successfully done".

But when I provide:

./multiotp.php -ldap-users-sync

the output is:

LOG 2014-03-31 16:08:59 warning LDAP Error: LDAP connection failed

LOG 2014-03-31 16:08:59 warning LDAP Info: LDAP access error
99 ERROR: Authentication failed (and other possible unknown errors)

Is this any wrong configuration of mine?
How can I find more info for the success of the connection (is there a successful bind or not)?

thanks in advance

Comments

  • edited April 2014
    Hi,

    The ldap-account-suffix is optional and is added as a suffix of the ldap-bind-dn. If the ldap-bind-dn is already complete, the appended ldap-account-suffix will result in bad binding information.

    The -ldap-check option is not using the ldap-account-suffix yet (a bug to be fixed), that's why it works in your case! (The latest beta version is already corrected, see http://download.multiotp.net/beta/)

    Just set the value of ldap-account-suffix to empty and it should work flawlessly.

    Regards,

    Andre
  • Hi and thanks for the quick reply.
    According to your suggestion I set an empty suffix, but now some other warnings come up. The command is:

    ./multiotp.php -config \
    ldap-activated=1 \
    ldap-account-suffix="" \
    ldap-base-dn="ou=people,dc=...,dc=..." \
    ldap-bind-dn="uid=admin,dc=...,dc=..." \
    ldap-cn-identifier="cn" \
    ldap-domain-controllers="..url.." \
    ldap-group-attribute="objectClass" \
    ldap-in-group="inetOrgPerson" \
    ldap-port=389 \
    ldap-server-password="password" \
    ldap-ssl=0 \
    ldap-network-timeout=100 \
    ldap-time-limit=300

    and the output of -ldap-users-sync is:

    PHP Warning:  ldap_get_attributes() expects parameter 2 to be resource, boolean given in /IS/web/multiotp-4.2.4/multiotp.php on line 14333
    PHP Warning:  ldap_next_entry() expects parameter 2 to be resource, boolean given in /IS/web/multiotp-4.2.4/multiotp.php on line 14343
    PHP Warning:  Invalid argument supplied for foreach() in /IS/web/multiotp-4.2.4/multiotp.php on line 8351

    LOG 2014-04-01 16:39:50 info LDAP Info: No modification about LDAP users (processed in 00:00:00)
    19 INFO: Requested operation successfully done

    It seems to me that function users_info of class MultiotpAdLdap creates some strange filter for the ldap search, although I have no php experience...
    By the way, I am using ldap (sun ldap).

    regards
  • Hi Alex,

    The good news is that multiOTP can now reach your LDAP server ;-)
    Do you know exactly which kind of LDAP server is installed on your Sun machine?

    Currently I have only done intensive tests for the AD/LDAP server provided by Windows, but I haven't done other tests.

    Regards,

    Andre
  • Hi Andre,
    the ldap server I am using is a Sun Directory Server 5.2.
    As I said, it seems to me that the $filter created inside the user_info function is suited more to an AD...
  • edited April 2014
    Hello,

    I will have a look at the documentation of Oracle (http://docs.oracle.com/cd/E19199-01/816-6699-10/ax_ldurl.html) later.

    For sure, we will have to adapt the filter.

    Regards,

    Andre
  • Hi Andre,
    I was fooling around with the code (no php experience ...) and when I changed the hardcoded ldap search filter in function users_info() the search result ($sr) was created fine. The change I did probably suited my ldap configuration.
    But problems persisted elsewhere (inside function group_info() I suppose), probably because of hardcoded group attributes. I didn't guess any attribute mapping to play with this...

    I was wondering if it would be better to provide search filters in a -config like parameter in the first place, instead of hardcoding those search strings.

    waiting for news...

    Alex
  • Hello Alex,

    It's exactly what open source is for, try to tweak a little bit just to see if it works for specific needs!
    Thanks for giving us the hardcoded ldap search filter you changed in function users_info(), and I will think about one or more additional parameters to customize the LDAP connection.

    I think I have found an LDAP server that is more or less corresponding to yours to make some tests.

    Regards,

    Andre
  • Hi Andre,

    inside users_info(), I just replaced:
    $filter = "(&(objectClass=user)(samaccounttype=". ADLDAP_NORMAL_ACCOUNT .")(objectCategory=person)(".$this->_cn_identifier."=".$username."))";
    which seems more AD like, with:
    $filter = "(&(".$this->_cn_identifier."=<username>)(objectClass=inetOrgPerson))";
    where in <username> I hardcoded an ldap user I am testing with (I am still just running -ldap-users-sync).

    As I said, I didn't guess any group attribute mapping so I could also test a similar $filter inside group_info() .
    This is all I did... hope this helps.

    By the way, I think that any LDAP server would do for testing, not just Sun LDAP.

    regards
    Alex
  • Hi again,

    I am using version 4.2.4.2 and the workflow I thought would be correct for importing users from ldap is:
    1. -config (commands like I mention in previous posts)
    2. ./multiotp.php -initialize-backend
    3. ./multiotp.php -ldap-check
    4. ./multiotp.php -ldap-users-sync

    The 1, 2, 3 commands work fine and the output is:

    19 INFO: Requested operation successfully done


    Then I tried to sync users with:

    ./multiotp.php -ldap-users-sync

    and came out with this output:

    PHP Warning:  ldap_get_attributes() expects parameter 2 to be resource, boolean given in /IS/web/multiotp-4.2.4.2/multiotp.php on line 14610
    PHP Warning:  ldap_next_entry() expects parameter 2 to be resource, boolean given in /IS/web/multiotp-4.2.4.2/multiotp.php on line 14620
    PHP Warning:  Invalid argument supplied for foreach() in /IS/web/multiotp-4.2.4.2/multiotp.php on line 8509

    LOG 2014-04-16 14:12:38 info LDAP Info: No modification about LDAP users (processed in 00:00:00)
    19 INFO: Requested operation successfully done


    When trying ./multiotp.php -ldap-user-info username the output was:

    PHP Warning:  ldap_get_attributes() expects parameter 2 to be resource, boolean given in /IS/web/multiotp-4.2.4.2/multiotp.php on line 14610
    PHP Warning:  ldap_next_entry() expects parameter 2 to be resource, boolean given in /IS/web/multiotp-4.2.4.2/multiotp.php on line 14620
    PHP Warning:  Invalid argument supplied for foreach() in /IS/web/multiotp-4.2.4.2/multiotp.php on line 8509
    Array
    (
        [] => Array
            (
                [user] => 
                [groups] => Array
                    (
                    )

                [useraccountcontrol] => 0
                [accountdisable] => 
                [mail] => 
                [displayname] => 
                [mobile] => 
                [msnpallowdialin] => 
            )

    )
    19 INFO: Requested operation successfully done


    and in ./multiotp.php -ldap-users-list it was

    PHP Warning:  ldap_get_attributes() expects parameter 2 to be resource, boolean given in /IS/web/multiotp-4.2.4.2/multiotp.php on line 14610
    PHP Warning:  ldap_next_entry() expects parameter 2 to be resource, boolean given in /IS/web/multiotp-4.2.4.2/multiotp.php on line 14620
    PHP Warning:  Invalid argument supplied for foreach() in /IS/web/multiotp-4.2.4.2/multiotp.php on line 8402
    39 ERROR: Requested operation aborted


    I see that the three PHP warnings are the same (line 14610) and I think the $sr variable in function group_info() can't be set properly.
    Hardcoding a $filter that I thought was ok, the result was:
    ldap_search(): Search: Time limit exceeded in /IS/web/multiotp-4.2.4.2/multiotp.ldap.php on line 14951
    Any suggestions?
    regards
    Alex
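The following is an added example, written for this thread and not code from multiOTP or from Alex or Andre, showing the generic-LDAP lookup the two previous posts work towards: an empty ldap-account-suffix so the already complete bind DN is not mangled, an inetOrgPerson filter in place of the AD-specific samaccounttype/objectCategory one, and a check of the ldap_search() return value before the result is handed to ldap_next_entry()/ldap_get_attributes(), which is where the "expects parameter 2 to be resource, boolean given" warnings come from. It assumes PHP 7.1 or newer with the ldap extension; the host, DNs, password and username are placeholders, and the function names are this example's own, not multiOTP's.

```php
<?php
// Added example, not multiOTP code. Host, DNs, password and username below are
// placeholders (assumed values) to replace with the real ones.

// multiOTP appends ldap-account-suffix to ldap-bind-dn, so a bind DN that is
// already complete has to be combined with an EMPTY suffix; otherwise the DN
// is malformed and the bind fails ("LDAP Error: LDAP connection failed").
function build_bind_dn(string $bindDn, string $accountSuffix = ''): string
{
    return $bindDn . $accountSuffix;
}

// Generic LDAP (inetOrgPerson) user filter instead of the AD-specific one.
// The username is escaped with ldap_escape() so that characters such as
// '*', '(' or ')' in user-supplied input cannot widen or alter the filter
// (LDAP filter injection), unlike a username concatenated in verbatim.
function build_user_filter(string $cnIdentifier, string $username): string
{
    $safeName = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    return '(&(' . $cnIdentifier . '=' . $safeName . ')(objectClass=inetOrgPerson))';
}

// Run the search and return [dn => attributes], or null on failure.
// ldap_search() returns FALSE on error (bad filter, time limit exceeded, ...);
// passing that FALSE on to ldap_get_attributes()/ldap_next_entry() is exactly
// what produced the warnings in the thread, so it is checked here and the
// real LDAP error is reported instead.
function lookup_users($ldap, string $baseDn, string $filter, array $attrs, int $timeLimit = 30): ?array
{
    $sr = @ldap_search($ldap, $baseDn, $filter, $attrs, 0, 0, $timeLimit);
    if ($sr === false) {
        fwrite(STDERR, 'ldap_search failed: ' . ldap_error($ldap) . PHP_EOL);
        return null;
    }
    $users = [];
    for ($e = ldap_first_entry($ldap, $sr); $e !== false; $e = ldap_next_entry($ldap, $e)) {
        // Servers differ in attribute-name case; normalise before indexing.
        $a = array_change_key_case(ldap_get_attributes($ldap, $e), CASE_LOWER);
        $users[ldap_get_dn($ldap, $e)] = [
            'mail'        => $a['mail'][0] ?? '',
            'displayname' => $a['displayname'][0] ?? '',
            'mobile'      => $a['mobile'][0] ?? '',
        ];
    }
    return $users;
}

// --- placeholders (assumed values) ---
$host     = 'ldap.example.test';
$port     = 389;
$bindDn   = 'uid=admin,dc=example,dc=test';
$password = 'REPLACE_ME';
$baseDn   = 'ou=people,dc=example,dc=test';
$username = $argv[1] ?? 'alice';

$ldap = ldap_connect($host, $port);
if ($ldap === false) {
    fwrite(STDERR, 'ldap_connect failed' . PHP_EOL);
    exit(1);
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 10);

// Empty suffix: the bind DN above is already complete (see the first reply).
if (!@ldap_bind($ldap, build_bind_dn($bindDn, ''), $password)) {
    fwrite(STDERR, 'bind failed: ' . ldap_error($ldap) . PHP_EOL);
    exit(1);
}

$users = lookup_users($ldap, $baseDn, build_user_filter('cn', $username), ['mail', 'displayName', 'mobile']);
if ($users !== null) {
    print_r($users);
}
ldap_unbind($ldap);
exit($users === null ? 1 : 0);
```

Run it as `php lookup.php <username>` against the server; when the filter or base DN is wrong it prints the server's own error (for example the "Time limit exceeded" seen above) instead of a chain of PHP warnings followed by an empty Array.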
  • Hello,

    Generic LDAP support should be added in the 4.3.x version of multiOTP.

    Best regards,

    Andre
  • Generic LDAP is now supported since release 4.3.1.1 (2014-12-15).