LDAP binding #427

Closed
Lichengchang opened this issue Jan 23, 2017 · 19 comments

Comments

@Lichengchang

Hi,

I am trying to bind user authorization to LDAP. In conf.php:

// LDAP settings
define('USE_LDAP', true);
define('LDAP_SSL', false); // set to true if using LDAP with SSL encryption
define('LDAP_HOST', '192.168.1.1');
define('LDAP_PORT', '389');
define('LDAP_PROTOCOL_VERSION', 3);
define('LDAP_DN', 'OU=employee,DC=example,DC=com');
define('LDAP_USER', 'jimmy'); // if no email set: cn=admin,dc=example,dc=com
define('LDAP_PASS', 'password');

I'm getting these errors:
Could not bind to server. Returned Error was: [34] Invalid DN syntax

tcpdump info:
No DN information was sent.
(screenshot: ldap1)

normal situation:
(screenshot: ldap2)

So is LDAP_DN in conf.php invalid?

@Skywalker-11
Member

Skywalker-11 commented Jan 23, 2017

Can you query the ldap server with ldapsearch?

EDIT:
The command should be something like
ldapsearch -x -h 192.168.1.1 -D "jimmy" -W -b "OU=employee,DC=example,DC=com"

What ldap server are you using?

@Lichengchang
Author

Yes, but I use the following command:
ldapsearch -x -h 192.168.1.1 -D "uid=jimmy,ou=employee,dc=example,dc=com" -W -b "ou=employee,dc=example,dc=com"

system: Ubuntu 14.04
ldap: OpenLDAP 2.4.31

@Skywalker-11
Member

If that's the case, the LDAP_USER should be uid=jimmy,ou=employee,dc=example,dc=com

@Lichengchang
Author

Hi,

I followed the steps but it is still not working.

@Lichengchang
Author

Any different way I can try?

@Lichengchang
Author

ldap server display error: get_ava: unknown attributeType sAMAccountName

@Skywalker-11
Member

Check LDAP_EMAIL_FIELD; it should define the account name the users are using to log in.

MailWatch can work with the mail address and SMTP:<username> to compare the specified field's value. As a fallback it uses sAMAccountName as the field, e.g. for Microsoft Active Directory.

@Skywalker-11
Member

any news?

@Lichengchang
Author

I changed some settings in conf.php:
LDAP_USER uses uid=publicUser,dc=example,dc=com
LDAP_EMAIL_FIELD uses mail

Then I changed some code in functions.php.
In line 2624:

$user = 'cn='
change cn to uid

LDAP is working.

@Skywalker-11
Member

As it is solved: can you close it?

@gregorgodler

Hi, I'm having the same issue. What exactly did you change in function.php?

@Skywalker-11
Member

@CowBoy6 can you try to use tools/LDAP/ldaptest.php? It should give more verbose output.

@gregorgodler

@Skywalker-11 I'm using EFA, if this could help. Here is the output:

[root@efa mailscanner]# php tools/LDAP/ldaptest.php
Test connection to server
Try authenticating as cn=admin,dc=domain,dc=com
authentication for searching the account was successful
search for [email protected] in LDAP directory
search done
found 1 accounts matching the filter
array(2) { ["count"]=> int(1) [0]=> array(24) { ["objectclass"]=> array(5) { ["count"]=> int(4) [0]=> string(12) "posixAccount" [1]=> string(3) "top" [2]=> string(13) "inetOrgPerson" [3]=> string(16) "domainAccount" } [0]=> string(11) "objectclass" ["gidnumber"]=> array(2) { ["count"]=> int(1) [0]=> string(1) "0" } [1]=> string(9) "gidnumber" ["givenname"]=> array(2) { ["count"]=> int(1) [0]=> string(4) "test" } [2]=> string(9) "givenname" ["sn"]=> array(2) { ["count"]=> int(1) [0]=> string(4) "test" } [3]=> string(2) "sn" ["uid"]=> array(2) { ["count"]=> int(1) [0]=> string(4) "test" } [4]=> string(3) "uid" ["homedirectory"]=> array(2) { ["count"]=> int(1) [0]=> string(16) "/home/users/test" } [5]=> string(13) "homedirectory" ["loginshell"]=> array(2) { ["count"]=> int(1) [0]=> string(9) "/bin/bash" } [6]=> string(10) "loginshell" ["cn"]=> array(2) { ["count"]=> int(1) [0]=> string(4) "test" } [7]=> string(2) "cn" ["uidnumber"]=> array(2) { ["count"]=> int(1) [0]=> string(5) "50786" } [8]=> string(9) "uidnumber" ["mail"]=> array(2) { ["count"]=> int(1) [0]=> string(18) "[email protected]" } [9]=> string(4) "mail" ["userpassword"]=> array(2) { ["count"]=> int(1) [0]=> string(105) "{CRYPT}$6$FQHA4z1q$.z6Eip9TFtkum31qNOiQVxdKkNzSETnlZqELalkPqGKAoKkeqr4bnObCM25w/6QwMh6K/35CurKcSK0dfJgDj/" } [10]=> string(12) "userpassword" ["count"]=> int(11) ["dn"]=> string(66) "uid=test,ou=Users,o=domain,ou=InternalUsers,dc=domain,dc=com" } }
Trying to authenticate as user: [email protected]
PHP Warning: ldap_bind(): Unable to bind to server: Invalid DN syntax in /var/www/html/mailscanner/tools/LDAP/ldaptest.php on line 117
:Could not bind to server ldap.domain.com. Returned Error was: [34] Invalid DN syntax

@Skywalker-11
Member

@CowBoy6 can you try if an ldap query like the following works (for the binding user -D use the value as indicated by "Trying to authenticate as user: [email protected]"):
ldapsearch -x -h <LDAP_HOST> -D "[email protected]" -W -b <LDAP_DN>

@gregorgodler

@Skywalker-11 If I try to authenticate as user [email protected] it returns Invalid DN syntax.

[root@efa user]# ldapsearch -x -h ldap.mydomain.com -D [email protected] -W -b dc=mydomain,dc=com
Enter LDAP Password:
ldap_bind: Invalid DN syntax (34)
additional info: invalid DN

When I enter a different entry for the binding user it returns all users' info and the result is not success.

[root@efa user]# ldapsearch -x -h ldap.mydomain.com -D uid=test,ou=Users,o=mydomain,ou=InternalUsers,dc=mydomain,dc=com -W -b dc=mydomain,dc=com
.
.
.
# search result
search: 2
result: 0 Success

# numResponses: 360
# numEntries: 359

@gregorgodler

@Skywalker-11 Forgot to mention, we have OpenLDAP. This is the part of conf.php with the LDAP settings for authentication:

define('USE_LDAP', true);
define('LDAP_SSL', false); // Set to true if using LDAP with SSL encryption.
define('LDAP_HOST', 'ldap.mydomain.com');
define('LDAP_PORT', '389');
define('LDAP_DN', 'ou=InternalUsers,dc=mydomain,dc=com');
define('LDAP_USER', 'cn=admin,dc=mydomain,dc=com'); // If no email set: cn=admin,dc=example,dc=com
define('LDAP_PASS', 'TOPsecretPASSWORD');
define('LDAP_FILTER', 'mail=%s'); //%s will be replaced by username eg. 'mail=%s', 'mail=SMTP:%s', 'sAMAccountName=%s'
define('LDAP_PROTOCOL_VERSION', 3);
// can be set to 'proxyaddresses' or 'mail'. Please refer to your LDAP system manual for the right keyword
define('LDAP_EMAIL_FIELD', 'mail');
// Ldap field that is used to bind to the ldap server to check the credentials.
// The value of the LDAP_USERNAME_FIELD will be extended by LDAP_BIND_PREFIX and LDAP_BIND_SUFFIX to create the binding username.
define('LDAP_USERNAME_FIELD', 'mail');
//define('LDAP_BIND_PREFIX', 'cn=');
//define('LDAP_BIND_SUFFIX', ',dc=mydomain,dc=com');
// Microsoft Active Directory compatibility support for searches from Domain Base DN
define('LDAP_MS_AD_COMPATIBILITY', true);

@Skywalker-11
Member

If all your users are under ou=Users,o=mydomain,ou=InternalUsers,dc=mydomain,dc=com you could construct the username by using LDAP_BIND_PREFIX, LDAP_BIND_SUFFIX and LDAP_USERNAME_FIELD.

Otherwise you can use patch #1048 and use dn as LDAP_USERNAME_FIELD.

@gregorgodler

My solution was to add into conf.php:
define('LDAP_DN_FIELD', 'dn');

Modify function.php line 2923 from:
$user = $result[0][LDAP_USERNAME_FIELD][0];

into this:
$user = $result[0][LDAP_DN_FIELD];

@Lichengchang
Author

My solution:

// LDAP settings for authentication
define('USE_LDAP', true);
define('LDAP_SSL', true);
define('LDAP_HOST', 'ldap://mydomain.com');
define('LDAP_PORT', '636');

define('LDAP_DN', 'dc=mydomain,dc=com');
define('LDAP_USER', ''); // blank
define('LDAP_PASS', ''); // blank
define('LDAP_FILTER', 'uid=%s');
define('LDAP_PROTOCOL_VERSION', 3);
define('LDAP_EMAIL_FIELD', 'mail');
define('LDAP_USERNAME_FIELD', 'uid');
define('LDAP_BIND_PREFIX', 'uid=');
define('LDAP_BIND_SUFFIX', ',ou=my ou,dc=mydomain,dc=com');
define('LDAP_MS_AD_COMPATIBILITY', false);
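As an added illustration (not MailWatch's own code), the following Python model reproduces the bind-identity construction the maintainer describes: the value of LDAP_USERNAME_FIELD taken from the searched entry, wrapped in LDAP_BIND_PREFIX and LDAP_BIND_SUFFIX, or the entry's own dn under the patch approach, then checked against the DN syntax that OpenLDAP demands for a simple bind (the same check explains why "jimmy" as LDAP_USER fails in the opening post). The entry and the mail address are constructed, and the DN check is a loose RFC 4514 approximation, not a directory lookup.

```python
import re

# Constructed sample entry, shaped like the ldaptest.php var_dump in this thread.
ENTRY = {
    'dn': 'uid=test,ou=Users,o=mydomain,ou=InternalUsers,dc=mydomain,dc=com',
    'uid': ['test'],
    'mail': ['test@mydomain.com'],
}

# Each RDN must look like attr=value (attribute name, '=', non-empty value).
_RDN = re.compile(r'^\s*[A-Za-z][A-Za-z0-9-]*\s*=\s*\S.*$')


def is_dn(candidate):
    """Loose RFC 4514 syntax check: split on unescaped commas, every part an RDN."""
    parts = re.split(r'(?<!\\),', candidate)
    return all(_RDN.match(p) for p in parts)


def bind_identity(conf, entry):
    """Model of how MailWatch builds the user bind name after the search:
    LDAP_USERNAME_FIELD of the found entry (default sAMAccountName, the AD
    fallback) wrapped in LDAP_BIND_PREFIX/LDAP_BIND_SUFFIX; 'dn' returns the
    entry's own DN untouched (the LDAP_DN_FIELD patch from this issue)."""
    field = conf.get('LDAP_USERNAME_FIELD', 'sAMAccountName')
    if field == 'dn':
        return entry['dn']
    return conf.get('LDAP_BIND_PREFIX', '') + entry[field][0] + conf.get('LDAP_BIND_SUFFIX', '')


def simulate_bind(conf, entry):
    """Return (identity, result_code). Only syntax is modelled: OpenLDAP rejects a
    simple bind whose name is not a DN with 34 (Invalid DN syntax) before it looks
    at any password, so 0 means 'syntactically acceptable', not 'authenticated'."""
    identity = bind_identity(conf, entry)
    return identity, (0 if is_dn(identity) else 34)


# The three configurations discussed above.
CONF_MAIL = {'LDAP_USERNAME_FIELD': 'mail'}                   # first conf.php posted
CONF_DN = {'LDAP_USERNAME_FIELD': 'dn'}                       # LDAP_DN_FIELD patch
CONF_UID = {'LDAP_USERNAME_FIELD': 'uid', 'LDAP_BIND_PREFIX': 'uid=',
            'LDAP_BIND_SUFFIX': ',ou=my ou,dc=mydomain,dc=com'}  # final conf above

if __name__ == '__main__':
    for name, conf in (('mail', CONF_MAIL), ('dn', CONF_DN), ('uid+prefix/suffix', CONF_UID)):
        ident, code = simulate_bind(conf, ENTRY)
        print(f'{name:18} -> {ident!r}: {"ok" if code == 0 else "[34] Invalid DN syntax"}')
```

The prefix/suffix form passes the syntax check but only names the real entry when every user sits under the same parent, which is the condition the maintainer attaches to that option; Active Directory is more lenient than OpenLDAP here because it also accepts user@domain names for a simple bind.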
