Some Problems with openLDAP

Discussion forum about Anuko Time Tracker

Post by betamax65 » Wed Nov 20, 2019 9:49 am

Hi @all,

This is my first shot with Time Tracker and I ran into some trouble with auth against LDAP (in my case that means an OpenLDAP server, not Active Directory by Microsoft).

First, some technical information:

Time Tracker Version: 1.19.12.5172
openLDAP Version: 2.4.45 (LDAPv3)
PHP Version: 5.6.40

Description:
After installing with auth against the DB, I could log in to Time Tracker as described with admin/secret, so I think the installation is working. Then I changed the auth to LDAP like this (I have anonymized some information):

Code:

define('AUTH_MODULE', 'ldap');

$GLOBALS['AUTH_MODULE_PARAMS'] = array(
  'server' => 'IP_OF_LDAP',
  'type' => 'openldap',
  'base_dn' => 'ou=user,dc=example,dc=com',
  'default_domain' => 'example.de',
  // Group name must be a quoted string; a bare word is an undefined constant.
  'member_of' => array('timetracker'));

Our LDAP server needs an LDAP auth to get the whole information (see here, also with some anonymized information).

LDAP search without auth:

Code:

ldapsearch -H ldap://IP_OF_LDAP -b "dc=example,dc=com" "uid=admin" -x

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: uid=admin
# requesting: ALL
#

# System Administrator, user, example.com
dn: cn=System Administrator,ou=user,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
homeDirectory: /home/admin
uid: admin
cn: System Administrator
uidNumber: 10059
sn: Administrator
givenName: System
gidNumber: 10004
mail: admin@example.de

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

And the same with auth (also with anonymized information):

Code:

ldapsearch -H ldap://IP_OF_LDAP -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" "uid=admin" -x -w MYSECRET
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: uid=admin
# requesting: ALL
#

# System Administrator, user, example.com
dn: cn=System Administrator,ou=user,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
homeDirectory: /home/admin
uid: admin
cn: System Administrator
uidNumber: 10059
sn: Administrator
givenName: System
gidNumber: 10004
userPassword:: HASH_WAS_HERE
mail: admin@example.de

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Finally, an LDAP search for the timetracker group:

Code:

ldapsearch -H ldap://IP_OF_LDAP -b "dc=example,dc=com" "cn=timetracker" -x

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: cn=timetracker
# requesting: ALL
#

# timetracker, group, wenzel-elektronik.com
dn: cn=timetracker,ou=group,dc=example,dc=com
objectClass: posixGroup
gidNumber: 10010
cn: timetracker
memberUid: admin

# timetracker, user, example.com
dn: cn=timetracker,ou=user,dc=example,dc=com
gidNumber: 500
cn: timetracker
objectClass: posixGroup
objectClass: top
memberUid: kschmidt
memberUid: admin

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

So when I now try to log in with the LDAP user admin (uid=admin,OU=user,dc=example,dc=com) I get an "Incorrect login or password." The password is correct (checked often). Debug told me:

Code:

$lc=resource(3) of type (ldap link)
ldap_error()=Success
$login_oldap=string(45) "uid=admin,ou=user,dc=example,dc=com"
$lb=bool(false)
ldap_error()=Invalid credentials

bool(false)

I also have an error in the Apache log like this:

Code:

[Wed Nov 20 09:48:55.635869 2019] [:error] [pid 13859] [client IP_HERE:56590] PHP Deprecated:  Non-static method Auth_db::authenticate() should not be called statically, assuming $this from incompatible context in /var/www/ttrack/WEB-INF/lib/auth/Auth_ldap.class.php on line 85, referer: https://ttracker.example.com/login.php

I think "ldap_error()=Invalid credentials" means that I have to configure auth for LDAP. I found a thread about that here, but I can't figure out what I have to change in WEB-INF/lib/auth/Auth_ldap.class.php (my PHP skills are, on a scale of 1 - 10, at zero) ;-)

There is also one more thing: when LDAP auth is enabled, I think a login as admin@localhost should be possible with auth against the DB. But this is also not working here.

Long posting, sorry. Hopefully this information is enough for a little tip on what I have to change.

Thx
Kai


Post by ttuser » Wed Nov 20, 2019 1:29 pm

Your default domain in $GLOBALS['AUTH_MODULE_PARAMS'] is example.de while you are probably trying to log in as admin@example.com. Try to change to:

Code:

'default_domain' => 'example.com',


Post by betamax65 » Wed Nov 20, 2019 1:30 pm

I found a solution that works here.

Our user accounts were created with LAM (LDAP Account Manager). This tool creates objects like cn=Max Meier,ou=user,dc=example,dc=com but Time Tracker sends uid=meier,ou=user,dc=example,dc=com. This did not work here (don't know why).

I edited WEB-INF/lib/auth/Auth_ldap.class.php:

$login_oldap = 'uid='.$login.','.$this->params['base_dn'];
to
$login_oldap = 'cn='.$login.','.$this->params['base_dn'];

The user was then created with the CN value in Time Tracker and can log in. But I do not know if this could cause problems somewhere else in Time Tracker.

Kai
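
Added example, not part of the thread and not Time Tracker's own code: the debug output shows a bind as uid=admin,ou=user,dc=example,dc=com while the entry's DN is cn=System Administrator,ou=user,dc=example,dc=com, so an alternative to hard-coding cn= is to search for the uid first and bind with the DN the directory returns. The function name and the 'search_dn' / 'search_pw' keys are hypothetical; 'server' and 'base_dn' are the keys from the configuration above.

```php
<?php
// Search-then-bind sketch for directories whose entry RDN is not uid=.
// Hypothetical names: ldap_search_then_bind(), 'search_dn', 'search_pw'.
// Written to run on PHP 5.6 (ldap_escape() needs PHP >= 5.6).

function ldap_search_then_bind($login, $password, array $params)
{
    // A simple bind with an empty password is an unauthenticated bind,
    // which many servers accept; never treat that as a successful login.
    if ($login === '' || $password === '') {
        return false;
    }

    $lc = ldap_connect($params['server']);
    if (!$lc) {
        return false;
    }
    ldap_set_option($lc, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($lc, LDAP_OPT_REFERRALS, 0);

    // Step 1: bind as a read-only service account (anonymous if both are null).
    $search_dn = isset($params['search_dn']) ? $params['search_dn'] : null;
    $search_pw = isset($params['search_pw']) ? $params['search_pw'] : null;
    if (!@ldap_bind($lc, $search_dn, $search_pw)) {
        ldap_unbind($lc);
        return false;
    }

    // Step 2: find the entry by uid. Escape the login so characters such as
    // '*', '(' or ')' cannot change the meaning of the filter.
    $filter = '(&(objectClass=posixAccount)(uid='
            . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . '))';
    // '1.1' requests no attributes; the DN is returned regardless. Size limit 2
    // is enough to tell "exactly one match" from "ambiguous".
    $sr = @ldap_search($lc, $params['base_dn'], $filter, array('1.1'), 0, 2);
    $entries = $sr ? ldap_get_entries($lc, $sr) : false;
    if (!$entries || $entries['count'] !== 1) {
        ldap_unbind($lc);
        return false; // no such uid, or more than one entry matched
    }
    $user_dn = $entries[0]['dn']; // e.g. cn=System Administrator,ou=user,...

    // Step 3: re-bind as the resolved DN with the password the user typed.
    $ok = @ldap_bind($lc, $user_dn, $password);
    ldap_unbind($lc);
    return $ok ? $user_dn : false;
}
```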
