setting:
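$g_login_method = LDAP;
# NOTE(review): an ldap:// URI on port 389 is unencrypted, so the simple bind
# seen in the log sends the bind password in clear text. Prefer an ldaps://
# URI (or StartTLS) if the directory offers it.
$g_ldap_server = 'LDAP://ldap.xxxxx.xxxx:389';
# Search base for user lookups. The log binds successfully and then finds no
# entry, so confirm that the accounts live underneath this DN. The value is
# masked here; verify it names a container above the users, not one object.
$g_ldap_root_dn = 'CN=xxxx,OU=LDAP,OU=xxxxxx,DC=xxxxx,DC=xxxx';
$g_ldap_uid_field = 'sAMAccountName';
# Service account used for the lookup bind; a read-only, low-privilege
# account is sufficient. (The terminating ';' was missing in the post.)
$g_ldap_bind_dn = 'domain\user';
# The password is stored in plain text; keep this file unreadable to other
# local users and out of version control.
$g_ldap_bind_passwd = 'xxxxxxx'; # Password
$g_use_ldap_email = ON;
$g_show_realname = ON;
$g_ldap_protocol_version = 3;
$g_use_ldap_realname = ON;
$g_ldap_realname_field = 'cn';
$g_ldap_follow_referrals = OFF;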
error log:
ldap_api.php:63 ldap_connect_bind() Attempting connection to LDAP server/URI 'ldap://**********/'.
ldap_api.php:66 ldap_connect_bind() Connection accepted by LDAP server
ldap_api.php:79 ldap_connect_bind() Setting LDAP protocol version to 3
ldap_api.php:101 ldap_connect_bind() Attempting bind to ldap server with username and password
ldap_api.php:114 ldap_connect_bind() Bind to ldap server successful
ldap_api.php:334 ldap_authenticate_by_username() Searching for (&(sAMAccountName=*****)) /* login username
ldap_api.php:366 ldap_authenticate_by_username() No matching entries found
ldap_api.php:369 ldap_authenticate_by_username() Unbinding from LDAP server
ldap_api.php:396 ldap_authenticate_by_username() Authentication failed
ldap_api.php:326 ldap_authenticate_by_username() Binding to LDAP server
ldap_api.php:63 ldap_connect_bind() Attempting connection to LDAP server/URI 'ldap://**********/'.
ldap_api.php:66 ldap_connect_bind() Connection accepted by LDAP server
ldap_api.php:79 ldap_connect_bind() Setting LDAP protocol version to 3
ldap_api.php:101 ldap_connect_bind() Attempting bind to ldap server with username and password
ldap_api.php:114 ldap_connect_bind() Bind to ldap server successful
ldap_api.php:334 ldap_authenticate_by_username() Searching for (&(sAMAccountName=administrator))
ldap_api.php:366 ldap_authenticate_by_username() No matching entries found
ldap_api.php:369 ldap_authenticate_by_username() Unbinding from LDAP server
ldap_api.php:396 ldap_authenticate_by_username() Authentication failed
This looks like the same situation as https://mantisbt.org/bugs/view.php?id=24057.
Is there a problem with my settings?
AD account unable to login mantis
Re: AD account unable to login mantis
Same problem for us !
Nobody know?

Nobody know?
Re: AD account unable to login mantis
It seems to indicate that the user does not exist.
So first check if the user is already known within AD with the correct credentials.
So first check if the user is already known within AD with the correct credentials.
Re: AD account unable to login mantis
the user exists, obviously, and he connects very well to internal resources using LDAP
Re: AD account unable to login mantis
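Yes, you connect to the LDAP server, but the log states that the user who is logging on does not exist within AD. More precisely, the bind succeeds and the search for that sAMAccountName under the configured root DN returns no entries, so the search base and filter are worth checking as well as the account itself.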

Re: AD account unable to login mantis
#$g_login_method = MD5;
$g_login_method = LDAP;
# NOTE(review): a bare host/IP means a plain LDAP connection; the simple bind
# in the function below then sends the bind password unencrypted. Prefer an
# ldaps:// URI (or StartTLS) where the directory supports it.
$g_ldap_server = '192.168.100.1';
# Search base: the whole domain, so any account below it can be found.
$g_ldap_root_dn = 'DC=my,DC=tomsk,DC=ru';
# Extra filter term that is AND-ed with the uid match in the search filter.
$g_ldap_organization = '(objectCategory=person)';
$g_ldap_protocol_version = 3;
$g_ldap_network_timeout = 5;
$g_ldap_follow_referrals = 0;
# Service account for the lookup bind; read-only access is enough.
$g_ldap_bind_dn = 'USER_AD';
# This name matches the config_get( 'ldap_bind_password' ) call in the function
# below; the first post's configuration spells the option $g_ldap_bind_passwd.
# The password is stored in plain text, so restrict read access to this file.
$g_ldap_bind_password = 'password_USER_AD';
$g_ldap_uid_field = 'sAMAccountName';
$g_ldap_realname_field ='cn';
$g_use_ldap_realname = ON;
$g_use_ldap_email = ON;
File: ./core/ldap_api.php
Function: ldap_cache_user_data
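/**
 * Fetch a user's mail and real-name attributes from LDAP and cache the result
 * in $g_cache_ldap_data.
 *
 * This is the variant posted in the thread: instead of calling
 * ldap_connect_bind() it connects and binds directly with the configured
 * service account, and it additionally requests 'givenName' and 'sn' so the
 * real name can be rebuilt as "sn givenName".
 *
 * @param string $p_username Login name to look up; it is escaped before being
 *                           placed in the search filter.
 * @return array|false Map of attribute name => first value, or false when the
 *                     server cannot be reached or bound to, the search fails,
 *                     or no entry (or no requested attribute) is found.
 */
function ldap_cache_user_data( $p_username ) {
	global $g_cache_ldap_data;

	# Return cached data if available (a cached false means "no match").
	if( isset( $g_cache_ldap_data[$p_username] ) ) {
		return $g_cache_ldap_data[$p_username];
	}

	log_event( LOG_LDAP, "Retrieving data for '$p_username' from LDAP server" );

	$t_ldap_server = config_get( 'ldap_server' );
	$t_bind_dn = config_get( 'ldap_bind_dn' );
	$t_bind_password = config_get( 'ldap_bind_password' );
	$t_protocol_version = config_get( 'ldap_protocol_version' );
	$t_follow_referrals = config_get( 'ldap_follow_referrals' );

	# Failing to reach LDAP is not blocking in this context: it only means no
	# user data can be retrieved. Every failure is therefore logged and
	# reported as false. The posted code used "or die(...)" here, which aborts
	# the whole page, prints LDAP error text to the browser and makes the
	# "=== false" checks unreachable.
	#
	# NOTE(review): this is a simple bind. With a bare host or an ldap:// URI
	# in ldap_server the service-account password crosses the network
	# unencrypted; prefer an ldaps:// URI (or StartTLS) in the configuration.
	$t_ds = @ldap_connect( $t_ldap_server );
	if( $t_ds === false ) {
		log_event( LOG_LDAP, "ERROR: could not connect to LDAP server" );
		return false;
	}

	if( !ldap_set_option( $t_ds, LDAP_OPT_REFERRALS, $t_follow_referrals )
		|| !ldap_set_option( $t_ds, LDAP_OPT_PROTOCOL_VERSION, $t_protocol_version ) ) {
		log_event( LOG_LDAP, 'ERROR: could not set LDAP referral/protocol options' );
		ldap_unbind( $t_ds );
		return false;
	}

	# Errors are suppressed so a failed bind does not emit a PHP warning into
	# the page; the detail goes to the LDAP log instead.
	if( !@ldap_bind( $t_ds, $t_bind_dn, $t_bind_password ) ) {
		ldap_log_error( $t_ds );
		log_event( LOG_LDAP, "ERROR: could not bind to LDAP server" );
		ldap_unbind( $t_ds );
		return false;
	}

	# Search
	$t_ldap_organization = config_get( 'ldap_organization' );
	$t_ldap_root_dn = config_get( 'ldap_root_dn' );
	$t_ldap_uid_field = config_get( 'ldap_uid_field' );
	$t_realname_field = config_get( 'ldap_realname_field' );

	# Only the user-supplied name is escaped; the organization term and the
	# uid field come from the site configuration and are inserted as-is.
	$t_search_filter = '(&' . $t_ldap_organization
		. '(' . $t_ldap_uid_field . '=' . ldap_escape_string( $p_username ) . '))';

	# 'givenName' and 'sn' are the additions made in this post; the earlier
	# version requested only 'mail' and the real-name field.
	$t_search_attrs = array(
		'mail',
		$t_realname_field,
		'givenName',
		'sn'
	);

	log_event( LOG_LDAP, 'Searching for ' . $t_search_filter );
	$t_sr = @ldap_search( $t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs );
	if( $t_sr === false ) {
		ldap_log_error( $t_ds );
		ldap_unbind( $t_ds );
		log_event( LOG_LDAP, "Search '$t_search_filter' failed" );
		return false;
	}

	# Get results
	$t_entry = ldap_first_entry( $t_ds, $t_sr );
	if( $t_entry === false ) {
		log_event( LOG_LDAP, 'No matches found.' );
		$g_cache_ldap_data[$p_username] = false;
		# The posted code returned here without unbinding and so left the
		# connection open.
		ldap_unbind( $t_ds );
		return false;
	}

	# Start from an array: indexing into false is deprecated in recent PHP.
	$t_data = array();
	foreach( $t_search_attrs as $t_attr ) {
		# Suppress error to avoid Warning in case an invalid attribute was specified
		$t_value = @ldap_get_values( $t_ds, $t_entry, $t_attr );
		if( $t_value === false ) {
			log_event( LOG_LDAP, "WARNING: field '$t_attr' does not exist" );
			continue;
		}
		$t_data[$t_attr] = $t_value[0];
	}

	# Rebuild the real name as "sn givenName" from whichever parts exist.
	# If neither attribute is present, the directory's own real-name value is
	# kept instead of being overwritten with a blank string.
	# Remove this block if the real name should come straight from the
	# configured real-name field.
	$t_name_parts = array();
	foreach( array( 'sn', 'givenName' ) as $t_part ) {
		if( isset( $t_data[$t_part] ) && $t_data[$t_part] !== '' ) {
			$t_name_parts[] = $t_data[$t_part];
		}
	}
	if( !empty( $t_name_parts ) ) {
		$t_data[$t_realname_field] = implode( ' ', $t_name_parts );
	}

	# An entry without any of the requested attributes is reported as false.
	if( empty( $t_data ) ) {
		$t_data = false;
	}

	# Store data in the cache
	$g_cache_ldap_data[$p_username] = $t_data;

	# Unbind
	log_event( LOG_LDAP, 'Unbinding from LDAP server' );
	ldap_unbind( $t_ds );

	return $t_data;
}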
- Attachments
-
- 1.png (3.78 KiB) Viewed 3668 times
-
- ldap_api.7z
- (4.56 KiB) Downloaded 400 times
Last edited by GRoM on 12 Oct 2021, 09:32, edited 1 time in total.