View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0012167 | mantisbt | ldap | public | 2010-07-13 13:21 | 2014-09-23 18:05 |
Reporter | dregad | Assigned To | dhx | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.2.1 | ||||
Target Version | 1.2.6 | Fixed in Version | 1.2.6 | ||
Summary | 0012167: LDAP port parameter is ignored | ||||
Description | It appears that the config_inc.php parameter g_ldap_port is not taken into consideration when authentication is made via LDAP on a port other than 389. We use Active Directory for LDAP, and have multiple regional LDAP server, each listening to default port 389, as well as a Global Catalog (port 3268). I easily managed to get LDAP authentication to work on one regional server, but could not achieve the same on the global catalog by changing the value of g_ldap_port. Note: I could not test with additional port numbers as I do not have the possibility to change the LDAP server setup. | ||||
Steps To Reproduce | Case 1: successful connection (default port)Set config_inc.php as follows: Resulting log file: Case 2: failed connection (Global Catalog port)Set config_inc.php as follows: Message: Resulting log file: Case 3: successful connection (Global Catalog port specified in server)Set config_inc.php as follows: Resulting log file: | ||||
Additional Information | WORKAROUND: define the port number directly in the ldap server connection string, as shown below. $g_ldap_server = 'ldap://ldap.domain.com:3268/'; | ||||
Tags | patch | ||||
Attached Files | 0002-Fix-12167-Improve-LDAP-logging-and-comments-in-confi.patch (4,949 bytes)
From e3e31af4f09c8e1932040d6f151075369559f2bb Mon Sep 17 00:00:00 2001 From: Damien Regad <damien.regad@merckserono.net> Date: Thu, 4 Nov 2010 16:05:15 +0100 Subject: [PATCH 2/2] Fix #12167: Improve LDAP logging and comments in config_defaults.php Document the fact that LDAP port parameter is not used by ldap_connect when the provided hostname is a URI, and modify the logging in ldap_api.php to correctly reflect what is actually happening to avoid creating confusion. Implemented also additional improvements to LDAP logging, allowing to fully trace what is happening throughout the LDAP authentication process. --- config_defaults_inc.php | 11 +++++++++-- core/ldap_api.php | 38 +++++++++++++++++++++++++++++++------- 2 files changed, 40 insertions(+), 9 deletions(-) diff --git a/config_defaults_inc.php b/config_defaults_inc.php index b3f8bd8..276a55a 100644 --- a/config_defaults_inc.php +++ b/config_defaults_inc.php @@ -1641,13 +1641,20 @@ **************************/ /** + * The LDAP server can be provided either as + * - a simple hostname (in that case, g_ldap_port must be defined) + * - a complete URI (then g_ldap_port is ignored, and the port number + * has to be specified as part of the URI itself, e.g. + * ldaps://ldap.example.com:636/) * * @global string $g_ldap_server */ - $g_ldap_server = 'ldaps://ldap.example.com.au/'; + $g_ldap_server = 'ldap.example.com'; /** - * LDAP port (default 389). If this doesn't work, try 636. + * LDAP port (default 389). If this doesn't work, try 636 (ldaps) + * or for Active Directory Global Catalog forest-wide search, + * default port 3268 (ldap) or 3269 (ldaps) * * @global integer $g_ldap_port */ diff --git a/core/ldap_api.php b/core/ldap_api.php index d962afc..d5bb248 100644 --- a/core/ldap_api.php +++ b/core/ldap_api.php @@ -38,10 +38,27 @@ function ldap_connect_bind( $p_binddn = '', $p_password = '' ) { $t_ldap_server = config_get( 'ldap_server' ); $t_ldap_port = config_get( 'ldap_port' ); - log_event( LOG_LDAP, "Attempting connection to LDAP server '{$t_ldap_server}' port '{$t_ldap_port}'." ); - $t_ds = @ldap_connect( $t_ldap_server, $t_ldap_port ); + # Verify if LDAP server provided is a URI or just a host name + # Connect and log accordingly + $t_message = "Attempting connection to LDAP "; + $t_ldap_uri = parse_url( $t_ldap_server ); + if ( count( $t_ldap_uri ) > 1 ) { + $t_message .= "URI '{$t_ldap_server}'."; + $t_ds = @ldap_connect( $t_ldap_server ); + } else { + $t_message .= "server '{$t_ldap_server}' port '{$t_ldap_port}'."; + if (is_numeric( $t_ldap_port ) ) { + $t_ds = @ldap_connect( $t_ldap_server, $t_ldap_port ); + } else { + log_event( LOG_LDAP, "ERROR - LDAP port '$t_ldap_port' is not numeric" ); + trigger_error( ERROR_LDAP_SERVER_CONNECT_FAILED, ERROR ); + return false; + } + } + log_event( LOG_LDAP, $t_message ); + if ( $t_ds !== false && $t_ds > 0 ) { - log_event( LOG_LDAP, "Connection accepted to LDAP server" ); + log_event( LOG_LDAP, "Connection accepted by LDAP server" ); $t_protocol_version = config_get( 'ldap_protocol_version' ); if( $t_protocol_version > 0 ) { @@ -70,10 +87,10 @@ function ldap_connect_bind( $p_binddn = '', $p_password = '' ) { } if ( !$t_br ) { - log_event( LOG_LDAP, "bind to ldap server failed - authentication error?" ); + log_event( LOG_LDAP, "Bind to ldap server failed - authentication error?" ); trigger_error( ERROR_LDAP_AUTH_FAILED, ERROR ); } else { - log_event( LOG_LDAP, "bind to ldap server successful" ); + log_event( LOG_LDAP, "Bind to ldap server successful" ); } } else { log_event( LOG_LDAP, "Connection to ldap server failed" ); @@ -332,10 +349,11 @@ function ldap_authenticate_by_username( $p_username, $p_password ) { $t_authenticated = false; - if ( $t_info ) { + if ( $t_info['count'] > 0 ) { # Try to authenticate to each until we get a match for ( $i = 0; $i < $t_info['count']; $i++ ) { $t_dn = $t_info[$i]['dn']; + log_event( LOG_LDAP, "Checking {$t_info[$i]['dn']}" ); # Attempt to bind with the DN and password if ( @ldap_bind( $t_ds, $t_dn, $p_password ) ) { @@ -343,8 +361,11 @@ function ldap_authenticate_by_username( $p_username, $p_password ) { break; } } + } else { + log_event( LOG_LDAP, "No matching entries found" ); } - + + log_event( LOG_LDAP, "Unbinding from LDAP server" ); ldap_free_result( $t_sr ); ldap_unbind( $t_ds ); } @@ -368,6 +389,9 @@ function ldap_authenticate_by_username( $p_username, $p_password ) { user_set_field( $t_user_id, 'email', $t_email ); } } + log_event( LOG_LDAP, "User '$p_username' authenticated" ); + } else { + log_event( LOG_LDAP, "Authentication failed" ); } return $t_authenticated; -- 1.7.1 | ||||
After investigation, it turns out that this is not a Mantis error, but normal behavior of the ldap_connect() function as documented in http://php.net/manual/en/function.ldap-connect.php, which states that the port parameter is not used when the provided hostname is a URI. So the workaround I proposed is correct and valid, and an alternative (assuming that using default ldap protocol is fine) would be to define globals as follows: I will submit a patch later on, to address the problem by better documenting this through comments in config_defaults_inc.php. I will also propose some improvements to the LDAP logging, which currently does not reflect the reality and is confusing for the admin. Damien |
|
Patch attached (comes on top of the one for 0012166) |
|
I implemented further improvements to LDAP logging, and also improved the error handling. Please disregard previously uploaded patch, and use the ones in attached mbt-1.2.x-LDAP-20101124.tar.gz (patch on top of latest git-trunk). |
|
Following vboctor's fix for 0012747, I rebased my fixes on top of latest 1.2.x trunk, resolving conflicts (mbt-1.2.x-LDAP-20110302.tar.gz). |
|
Thanks Damien, I've committed your patchset to the 1.2.x branch. I started porting your changes to the 1.3.x branch however there seems to be quite a divergence (for instance, $g_ldap_port seems to be deprecated). Are you able to assist with forward porting to 1.3.x? |
|
Hi David, Of course I can have a look (as time allows - I'm quite busy these days...), although I'm not so familiar with 1.3 branch's code. Do you have a work in progress somewhere (e.g. github) that I can use, or should I start with master and my initial patch ? Note, if the only issue you had is $g_ldap_port being deprecated, then you can probably ignore it (assuming that the configuration for the port is documented in config_defaults.inc), since the purpose of this bug report was to address the fact say that this parameter was not used... |
|
Check git.mantisbt.org for the latest code. master = 1.3.x On your local side, check "git branch -a" output to see a list of all repositories/branches currently setup locally. Given the mailing list discussion about ldap_port has been resolved I should be able to look at porting your patch to 1.3.x myself - without testing though. This should be OK given that the changes are primarily to documentation. |
|
Hi David, That's not what I meant ;-) I know about the 2 main branches and even though my git-fu is not the best, I can get by. I was actually asking if you had already started to port my changes to 1.3.x, and if yes whether I could pick that up from somewhere. If not, I'll start from scratch, no problems. I'll take care of implementing it and will let you know when done. |
|
Hi David, After a busy few months, I finally got around to finalizing the port of my changes to 1.3.x, including an overhaul of the relevant Admin Guide docbook section. You will find in the attached mbt-1.3.x-LDAP-20110616.tar.gz the corresponding git patches after resolving all conflicts. Please review and apply them on top of the latest git trunk. Let me know if you have any questions. Note that I did not execute a full set of tests, as I don't have a running 1.3.x instance. |
|
Thanks for taking the time to port the patches to the 1.3.x (master) branch. I've committed the changes at last. On quick inspection both branches should now have all of these LDAP related patches applied (from 0012166 and 0012167). |
|
Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch |
|
MantisBT: master-1.2.x 8f23dcc4 2010-11-04 11:05 Damien Regad Committer: dhx Details Diff |
Fix 0012167: Improve LDAP logging and comments in config_defaults.php Document the fact that LDAP port parameter is not used by ldap_connect when the provided hostname is a URI, and modify the logging in ldap_api.php to correctly reflect what is actually happening to avoid creating confusion. Implemented also additional improvements to LDAP logging, allowing to fully trace what is happening throughout the LDAP authentication process. Signed-off-by: David Hicks <d@hx.id.au> |
Affected Issues 0012167 |
|
mod - config_defaults_inc.php | Diff File | ||
mod - core/ldap_api.php | Diff File | ||
MantisBT: master-1.2.x 802bfcfc 2010-11-24 12:34 Damien Regad Committer: dhx Details Diff |
Fix 0012167: Improved LDAP error handling and logging Created a new ldap_log_error function that will call log_event with the code and description of the last LDAP error. This is used after each failed call to a PHP ldap function. Improved the error handling of PHP ldap calls, some error cases were not covered Signed-off-by: David Hicks <d@hx.id.au> |
Affected Issues 0012167 |
|
mod - core/ldap_api.php | Diff File | ||
MantisBT: master 4910ffdd 2011-03-28 15:06 Damien Regad Committer: dhx Details Diff |
Fix 0012167: Improved LDAP error handling and logging Created a new ldap_log_error function that will call log_event with the code and description of the last LDAP error. This is used after each failed call to a PHP ldap function. Improved the error handling of PHP ldap calls, some error cases were not covered Implemented also additional improvements to LDAP logging, allowing to fully trace what is happening throughout the LDAP authentication process. Note: this is a manual merge of changes from commits 802bfcfc6 and 8f23dcc4, taking into consideration the specifics of 1.3.x branch. Signed-off-by: David Hicks <d@hx.id.au> |
Affected Issues 0012167 |
|
mod - core/ldap_api.php | Diff File |