LDAP Access

egarces
Posts: 1
Joined: 27 Feb 2023, 11:43

LDAP Access

Post by egarces »

Hi,

We have Mantis installed for many years using Basic Access, but we want to upgrade to the last version using LDAP access.

The question is to know if Mantis may have the two different access, by LDAP for the internal company users and basic or HTML for customers.

Also to know if we can add users from two different domains with trust relationship.

Thanks in advance.

Enrique
Phroobar
Posts: 34
Joined: 13 Dec 2022, 16:14

Re: LDAP Access

Post by Phroobar »

Were you able to make LDAP work? We are moving from basic access to LDAP and could really use some examples or pointers.
Phroobar
Posts: 34
Joined: 13 Dec 2022, 16:14

Re: LDAP Access - please help

Post by Phroobar »

I've added these parameters to my config_inc.php in order to get LDAP working.

$g_login_method = LDAP;
$g_ldap_server = 'dev-ldapad-internal-ep****';
$g_ldap_root_dn = 'DC=DEVT3,DC=NET';

I'm receiving
APPLICATION ERROR #1404
LDAP Extension Not Loaded.
What does that mean?
0 D:\Applications\IssueTracker\IssueTracker_wwwroot\core\ldap_api.php 62 - - trigger_error <string>'1404', <integer>256
1 D:\Applications\IssueTracker\IssueTracker_wwwroot\core\ldap_api.php 374 - - ldap_connect_bind -
2 D:\Applications\IssueTracker\IssueTracker_wwwroot\core\ldap_api.php 344 - - ldap_authenticate_by_username <string>'administrator', <string>'root'
3 D:\Applications\IssueTracker\IssueTracker_wwwroot\core\authentication_api.php 762 - - ldap_authenticate <integer>1, <string>'root'
4 D:\Applications\IssueTracker\IssueTracker_wwwroot\login_page.php 150 - - auth_does_password_match <integer>1, <string>'root'
atrol
Site Admin
Posts: 8353
Joined: 26 Mar 2008, 21:37
Location: Germany

Re: LDAP Access

Post by atrol »

See "Optional extensions" at https://www.mantisbt.org/docs/master/en ... s.software
You have to install the PHP LDAP extension on your server.
Please use Search before posting and read the Manual
Phroobar
Posts: 34
Joined: 13 Dec 2022, 16:14

Re: LDAP Access

Post by Phroobar »

Well we got that to work. However LDAP access is returning 'ldap_search() Operations error in ...\core\ldap_api.php' line 378


This is what we have for ldap settings.
$g_login_method = LDAP;
$g_ldap_server = 'ldap://prod-****';
$g_ldap_root_dn = 'OU=Users,DC=US,DC=BANK-DNS,DC=COM';
$g_ldap_organization = '';
$g_ldap_portcol_version = 3;
$g_ldap_follow_referrals = ON;
$g_ldap_bind_dn = '';
$g_ldap_uid_field = 'uid';
$g_ldap_realname_field = 'cn';
$g_ldap_use_starttls = OFF;
$g_show_detailed_errors=ON;
$g_ldap_uid_field = 'sxxxxx';
Phroobar
Posts: 34
Joined: 13 Dec 2022, 16:14

Re: LDAP Access

Post by Phroobar »

We figured out how to get LDAP to work. We needed to use a service account and password. LDAP is working now for us. Thanks everyone for your help.
Phroobar
Posts: 34
Joined: 13 Dec 2022, 16:14

Re: LDAP Access

Post by Phroobar »

Now the question is how do we get LDAP secured to work or StartTls. I've installed our company certificates on the servers. We set the $g_ldap_server = 'ldaps://prod-****:636'; It still returns 1401 LDAP server connection failed. Any ideas?

$g_login_method = LDAP;
$g_ldap_server = 'ldaps://prod-****:636';
$g_ldap_root_dn = 'OU=Users,DC=US,DC=BANK-DNS,DC=COM';
$g_ldap_organization = '';
$g_ldap_portcol_version = 3;
$g_ldap_follow_referrals = ON;
$g_ldap_bind_dn = '';
$g_ldap_uid_field = 'uid';
$g_ldap_realname_field = 'cn';
$g_ldap_use_starttls = OFF;
$g_show_detailed_errors=ON;
$g_ldap_uid_field = 'sxxxxx';
atrol
Site Admin
Posts: 8353
Joined: 26 Mar 2008, 21:37
Location: Germany

Re: LDAP Access

Post by atrol »

Enable LDAP logging to get more detailed error information
https://www.mantisbt.org/docs/master/en ... ig.logging
Please use Search before posting and read the Manual
malika
Posts: 1
Joined: 03 Feb 2017, 05:33
Contact:

Re: LDAP Access

Post by malika »

Phroobar wrote: 03 Oct 2023, 21:51 Now the question is how do we get LDAP secured to work or StartTls. I've installed our company certificates on the servers. We set the $g_ldap_server = 'ldaps://prod-****:636'; It still returns 1401 LDAP server connection failed. Any ideas?

$g_login_method = LDAP;
$g_ldap_server = 'ldaps://prod-****:636';
$g_ldap_root_dn = 'OU=Users,DC=US,DC=BANK-DNS,DC=COM';
$g_ldap_organization = '';
$g_ldap_portcol_version = 3;
$g_ldap_follow_referrals = ON;
$g_ldap_bind_dn = '';
$g_ldap_uid_field = 'uid';
$g_ldap_realname_field = 'cn';
$g_ldap_use_starttls = OFF;
$g_show_detailed_errors=ON;
$g_ldap_uid_field = 'sxxxxx';

Did it work? I am stuck on the same issue.
Phroobar
Posts: 34
Joined: 13 Dec 2022, 16:14

Re: LDAP Access

Post by Phroobar »

No it didn't work. We were given certs to install but maybe mantis needs them placed or installed somewhere. LDAPS doesn't work. I'm going to open a ticket on this.
Phroobar
Posts: 34
Joined: 13 Dec 2022, 16:14

Re: LDAP Access

Post by Phroobar »

We do have the proper certificates setup on the VM and IT says to use port 636. However the stack trace seems to be wanting to login with Administrator instead of the AD service account listed in the $g_ldap_bind_dn. Any ideas?

$g_login_method = LDAP;
$g_ldap_server = 'ldaps://us.bank-dns.com:636';
$g_ldap_root_dn = 'DC=US,DC=BANK-DNS,DC=COM';
$g_ldap_use_starttls = OFF;
$g_show_detailed_errors=ON;
$g_ldap_uid_field = 'uid';
$g_ldap_realname_field = 'cn';
$g_ldap_follow_referrals = OFF;
$g_ldap_protocol_version = 3;
$g_ldap_bind_dn='CN=cdospuatappid,OU=APPIDS,DC=us,DC=bank-dns,DC=com';

Stack trace:
153 trigger_error <string>'1401', <integer>256
374 ldap_connect_bind
344 ldap_authenticate_by_username <string>'administrator', <string>'root'
762 ldap_authenticate <integer>1, <string>'root'
150 auth_does_password_match <integer>1, <string>'root'
Phroobar
Posts: 34
Joined: 13 Dec 2022, 16:14

Re: LDAP Access

Post by Phroobar »

I've run Microsoft's PortQry on the ldap 636 port and it responds correctly so it isn't being blocked.

The problem seems to be mantis keeps using Administrator instead of the account we are telling it. There must be some additional setting here. That service account is not a mantis user. Does it need to be?
dregad
Developer
Posts: 73
Joined: 26 Jul 2010, 14:24

Re: LDAP Access

Post by dregad »

The problem seems to be mantis keeps using Administrator instead of the account we are telling it
As mentioned in #33444, I believe this is a red herring. This is just a sanity check performed by the login page to ensure the default administrator account's password has been changed.
Phroobar
Posts: 34
Joined: 13 Dec 2022, 16:14

Re: LDAP Access

Post by Phroobar »

I've run the script
<?php

$g_ldap_server = 'ldaps://xxx.com:636';
$g_ldap_bind_dn='CN=userappid,OU=APPIDS,DC=us,DC=xxx,DC=com';
$g_ldap_bind_passwd = 'xxx';
ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 0xffff);
$ds = ldap_connect($g_ldap_server);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_bind($ds, $g_ldap_bind_dn, $g_ldap_bind_passwd) or die('ERROR');
echo 'SUCCESS';
?>


ldap_create
ldap_url_parse_ext(ldaps://xxx.com:636)
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP xxx.com:636
ldap_new_socket: 632
ldap_prepare_socket: 632
ldap_connect_to_host: Trying 100.67.12.133:636
ldap_pvt_connect: fd: 632 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 1, err: 20, subject: /C=Uxxxxx
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can't connect: error:16000069:STORE routines::unregistered scheme.
ldap_err2string
PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in C:\PHP81\ldap_test.php on line 8

Shouldn't this be using the local windows OS store? Do I need to update something in the PHP.ini file?
;curl.cainfo =
;openssl.cafile=
;openssl.capath=

How do you setup a certificate to be used by PHP?
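
An added example, not part of any poster's message and not MantisBT code: the "unable to get local issuer certificate" line in the trace above means the LDAP client library has no CA certificate that chains to the one the server presented. The script below is a variant of the test script that points the library at a PEM file explicitly and keeps certificate verification on; the host, bind DN, CA path and the LDAP_BIND_PW environment variable are placeholders chosen for illustration.

```php
<?php
// Added example (not from the thread). Host, bind DN and CA path below are
// placeholders; the password is read from an environment variable.
$server = 'ldaps://ldap.example.com:636';
$bindDn = 'CN=svc-account,OU=APPIDS,DC=example,DC=com';
$bindPw = getenv('LDAP_BIND_PW') ?: '';
$caFile = 'C:\\certs\\corp-ca-chain.pem'; // PEM file: issuing CA(s) + root

foreach (['ldap', 'openssl'] as $ext) {
    if (!extension_loaded($ext)) {
        exit("PHP extension '$ext' is not loaded\n");
    }
}
if ($bindPw === '') {
    exit("Set LDAP_BIND_PW; an empty password would be an unauthenticated bind\n");
}

// Show which CA the file actually holds, to compare with the issuer
// named in the "TLS certificate verification" line of the debug trace.
$pem  = is_readable($caFile) ? file_get_contents($caFile) : false;
$info = $pem !== false ? openssl_x509_parse($pem) : false;
if ($info === false) {
    exit("No readable PEM certificate in $caFile\n");
}
printf("First CA in bundle: %s (expires %s)\n",
    $info['name'], date('Y-m-d', $info['validTo_time_t']));

// OpenLDAP TLS options set on the global (null) handle before connecting
// are inherited by the connection created for the ldaps:// URI.
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

$ds = ldap_connect($server);
if ($ds === false) {
    exit("Invalid LDAP URI: $server\n");
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

if (@ldap_bind($ds, $bindDn, $bindPw)) {
    echo "SUCCESS: certificate chain verified and bind accepted\n";
} else {
    $detail = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
    printf("FAILED: %s (%s)\n", ldap_error($ds), $detail ?: 'no detail');
}
ldap_unbind($ds);
```

The options set here apply only to this test process; a passing run confirms the PEM file is the right chain, which then has to be made available to the PHP process that serves the application.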
Phroobar
Posts: 34
Joined: 13 Dec 2022, 16:14

Re: LDAP Access

Post by Phroobar »

Where exactly does Mantis BT expect the certificates to be installed? The OS store and/or IIS?