LDAP authentication error

Author Message

Sagar Khushalani

Thursday 26 October 2006 10:49:04 am

Hello
I'm trying to configure my site to authenticate with an AD on a W2k3 server. The site is on the domain controller itself. However, every time I try to log-in using one of the user accounts on the AD, i get this:

Fatal error: eZ publish did not finish its request
The execution of eZ publish was abruptly ended, the debug output is present below.

I've configured the site.ini file to allow LDAP authentication if standard fails.
Also, my ldap.ini files looks like this:

[LDAPSettings]
# Set LDAP version number
LDAPVersion=2
# Set to true if use LDAP server
LDAPEnabled=true
# LDAP host
LDAPServer=localhost
# Port nr for LDAP, default is 389
LDAPPort=389
# Specifies the base DN for the directory.
LDAPBaseDn=DC--cchtesting,DC--net
# If the server does not allow anonymous bind, specify the user name for the bind here.
LDAPBindUser= administrator
# If the server does not allow anonymous bind, specify the password for the bind here.
LDAPBindPassword= ************
# Could be sub, one, base.
LDAPSearchScope=sub
# Use the equla sign to replace "=" when specify LDAPBaseDn or LDAPSearchFilters
LDAPEqualSign=--
# Add extra search requirment. Uncomment it if you don't need it.
# Example LDAPSearchFilters[]=objectClass--inetOrgPerson
LDAPSearchFilters[]
# LDAP attribute for login. Normally, uid
LDAPLoginAttribute=SAMAccountName
# Could be id or name
LDAPUserGroupType=id
# Default place to store LDAP users. Could be content object id or group name for LDAP user group,
# depends on LDAPUserGroupType.
LDAPUserGroup[]=12
# LDAP attribute type for user group. Could be name or id
LDAPUserGroupAttributeType=name
# LDAP attribute for user group. For example, employeetype. If specified, LDAP users
# will be saved under the same group as in LDAP server.
LDAPUserGroupAttribute=employeetype
# LDAP attribute for First name. Normally, givenname
LDAPFirstNameAttribute=givenname
# LDAP attribute for Last name. Normally, sn
LDAPLastNameAttribute=sn
# LDAP attribute for email. Normally, mail
LDAPEmailAttribute=mail
# LDAP encoding is utf-8 or not
Utf8Encoding=false
# if 'enabled' you can move LDAP users to a different group and they will not
# be automatically moved back (to the group they are configured to be placed in)
# when the user logs in again.
KeepGroupAssignment=disabled

for the usergroup, i kept it at 12 (Guest Accounts). Is that correct? Also, i changed uid to SAMAccountName.

I also have this line in the ezldapuser.php file in the kernel\classes\datatypes\ezuser folder:

$r = ldap_bind( $ds,$auth_user,$auth_pass );

Can someone help? Let me know if you need more details.

Sagar Khushalani

http://www.sagarkhushalani.com

Jonny Bergkvist

Friday 27 October 2006 2:55:16 am

Hello,

LDAPServer=localhost
Is that correct for you? This could be true if you run eZ at the same server as the LDAP-directory runs, or if you use stunnel or any other redirect-software that passes on traffic from your eZ-host at port 389 to some other host (the LDAP-server).

A hint is to go into kernel/classes/datatypes/ezuser/ezldapuser.php and print some variables, such as result of ldap_connect and ldap_bind. This may make it easier to track your problem.

- Jonny
http://www.hit.no/

Sagar Khushalani

Saturday 28 October 2006 9:08:50 am

ezpublish and active directory are on the same server, so localhost is correct, right?

for the ldap bind, i used administrator and the admin password of the domain controller. is that correct?

i'll post the rest of the ezldapuser.php files when i get back to the office on tuesday.

thanks

Sagar Khushalani

http://www.sagarkhushalani.com

Sagar Khushalani

Thursday 02 November 2006 11:29:27 am

how do i get it to print the variables?

Sagar Khushalani

http://www.sagarkhushalani.com

Jonny Bergkvist

Tuesday 07 November 2006 12:19:38 am

You may want to follow the ldap connection process and find where it stops/fails:
first is ldap_connect(),
then some ldap_set_option() to konfigure ldap client to match server type/configuration.
Then ldap_bind(). When ldap_bind is successfull you can get data/entries from ldap with
ldap_list() - scope "one", ldap_read() - scope "base", ldap_search - scope "sub"
ldap_get_entries() returns the searchresult as an array.

To print a variable you can do like this:
edit kernel/common/classes/datatypes/ezuser/ezldapuser.php

You may want to view the $info-variable,
find the line: $info = ldap_get_entries( $ds, $sr ) ;
then insert a line under with:
echo "<pre>"; print_r( $sr ); echo "</pre>"; exit;

Try to login and you will see what values this variable contains.
If it's empty, you should check out the earlier stages of ldap connection process, by printing variables in the same manner as the example.

- Jonny

Powered by eZ Publish™ CMS Open Source Web Content Management. Copyright © 1999-2014 eZ Systems AS (except where otherwise noted). All rights reserved.