
Users from AD child domain can't connect with LDAPS

Open SveDec opened this issue 1 year ago • 6 comments

Code of Conduct

  • [x] I agree to follow this project's Code of Conduct

Is there an existing issue for this?

  • [x] I have searched the existing issues

Version

10.0.17

Bug description

Hi,

In the context of securing GLPI connections by transitioning from LDAP to LDAPS, I face an issue with this specific use case:

  • GLPI is plugged into an Active Directory for user connections,
  • the AD contains the root domain (rootdomain.lan) and a child domain (child.rootdomain.lan),
  • and users who connect to GLPI can have their account in both the root and child domains.

To be able to identify users from both domains, GLPI's LDAP configuration uses port 3268, which is AD's unsecured "Global Catalog" port. With this configuration, everything works fine.

The problem appears when trying to use the secure port 3269: users from the root domain are still able to connect, but those from the child domain are not.

Below are the results from my tests.

  1. From the GLPI host's OS perspective

Test commands:

  • for LDAP (ports 389 and 3268): sudo -u www-data ldapsearch -x -b "DC=rootdomain,DC=lan" -D "rootdomain\bindAccount" -H 'ldap://ldap.rootdomain.lan:[$port]' -W '(|(sAMAccountName=[$account]))' -v
  • for LDAPS (ports 636 and 3269): sudo -u www-data ldapsearch -x -b "DC=rootdomain,DC=lan" -D "rootdomain\bindAccount" -H 'ldaps://ldap.rootdomain.lan:[$port]' -W '(|(sAMAccountName=[$account]))' -v
---------------------------------------------------------
| Account  | Root domain account | Child domain account |
---------------------------------------------------------
| Response | 389 : ✓             | 389 : ✗              |
|          | 636 : ✓             | 636 : ✗              |
|          | 3268 : ✓            | 3268 : ✓             |
|          | 3269 : ✓            | 3269 : ✓             |
---------------------------------------------------------

We observe that with the ldapsearch command, the AD responds as expected: only for root domain accounts on the standard LDAP ports, and also for child domain accounts on the global catalog ports.

  2. From GLPI

With standard LDAP ports:

  • Port 389
    • Config: Server: '[ldap://]ldap.rootdomain.lan', Port: '389', BaseDN: 'DC=rootdomain,DC=lan', Connection filter: none, RootDN: 'bindAccount', Use TLS: none
    • LDAP connection test: OK (with or without scheme)
    • Results (same with or without scheme):
      • Root domain account = connection OK ✓
      • Child domain account = connection KO ✗
  • Port 636
    • Config: Server: 'ldaps://ldap.rootdomain.lan', Port: '636', BaseDN: 'DC=rootdomain,DC=lan', Connection filter: none, RootDN: 'bindAccount', Use TLS: none
    • LDAP connection test: OK (KO without scheme, as expected)
      • Root domain account = connection OK ✓
      • Child domain account = connection KO ✗

=> GLPI works as expected with the standard LDAP ports

With Active Directory global catalog ports:

  • Port 3268
    • With scheme
      • Config: Server: 'ldap://ldap.rootdomain.lan', Port: '3268', BaseDN: 'DC=rootdomain,DC=lan', Connection filter: none, RootDN: 'bindAccount', Use TLS: none
      • LDAP connection test: OK
        • Root domain account = connection OK ✓
        • Child domain account = connection KO ✗
    • Without scheme
      • Config: Server: 'ldap.rootdomain.lan', Port: '3268', BaseDN: 'DC=rootdomain,DC=lan', Connection filter: none, RootDN: 'bindAccount', Use TLS: none
      • LDAP connection test: OK
        • Root domain account = connection OK ✓
        • Child domain account = connection OK ✓ => current working configuration
  • Port 3269
    • With scheme
      • Config: Server: 'ldaps://ldap.rootdomain.lan', Port: '3269', BaseDN: 'DC=rootdomain,DC=lan', Connection filter: none, RootDN: 'bindAccount', Use TLS: none
      • LDAP connection test: OK
        • Root domain account = connection OK ✓
        • Child domain account = connection KO ✗
    • Without scheme: the LDAP connection test fails

=> We observe that inserting the scheme in the server name seems to change GLPI's behaviour.

So currently it is not possible for users from the child domain to use GLPI if LDAPS is configured.

Relevant log output

In the "port 3269 with scheme" config, no logs are written to the mail-error.log, php-errors.log or sql-errors.log files in the glpi/files/_log/ directory when trying to connect with the child domain account; on screen, only the "invalid username or password" message appears.
In the event.log file, only one line appears:
[login] 3: Failed connection from ChildDomainAccount from IP [ip_addr]

Page URL

https://glpi.rootdomain.lan/front/login.php

Steps To reproduce

  1. Configure your LDAP server with the following values: Server: 'ldaps://ldap.rootdomain.lan', Port: '3269', BaseDN: 'DC=rootdomain,DC=lan', Connection filter: none, RootDN: 'bindAccount', Use TLS: none
  2. Try to connect to GLPI with an account from child.rootdomain.lan

Your GLPI setup information

GLPI 10.0.17 ( => /var/www/glpi)
Installation mode: TARBALL
Current language:fr_FR
Operating system: Linux SERVERNAME 6.1.0-26-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.112-1 (2024-09-30) x86_64
PHP 8.2.24 apache2handler (Core, FFI, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, apache2handler, bz2, calendar, ctype,
	curl, date, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, intl, json, ldap, libxml, mbstring, mysqli, mysqlnd,
	openssl, pcre, pdo_mysql, posix, random, readline, session, shmop, sockets, sodium, standard, sysvmsg, sysvsem, sysvshm,
	tokenizer, xml, xmlreader, xmlwriter, xsl, zip, zlib)
Setup: max_execution_time="30" memory_limit="128M" post_max_size="8M" safe_mode="" session.save_handler="files"
	upload_max_filesize="2M" disable_functions="" 
Software: Apache/2.4.62 (Debian) (Apache/2.4.62 (Debian) Server at glpi.rootdomain.lan Port 443)
	Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Server Software: Debian 12
	Server Version: 10.11.6-MariaDB-0+deb12u1
	Server SQL Mode: STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
	Parameters: glpi@localhost/glpi
	Host info: Localhost via UNIX socket
	
PHP version (8.2.24) is supported.
Sessions configuration is OK.
Allocated memory is sufficient.
mysqli extension is installed.
Following extensions are installed: dom, fileinfo, filter, libxml, json, simplexml, xmlreader, xmlwriter.
curl extension is installed.
gd extension is installed.
intl extension is installed.
zlib extension is installed.
The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present.
Database engine version (10.11.6) is supported.
No files from previous GLPI version detected.
The log file has been created successfully.
Write access to /var/www/glpi/files/_cache has been validated.
Write access to /var/www/glpi/files/_cron has been validated.
Write access to /var/www/glpi/files has been validated.
Write access to /var/www/glpi/files/_dumps has been validated.
Write access to /var/www/glpi/files/_graphs has been validated.
Write access to /var/www/glpi/files/_lock has been validated.
Write access to /var/www/glpi/files/_pictures has been validated.
Write access to /var/www/glpi/files/_plugins has been validated.
Write access to /var/www/glpi/files/_rss has been validated.
Write access to /var/www/glpi/files/_sessions has been validated.
Write access to /var/www/glpi/files/_tmp has been validated.
Write access to /var/www/glpi/files/_uploads has been validated.

Web server root directory configuration seems safe.
Sessions configuration is secured.
OS and PHP are relying on 64 bits integers.
exif extension is installed.
ldap extension is installed.
openssl extension is installed.
Following extensions are installed: bz2, Phar, zip.
Zend OPcache extension is installed.
Following extensions are installed: ctype, iconv, mbstring, sodium.
Write access to /var/www/glpi/marketplace has been validated.
Access to timezone database (mysql) is not allowed.

Anything else?

Nothing to add except a big thank you for GLPI! And thanks in advance for your help.

SveDec avatar Nov 25 '24 16:11 SveDec
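The port matrix from the issue, as an added example in Python (not code from the issue or from GLPI): it turns a GLPI-style Server/Port/Use TLS setting into one explicit URI, flags scheme/port combinations that cannot work, and reproduces the expected ldapsearch outcome per port. The function names and the sample account name are assumptions; host names, bind account and the port table come from the issue.

```python
"""Added example, not code from the issue or from GLPI: turn a GLPI-style LDAP
configuration (Server, Port, Use TLS) into one explicit URI and classify what
an Active Directory endpoint on that port delivers. Host names, bind account and
the port table come from the issue; the function names are assumptions."""
from urllib.parse import urlsplit

# AD ports exercised in the issue: 389/636 answer for the local domain only,
# the Global Catalog ports 3268/3269 answer for the whole forest.
AD_PORTS = {389: ("ldap", False), 636: ("ldaps", False),
            3268: ("ldap", True), 3269: ("ldaps", True)}


def normalise_uri(server: str, port: int) -> str:
    """Return scheme://host:port so neither scheme nor port is left to a default.
    A server value without scheme is plain ldap://; a port embedded in the
    server value must agree with the configured port."""
    if "://" not in server:
        server = "ldap://" + server
    parts = urlsplit(server)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP server URI: {server!r}")
    if parts.port is not None and parts.port != port:
        raise ValueError(f"server says port {parts.port}, configured port is {port}")
    return f"{parts.scheme}://{parts.hostname}:{port}"


def classify(uri: str, use_tls: bool = False) -> dict:
    """Is the transport encrypted, can child-domain accounts be found (Global
    Catalog port), and do scheme and port agree with each other."""
    parts = urlsplit(uri)
    expected_scheme, global_catalog = AD_PORTS.get(parts.port, (None, False))
    return {
        "uri": uri,
        "encrypted": parts.scheme == "ldaps" or use_tls,
        "child_domain_lookup": global_catalog,
        # ldaps:// to 389/3268, or ldap:// to 636/3269, cannot work at all
        "scheme_port_consistent": expected_scheme == parts.scheme,
    }


def ldapsearch_argv(uri: str, base_dn: str, bind_dn: str, account: str) -> list:
    """argv form of the issue's ldapsearch test command for one account."""
    return ["ldapsearch", "-x", "-b", base_dn, "-D", bind_dn, "-H", uri,
            "-W", f"(|(sAMAccountName={account}))", "-v"]


def expected_matrix(server: str) -> dict:
    """Expected outcome per port as in the issue's table: root-domain accounts
    are found everywhere, child-domain accounts only via the Global Catalog."""
    rows = {}
    for port, (scheme, _gc) in AD_PORTS.items():
        info = classify(normalise_uri(f"{scheme}://{server}", port))
        rows[port] = {"root": True, "child": info["child_domain_lookup"],
                      "encrypted": info["encrypted"]}
    return rows
```

Only a URI that is both encrypted and on a Global Catalog port (ldaps://host:3269, or ldap://host:3268 with STARTTLS) satisfies the requirement stated in the issue: TLS transport plus forest-wide account lookup.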

There has been no activity on this issue for some time and therefore it is considered stale and will be closed automatically in 10 days.

If this issue is related to a bug, please try to reproduce on the latest release. If the problem persists, feel free to add a comment to revive this issue. If it is related to a new feature, please open a topic to discuss this enhancement with the community on the suggestion website.

You may also consider taking a subscription to get professional support or contact the GLPI editor team directly.

github-actions[bot] avatar Jan 25 '25 08:01 github-actions[bot]

The latest release is still 10.0.17, no change related to this bug.

SveDec avatar Jan 27 '25 15:01 SveDec

There has been no activity on this issue for some time and therefore it is considered stale and will be closed automatically in 10 days.

If this issue is related to a bug, please try to reproduce on the latest release. If the problem persists, feel free to add a comment to revive this issue. If it is related to a new feature, please open a topic to discuss this enhancement with the community on the suggestion website.

You may also consider taking a subscription to get professional support or contact the GLPI editor team directly.

github-actions[bot] avatar Mar 30 '25 08:03 github-actions[bot]

GLPI updated to 10.0.18, and the issue is still present.

SveDec avatar Apr 03 '25 14:04 SveDec

There has been no activity on this issue for some time and therefore it is considered stale and will be closed automatically in 10 days.

If this issue is related to a bug, please try to reproduce on the latest release. If the problem persists, feel free to add a comment to revive this issue. If it is related to a new feature, please open a topic to discuss this enhancement with the community on the suggestion website.

You may also consider taking a subscription to get professional support or contact the GLPI editor team directly.

github-actions[bot] avatar Jun 03 '25 08:06 github-actions[bot]

The latest release is still 10.0.18, no change related to this bug.

SveDec avatar Jun 03 '25 14:06 SveDec

@SveDec

Could you test the patch proposed in #20103 ?

cedric-anne avatar Jun 25 '25 07:06 cedric-anne

~~Please note there is a change with #20103: protocol is no longer allowed. Ensure you use TLS instead of relying on ldaps://.~~ I changed that.

trasher avatar Jun 25 '25 07:06 trasher

No feedback, I close. Feel free to reopen if you can reproduce with GLPI 10.0.19 (soon to be released).

trasher avatar Jul 11 '25 06:07 trasher

Hello,

Sorry for the response delay due to holidays after the latest release.

10.0.19 has been installed and I confirm the changes have resolved the issue: the config Server: 'ldaps://ldap.rootdomain.lan', Port: '3269', BaseDN: 'DC=rootdomain,DC=lan', Connection filter: none, RootDN: 'bindAccount', Use TLS: none now allows users from both the root and child domains to log in.

Thank you for resolving this!

SveDec avatar Aug 21 '25 08:08 SveDec