FR3DLdapBundle

Authentication failed if DN updated

Open jonag opened this issue 10 years ago • 8 comments

Hi,

This morning I could not connect to my application, which uses this bundle to retrieve the users from our LDAP.

I found this error in the logs of the application:

DEBUG - 0x31 (Invalid credentials; 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1): CN=Jonathan GONÇALVES,OU=Stagiaires,OU=A5Sys,OU=A5 Groupe,DC=A5GROUPE,DC=local

After some research I found that my DN field in the LDAP had been changed to CN=Jonathan GONÇALVES,OU=A5Sys,OU=A5 Groupe,DC=A5GROUPE,DC=local, and since I store this field in the database the authentication didn't work.

I had to manually update the field in the database to be able to connect again.

Because the field can be changed for various reasons (for example a change of position), is there a way to prevent this issue? (Other than not storing the field in the database.)

Thanks!

(I'm using the version 2.0.0 of the bundle with PHP 7.0.0RC1 or PHP 5.6.4 and Symfony 2.7.3)

jonag avatar Sep 07 '15 08:09 jonag

Probably a solution could be: if the authentication fails due to a missing DN, then perform an LDAP search without the cached DN.

Maks3w avatar Sep 07 '15 08:09 Maks3w

Yes, but the error doesn't seem to be "Missing DN" but "Invalid credentials". I have no experience with LDAP; is there a way to distinguish the two errors?

If so I can try to fix that during this week.

jonag avatar Sep 07 '15 09:09 jonag

For security reasons ldap_bind doesn't disclose which parameter is wrong.

So:

  1. You can avoid persisting the DN in your database. If the DN is null, the bundle automatically performs a search each time.
  2. Create a patch to perform an ldap_search when ldap_bind fails and retry ldap_bind with the DN found.

Maks3w avatar Sep 07 '15 09:09 Maks3w

Hi,

I have the same problem. Can you describe the solution to bypass the problem?

Thanks!

Sullivan-Malher avatar Mar 20 '17 15:03 Sullivan-Malher

Hello, still the same errors in v3. Is there any possibility of giving us more details to bypass this problem?

Thanks

TomKrakott avatar Apr 12 '17 10:04 TomKrakott

OK so ... workaround ... I've dropped the DN from my database (not from the entity, surely):

/**
 * nothing here (no @ORM\Column mapping, so Doctrine no longer persists the DN)
 */
private $dn;

And in LdapAuthenticationProvider.php, I've replaced these lines:

            if (!$this->ldapManager->bind($user, $presentedPassword)) {
                throw new BadCredentialsException('The presented password is invalid TOTORO.');
            }

By:

            $updatedUser = $this->ldapManager->findUserByUsername($user->getUsername());

            if (!$this->ldapManager->bind($updatedUser, $presentedPassword)) {
                throw new BadCredentialsException('The presented password is invalid TOTORO.');
            }

It's a bad workaround but it works. I had to clone FR3DLdapBundle first.

Bye :)

TomKrakott avatar Apr 12 '17 16:04 TomKrakott

It works perfectly. Thank you for your help !

Sullivan-Malher avatar Apr 13 '17 06:04 Sullivan-Malher

I've just seen that TOTORO is in my code. Forget it, sorry :smile: Things always look better in the morning.

Due to the suppression of the DN in the database, each connection will fail and trigger the update of the DN. I've changed my code to replace this line:

    protected function checkAuthentication(UserInterface $user, UsernamePasswordToken $token)
    {
        $currentUser = $token->getUser();
        ...

To:

    protected function checkAuthentication(UserInterface $user, UsernamePasswordToken $token)
    {
        $currentUser = $this->ldapManager->findUserByUsername($user->getUsername());
        ...

Good coding ...

TomKrakott avatar Apr 13 '17 07:04 TomKrakott
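Maks3w's option 2 above (search again only when the bind with the cached DN fails, then retry with the DN found) and TomKrakott's workaround (always search before binding) are two ends of the same idea. The following is an added example, not FR3DLdapBundle code, showing the option-2 variant in plain PHP. The `$bind` and `$findDn` closures and the `$directory` array are constructed stand-ins for `ldap_bind()` and an LDAP search by username so the logic runs offline; in a real provider they would wrap the bundle's LdapManager. Two details matter for security: AD's `data 52e` sub-code in the issue's log line means logon failure and does not say whether the DN or the password was wrong, so the retry is only worth doing when the directory now reports a different DN (retrying the same DN just repeats the failure and, on AD, adds another bad-password count toward lockout); and an empty password must be rejected before binding, since many servers treat a DN with an empty password as an anonymous bind and return success.

```php
<?php
// Added example, not code from FR3DLdapBundle. The closures below simulate
// ldap_bind() and an LDAP search so the logic runs without a directory.

declare(strict_types=1);

/**
 * Bind with the cached DN; on failure, look the DN up again by username and
 * retry only if the directory now reports a different DN.
 *
 * @param callable(string $dn, string $password): bool $bind    stands in for ldap_bind()
 * @param callable(string $username): ?string          $findDn  stands in for an LDAP search by username
 * @return string|null the DN that authenticated (persist it if it changed), or null on bad credentials
 */
function bindWithDnRefresh(callable $bind, callable $findDn, string $username, ?string $cachedDn, string $password): ?string
{
    if ($password === '') {
        // An empty password is an anonymous/unauthenticated bind on many servers; never treat it as a login.
        return null;
    }
    if ($cachedDn !== null && $bind($cachedDn, $password)) {
        return $cachedDn;
    }
    $currentDn = $findDn($username);
    if ($currentDn === null || $currentDn === $cachedDn) {
        // User unknown, or DN unchanged: the password itself is wrong, so do not bind again.
        return null;
    }
    // The entry moved (e.g. a change of OU); retry once with the fresh DN.
    return $bind($currentDn, $password) ? $currentDn : null;
}

// Constructed directory: the user has been moved out of OU=Stagiaires, as in the issue.
$currentDn = 'CN=Jonathan GONÇALVES,OU=A5Sys,OU=A5 Groupe,DC=A5GROUPE,DC=local';
$staleDn   = 'CN=Jonathan GONÇALVES,OU=Stagiaires,OU=A5Sys,OU=A5 Groupe,DC=A5GROUPE,DC=local';
$directory = [
    $currentDn => ['uid' => 'jonag', 'password' => 's3cret'],
];

$bind = function (string $dn, string $password) use ($directory): bool {
    return isset($directory[$dn]) && hash_equals($directory[$dn]['password'], $password);
};
$findDn = function (string $username) use ($directory): ?string {
    foreach ($directory as $dn => $entry) {
        if ($entry['uid'] === $username) {
            return $dn;
        }
    }
    return null;
};

// Stale DN + right password: the bind fails, the search finds the new DN, the retry succeeds.
var_dump(bindWithDnRefresh($bind, $findDn, 'jonag', $staleDn, 's3cret') === $currentDn);
// Stale DN + wrong password: the retry with the new DN still fails.
var_dump(bindWithDnRefresh($bind, $findDn, 'jonag', $staleDn, 'wrong') === null);
// Current DN + wrong password: same DN comes back from the search, so there is no second bind.
var_dump(bindWithDnRefresh($bind, $findDn, 'jonag', $currentDn, 'wrong') === null);
// No cached DN: behaves like the bundle's own "DN is null" path and searches first.
var_dump(bindWithDnRefresh($bind, $findDn, 'jonag', null, 's3cret') === $currentDn);
```

When `bindWithDnRefresh()` returns a DN different from the cached one, the caller should write it back to the user record, which is what TomKrakott's `findUserByUsername()` refresh achieves implicitly on every login; the difference is that the example above costs one extra search only on the rare login that follows a move, while still never retrying a bind that cannot succeed.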