
LDAP Auth error: Login failed, please try again

Open AndreCoelhoCGI opened this issue 4 years ago • 14 comments

I have installed a new Ubuntu 18.04 server and followed the install steps provided by the FileGator documentation: "Install on fresh Ubuntu 18.04 or Debian 10.3".

After this, I edited configuration.php and changed these settings:


    root@filegatorvm1:/var/www/filegator# cat configuration.php
    (...)
    'Filegator\Services\Auth\AuthInterface' => [
        'handler' => '\Filegator\Services\Auth\Adapters\LDAP',
        'config' => [
            'private_repos' => false,
            'ldap_server'=>'ldap://xxx.xxx.xxx.xxx',
            'ldap_bindDN'=>'cn=binduser,ou=filegatorgroups,dc=filegatorad,dc=local',
            'ldap_bindPass'=>'xxx',
            'ldap_baseDN'=>'ou=filegatorgroups,dc=filegatorad,dc=local',
            'ldap_filter'=>'(&(uid=*)(memberOf=cn=filegatorusers,ou=filegatorgroups,dc=filegatorad,dc=local))',
            'ldap_attributes'=> ["samaccountname","uid","cn","dn"],
            'ldap_userFieldMapping'=> [
                'username' =>'samaccountname',
                'name' =>'cn',
                'userDN' =>'dn',
                'default_permissions' =>'read|write|upload|download|batchdownload|zip',
                'admin_usernames' =>['filegatoradmin','admin'],
            ],
        ],
    ],
    (...)

Authentication works fine, but I can't log in to the FileGator portal; it always shows "Login failed, please try again". In the Active Directory, I have the following users and groups:

  • aduser: "binduser" (for bindDN)
  • aduser: "filegatoradmin" (admin user - for FileGator administration)
  • aduser: "filegatoruser" (normal user - member of "filegatorusers" adgroup)
  • adgroup: "filegatorusers" (for all users, for the default permissions)

What might be missing that makes authentication to the FileGator portal fail? And how do I then define different permissions for the different adgroups and/or adusers that exist in Active Directory?


    root@filegatorvm1:/var/www/filegator# tail -f ./private/logs/app.log
    [2021-07-27 13:19:43] default.INFO: Login failed for filegatoradmin from IP xxx.xxx.xxx.xxx [] []

  • FileGator Version [latest = 7.6.0]
  • Server: [Ubuntu 18.04]
  • PHP Version [PHP 7.2.24-0ubuntu0.18.04.8]
  • Browser [Chrome, Edge]

AndreCoelhoCGI avatar Jul 27 '21 13:07 AndreCoelhoCGI

What ldap-server are you using? You filter by the attribute 'uid' in the 'ldap_filter' configuration, but use the attribute 'samaccountname' in the 'username' configuration. Do they both exist and have the same values?

Permissions: admins from the 'admin_usernames' configuration are granted everything. All others get just what's configured in the 'default_permissions' configuration. It's not possible to define the permissions per user.

ahaenggli avatar Aug 17 '21 19:08 ahaenggli

@AndreCoelhoCGI were you able to sort it out? I'm having the same issue.

@ahaenggli I tried your method and still getting the same login error.

Kind regards,

Bankole.

bjo004 avatar Feb 26 '22 14:02 bjo004

@bjo004 If the connection to your LDAP server is OK, it is most likely an error with the usernames or the baseDN. Try this attached little php script LDAP-test.php.txt. You can use the same config parameters as in filegator. The outputs should make debugging easier.

ahaenggli avatar Feb 26 '22 17:02 ahaenggli

Hi @ahaenggli

Got a configuration that worked. Had to change the ldap filter to match what is configured. Used the mail ldap attribute instead of uid, since uid was not returning any results. Once that was applied, it worked. Thanks for your debug script, it made things much quicker. I've put the config below.

    'config' => [
        'private_repos' => false,
        'ldap_server'=>'ldap://127.0.0.1',
        'ldap_bindDN'=>'uid=ldapbinduser,cn=users,dc=ldap,dc=example,dc=com',
        'ldap_bindPass'=>'mysecretpassword',
        'ldap_baseDN'=>'cn=users,dc=ldap,dc=example,dc=com',
        // Get a list of active members only
        'ldap_filter'=>'(&(mail=*)(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
        'ldap_attributes' => ["mail","cn","dn"],
        'ldap_userFieldMapping'=> [
            'username' =>'mail',
            'username_AddDomain' =>'@example.com',
            'username_RemoveDomains' =>['@department1.example.com', '@department2.example.com'],
            'name' =>'cn',
            'userDN' =>'dn',
            'default_permissions' => 'read|write|upload|download|batchdownload|zip',
            'admin_usernames' =>['user1', 'user2'],
        ],
    ]

Kind regards,

Bankole.

bjo004 avatar Feb 26 '22 23:02 bjo004

Got another question @ahaenggli .

Does filegator support Azure AD? If not, are there plans to support in the future?

Kind regards,

Bankole.

bjo004 avatar Feb 26 '22 23:02 bjo004

Glad to read that it is working now, @bjo004.

I know nothing about AzureAD in this project. I suggest you open a new issue to ask that.

ahaenggli avatar Feb 27 '22 09:02 ahaenggli

Hi all,

I'm probably doing something silly but I can't get AD authentication working in my lab environment.

I can confirm my server can reach AD (sssd is used), and I have successfully queried the user in question using ldapsearch as well. With this in mind, here is my 'AuthInterface' config. I did try changing the filter to use mail, but this didn't work.

AuthInterface:

    'Filegator\Services\Auth\AuthInterface' => [
        'handler' => '\Filegator\Services\Auth\Adapters\LDAP',
        'config' => [
            'private_repos' => false,
            'ldap_server' => 'ldap://192.168.1.116', // LDAP server address
            'ldap_bindDN' => 'CN=dpage,CN=Users,DC=voyager,DC=com',
            'ldap_bindPass' => 'HIDDEN',
            'ldap_baseDN' => 'CN=Users,DC=voyager,DC=com',
            'ldap_filter' => '(sAMAccountName=*)',
            'ldap_attributes' => ["sAMAccountName", "cn", "dn"],
            'ldap_userFieldMapping' => [
                'username' => 'sAMAccountName',
                'username_AddDomain' => '@voyager.com',
                'username_RemoveDomains' => ['@department1.voyager.com', '@department2.voyager.com'],
                'name' => 'cn',
                'userDN' => 'dn',
                'default_permissions' => 'read|write|upload|download|batchdownload|zip',
                'admin_usernames' => ['user1', 'user2'],
            ],
        ],
    ],

Any help is greatly appreciated. Thank you in advance!!

hfiles23 avatar Jan 02 '24 14:01 hfiles23

Hi @hfiles23,

Do you want to match the ldap_filter, the ldap_attributes and username to what I posted above? See if that works?

Kind regards,

Bankole.

bjo004 avatar Jan 02 '24 15:01 bjo004

Hi @bjo004,

For the username, are you using ldapbinduser? I guess that will need to be created in AD if that's the case.

hfiles23 avatar Jan 02 '24 16:01 hfiles23

Hi @hfiles23

Just in case you didn't see what I posted above.

'config' => [
'private_repos' => false,
'ldap_server'=>'ldap://127.0.0.1',
'ldap_bindDN'=>'uid=ldapbinduser,cn=users,dc=ldap,dc=example,dc=com',
'ldap_bindPass'=>'mysecretpassword',
'ldap_baseDN'=>'cn=users,dc=ldap,dc=example,dc=com',
// Get a list of active members only
'ldap_filter'=>'(&(mail=*)(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
'ldap_attributes' => ["mail","cn","dn"],
'ldap_userFieldMapping'=> [
'username' =>'mail',
'username_AddDomain' =>'@example.com',
'username_RemoveDomains' =>['@department1.example.com', '@department2.example.com'],
'name' =>'cn',
'userDN' =>'dn',
'default_permissions' => 'read|write|upload|download|batchdownload|zip',
'admin_usernames' =>['user1', 'user2'],
],
]

bjo004 avatar Jan 02 '24 18:01 bjo004

Hi @bjo004,

Unfortunately, when I change the config to the above, the front end becomes unavailable.

Here's what I used.

    'Filegator\Services\Auth\AuthInterface' => [
        'handler' => '\Filegator\Services\Auth\Adapters\LDAP',
        'config' => [
            'private_repos' => false,
            'ldap_server'=>'ldap://192.168.1.116',
            'ldap_bindDN'=>'uid=dpage,cn=users,dc=ldap,dc=voyager,dc=com',
            'ldap_bindPass'=>'MYPASS',
            'ldap_baseDN'=>'cn=users,dc=ldap,dc=voyager,dc=com',
            // Get a list of active members only
            'ldap_filter'=>'(&(mail=*)(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
            'ldap_attributes' => ["mail","cn","dn"],
            'ldap_userFieldMapping'=> [
                'username' =>'mail',
                'username_AddDomain' =>'@voyager.com',
                'username_RemoveDomains' =>['@department1.voyager.com', '@department2.voyager.com'],
                'name' =>'cn',
                'userDN' =>'dn',
                'default_permissions' => 'read|write|upload|download|batchdownload|zip',
                'admin_usernames' =>['dpage'],
            ],
        ],
    ],

hfiles23 avatar Jan 02 '24 21:01 hfiles23

This is the error I'm getting. As mentioned before, I can query AD, so I'm stumped as to why FileGator is failing to query AD.

Log:

    [2024-01-02 21:15:41] default.WARNING: E_WARNING: Undefined array key "sAMAccountName" {"code":2,"message":"Undefined array key "sAMAccountName"","file":"/var/www/filegator/backend/Services/Auth/Adapters/LDAP.php","line":196} []
    [2024-01-02 21:15:41] default.WARNING: E_WARNING: Trying to access array offset on value of type null {"code":2,"message":"Trying to access array offset on value of type null","file":"/var/www/filegator/backend/Services/Auth/Adapters/LDAP.php","line":196} []

hfiles23 avatar Jan 02 '24 21:01 hfiles23

Add the following LDAP option to backend/Services/Auth/Adapters/LDAP.php in function init(...):

            ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);

Use sAMAccountName in lowercase: samaccountname.

fdefilippo avatar Mar 10 '24 16:03 fdefilippo
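The lowercase attribute-name point just made and the debug script ahaenggli mentioned earlier come down to the same check, so here is a stand-alone PHP lookup script as an added example. It is neither FileGator's code nor the LDAP-test.php.txt attachment; the server URI, DNs, password, filter and the file name ldap-check.php are placeholders to be replaced with the values from configuration.php. It binds with the bind DN, runs the configured filter under the base DN, and prints which entries come back and what the username attribute resolves to. It reads the attribute key in lowercase because PHP's ldap_get_entries() lowercases every attribute name it returns, which is exactly why the log above reports an undefined "sAMAccountName" key.

```php
<?php
// Added example: a stand-alone LDAP lookup check that reuses the key names of
// FileGator's 'config' array so values can be pasted in from configuration.php.
// Not FileGator's code. All values below are placeholders for your environment.

$config = [
    'ldap_server'     => 'ldap://ldap.example.com',                // placeholder
    'ldap_bindDN'     => 'cn=binduser,cn=users,dc=example,dc=com', // placeholder
    'ldap_bindPass'   => getenv('LDAP_BIND_PASS') ?: 'CHANGE_ME',  // keep the secret out of the file
    'ldap_baseDN'     => 'cn=users,dc=example,dc=com',             // placeholder
    'ldap_filter'     => '(&(sAMAccountName=*)(objectClass=user))', // placeholder
    'ldap_attributes' => ['sAMAccountName', 'mail', 'cn', 'dn'],
    'ldap_userFieldMapping' => [
        'username' => 'sAMAccountName',
    ],
];

$conn = ldap_connect($config['ldap_server']);
if ($conn === false) {
    fwrite(STDERR, "ldap_connect(): malformed server URI\n");
    exit(1);
}
// Active Directory requires LDAPv3. Referral chasing must be off, otherwise a
// search under a domain base DN tries to follow referrals to other partitions
// with the wrong credentials and the lookup fails or returns partial results.
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

// Step 1: bind. A failure here is a bind DN or password problem, not a filter problem.
if (!@ldap_bind($conn, $config['ldap_bindDN'], $config['ldap_bindPass'])) {
    fwrite(STDERR, 'bind failed: ' . ldap_error($conn) . "\n");
    exit(1);
}
echo "bind OK as {$config['ldap_bindDN']}\n";

// Step 2: search with the configured base DN, filter and attribute list.
$result = @ldap_search($conn, $config['ldap_baseDN'], $config['ldap_filter'], $config['ldap_attributes']);
if ($result === false) {
    fwrite(STDERR, 'search failed: ' . ldap_error($conn) . "\n");
    exit(1);
}
$entries = ldap_get_entries($conn, $result);
echo "filter matched {$entries['count']} entries under {$config['ldap_baseDN']}\n";

// Step 3: resolve the username attribute the way the adapter must:
// ldap_get_entries() lowercases attribute names, so a mapping of 'sAMAccountName'
// has to be read as $entry['samaccountname']. Only 'dn' keeps its spelling.
$usernameAttr = strtolower($config['ldap_userFieldMapping']['username']);

for ($i = 0; $i < $entries['count']; $i++) {
    $entry = $entries[$i];
    $username = isset($entry[$usernameAttr]) ? $entry[$usernameAttr][0] : '(attribute missing)';
    printf("  dn=%s  %s=%s\n", $entry['dn'], $usernameAttr, $username);
}
if ($entries['count'] === 0) {
    echo "no entries: check ldap_baseDN and ldap_filter before touching the field mapping\n";
}
ldap_unbind($conn);
```

Run it on the FileGator host with `LDAP_BIND_PASS=... php ldap-check.php`. Each failure mode points at one config key: a bind failure means the bind DN or password; a successful bind with zero entries means the base DN or filter; entries that print "(attribute missing)" mean the username mapping names an attribute those objects do not carry. Since a simple bind over ldap:// sends the bind password in cleartext, outside a lab use ldaps:// or call ldap_start_tls() on the connection before binding.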

Thank you @fdefilippo, will give that a go.

hfiles23 avatar Mar 11 '24 17:03 hfiles23