
[4.x] Fix LDAP "Bind Directly as User"

Open tatankat opened this issue 2 years ago • 50 comments

Pull Request for Issue #35829 (probably); restores broken functionality.

Summary of Changes

Simple fix to restore (some of) the LDAP functionality, not needing a full rewrite. Replace [username] in 'users_dn' configuration as was done before by the Joomla LDAP Client (replaced by the Symfony LDAP framework).

Testing Instructions

Use the LDAP configuration as it was working with V3 with "Bind Directly as User" as Authorisation Method and a User's DN with [username] in it to be replaced as the description says (uid=[username], dc=my-domain, dc=com)

Actual result BEFORE applying this Pull Request

The entered username was used to bind with LDAP, which makes no sense, as the username is escaped and can't be used as a full DN to log in to LDAP.

Expected result AFTER applying this Pull Request

The configured users_dn is used with "[username]" replaced by the entered username.

Documentation Changes Required

None, this was broken in V4 vs V3.

tatankat avatar Jun 01 '22 19:06 tatankat

Hi there, I'm running 4.1.3-rc1 and it's still not working for me. [screenshot] This is the set-up we use with J3. Do I need to do anything differently?

nickdring avatar Jun 08 '22 08:06 nickdring

As you use ldaps, you also need #37962

tatankat avatar Jun 08 '22 09:06 tatankat

@nickdring Can you confirm it's working with the 2 PRs applied?

tatankat avatar Jun 16 '22 13:06 tatankat

Hi @tatankat, I updated to 4.1.5-rc1 but it's still not working. Sorry.

nickdring avatar Jun 17 '22 09:06 nickdring

@nickdring The code from these PRs is not yet released in a Joomla version (AFAIK), so you have to apply the changes "manually" to test. As @richard67 said in #37962, only once these changes are tested by several humans will these PRs be merged and included in Joomla.

tatankat avatar Jun 17 '22 09:06 tatankat

Hi @tatankat, sorry, I didn't realise. So I manually added the new changes but it still doesn't work.

nickdring avatar Jun 17 '22 10:06 nickdring

> Hi @tatankat, sorry, I didn't realise. So I manually added the new changes but it still doesn't work.

@nickdring Have you added the changes from both PRs, #37962 and this one here? If so, you have to edit and save the LDAP plugin settings once so that the right encryption setting is used. Or you would have to apply the database changes from the other PR, but that would be too complicated now. Or, if you have applied only the changes from this PR here, you should test with ldap (without s).

richard67 avatar Jun 17 '22 10:06 richard67

Hi, https://github.com/joomla/joomla-cms/pull/37962 has 5 files, one of which is ldap.php, which is the same file as https://github.com/joomla/joomla-cms/pull/37959. But I tried both versions and it doesn't work.

nickdring avatar Jun 17 '22 11:06 nickdring

> Hi, #37962 has 5 files, one of which is ldap.php, which is the same file as #37959. But I tried both versions and it doesn't work.

@nickdring In the ldap.php you would have to use an editor and apply the changes from both PRs if you want to use ldaps. Maybe @tatankat can provide you a download of the file with the changes from both PRs if you can't do that.

richard67 avatar Jun 17 '22 11:06 richard67

If @tatankat can do that for me I'd be happy to try it.

nickdring avatar Jun 17 '22 11:06 nickdring

@nickdring Are you testing on a testing environment or a testing copy of your live site? Or are you using your live site for testing? I'm asking in order to give you the right advice later for testing. If possible you should use a testing environment or a testing copy of your live site.

richard67 avatar Jun 17 '22 14:06 richard67

I'm testing J4 on a staging, I can break it as much as I like ;)

nickdring avatar Jun 17 '22 14:06 nickdring

@nickdring Good to know about your test environment :)

As you don't use [username] in your User's DN, this PR won't do anything. And as the other PR separately does not work, it does not work yet with the two combined. (but hold on)

As I was investigating, I found another change of behavior which (probably) also explains why logging in with domain fails (which I suspect you do too). When User's DN is empty, V3 took the entered login, while V4 does not. Except when you use this PR (combined with the other, will give you that next week if still necessary) and put simply [username] in the User's DN. Can you test that?

If this does not work, can you give me some more details about your installation and what type of credentials you use to login?

tatankat avatar Jun 17 '22 14:06 tatankat
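Putting together the PR description's [username] substitution in users_dn and the V3 behaviour for an empty User's DN described in the comment above, here is an added illustration in PHP; it is not Joomla's or Symfony Ldap's own code, and the function names escapeDnValue and buildBindDn are hypothetical.

```php
<?php
// Added example (not Joomla's or Symfony Ldap's code). Function names are
// hypothetical. Builds the DN used by "Bind Directly as User": the entered
// username replaces [username] in the users_dn setting, and an empty
// User's DN falls back to the entered login as V3 did.

/**
 * Escape one attribute value for use inside a DN (RFC 4514), so that
 * ',' '=' '+' etc. typed into the login field cannot add or alter RDNs.
 * In production PHP's ldap_escape($value, '', LDAP_ESCAPE_DN) does the same
 * job with \XX hex escapes; this version is spelled out for readability.
 */
function escapeDnValue(string $value): string
{
    // Backslash-escape the special characters wherever they occur.
    $escaped = addcslashes($value, '\\",+;<>=');
    // NUL has no printable form and must be hex-escaped.
    $escaped = str_replace("\0", '\\00', $escaped);
    // A leading '#' or space and a trailing space are also significant.
    if ($escaped !== '' && ($escaped[0] === '#' || $escaped[0] === ' ')) {
        $escaped = '\\' . $escaped;
    }
    if ($escaped !== '' && substr($escaped, -1) === ' ') {
        $escaped = substr($escaped, 0, -1) . '\\ ';
    }
    return $escaped;
}

/**
 * Resolve the bind DN. $usersDn is the plugin's "User's DN" setting, e.g.
 * "uid=[username],dc=my-domain,dc=com" as in the PR description.
 */
function buildBindDn(string $usersDn, string $login): string
{
    if (trim($usersDn) === '') {
        // Empty User's DN: the login is itself the DN (or an AD-style bind
        // name) and must not be value-escaped, which is exactly the V4
        // defect the PR describes.
        return $login;
    }
    // Inside a template the login is one attribute value, so escape it.
    return str_replace('[username]', escapeDnValue($login), $usersDn);
}

// Demo with constructed inputs; no directory is contacted.
$template = 'uid=[username],dc=my-domain,dc=com';
echo buildBindDn($template, 'nick'), "\n";            // plain username
echo buildBindDn($template, 'nick,ou=admins'), "\n";  // metacharacters are escaped
echo buildBindDn('', 'cn=nick,ou=staff,dc=my-domain,dc=com'), "\n"; // full DN login
```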

Hi @tatankat, I tried that, but it didn't work. This is our usual set up as per J3. As you can see, LDAP v3 is not activated, and we don't use User's DN or Connect Username. [screenshot]

nickdring avatar Jun 20 '22 09:06 nickdring

@tatankat Should @nickdring select an encryption protocol when using a host with "ldaps://"?

richard67 avatar Jun 20 '22 09:06 richard67

@nickdring and @richard67 , yes, the SSL encryption protocol should be selected (I will check if I can improve #37962 for that, as I am apparently not the only one using it this way).

The combination of both PRs is in https://github.com/tatankat/joomla-cms/tree/patched/plugins/authentication/ldap (my "patched" branch).

This PR now most probably also fixes #36074, #35573 and #35571

tatankat avatar Jun 20 '22 21:06 tatankat

Hi @tatankat so would you like me to try with the two files in https://github.com/tatankat/joomla-cms/tree/patched/plugins/authentication/ldap ? Do I need to change any of the settings?

nickdring avatar Jun 21 '22 12:06 nickdring

Yes, please. You need to remove the "ldaps://" part in the Host and set "Encryption Protocol" to SSL. When code is accepted to J4, this will be done automatically on upgrade. It's also strange you don't have LDAP v3, so maybe try that one if it is not working - you never know this did not do anything in J3.

tatankat avatar Jun 21 '22 13:06 tatankat

Ok, two new uploaded, and I removed ldaps:// from the host and set encryption to SSL. I also tried LDAP v3 option on and off and a bunch of other combinations, but it is always the same result I'm afraid.

nickdring avatar Jun 21 '22 13:06 nickdring

A last guess: do you still have the port number in the "Host" field? If it is, can you test with the port number removed? If not, then some debugging will need to take place. Is there some error in the php logs? It seems to me the debug option currently has no effect, so I will check if something can be done with that. Can you check on your ldap server if something is connecting and what it is doing?

tatankat avatar Jun 21 '22 21:06 tatankat

Hi @tatankat I've tried with and without the port number in the host field. I've tried different port numbers too, LDAP v3 on and off, I've also tried with our User DN. In the PHP logs, all I see is '2022-05-24T13:15:10+00:00 INFO 10.255.7.56 ldapfailure Username and password do not match, or you do not have an account yet.' BTW I updated to 4.1.5.rc2, and I see the option for the encryption has changed, now it's either on or off and only TLS. I'll see if I can get any LDAP logs/info from my colleagues in ICT.

nickdring avatar Jun 22 '22 14:06 nickdring

This pull request has been automatically rebased to 4.2-dev.

HLeithner avatar Jun 27 '22 13:06 HLeithner

This pull request has been automatically converted to the PSR-12 coding standard.

joomla-bot avatar Jun 27 '22 20:06 joomla-bot

@nickdring I have fixed the LDAP debug in PR #38388. To run with LDAP debugging, you should update the file (or run from https://github.com/tatankat/joomla-cms/tree/patched which includes all LDAP fixes) and execute "composer update symfony/ldap". Can you please run a test and show us the resulting log?

tatankat avatar Aug 03 '22 19:08 tatankat

Hi there, I tried your branch on a local installation and it's still not working. The only log message is '2022-08-19T08:47:54+00:00 INFO 10.255.7.56 ldapfailure Username and password do not match or you do not have an account yet.' I've tried all the variations I can think of.

nickdring avatar Aug 19 '22 08:08 nickdring

@nickdring If you have successfully enabled the LDAP debugging, then you should find messages like these in the PHP error log (not in the Joomla log):

ldap_create
ldap_url_parse_ext(ldap://localhost:1389)
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:1389

If this is not the case, then check that your installation uses the right symfony ldap version, that Joomla has LDAP debugging correctly enabled, and that the PHP stderr messages are logged somewhere. Using those messages, we should find what is wrong. If you can't enable/find those messages, I can't help you, sorry.

tatankat avatar Aug 19 '22 11:08 tatankat

Hi, in the php_error.log I see the following error:

Stack trace:
#0 /Applications/MAMP/bin/phpMyAdmin5/libraries/classes/Controllers/ExportController.php(394): PhpMyAdmin\Export->getFilenameAndMimetype('database', '', Object(PhpMyAdmin\Plugins\Export\ExportSql), '', NULL)
#1 /Applications/MAMP/bin/phpMyAdmin5/libraries/classes/Routing.php(187): PhpMyAdmin\Controllers\ExportController->index(Array)
#2 /Applications/MAMP/bin/phpMyAdmin5/index.php(19): PhpMyAdmin\Routing::callControllerForRoute('/export', Object(FastRoute\Dispatcher\GroupCountBased), Object(Symfony\Component\DependencyInjection\ContainerBuilder))
#3 {main}
  thrown in /Applications/MAMP/bin/phpMyAdmin5/libraries/classes/Export.php on line 348
[05-Aug-2022 14:00:37 UTC] PHP Warning: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in /Applications/MAMP/htdocs/libraries/vendor/symfony/ldap/Adapter/ExtLdap/Connection.php on line 162
[05-Aug-2022 14:01:02 UTC] PHP Warning: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in /Applications/MAMP/htdocs/libraries/vendor/symfony/ldap/Adapter/ExtLdap/Connection.php on line 162
[05-Aug-2022 14:01:48 UTC] PHP Warning: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in /Applications/MAMP/htdocs/libraries/vendor/symfony/ldap/Adapter/ExtLdap/Connection.php on line 162
[08-Aug-2022 08:27:15 UTC] PHP Warning: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in /Applications/MAMP/htdocs/libraries/vendor/symfony/ldap/Adapter/ExtLdap/Connection.php on line 162
[08-Aug-2022 08:28:05 UTC] PHP Warning: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in /Applications/MAMP/htdocs/libraries/vendor/symfony/ldap/Adapter/ExtLdap/Connection.php on line 162
[08-Aug-2022 08:42:55 UTC] PHP Warning: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in /Applications/MAMP/htdocs/libraries/vendor/symfony/ldap/Adapter/ExtLdap/Connection.php on line 162
[08-Aug-2022 08:43:39 UTC] PHP Warning: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in /Applications/MAMP/htdocs/libraries/vendor/symfony/ldap/Adapter/ExtLdap/Connection.php on line 162
[08-Aug-2022 08:44:18 UTC] PHP Warning: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in /Applications/MAMP/htdocs/libraries/vendor/symfony/ldap/Adapter/ExtLdap/Connection.php on line 162
[08-Aug-2022 08:44:34 UTC] PHP Warning: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in /Applications/MAMP/htdocs/libraries/vendor/symfony/ldap/Adapter/ExtLdap/Connection.php on line 162

nickdring avatar Aug 19 '22 11:08 nickdring

@nickdring OK, from the PHP error log it is clear that the LDAP client did not yet start. You probably still have the protocol (ldaps://) and/or the port number in the Host field. Can you check? You can check which parameter is used in ldap_connect. For now, you can add error_log("LDAP connecting to ".$this->config['connection_string']); on line 162 in libraries/vendor/symfony/ldap/Adapter/ExtLdap/Connection.php. I'll probably work on some more (and more correct) Joomla logging later.

tatankat avatar Aug 23 '22 09:08 tatankat

Hi @tatankat, this is my setup. [screenshot]

nickdring avatar Aug 23 '22 09:08 nickdring

@nickdring If there aren't any trailing spaces there, I see no reason why it would give that error. Everything looks ok. So I added the logging. To get some logging, you should enable logging in Joomla: "Global configuration" > Logging > "Log Almost Everything". On the same page, you see also the file where the logs should be (named everything.php).

The LDAP client debug logging is still somewhere else: not in the php_error.log, but in your web server error log.

I hope this will give us some pointers... Also, adding the PHP snippet I gave can give us some useful information.

tatankat avatar Sep 12 '22 00:09 tatankat