TeamPass
LDAP - User is expired! // User could not be authentificated
Server configuration
Operating system: Linux TeamPass 5.10.0-14-amd64 #1 SMP Debian 5.10.113-1 (2022-04-29) x86_64
Web server: Apache/2.4.53 (Debian)
Database: 5.5.5-10.5.15-MariaDB-0+deb11u1
PHP version: 7.4.28
Teampass version: 3.0.0.17
Teampass configuration file:
'max_latest_items' => '10',
'enable_favourites' => '1',
'show_last_items' => '1',
'enable_pf_feature' => '0',
'log_connections' => '1',
'log_accessed' => '1',
'time_format' => 'H:i:s',
'date_format' => 'd/m/Y',
'duplicate_folder' => '0',
'item_duplicate_in_same_folder' => '0',
'duplicate_item' => '0',
'number_of_used_pw' => '3',
'manager_edit' => '1',
'cpassman_dir' => '/var/www/html/TeamPass',
'cpassman_url' => 'http://<anonym_url>/TeamPass',
'favicon' => 'http://<anonym_url>/TeamPass/favicon.ico',
'path_to_upload_folder' => '/var/www/html/TeamPass/upload',
'path_to_files_folder' => '/var/www/html/TeamPass/files',
'url_to_files_folder' => 'http://<anonym_url>/TeamPass/files',
'activate_expiration' => '0',
'pw_life_duration' => '0',
'maintenance_mode' => '0',
'enable_sts' => '0',
'encryptClientServer' => '1',
'cpassman_version' => '3.0.0.17',
'ldap_mode' => '1',
'ldap_type' => 'ActiveDirectory',
'ldap_suffix' => '0',
'ldap_domain_dn' => '0',
'ldap_domain_controler' => '0',
'ldap_user_attribute' => 'samaccountname',
'ldap_ssl' => '0',
'ldap_tls' => '0',
'ldap_elusers' => '0',
'ldap_search_base' => '0',
'ldap_port' => '389',
'richtext' => '0',
'allow_print' => '0',
'roles_allowed_to_print' => '0',
'show_description' => '1',
'anyone_can_modify' => '0',
'anyone_can_modify_bydefault' => '0',
'nb_bad_authentication' => '0',
'utf8_enabled' => '1',
'restricted_to' => '0',
'restricted_to_roles' => '0',
'enable_send_email_on_user_login' => '0',
'enable_user_can_create_folders' => '0',
'insert_manual_entry_item_history' => '0',
'enable_kb' => '0',
'enable_email_notification_on_item_shown' => '0',
'enable_email_notification_on_user_pw_change' => '0',
'custom_logo' => '',
'custom_login_text' => '',
'default_language' => 'english',
'send_stats' => '0',
'send_statistics_items' => 'stat_country;stat_users;stat_items;stat_items_shared;stat_folders;stat_folders_shared;stat_admins;stat_managers;stat_ro;stat_mysqlversion;stat_phpversion;stat_teampassversion;stat_languages;stat_kb;stat_suggestion;stat_customfields;stat_api;stat_2fa;stat_agses;stat_duo;stat_ldap;stat_syslog;stat_stricthttps;stat_fav;stat_pf;',
'send_stats_time' => '1650198767',
'get_tp_info' => '1',
'send_mail_on_user_login' => '0',
'nb_items_by_query' => 'auto',
'enable_delete_after_consultation' => '0',
'enable_personal_saltkey_cookie' => '0',
'personal_saltkey_cookie_duration' => '31',
'email_smtp_server' => '
Client configuration
Browser: EDGE v94.0
Operating system: W10 21H1
Logs
Web server error log
No error
Log from the web-browser developer console (CTRL + SHIFT + i)
No message
LDAP synchronization is functional, no problem getting all my users.
I add one user and I have "managed through AD".
When I try to connect, I have an LDAP error: "User is expired!". When I try to test user/pwd in the LDAP config, I have "LDAP - user could not be authentificated".
If I try another user, it's good (in the LDAP config).
I don't know how to activate debug mode on the LDAP connector.
When I click on LDAP synchro, I get all users and groups; the filter is not applied. Do you have a limit on the number of users?
https://github.com/nilsteampassnet/TeamPass/issues/3165#issuecomment-1129719908 Use domain\user. You also need to configure emails: encryption keys are sent to the new user's email, regardless of whether it is configured or not.
Hi,
I received the mail with my encryption code.
I have 2 users for my test:
AAAAAA.BBBBB (domain)
--------- CCCCCCC (OU)
----------------- User1
----------------- User2
NetBIOS Domain is DDDDDD
User1 can test the current LDAP config without error, but when I try to connect to TeamPass, I have "expired user". User2 has an error directly in the LDAP config menu.
I have many users (7000+); is it possible there is a problem with an internal TP limit? I don't find all my users in LDAP synchronization. When I try LDAP synchronization, I have in the console: error: false, entries: Array(6000), ldap_groups: Array(1252)
I tried to create the user manually in TeamPass and then synchronise LDAP -- same result.
I tested the connection with DDDDD\user1 -> KO: Login credentials do not correspond.
I tested modifying the user login in TP to DDDDDDD\user1 -- KO, error.log ->
PHP Fatal error: Uncaught LdapRecord\Query\ObjectNotFoundException: No LDAP query results for filter: [(samaccountname=DDDDDD\user1)] in: [] in /var/www/html/TeamPass/includes/libraries/LdapRecord/Query/ObjectNotFoundException.php:33\nStack
I tested the connection with [email protected] --- KO
Is it possible to activate debug mode for LDAP? The variable debugldap in https://teampass.readthedocs.io/en/latest/install/ldap/ is not present in TP v3.0.0.17.
How it worked for me:
LDAP synchronization >> add domain user >> edit domain user >> edit login user >> AAAAAA.BBBBB\user
Maybe you should try to separate the users. Create another OU and add test users there.
Thanks for your response,
I created a new OU and modified my LDAP config to point to this OU. That is good.
The LDAP synchronization sees all my users in this OU. I see User1 and User2. I added my 2 users with the button "Add user in Teampass" and then I modified the login to AAAA.BBBB\user1.
I have "Login credentials do not correspond!" in the TP prompt when I just type "User1".
I have no error in /var/log/apache2/error.log.
Do you know how to activate more logging for LDAP?
I solved my problem.
In identity.php:
// Check shadowexpire attribute - if === 1 then user disabled
if (
    (isset($userADInfos['shadowexpire'][0]) === true && (int) $userADInfos['shadowexpire'][0] === 1)
    ||
    !(isset($userADInfos['accountexpires'][0]) === true && (int) $userADInfos['accountexpires'][0] < time())
) {
    return [
        'error' => true,
        'message' => langHdl('error_ad_user_expired'),
    ];
}
Just invert the condition for accountexpires (add a !):
!(isset($userADInfos['accountexpires'][0]) === true && (int) $userADInfos['accountexpires'][0] < time())
Because: accountexpires[0] exists every time ==> isset($userADInfos['accountexpires'][0]) is always TRUE. The value for a user that never expires is 0, so ==> (int) $userADInfos['accountexpires'][0] < time() is always TRUE.
TRUE && TRUE is TRUE.
The if is TRUE and returns the error.
My problem for User1 and User2 is resolved, but they are test users.
For my real user, I have "LDAP error: Error : User could not be authentificated".
Same OU for my real and test users... it's very strange. I added test User3 and it's OK.
But for me and the other real persons, it's not functional.
If you have any idea...
It's my last comment. I resolved my problem, temporarily.
The "displayName" in my AD is different from the sAMAccountName.
Example: User1 ==> sAMAccountName is User1 //// displayName is Robert Tuch
When I try to connect ==> KO
But if I modify the displayName for my User1 ==> displayName = sAMAccountName = User1 ==> OK, successful!
I haven't investigated the PHP; if I solve my case definitively, I will post the new code.
It's good with these parameters:
With the French translation, "User Distinguished Name" is "Error error string"...
LDAP is functional with the code modification in identity.php (the "AD user is expired" problem).
I had this problem. When I commented out the line, the one who was working and the one who wasn't working both stopped; I changed the lower condition from true to false and it worked for both users.
(isset($userADInfos['accountexpires'][0]) === false && (int) $userADInfos['accountexpires'][0] < time())
Hello, I confirm that in version 3.0.0.18 the manipulation above corrects the authentication by AD.
Hello everyone, I am using Teampass 3.0.0.20 and I have the same problem. Everything in LDAP works fine, but if I try to log in with an AD user, the user is expired or the credentials are wrong. One thing I noticed: if I switch off "Password expires" in the AD user itself, the login works; sadly that's no solution for me...
One question: where can I find the identity.php file mentioned above? The only identity.php I can find is the following file: /var/www/html/teampass/includes/libraries/Authentication/phpseclib/System/SSH/Agent
But in this file there is no "// Check shadowexpire" check.
Thx in advance!
You may need to specify the users OU correctly. For some reason, I can't search for users recursively; you need to explicitly set the full OU of the list of users. I also had to manually change the user login to domain\login in the user profile. https://github.com/nilsteampassnet/TeamPass/issues/3165
Hello @rrgadeev,
Edit: I did another try; I changed my normal AD account from "Never Expires" to Expires "Date in a Month"... and there we go.. I can log in with that account. To make sure that's the problem, I switched it back to "Never Expires".. and I get the error again. Looks like there is a wrong condition in the LDAP login code still using the expire date if the option in AD is set to "Never Expire". (In case someone doesn't know: if the AD option is set to "Account never expires", AD automatically sets the current day as expire date.) Anyone has any idea where I can find the code for this? :) I opened a new issue for this case: #3341
Unfortunately there is no chance for me to only use one specific OU. I also think that this is not the problem in my case, because I can sign in with my test user, which is in a recursive OU. On the LDAP settings page, the LDAP test works with every user I used for this test.
I edited the AD object of the above test user: I switched off the "Password never expires" button and switched it on again. I don't know why, but now I can log in to Teampass. I even deleted the user from TeamPass and resynced it.. login still works.
For another user I edited the Teampass login to domain\user; the login is not working. Actually I don't even get an error or anything.. it's just doing nothing. The same problem occurs with the test user.
The next try was to change the whole LDAP sync (user name attribute) from samaccountname to userprincipalname.. the login with my test user works.. with other users I have the same problem.
The last try was to switch off and on "Password never expires" for my normal user.. I don't yet get why.. but it's not working for this one. It still says "User Expired".
Do you have any other idea? Thx, Simon
I solved my problem.
In identity.php:
// Check shadowexpire attribute - if === 1 then user disabled
if (
    (isset($userADInfos['shadowexpire'][0]) === true && (int) $userADInfos['shadowexpire'][0] === 1)
    ||
    !(isset($userADInfos['accountexpires'][0]) === true && (int) $userADInfos['accountexpires'][0] < time())
) {
    return [
        'error' => true,
        'message' => langHdl('error_ad_user_expired'),
    ];
}
Just invert the condition for accountexpires (add a !):
!(isset($userADInfos['accountexpires'][0]) === true && (int) $userADInfos['accountexpires'][0] < time())
Because: accountexpires[0] exists every time ==> isset($userADInfos['accountexpires'][0]) is always TRUE. The value for a user that never expires is 0, so ==> (int) $userADInfos['accountexpires'][0] < time() is always TRUE.
TRUE && TRUE is TRUE.
The if is TRUE and returns the error.
This is the solution to my problem as well! :) But the file is not identity.php.. it is identify.php (/var/www/html/teampass/sources).
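The root cause behind both the "add a !" workaround posted above and the "Never Expires" observation in Simon's comment is that Active Directory's accountExpires attribute is not a Unix timestamp: it is a Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC), and AD stores "never expires" as either 0 or 9223372036854775807. Comparing the raw value with PHP's time() therefore reports 0 as "already expired" and reports any real expiry date, past or future, as far in the future. Negating the condition only swaps the error around: accounts with accountExpires = 0 pass, while every account that carries an actual expiry date (including one still months away) is rejected. The following is an added example, not TeamPass code and not the content of identify.php; it assumes 64-bit PHP and an entry array shaped like ldap_get_entries() output (lower-cased attribute names, values at index 0). The sample entries and the $now value are constructed for the demonstration.

```php
<?php
// Added example, not TeamPass code: how to evaluate Active Directory's
// accountExpires attribute for the "user is expired" check discussed in
// this thread. Assumes 64-bit PHP and an entry array shaped like
// ldap_get_entries() output (lower-cased attribute names, values at [0]).
declare(strict_types=1);

// accountExpires is a Windows FILETIME: 100-nanosecond intervals since
// 1601-01-01 UTC. AD stores "never expires" as either 0 or INT64 max.
const AD_NEVER_EXPIRES_MAX = '9223372036854775807';
// Seconds between 1601-01-01 and 1970-01-01 (the Unix epoch).
const WINDOWS_EPOCH_OFFSET = 11644473600;
// userAccountControl flag ACCOUNTDISABLE; disabling is separate from expiry.
const UAC_ACCOUNTDISABLE = 0x0002;

/**
 * Convert an accountExpires string to a Unix timestamp, or null when the
 * value means "never expires". The raw string is inspected first so both
 * sentinel values are recognised before any integer arithmetic.
 */
function adAccountExpiresToUnix(string $fileTime): ?int
{
    $digits = ltrim(trim($fileTime), '0');          // '0' and '' both mean never
    if ($digits === '' || $digits === AD_NEVER_EXPIRES_MAX) {
        return null;
    }
    return intdiv((int) $digits, 10000000) - WINDOWS_EPOCH_OFFSET;
}

/**
 * Replacement for a raw "accountexpires < time()" comparison: only an
 * expiry date in the past blocks the login, "never expires" passes, and
 * a disabled account is rejected via userAccountControl.
 */
function isAdLoginBlocked(array $userADInfos, int $now): bool
{
    // posixAccount convention kept from the check quoted in this thread.
    if (isset($userADInfos['shadowexpire'][0]) && (int) $userADInfos['shadowexpire'][0] === 1) {
        return true;
    }
    if (isset($userADInfos['useraccountcontrol'][0])
        && ((int) $userADInfos['useraccountcontrol'][0] & UAC_ACCOUNTDISABLE) !== 0) {
        return true;
    }
    if (!isset($userADInfos['accountexpires'][0])) {
        return false;                                // attribute absent: not expired
    }
    $expiresAt = adAccountExpiresToUnix((string) $userADInfos['accountexpires'][0]);
    return $expiresAt !== null && $expiresAt < $now;
}

// Constructed sample entries (not real directory data); $now is 2022-04-15 UTC.
$now = 1650000000;
$samples = [
    'never expires (0)'        => ['accountexpires' => ['0']],
    'never expires (INT64max)' => ['accountexpires' => ['9223372036854775807']],
    'expired 2020-01-01'       => ['accountexpires' => ['132223104000000000']],
    'expires 2030-01-01'       => ['accountexpires' => ['135379296000000000']],
    'disabled, never expires'  => ['accountexpires' => ['0'], 'useraccountcontrol' => ['514']],
    'posix shadowExpire = 1'   => ['shadowexpire' => ['1']],
];
foreach ($samples as $label => $entry) {
    printf("%-26s => %s\n", $label, isAdLoginBlocked($entry, $now) ? 'blocked' : 'ok');
}
```

Run it with `php` from the command line. Only the 2020 entry, the disabled entry and the shadowExpire entry come back as blocked; both "never expires" encodings and the 2030 date pass. The userAccountControl test is an addition beyond what the quoted check does: an account that is disabled in AD but has no expiry date would otherwise pass an expiry-only test, and the bind itself may be the only thing stopping it, so a practitioner wiring this into an LDAP login path should keep both conditions.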