Author Topic: LDAP Authentication on 1.7.Beta2  (Read 6441 times)

ap

LDAP Authentication on 1.7.Beta2
« on: April 04, 2010, 10:37:47 am »
I am trying to use LDAP in fengoffice 1.7.Beta2 and I get the following error (in log.php).

#1 ERROR: Error: ldap_bind() [<a href='function.ldap-bind'>function.ldap-bind</a>]: Unable to bind to server: Can't contact LDAP server in 'C:\Program Files (x86)\Apache Software Foundation\Apache2.2\htdocs\FengOffice\library\PEAR\Net\LDAP2.php' on line 357 (error code: 2)

Here is what is in my ldap.config.php file

  <?php
  $config_ldap = array (
      'binddn'    => 'cn=Manager,dc=example,dc=com',
      'bindpw'    => 'passwd',
      'basedn'    => 'dc=example,dc=com',
      'host'      => 'localhost',
      'starttls'  => false,
      'port'      => 636,
      'version'   => 3,
      'uid'       => 'admin' // Change according to your settings to match the userid entry
  );
  return true;

I have used the following settings in JExplorer to successfully connect to the LDAP server

Host: localhost
Port: 636
Protocol: LDAP v3
Base DN: dc=example,dc=com
Security level: SSL + user +password
User DN: cn=Manager,dc=example,dc=com
password: 'passwd'

I also created a user id ('admin') in fengoffice before I used the LDAP feature. I am not sure what I am doing wrong. Is it the SSL I am using? Any help will be greatly appreciated.



« Last Edit: April 04, 2010, 10:49:46 am by ap »

markc

Re: LDAP Authentication on 1.7.Beta2
« Reply #1 on: April 04, 2010, 05:34:12 pm »
I don't think it is your current issue but one thing is that I think your uid parameter is incorrect. Unless something has changed (I'm on 1.6.2), the uid parameter says which field in LDAP should be used to validate the username. That is, if you try to log in as joebob1 your current config would tell fengoffice to look in LDAP for a field named admin, which probably isn't there. I think it is usually just 'cn' for the common name field in LDAP, but it could be different. Since I'm using AD and the cn field isn't consistent, I've got mine set to 'sAMAccountName'.

Next...just to be certain...does your config actually say dc=example,dc=com or are you just giving that as the example in this post?

HTH,
Mark

ap

Re: LDAP Authentication on 1.7.Beta2
« Reply #2 on: April 04, 2010, 10:12:19 pm »
I am sorry, if this is not the correct forum, I can move it to another forum. The "dc=example" is just a name that I gave, which is the same as what I have defined in the OpenLDAP.
I am actually running this on a stand-alone Windows 7 computer using localhost as my IP address. Another thing I noticed, every time I try to log in, is the error that OpenLDAP returns.

conn=0 fd=1280 ACCEPT from IP=127.0.0.1:63568 (IP=0.0.0.0:636)
TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:562
conn=0 fd=1280 closed

I am guessing that this is because I am using SSL on OpenLDAP. 

Thanks,

markc

Re: LDAP Authentication on 1.7.Beta2
« Reply #3 on: April 05, 2010, 12:37:45 pm »
Well, does it work if you turn off the ssl?

ap

Re: LDAP Authentication on 1.7.Beta2
« Reply #4 on: April 06, 2010, 01:21:26 am »
It works without SSL. However, there was one error I had to correct before it worked. It was 'uid' = 'admin' in the ldap.config.php file. I changed it to 'uid' = 'uid' and also had to change the port to 389 (non-ssl port) and 'password_encoding'=>'MD5',.

  <?php
  $config_ldap = array (
      'binddn'    => 'cn=Manager,dc=example, dc=com',
      'bindpw'    => 'passwd',
      'basedn'    => 'dc=example,dc=com',
      'host'      => 'localhost',
      'starttls'  => false,
      'password_encoding' => 'MD5',
      'port'      => 389,
      'version'   => 3,
      'uid'       => 'uid' // Change according to your settings to match the userid entry
  );

But this did not work when I use SSL (after changing the port back to 636 and running OpenLDAP with SSL).

Also, when I run it under non-SSL mode, it authenticates the user on my OpenLDAP server, but when I create a new user it creates it in my MySQL database. I am not sure if this is because I started fengoffice with MySQL and then shifted to LDAP.

Thanks in advance
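The slapd log quoted earlier ("SSL23_GET_CLIENT_HELLO:unknown protocol") is what a TLS-only port 636 reports when a client opens a plain, unencrypted LDAP connection to it, which is what 'host' => 'localhost' with 'starttls' => false does. The following is an added example, not Feng Office's or the poster's own code, showing the two transport-secure variants of the same $config_ldap and a small bind check; it assumes PEAR Net_LDAP2 passes 'host' unchanged to ldap_connect(), which accepts an ldaps:// URI, and that the client's ldap.conf trusts the slapd certificate.

```php
<?php
// Added example (hypothetical configs), not part of the Feng Office project.
require_once 'Net/LDAP2.php';

// Variant A: LDAP over TLS from the first byte (ldaps, port 636).
// 'starttls' must stay false here: STARTTLS is an upgrade of a plain
// connection and is not valid on a port that already expects TLS.
$config_ldaps = array(
    'binddn'   => 'cn=Manager,dc=example,dc=com',
    'bindpw'   => 'passwd',
    'basedn'   => 'dc=example,dc=com',
    'host'     => 'ldaps://localhost',   // the scheme selects TLS, not the port alone
    'port'     => 636,
    'starttls' => false,
    'version'  => 3,
    'uid'      => 'uid',                 // attribute matched against the login name
);

// Variant B: plain port 389 upgraded with STARTTLS before the bind.
// Use one or the other; running slapd with only ldaps:// means variant A.
$config_starttls = array(
    'binddn'   => 'cn=Manager,dc=example,dc=com',
    'bindpw'   => 'passwd',
    'basedn'   => 'dc=example,dc=com',
    'host'     => 'localhost',
    'port'     => 389,
    'starttls' => true,
    'version'  => 3,
    'uid'      => 'uid',
);

// Connect and bind with the given config. Returns '' on success, otherwise the
// Net_LDAP2 error text, so a transport failure ("Can't contact LDAP server")
// can be told apart from bad credentials ("Invalid credentials") in log.php.
// Assumes the slapd certificate is trusted via TLS_CACERT in ldap.conf;
// do not switch TLS_REQCERT to "never" to make the handshake pass.
function ldap_bind_check(array $config)
{
    $ldap = Net_LDAP2::connect($config);
    if (Net_LDAP2::isError($ldap)) {
        return $ldap->getMessage();
    }
    $ldap->done();
    return '';
}

$err = ldap_bind_check($config_ldaps);
echo ($err === '') ? "ldaps bind OK\n" : "ldaps bind failed: $err\n";
```

Running this script from the same PHP installation that serves Feng Office reproduces the bind outside the application, so the error seen in log.php can be confirmed or ruled out before touching ldap.config.php.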

markc

Re: LDAP Authentication on 1.7.Beta2
« Reply #5 on: April 09, 2010, 12:43:32 am »
Glad to see that fixing the uid parameter worked! :)

Not sure about your SSL issue. Need a client-side cert. or something? I've only really set up openvpn before when it comes to using SSL...so I dunno.

The MySQL thing for your users is normal. The patch checks MySQL first to make sure that the username is valid in F.O. and then looks up that user in ldap and sees if that user can bind to ldap. This is so that some random user in ldap won't be allowed in F.O. even if they have no account there.

I usually let F.O. assign a random password and turn off the email notification on new user creation. Since it is already in ldap I just tell people to use the login they use for everything else, so they don't need the email.

ap

Re: LDAP Authentication on 1.7.Beta2
« Reply #6 on: April 12, 2010, 09:14:41 pm »
Thanks for the reply.  On the Userid creation, when a new user is created in F.O. will it create a user in LDAP? Assuming that the user is not in the LDAP database.

ignacio

Re: LDAP Authentication on 1.7.Beta2
« Reply #7 on: April 13, 2010, 07:14:37 am »
It doesn't.