[Bug 18947] New: Active Directory LDAP authentication broken

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

            Bug ID: 18947
           Summary: Active Directory LDAP authentication broken
 Change sponsored?: ---
           Product: Koha
           Version: 17.05
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5 - low
         Component: Authentication
          Assignee: [hidden email]
          Reporter: [hidden email]
        QA Contact: [hidden email]
                CC: [hidden email]

Commit 68c365ea8ab536a85d92d3769b0bbaa0e1691116 introduced the following line
in Auth_with_ldap.pm:

$ldap->{anonymous_bind} = 1 unless $ldapname && $ldappassword;

There is no comment in the code or the Git commit log as to why.

This change silently overrides the settings in koha-conf.xml and causes a
previously functional setup with LDAP authentication against Active Directory
to fail unless koha-conf.xml defines values for <user> and <pass>. As user and
pass are only used if auth_by_bind and anonymous_bind are both false, their
values should not come into play in the other cases.

Prior to this change, KOHA would bind against AD with the user supplied
credentials, as expected. With the change, KOHA attempts an anonymous bind and
then tries to search for the supplied user name. As there was no valid bind in
place, AD rejects the attempt.

Workaround: enter some value for <user> and <pass> in the ldapserver
configuration block. These do not have to be real credentials as KOHA will not
attempt to use them now that auth_by_bind has priority again.

Note: there is an apparent duplicate attempt to do the same further down, by
setting $config{anonymous} to ($ldapname and $ldappassword) ? 0 : 1, although
that key is not used anywhere in Auth_by_ldap.pm

--
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
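A model of the bind-mode decision described in this report, as an added example that is not code from Koha's Auth_with_ldap.pm or from this thread: it reproduces how a missing <user>/<pass> overrode an explicit <anonymous_bind>0</anonymous_bind>, why the resulting anonymous-bind-then-search sequence fails against Active Directory, and why the dummy <user>/<pass> workaround helps. The in-memory directory, the jdoe account, example.test and the passwords are constructed, and the `fixed` flag assumes the fix simply respects the configured value.

```python
# Added model of the bind-mode decision this report describes; it is not
# Koha's Auth_with_ldap.pm. The directory below is a constructed in-memory
# stand-in for Active Directory, which (as the reporter observed) accepts an
# anonymous bind but refuses to search on a connection that has not completed
# a successful authenticated bind. jdoe, example.test and the "s3cret"
# password are made up for the demonstration.


class LdapError(Exception):
    """Raised where Net::LDAP would return a non-zero result code."""


class FakeDirectory:
    """Constructed AD stand-in: bind credentials per DN plus a userid->DN map."""

    def __init__(self, credentials, dn_for_userid):
        self.credentials = credentials      # {dn: password}
        self.dn_for_userid = dn_for_userid  # {koha userid: dn}

    def connect(self):
        return FakeConnection(self)


class FakeConnection:
    def __init__(self, directory):
        self.directory = directory
        self.bound_as = None  # DN of the authenticated bind, if any

    def bind(self, dn=None, password=None):
        """Anonymous bind (no dn) always succeeds; simple bind checks the password."""
        if dn is None:
            self.bound_as = None
            return
        if self.directory.credentials.get(dn) != password:
            raise LdapError("invalid credentials for %s" % dn)
        self.bound_as = dn

    def search(self, userid):
        """Like AD, refuse to search until an authenticated bind has completed."""
        if self.bound_as is None:
            raise LdapError("In order to perform this operation a successful "
                            "bind must be completed on the connection.")
        dn = self.directory.dn_for_userid.get(userid)
        if dn is None:
            raise LdapError("LDAP search failed to return object for %s" % userid)
        return dn


def effective_anonymous_bind(config, fixed):
    """Return the anonymous_bind value the login code acts on.

    fixed=False reproduces the line the report quotes: a missing <user> or
    <pass> forces anonymous_bind on, overriding an explicit
    <anonymous_bind>0</anonymous_bind>. fixed=True (assumed behaviour of the
    fix) keeps the configured value.
    """
    anonymous = bool(int(config.get("anonymous_bind", 0)))
    if not fixed and not (config.get("user") and config.get("pass")):
        anonymous = True
    return anonymous


def checkpw_ldap(directory, config, userid, password, fixed):
    """Model of the auth_by_bind path: returns the DN that was bound on success."""
    conn = directory.connect()
    if not config.get("auth_by_bind"):
        raise NotImplementedError("only the auth_by_bind path is modelled here")
    if effective_anonymous_bind(config, fixed):
        conn.bind()                 # anonymous bind, then look the user up...
        dn = conn.search(userid)    # ...which AD rejects: no successful bind yet
    else:
        # principal_name is a printf-style template, as in koha-conf.xml
        dn = config["principal_name"] % userid
    conn.bind(dn, password)         # bind as the user with their own credentials
    return dn


def try_login(directory, config, userid, password, fixed):
    """Wrap checkpw_ldap so outcomes compare as plain strings."""
    try:
        return "ok:" + checkpw_ldap(directory, config, userid, password, fixed)
    except LdapError as err:
        return "error:" + str(err)


# Constructed sample data: one AD account and a config without <user>/<pass>.
SAMPLE_DIRECTORY = FakeDirectory(
    credentials={"jdoe@example.test": "s3cret"},
    dn_for_userid={"jdoe": "jdoe@example.test"},
)
BASE_CONFIG = {"auth_by_bind": 1, "anonymous_bind": 0,
               "principal_name": "%s@example.test"}
# The reporter's workaround: any non-empty <user>/<pass>, never actually used.
WORKAROUND_CONFIG = dict(BASE_CONFIG, user="placeholder", **{"pass": "placeholder"})


if __name__ == "__main__":
    for label, cfg, fixed in [("before fix, no user/pass", BASE_CONFIG, False),
                              ("before fix, workaround", WORKAROUND_CONFIG, False),
                              ("after fix, no user/pass", BASE_CONFIG, True)]:
        print(label, "->", try_login(SAMPLE_DIRECTORY, cfg, "jdoe", "s3cret", fixed))
```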

[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

Sven Coenye <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Active Directory LDAP       |Unexpected Active Directory
                   |authentication broken       |LDAP authentication failure
                   |                            |mode


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

Mason James <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]
           See Also|                            |https://bugs.koha-community
                   |                            |.org/bugzilla3/show_bug.cgi
                   |                            |?id=6979


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

Nick Clemens <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]
           Severity|normal                      |major


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

Nick Clemens <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|[hidden email]-commun |[hidden email]
                   |ity.org                     |

--- Comment #1 from Nick Clemens <[hidden email]> ---
This broke LDAP configuration after upgrade to 17.05, will try to provide a
patch shortly


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

Liz Rea <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--- Comment #2 from Liz Rea <[hidden email]> ---
Thanks for writing this down Nick, just had this problem and couldn't even get
in with the DB admin.


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

Nick Clemens <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |Needs Signoff


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

--- Comment #3 from Nick Clemens <[hidden email]> ---
Created attachment 69777
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=69777&action=edit
Bug 18947 - LDAP: do not assume anonymous bind if no user or password

To test:
Ideally tested on a working ldap server with bind by auth and no
anonymous bind
1  - Define an LDAP config with bind by auth
2  - Don't define user/pass
3  - Define anonymous_bind = 0
4  - Attempt bind by auth
5  - Error is something like:
LDAP search failed to return object : XXXXXXXXX: LdapErr: XXXX-XXXXXX,
     comment: In order to perform this operation a successful bind must
     be completed on the connection., data 0, v2580 at
     /usr/share/koha/lib/C4/Auth_with_ldap.pm line 102.
6  - Define user/pass
7  - Now bind by auth should work
8  - remove user/pass
9  - Apply patch
10 - Attempt again
11 - Bind by auth should succeed

prove -v t/db_dependent/Auth_with_ldap.t


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

Bob Birchall <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #69777|0                           |1
        is obsolete|                            |

--- Comment #4 from Martin Renvoize <[hidden email]> ---
Created attachment 76879
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=76879&action=edit
Bug 18947 - LDAP: do not assume anonymous bind if no user or password

To test:
Ideally tested on a working ldap server with bind by auth and no
anonymous bind
1  - Define an LDAP config with bind by auth
2  - Don't define user/pass
3  - Define anonymous_bind = 0
4  - Attempt bind by auth
5  - Error is something like:
LDAP search failed to return object : XXXXXXXXX: LdapErr: XXXX-XXXXXX,
     comment: In order to perform this operation a successful bind must
     be completed on the connection., data 0, v2580 at
     /usr/share/koha/lib/C4/Auth_with_ldap.pm line 102.
6  - Define user/pass
7  - Now bind by auth should work
8  - remove user/pass
9  - Apply patch
10 - Attempt again
11 - Bind by auth should succeed

prove -v t/db_dependent/Auth_with_ldap.t

Signed-off-by: Martin Renvoize <[hidden email]>


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |martin.renvoize@ptfs-europe
                   |                            |.com
             Status|Needs Signoff               |Signed Off

--- Comment #5 from Martin Renvoize <[hidden email]> ---
Can't believe I hadn't come across this until now!

Signing Off.


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

--- Comment #6 from Liz Rea <[hidden email]> ---
I just had to add the extra configs because of this last night lol.


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

Katrin Fischer <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--- Comment #7 from Katrin Fischer <[hidden email]> ---
Hi Liz, could you sign off so we can count Martin for QA?


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

--- Comment #8 from Katrin Fischer <[hidden email]> ---
Is this also valid for master?


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

--- Comment #9 from Liz Rea <[hidden email]> ---
I don't have a non-production LDAP to test against :(


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

Jonathan Druart <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]-c
                   |                            |ommunity.org
         Depends on|                            |6979


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6979
[Bug 6979] LDAP authentication fails during password comparison

[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

Jonathan Druart <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|17.05                       |master


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

Jonathan Druart <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--- Comment #10 from Jonathan Druart <[hidden email]> ---
Alex, could you have a look at this one and QA it?


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

Brendan Gallagher <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #76879|0                           |1
        is obsolete|                            |

--- Comment #11 from Brendan Gallagher <[hidden email]> ---
Created attachment 78001
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=78001&action=edit
Bug 18947 - LDAP: do not assume anonymous bind if no user or password

To test:
Ideally tested on a working ldap server with bind by auth and no
anonymous bind
1  - Define an LDAP config with bind by auth
2  - Don't define user/pass
3  - Define anonymous_bind = 0
4  - Attempt bind by auth
5  - Error is something like:
LDAP search failed to return object : XXXXXXXXX: LdapErr: XXXX-XXXXXX,
     comment: In order to perform this operation a successful bind must
     be completed on the connection., data 0, v2580 at
     /usr/share/koha/lib/C4/Auth_with_ldap.pm line 102.
6  - Define user/pass
7  - Now bind by auth should work
8  - remove user/pass
9  - Apply patch
10 - Attempt again
11 - Bind by auth should succeed

prove -v t/db_dependent/Auth_with_ldap.t

Signed-off-by: Martin Renvoize <[hidden email]>

Signed-off-by: Brendan A Gallagher <[hidden email]>


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

--- Comment #12 from Katrin Fischer <[hidden email]> ---
Thx, Brendan. Martin, are you ok with switching to PQA counting yours as QA?


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Signed Off                  |Passed QA

--- Comment #13 from Martin Renvoize <[hidden email]> ---
Certainly, the code is solid and I'm more than happy for my SO to count as QA
:)


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

Nick Clemens <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Passed QA                   |Pushed to Master

--- Comment #14 from Nick Clemens <[hidden email]> ---
Awesome work all!

Pushed to master for 18.11


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Pushed to Master            |Pushed to Stable
  Text to go in the|                            |This corrects an
      release notes|                            |

--- Comment #15 from Martin Renvoize <[hidden email]> ---
Pushed to 18.05.x for 18.05.03


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Text to go in the|This corrects an            |
      release notes|                            |


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

Fridolin SOMERS <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]
                   |                            |m

--- Comment #16 from Fridolin SOMERS <[hidden email]> ---
Pushed to 17.11.x for 17.11.09


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

Fridolin SOMERS <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Pushed to Stable            |RESOLVED
         Resolution|---                         |FIXED

--- Comment #17 from Fridolin SOMERS <[hidden email]> ---
Pushed to 17.05.x for 17.05.14


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

[hidden email] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--- Comment #18 from [hidden email] ---
I think something is broken here yet...

I updated from 17.11.04-1 to 18.05.04-1 stock Debian packages. This update
broke my functioning ldap configuration.

What I see is that if ldap is enabled and using auth_by_bind, I am not able to
login either using any local accounts or AD ones, and I get this error:

LDAP search failed to return object : 000004DC: LdapErr: DSID-0C09075A,
comment: In order to perform this operation a successful bind must be completed
on the connection., data 0, v1db1 at /usr/share/koha/lib/C4/Auth_with_ldap.pm
line 101.

My version is:

root@newkoha:~# apt-cache show koha-common
Package: koha-common
Source: koha
Version: 18.05.04-1
Architecture: all


My koha ldap config is:

<ldapserver id="ldapserver">
  <hostname>some.ip.address.here</hostname>
  <!--base>ou=alumnos,dc=aulas,dc=campus,dc=local</base -->
  <base>dc=aulas,dc=campus,dc=local</base>
  <user>[hidden email]</user><!-- DN, if not anonymous -->
  <pass>some.password</pass><!-- password, if not anonymous -->
  <replicate>1</replicate>       <!-- add new users from LDAP to Koha database -->
  <update>1</update>             <!-- update existing users in Koha database -->
  <auth_by_bind>1</auth_by_bind>
  <anonymous_bind>0</anonymous_bind>
  <principal_name>%[hidden email]</principal_name>
  <!-- optional, for auth_by_bind: a printf format to make userPrincipalName from koha userid -->
  <mapping>             <!-- match koha SQL field names to your LDAP record field names -->
   <userid       is="cn"></userid>
   <password     is=""></password>
   <email        is="userprincipalname"></email>
   <firstname    is="givenName"></firstname>
   <surname      is="displayName"></surname>
   <dateexpiry   is="">2100-01-01</dateexpiry>
   <categorycode is="">PT</categorycode>
  </mapping>
</ldapserver>


My ldap infrastructure works just fine:

root@newkoha:~# shelldap --server some.ip.address.here --basedn
DC=aulas,DC=campus,DC=local --binddn [hidden email]
~ > ls
CN=Builtin
CN=Computers
CN=ForeignSecurityPrincipals
CN=Infrastructure
CN=Keys
CN=LostAndFound
CN=Managed Service Accounts
CN=NTDS Quotas
CN=Program Data
CN=System
CN=TPM Devices
CN=Users
CN=kms
OU=Actualizador
OU=Alumnos
OU=Aula S1-02
OU=Aula S2-01
OU=Aula S2-02
OU=AulaS1-2_Mac
OU=Aulas Teoria
OU=Domain Controllers
OU=GRUPOS_ALUMNOS
OU=Impresoras
OU=Mac
OU=Ordenadores
OU=Profesores
~ >


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

--- Comment #19 from Martin Renvoize <[hidden email]> ---
Hi Jesus,

I'm just trying to get to the bottom of this one.. could you verify a 'grep'
(or 'search') works using your shelldap client using the biblio user for
connection?  That is a bit closer to how Koha functions internally than the
'ls' command you included.

The basic flow in your configuration after the patch is to bind as biblio then
ldapsearch for user, and finally bind as the user that has been found.  Before
the patch, contrary to the documentation the initial service bind was not
taking place, the search was not executed and instead a direct bind was
attempted using the constructed ldapuser name of the user (constructed using
the principal_name configuration).


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

--- Comment #20 from Martin Renvoize <[hidden email]> ---
Hang on.. I just re-read the code again.

So.. it will be binding on the 'user' (not the service user as defined in the
config, but the user who's trying to login).. then as you've got 'update' and
'replicate' enabled that same just-bound user will do an ldapsearch upon
themselves.

That doesn't feel right. I bet your normal koha users don't have search
permissions (even to search for themselves) on the ldap directory (and nor
should they).


[Bug 18947] Unexpected Active Directory LDAP authentication failure mode

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947

--- Comment #21 from Martin Renvoize <[hidden email]> ---
(In reply to Martin Renvoize from comment #20)
> That doesn't feel right. I bet you're normal koha users don't have search
> permissions (even to search for themselves) on the ldap directory (and nor
> should they).

Ignore the 'and nor should they' there.. it seems in LDAP the only way to get
back the ldapentry for yourself is indeed to search for yourself, so it does
make sense for a user to be able to bind and then search for themselves.
