[OBS-3611] ldap_compare not working against certain system - Observium

Details

Type: Bug
Resolution: Fixed
Priority: Major
Fix Version/s: None
Affects Version/s: Professional Edition
Component/s: Authentication
Labels:
None

Description

It looks like some 'cloud' LDAP implementations such as Okta does not support ldap_compare. Also, currently LDAP auth is using the binded-as user, but that causes issues if that cannot do group lookups.

I've attached a patch that solves this and appreciate if it can be landed upstream. It also addresses ~~OBS-1976~~

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

ldap.patch
1 kB
2021/01/13 07:47 PM

Issue Links

mentions

OBS-1976 ldap auth not working properly with groups and non anonymous bind

Closed

Activity

[OBS-3611] ldap_compare not working against certain system

Mike Stupalov added a comment - 2021/01/15 03:20 PM

Yah, sure.. was changed to more strict option validate.
Fixed in r10948.

Mike Stupalov added a comment - 2021/01/15 03:20 PM Yah, sure.. was changed to more strict option validate. Fixed in r10948.

Mohammed Naser added a comment - 2021/01/14 08:21 PM

OK, it is working perfectly for me. The issue was that we had the following:

$config['auth_ldap_starttls'] = true;

but it looks like new versions of the code seem to use `require` or `optional`, updating to `require` fixed it. Perhaps it would be beneficial to maybe fallback true value to require

Mohammed Naser added a comment - 2021/01/14 08:21 PM OK, it is working perfectly for me. The issue was that we had the following: $config[ 'auth_ldap_starttls' ] = true ; but it looks like new versions of the code seem to use `require` or `optional`, updating to `require` fixed it. Perhaps it would be beneficial to maybe fallback true value to require

Mohammed Naser added a comment - 2021/01/14 08:18 PM

I've found in Okta's logs that it is logging the following:

failure : A secure connection cannot be established. To admin: This service requires TLS.

I'm looking at what's the reason

Mohammed Naser added a comment - 2021/01/14 08:18 PM I've found in Okta's logs that it is logging the following: failure : A secure connection cannot be established. To admin: This service requires TLS. I'm looking at what's the reason

Mohammed Naser added a comment - 2021/01/14 03:03 PM

BTW, we are a pro customer, I'm happy to provide access to the system that's not working for you to run some tests.

Mohammed Naser added a comment - 2021/01/14 03:03 PM BTW, we are a pro customer, I'm happy to provide access to the system that's not working for you to run some tests.

Mohammed Naser added a comment - 2021/01/14 03:01 PM

Hey Mike:

I've actually reverted my patch, running trunk (r10937) and now I seem to be running into this (logging in with `/debug/`):

Error binding to LDAP server: <org>.ldap.okta.com: Server is unwilling to perform

svn diff shows no output at all.

Mohammed Naser added a comment - 2021/01/14 03:01 PM Hey Mike: I've actually reverted my patch, running trunk (r10937) and now I seem to be running into this (logging in with `/debug/`): Error binding to LDAP server: <org>.ldap.okta.com: Server is unwilling to perform svn diff shows no output at all.

Mike Stupalov added a comment - 2021/01/14 02:43 PM

For correct results revert your local changes:

svn revert html/includes/authentication/ldap.inc.php

Mike Stupalov added a comment - 2021/01/14 02:43 PM For correct results revert your local changes: svn revert html/includes/authentication/ldap.inc.php

Mike Stupalov added a comment - 2021/01/14 02:20 PM

Ok, can you check with latest revision my workaround.
I added check errors if ldap_compare() return error.

Fixed in r10937.

Mike Stupalov added a comment - 2021/01/14 02:20 PM Ok, can you check with latest revision my workaround. I added check errors if ldap_compare() return error. Fixed in r10937.

Mohammed Naser added a comment - 2021/01/14 01:00 PM

Indeed, it's two seperate issues.

I'm not an expert at LDAP, but it seems like ldap_compare() is a request that is sent to the server. When using the LDAP interface provided by Okta, the result of an ldap_compare is a failure (where the error is "Server is unwilling to perform") – perhaps it would be useful to add error handling for that using ldap_error() as it took me a while to troubleshoot it.

You can see a few other examples of folks who ran into something similiar here:

https://www.reddit.com/r/okta/comments/dp9nig/okta_django_ldap/f6gasrc/?utm_source=reddit&utm_medium=web2x&context=3

Mohammed Naser added a comment - 2021/01/14 01:00 PM Indeed, it's two seperate issues. I'm not an expert at LDAP, but it seems like ldap_compare() is a request that is sent to the server. When using the LDAP interface provided by Okta, the result of an ldap_compare is a failure (where the error is "Server is unwilling to perform") – perhaps it would be useful to add error handling for that using ldap_error() as it took me a while to troubleshoot it. You can see a few other examples of folks who ran into something similiar here: https://www.reddit.com/r/okta/comments/dp9nig/okta_django_ldap/f6gasrc/?utm_source=reddit&utm_medium=web2x&context=3

Mike Stupalov added a comment - 2021/01/14 12:46 PM

Hrm, probably problem with ldap_compare exactly related to bind issue (~~OBS-1976~~)?

Not understand how any service can "not support" ldap_compare() while this is just php function with calls to ldap read..

Mike Stupalov added a comment - 2021/01/14 12:46 PM Hrm, probably problem with ldap_compare exactly related to bind issue ( OBS-1976 )? Not understand how any service can "not support" ldap_compare() while this is just php function with calls to ldap read..

Mike Stupalov added a comment - 2021/01/14 11:53 AM

I fixed ~~OBS-1976~~ by more correct way.

Can you check your ldap but without ldap rebind here:

-  unset($cache['ldap_bind_result']);

-  ldap_bind_dn();

Mike Stupalov added a comment - 2021/01/14 11:53 AM I fixed OBS-1976 by more correct way. Can you check your ldap but without ldap rebind here: - unset($cache['ldap_bind_result']); - ldap_bind_dn();

People

Assignee:: Mike Stupalov

Reporter:: Mohammed Naser

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2021/01/13 07:47 PM

Updated:: 2021/02/14 06:10 PM

Resolved:: 2021/01/14 02:20 PM