Uploaded image for project: 'Observium'
  1. Observium
  2. OBS-3611

ldap_compare not working against certain system

Details

    • Bug
    • Resolution: Fixed
    • Major
    • None
    • Professional Edition
    • Authentication
    • None

    Description

      It looks like some 'cloud' LDAP implementations such as Okta does not support ldap_compare.  Also, currently LDAP auth is using the binded-as user, but that causes issues if that cannot do group lookups.

      I've attached a patch that solves this and appreciate if it can be landed upstream.  It also addresses OBS-1976

      Attachments

        Issue Links

          Activity

            [OBS-3611] ldap_compare not working against certain system
            bot Observium Bot made changes -
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]

            Yah, sure.. was changed to more strict option validate.
            Fixed in r10948.

            landy Mike Stupalov added a comment - Yah, sure.. was changed to more strict option validate. Fixed in r10948.

            OK, it is working perfectly for me.  The issue was that we had the following:

             

            $config['auth_ldap_starttls'] = true;
            

            but it looks like new versions of the code seem to use `require` or `optional`, updating to `require` fixed it.  Perhaps it would be beneficial to maybe fallback true value to require

             

             

            mnaser Mohammed Naser added a comment - OK, it is working perfectly for me.  The issue was that we had the following:   $config[ 'auth_ldap_starttls' ] = true ; but it looks like new versions of the code seem to use `require` or `optional`, updating to `require` fixed it.  Perhaps it would be beneficial to maybe fallback true value to require    

            I've found in Okta's logs that it is logging the following:

            failure : A secure connection cannot be established. To admin: This service requires TLS.

            I'm looking at what's the reason

            mnaser Mohammed Naser added a comment - I've found in Okta's logs that it is logging the following: failure : A secure connection cannot be established. To admin: This service requires TLS. I'm looking at what's the reason

            BTW, we are a pro customer, I'm happy to provide access to the system that's not working for you to run some tests.

            mnaser Mohammed Naser added a comment - BTW, we are a pro customer, I'm happy to provide access to the system that's not working for you to run some tests.

            Hey Mike:

            I've actually reverted my patch, running trunk (r10937) and now I seem to be running into this (logging in with `/debug/`):

             

            Error binding to LDAP server: <org>.ldap.okta.com: Server is unwilling to perform

             

            svn diff shows no output at all.

            mnaser Mohammed Naser added a comment - Hey Mike: I've actually reverted my patch, running trunk (r10937) and now I seem to be running into this (logging in with `/debug/`):   Error binding to LDAP server: <org>.ldap.okta.com: Server is unwilling to perform   svn diff shows no output at all.

            For correct results revert your local changes:

            svn revert html/includes/authentication/ldap.inc.php

            landy Mike Stupalov added a comment - For correct results revert your local changes: svn revert html/includes/authentication/ldap.inc.php
            landy Mike Stupalov made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: In Progress [ 3 ] New: Resolved [ 5 ]

            Ok, can you check with latest revision my workaround.
            I added check errors if ldap_compare() return error.

            Fixed in r10937.

            landy Mike Stupalov added a comment - Ok, can you check with latest revision my workaround. I added check errors if ldap_compare() return error. Fixed in r10937.
            landy Mike Stupalov made changes -
            Status Original: In Review [ 10101 ] New: In Progress [ 3 ]

            People

              landy Mike Stupalov
              mnaser Mohammed Naser
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: