  • Status: Solved
  • Priority: Medium
  • Security: Public

Mantis LDAP Active Directory "Bad search filter" error

Hi all, I am new to PHP and Mantis. I configured my LDAP settings to access Active Directory.
I am getting an authentication failed error. Can anybody suggest where I am going wrong?
LDAP settings ::
I am getting the following error

SYSTEM WARNING: ldap_search() [function.ldap-search]: Search: Bad search filter

SYSTEM WARNING: ldap_get_entries(): supplied argument is not a valid ldap result resource

SYSTEM WARNING: ldap_free_result(): supplied argument is not a valid ldap result resource





 
$g_login_method = LDAP;

$g_ldap_server = '10.202.0.41';
$g_ldap_port = '389';
$g_ldap_root_dn = 'DC=tcstatacap,DC=com[10.202.0.41],DC=tcstatacap,DC=com';
$g_ldap_organization = 'Tata Consultancy Services';
$g_ldap_uid_field = 'sAMAccountName';
$g_ldap_bind_dn = 'OU=Tata Capital,OU=Users,DC=tcstatacap,DC=com,CN=Users,CN=Builtin,DC=tcstatacap,DC=com';
$g_ldap_bind_passwd = '';
$g_use_ldap_email = OFF;
 
LDAP API:

function ldap_connect_bind( $p_binddn = '', $p_password = '' ) {
	$t_ldap_server	= config_get( 'ldap_server' );
	$t_ldap_port	= config_get( 'ldap_port' );

	if ( !extension_loaded( 'ldap' ) ) {
		trigger_error( ERROR_LDAP_EXTENSION_NOT_LOADED, ERROR );
	}

	$t_ds = @ldap_connect( $t_ldap_server, $t_ldap_port );

	if ( $t_ds > 0 ) {
		$t_protocol_version = config_get( 'ldap_protocol_version' );

		if ( $t_protocol_version > 0 ) {
			ldap_set_option( $t_ds, LDAP_OPT_PROTOCOL_VERSION, $t_protocol_version );
		}

		# If no Bind DN and Password is set, attempt to login as the configured
		#  Bind DN.
		if ( is_blank( $p_binddn ) && is_blank( $p_password ) ) {
			$p_binddn	= config_get( 'ldap_bind_dn', '' );
			$p_password	= config_get( 'ldap_bind_passwd', '' );
		}

		if ( !is_blank( $p_binddn ) && !is_blank( $p_password ) ) {
			$t_br = @ldap_bind( $t_ds, $p_binddn, $p_password );
			//echo "jjjjjjjjjj".$p_binddn.$p_password.$t_br;
			//echo $t_ds."connect".$t_ldap_server."server::".$t_ldap_port."port::". $p_binddn."DN::".$p_password."::password";
		} else {
			# Either the Bind DN or the Password are empty, so attempt an anonymous bind.
			$t_br = @ldap_bind( $t_ds );
		}

		if ( !$t_br ) {
			trigger_error( ERROR_LDAP_AUTH_FAILED, ERROR );
		}
	} else {
		trigger_error( ERROR_LDAP_SERVER_CONNECT_FAILED, ERROR );
	}
	//echo $t_ds;
	return $t_ds;
}

0
Asked by: taruntiwari
1 Solution
 
Chris Dent (PowerShell Developer) commented:

It would be easier to help you if you'd stick in one question...

Where are you getting these values?

$g_ldap_root_dn = 'DC=tcstatacap,DC=com[10.202.0.41],DC=tcstatacap,DC=com';
$g_ldap_organization = 'Tata Consultancy Services';
$g_ldap_bind_dn = 'OU=Tata Capital,OU=Users,DC=tcstatacap,DC=com,CN=Users,CN=Builtin,DC=tcstatacap,DC=com';

Because I honestly cannot see any of them being correct. I do realise the "documentation" Mantis has for configuring LDAP is somewhat lacking, but there is a bit of it if you dig around.

I would say the root DN should be:

$g_ldap_root_dn = 'DC=tcstatacap,DC=com';

Organization has no meaning or context here so I'd leave it blank:

$g_ldap_organization = '';

Your Bind DN cannot be an OU, it must be a user account. This is the account used to search the directory to find the user, the result of the search is used to authenticate the user account logging in.

Where in AD is the user you want to use to perform the search?

I would imagine it to look something like this:

$g_ldap_bind_dn  = 'CN=LDAP User,OU=somewhere,DC=tcstatacap,DC=com';

Chris
0
 
taruntiwari (Author) commented:
Hi Chris, thanks for your valuable comments. I am really unfamiliar with the LDAP process. I would really like the correct values.

I made changes accordingly...

$g_login_method = LDAP;

$g_ldap_server = '10.202.0.41';  # I'm pretty sure just 'localhost' works too
$g_ldap_port = '389';
$g_ldap_root_dn = 'DC=tcstatacap,DC=com'; # tutorials also have 'ou=Users,dc=example,dc=com'
$g_ldap_organization = '';
$g_ldap_bind_dn = 'CN=Tarun Sadan Tiwari,OU=Users,OU=Tata Capital,DC=tcstatacap,DC=com';
$g_ldap_bind_passwd = 'Netomat@april';
$g_use_ldap_email = OFF;

Now the system says:


SYSTEM WARNING: ldap_search() [function.ldap-search]: Search: Operations error

SYSTEM WARNING: ldap_get_entries(): supplied argument is not a valid ldap result resource

SYSTEM WARNING: ldap_free_result(): supplied argument is not a valid ldap result resource

Could you please help me get closer to a solution?

Thanks in advance.
0
 
Chris Dent (PowerShell Developer) commented:

It managed to get past the authentication error this time? That would be a pleasant improvement :)

Do you have to configure any other values for it? There's talk of telling it a uid value somewhere, if so the value should be 'sAMAccountName' rather than UID.

Chris
0
 
taruntiwari (Author) commented:
Thanks Chris.

I suppose something is wrong with the filter variable. Could you please look at this?

$t_search_filter = "(&$t_ldap_organization($t_ldap_uid_field=$t_username))";
$t_search_attrs  = array( $t_ldap_uid_field, 'dn' );
$t_ds            = ldap_connect_bind();

# Search for the user id
$t_sr = ldap_search( $t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs );

and $t_sr won't get any value.
Do I need to change the filter variable, or is the operations error just because I don't have access to the LDAP database?
Thanks
0
 
Chris Dent (PowerShell Developer) commented:

> $t_ldap_uid_field

What value have you given this? This is the one I would want to be "sAMAccountName".

And since we made the org name blank that means it would make a filter like this:

(&(sAMAccountName=<Username>))

> $t_search_attrs        = array( $t_ldap_uid_field, 'dn' );

This one just tells it to return the username field and the dn. We need the DN to authenticate the user, so that's all good.

Chris
0
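
Why the organization value from the question produced "Bad search filter", as an added example (not Mantis code and not from either poster): it rebuilds the filter with the template quoted in the thread and checks its structure before it would reach ldap_search(). The helper names `escape_filter_value`, `build_filter` and `filter_problem` are hypothetical, and the third test case uses constructed values.

```php
<?php
// Added example, not Mantis code. Helper names are hypothetical.

// RFC 4515 escaping for a value placed inside a filter, written by hand so the
// example runs without the ldap extension.
function escape_filter_value(string $value): string {
    return strtr($value, ['\\' => '\5c', '*' => '\2a', '(' => '\28',
                          ')' => '\29', "\0" => '\00']);
}

// Same template as the thread; only the username is escaped here.
function build_filter(string $org, string $uid_field, string $username): string {
    return "(&$org($uid_field=" . escape_filter_value($username) . "))";
}

// Structural check: balanced parentheses, and inside (&...) or (|...) every
// component must itself be parenthesised. Returns null when the filter is fine.
function filter_problem(string $filter): ?string {
    $depth = 0;
    $is_list = [];   // per nesting depth: true for an (&...) or (|...) list
    for ($i = 0, $len = strlen($filter); $i < $len; $i++) {
        $c = $filter[$i];
        if ($c === '(') {
            $op = $filter[$i + 1] ?? '';
            $is_list[++$depth] = ($op === '&' || $op === '|');
            if ($is_list[$depth]) { $i++; }   // step over the operator
        } elseif ($c === ')') {
            if ($depth-- === 0) { return "unbalanced ')' at offset $i"; }
        } elseif ($depth === 0 || $is_list[$depth]) {
            return "text outside parentheses at offset $i: '" . substr($filter, $i, 12) . "'";
        }
    }
    return $depth === 0 ? null : "missing ')'";
}

// Organization values: the first is the one from the question, the second is
// the suggested blank, the third is a constructed parenthesised term.
$cases = [
    ['Tata Consultancy Services', '243917'],
    ['',                          '243917'],
    ['(company=Example Org)',     'smith (contractor)'],   // constructed values
];
foreach ($cases as [$org, $user]) {
    $filter = build_filter($org, 'sAMAccountName', $user);
    echo $filter, "\n  -> ", filter_problem($filter) ?? 'well-formed', "\n";
}
```

When the ldap extension is loaded (PHP 5.6 or later), `ldap_escape( $value, '', LDAP_ESCAPE_FILTER )` performs the same value escaping.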
 
taruntiwari (Author) commented:
Thanks.

It's working fine up to here, but the value of

$t_sr   = @ldap_search( $t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs );
$t_info = ldap_get_entries( $t_ds, $t_sr );

is not working, and hence I got the error

SYSTEM WARNING: ldap_search() [function.ldap-search]: Search: Operations error

SYSTEM WARNING: ldap_get_entries(): supplied argument is not a valid ldap result resource

SYSTEM WARNING: ldap_free_result(): supplied argument is not a valid ldap result resource


How can I make my code execute without error, with successful compilation?

Thanks.
0
 
Chris Dent (PowerShell Developer) commented:

We need to know why it's producing an operations error on the search.

Can you confirm the value for $t_ldap_uid_field because that one is quite involved in the search process. An invalid field, or invalid filter may produce an operations error.

Chris
0
 
taruntiwari (Author) commented:
$t_ldap_uid_field = sAMAccountName

It is getting the value properly. I checked with echo...

Can that error also play a part in it?


APPLICATION ERROR #18
Page redirection error, ensure that there are no spaces outside the PHP block (<?php ?>) in config_inc.php or custom_*.php files.
 
Please use the "Back" button in your web browser to return to the previous page. There you can correct whatever problems were identified in this error or select another action. You can also click an option from the menu bar to go directly to a new section.
 
0
 
Chris Dent (PowerShell Developer) commented:

Ah. I know what's wrong.

> $t_search_attrs        = array( $t_ldap_uid_field, 'dn' );

Change "dn" to "distinguishedName". No such attribute as dn in AD, it's just shortened to dn because it's easier to type.

Chris
0
 
taruntiwari (Author) commented:
It doesn't make any change to the error, dear...

$t_ldap_organization = config_get( 'ldap_organization' );
$t_ldap_root_dn      = config_get( 'ldap_root_dn' );
$t_username          = user_get_field( $p_user_id, 'username' );
$t_ldap_uid_field    = config_get( 'ldap_uid_field', 'uid' );

$t_search_filter = "(&$t_ldap_organization($t_ldap_uid_field=$t_username))";
$t_search_attrs  = array( $t_ldap_uid_field, 'distinguishedName' );
$t_ds            = ldap_connect_bind();

# Search for the user id
//$t_sr = ldap_search( $t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs );
$t_sr   = ldap_search( $t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs );
$t_info = ldap_get_entries( $t_ds, $t_sr );

$t_authenticated = false;

I am not getting a value for
$t_sr = ldap_search( $t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs );

Thanks for your continuous valuable feedback.
0
 
Chris Dent (PowerShell Developer) commented:

Would you be able to echo out the values for:

$t_ldap_root_dn
$t_search_filter

And loop and echo the contents of the array $t_search_attrs?

Just before it runs ldap_search.

Chris
0
 
Chris Dent (PowerShell Developer) commented:

We might also consider making all those attribute and names lower case. I'm not aware of it having problems with case, but I so rarely use the PHP search...

Chris
0
 
taruntiwari (Author) commented:
1::sAMAccountName2::distinguishedName3::

$t_ldap_root_dn
=DC=tcstatacap,DC=com
$t_search_filter

=
 (&(sAMAccountName=243917))

 $t_search_attrs===

sAMAccountName
distinguishedName:

It is not case sensitive...

0
 
Chris Dent (PowerShell Developer) commented:

It worked?

Was contemplating installing PHP so I could test it.

Chris
0
