LDAP query - piler-webui[3876]: cannot bind to...
Issue #316
resolved
Hello.
I am trying to setup LDAP query and I am using piler-0.1.24 with nginx. The module php5-ldap is installed. For the test purposes I've setup as helper user with domain admin priviledges.
config-site.php LDAP configuration section looks like this:
$config['ENABLE_LDAP_AUTH'] = 1; $config['LDAP_HOST'] = 'dc01.domain.sk'; $config['LDAP_HELPER_DN'] = 'CN=admin,OU=Admins,DC=domain,DC=sk'; $config['LDAP_HELPER_PASSWORD'] = '****'; $config['LDAP_MAIL_ATTR'] = 'mail'; $config['LDAP_ACCOUNT_OBJECTCLASS'] = 'user'; //$config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'group'; //$config['LDAP_DISTRIBUTIONLIST_ATTR'] = 'member';
I can see the following in /var/log/mail.log : Jun 9 10:03:56 mailarchive piler-webui[3876]: cannot bind to 'dc01.domain.sk' as 'CN=admin,OU=Admins,DC=domain,DC=sk'
The aforementioned settings are altered because of the privacy. I've checked connectivity (ping, telnet dc01.domain.sk 389), also dig to the dc01.domain.sk. Everything seems to be OK with connection. I did restart nginx before try.
What does the message in logs mean and what can be an issue?
Michal
Comments (12)
-
repo owner
-
repo owner
-
assigned issue to
Janos SUTO
-
assigned issue to
-
reporter
Hi jsuto.
Thank you for the suggestion. The issue was MS AD domain controller hardening. ldapsearchquery showed that simple authentication is not allowed. The GPO policy which should be turned off is Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Domain controller: LDAP server signing requirements = None .
After aforementioned settings was made the mail.log shows following, when I tried to log in with username admin@domain.sk: piler-webui[3876]: ldap query: base dn='', filter='(&(objectClass=user)(mail=admin@domain.sk))', attr='', 0 hits
I checked that the user object has its property "mail" set to admin@domain.sk. Why there are no hits? Did I miss something?
-
repo owner
OK, now search for your email address using ldapsearch.
-
reporter
Shouldn't be the result something else than 0?
ldapsearch -x -h dc01.domain.sk -b "CN=admin,OU=Admins,DC=domain,DC=sk" -D "CN=admin,OU=Admins,DC=domain,DC=sk" -w * mail
# extended LDIF # # LDAPv3 # base <CN=admin,OU=Admins,DC=domain,DC=sk> with scope subtree # filter: (objectclass=*) # requesting: mail # # admin, Admins, domain.sk dn: CN=admin,OU=Admins,DC=domain,DC=sk mail: admin@domain.sk # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 -
repo owner
Yes, it should have 1 result. At least this explains why the gui also can't find any match. Can you check with another (existing) email address?
-
reporter
I am doing something wrong. If I do the same ldapsearch for another user, the result is the same. I created a new user especially for this test with the name "testldap".
ldapsearch -x -h dc01.domain.sk -b "CN=testldap,OU=Users,DC=domain,DC=sk" -D "CN=admin,OU=Admins,DC=domain,DC=sk" -w ** mail
# extended LDIF # # LDAPv3 # base <CN=testldap,OU=Users,DC=domain,DC=sk> with scope subtree # filter: (objectclass=*) # requesting: mail # # testldap, Users, MIL, domain.sk dn: CN=testldap,OU=Users,DC=domain,DC=sk mail: testldap@domain.sk # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 -
repo owner
I think -b is the base dn, a container to search within, so -b "CN=testldap,OU=Users,DC=domain,DC=sk" is definitely not ok. Try -b "OU=Users,DC=domain,DC=sk" - provided your users are actually inside "OU=Users,DC=domain,DC=sk".
I use the following for my exchange test:
ldapsearch -h aaaa.acts.hu -D 'cn=piler1,cn=Users,dc=aaaaa,dc=acts,dc=hu' -b 'cn=Users,dc=aaaa,dc=acts,dc=hu' -x -W '(&(objectClass=user)(mail=bela@aaaa.acts.hu))'
Note that I didn't see that you actually had results for the search, although the query still should be fixed to find a real user with an email.
-
reporter
Janos, your suggestion helped in something. You are right. The search base should be the container like OU. I did another mistake, because I've searched in wrong OU for the user ldaptest. The correct one is following:
ldapsearch -h dc01.domain.sk -D 'CN=admin,OU=Admins,DC=domain,DC=sk' -b 'OU=Users,DC=domain,DC=sk' -x -W '(&(objectClass=user)(mail=testldap@domain.sk))'
# extended LDIF # # LDAPv3 # base <OU=Users,DC=domain,DC=sk> with scope subtree # filter: (&(objectClass=user)(mail=testldap@domain.sk)) # requesting: ALL # # testldap, Users, MIL, domain.sk dn: CN=testldap,OU=Users,DC=domain,DC=sk objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: testldap givenName: testldap distinguishedName: CN=testldap,OU=Users,DC=domain,DC=sk instanceType: 4 whenCreated: 20140610162428.0Z whenChanged: 20140610162446.0Z displayName: testldap uSNCreated: 2418063 uSNChanged: 2418074 name: testldap objectGUID:: 8hyNZiXwp0Ke76GFP/Qczg== userAccountControl: 66048 badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 pwdLastSet: 130468910687948027 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAAq7KVpAwoSIYS01bjzwYAAA== accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: testldap sAMAccountType: 805306368 userPrincipalName: testldap@domain.sk objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=sk dSCorePropagationData: 20140610162428.0Z dSCorePropagationData: 16010101000000.0Z mail: testldap@domain.sk # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1It looks better than the last time for ldapsearch. But still result 0 success. Does mailpiler look for the result which is returned as a number from ldapsearch? If I make a change in the config-site.php, which services should be restarted for applying a change? nginx or piler or both of them?
-
repo owner
I think "result: 0" is the return code from ldapsearch. As you can see you have a proper answer from the ldap server. If you can retrieve an existing real user as well (other than testldap), then you may fix config-site.php. No need to restart anything.
-
reporter
Janos, it works! Thank you!
-
repo owner
- changed status to resolved
I'm glad to hear it
- Log in to comment
Hello Michal, as the error message suggests it's probably an ldap authentication error. There may be a typo in either the helper dn or the password. Please try to make an ldap query with ldapsearch using the specified helper account. Btw. the helper account needs no special privileges.