ZF-8388: Binding problem
Description
Hello!
Again a problem with {{Zend_Auth_Adapter_Ldap}}. In ZF's version 1.9.5 the problem was retrieving LDAP's object after user authenticated.
In ZF's version 1.9.6, {{Zend_Auth_Adapter_Ldap}} has a calling to bind without parameters, and that just don't do the job.
{{Zend_Auth_Adapter_Ldap}}
#323 $ldap->bind();
When commenting this line, {{Zend_Auth_Adapter_Ldap}} works!
Comments
Posted by Stephen Rees-Carter (valorin) on 2009-12-21T19:40:01.000+0000
I have the same problem - commenting out that line solved it for me as well.
Posted by Stefan Gehrig (sgehrig) on 2009-12-23T02:40:38.000+0000
I'll have a look into this. As far as I can remember, there has been a problem that required rebinding with the default user/password to retrieve user account information or check group membership status.
Could you please check if the most recent version from the SVN trunk shows the same behaviour?
As I workaround could you please try setting a username/password in the {{Zend_Auth_Ldap}} configuration with which {{Zend_Ldap}} would be able to access the user account object?
Which LDAP server are you authenticating against?
Posted by Rodrigo Novelo Primolan (primolan) on 2009-12-23T02:49:26.000+0000
Yes, there was a problem and it was mentioned by me.
The problem was to order the object LDAP after authentication. After verification, the problem remained, being resolved as explained in the description of this error.
I'm authenticating users on the Microsoft Active Directory.
Posted by Stephen Rees-Carter (valorin) on 2010-01-10T17:02:55.000+0000
I am also trying to authenticate against Microsoft Active Directory, and the latest version in SVN trunk still has the same problem.
My configuration is:
server.host = "ahq.net.au" server.password = "********" server.accountDomainName = "ahq.net.au" server.accountCanonicalForm = 4 server.baseDn = "DC=ahq,DC=net,DC=au"
Is this simply a case of us using the wrong configuration, or is there a bug that needs to be fixed?
Posted by Rodrigo Novelo Primolan (primolan) on 2010-01-11T02:24:29.000+0000
Maybe it's a problem with your configuration.
The problem with this component is about retrieving information after authentication (connecting, at least for me, is ok).
Try the workaround described here.
Posted by Stephen Rees-Carter (valorin) on 2010-01-11T15:23:55.000+0000
Yes, the work-around works fine for me (i.e. commenting out that line)..
The error I am getting when I use the latest version is:
object(Zend_Auth_Result)#113 (3) { ["_code:protected"] => int(0) ["_identity:protected"] => string(6) "s.rees" ["_messages:protected"] => array(6) { [0] => string(30) "An unexpected failure occurred" [1] => string(227) "0x1 (Operations error; 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece): searching: (&(objectClass=user)(sAMAccountName=s.rees))" [2] => string(109) "host=ahq.net.au,password=*****,accountDomainName=ahq.net.au,accountCanonicalForm=4,baseDn=DC=ahq,DC=net,DC=au" [3] => string(294) "/var/www/development/workspaces/s.rees/library/Zend/Ldap.php(916): 0x1 (Operations error; 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece): searching: (&(objectClass=user)(sAMAccountName=s.rees))" [4] => string(1681) "#0 /var/www/development/workspaces/s.rees/library/Zend/Ldap.php(631): Zend_Ldap->search('(&(objectClass=...', 'DC=ahq,DC=net,D...', 1, Array)
1 /var/www/development/workspaces/s.rees/library/Zend/Ldap.php(503): Zend_Ldap->_getAccount('s.rees', Array)
2 /var/www/development/workspaces/s.rees/library/Zend/Ldap.php(570): Zend_Ldap->_getAccountDn('s.rees@ahq.net....')
3 /var/www/development/workspaces/s.rees/library/Zend/Auth/Adapter/Ldap.php(324): Zend_Ldap->getCanonicalAccountName('s.rees@ahq.net....', 1)
4 /var/www/development/workspaces/s.rees/library/Zend/Auth.php(117): Zend_Auth_Adapter_Ldap->authenticate()
5 /var/www/development/workspaces/s.rees/domsys08/webapp/application/controllers/IndexController.php(500): Zend_Auth->authenticate(Object(Zend_Auth_Adapter_Ldap))
6 /var/www/development/workspaces/s.rees/domsys08/webapp/application/controllers/IndexController.php(342): IndexController->loginAsStaff('s.rees', '*****')
7 /var/www/development/workspaces/s.rees/domsys08/webapp/application/controllers/IndexController.php(279): IndexController->doLogin(Object(Zend_Form))
8 /var/www/development/workspaces/s.rees/library/Zend/Controller/Action.php(513): IndexController->loginAction()
9 /var/www/development/workspaces/s.rees/library/Zend/Controller/Dispatcher/Standard.php(289): Zend_Controller_Action->dispatch('loginAction')
10 /var/www/development/workspaces/s.rees/library/Zend/Controller/Front.php(946): Zend_Controller_Dispatcher_Standard->dispatch(Object(Zend_Controller_Request_Http), Object(Zend_Controller_Response_Http))
11 /var/www/development/workspaces/s.rees/domsys08/webapp/html/index.php(99): Zend_Controller_Front->dispatch()
12 {main}"
} }
I don't really understand LDAP, so I am not sure what is happening...
Posted by Rodrigo Novelo Primolan (primolan) on 2010-01-12T02:29:47.000+0000
You must bind username and password before every search to perform it.
Try:
Posted by Stefan Gehrig (sgehrig) on 2010-02-09T06:07:16.000+0000
Should be fixed in trunk (r21008) and in 1.10-release branch (r21009)
At least we're not re-authenticating with an empty {{$ldap->bind()}}. This requires the authenticated user to be allowed to retrieve its own LDAP entry (should be no problem), but this also requires the authenticated user to be able to check its own group membership status if the group membership feature is used.