Issues

ZF-8388: Binding problem

Description

Hello!

Again a problem with {{Zend_Auth_Adapter_Ldap}}. In ZF's version 1.9.5 the problem was retrieving LDAP's object after user authenticated.

In ZF's version 1.9.6, {{Zend_Auth_Adapter_Ldap}} has a calling to bind without parameters, and that just don't do the job.

{{Zend_Auth_Adapter_Ldap}}


#323 $ldap->bind();

When commenting this line, {{Zend_Auth_Adapter_Ldap}} works!

Comments

I have the same problem - commenting out that line solved it for me as well.

I'll have a look into this. As far as I can remember, there has been a problem that required rebinding with the default user/password to retrieve user account information or check group membership status.

Could you please check if the most recent version from the SVN trunk shows the same behaviour?

As I workaround could you please try setting a username/password in the {{Zend_Auth_Ldap}} configuration with which {{Zend_Ldap}} would be able to access the user account object?

Which LDAP server are you authenticating against?

Yes, there was a problem and it was mentioned by me.

The problem was to order the object LDAP after authentication. After verification, the problem remained, being resolved as explained in the description of this error.

I'm authenticating users on the Microsoft Active Directory.

I am also trying to authenticate against Microsoft Active Directory, and the latest version in SVN trunk still has the same problem.

My configuration is:

server.host = "ahq.net.au" server.password = "********" server.accountDomainName = "ahq.net.au" server.accountCanonicalForm = 4 server.baseDn = "DC=ahq,DC=net,DC=au"

Is this simply a case of us using the wrong configuration, or is there a bug that needs to be fixed?

Maybe it's a problem with your configuration.

The problem with this component is about retrieving information after authentication (connecting, at least for me, is ok).

Try the workaround described here.

Yes, the work-around works fine for me (i.e. commenting out that line)..

The error I am getting when I use the latest version is:

object(Zend_Auth_Result)#113 (3) { ["_code:protected"] => int(0) ["_identity:protected"] => string(6) "s.rees" ["_messages:protected"] => array(6) { [0] => string(30) "An unexpected failure occurred" [1] => string(227) "0x1 (Operations error; 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece): searching: (&(objectClass=user)(sAMAccountName=s.rees))" [2] => string(109) "host=ahq.net.au,password=*****,accountDomainName=ahq.net.au,accountCanonicalForm=4,baseDn=DC=ahq,DC=net,DC=au" [3] => string(294) "/var/www/development/workspaces/s.rees/library/Zend/Ldap.php(916): 0x1 (Operations error; 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece): searching: (&(objectClass=user)(sAMAccountName=s.rees))" [4] => string(1681) "#0 /var/www/development/workspaces/s.rees/library/Zend/Ldap.php(631): Zend_Ldap->search('(&(objectClass=...', 'DC=ahq,DC=net,D...', 1, Array)

1 /var/www/development/workspaces/s.rees/library/Zend/Ldap.php(503): Zend_Ldap->_getAccount('s.rees', Array)

2 /var/www/development/workspaces/s.rees/library/Zend/Ldap.php(570): Zend_Ldap->_getAccountDn('s.rees@ahq.net....')

3 /var/www/development/workspaces/s.rees/library/Zend/Auth/Adapter/Ldap.php(324): Zend_Ldap->getCanonicalAccountName('s.rees@ahq.net....', 1)

4 /var/www/development/workspaces/s.rees/library/Zend/Auth.php(117): Zend_Auth_Adapter_Ldap->authenticate()

5 /var/www/development/workspaces/s.rees/domsys08/webapp/application/controllers/IndexController.php(500): Zend_Auth->authenticate(Object(Zend_Auth_Adapter_Ldap))

6 /var/www/development/workspaces/s.rees/domsys08/webapp/application/controllers/IndexController.php(342): IndexController->loginAsStaff('s.rees', '*****')

7 /var/www/development/workspaces/s.rees/domsys08/webapp/application/controllers/IndexController.php(279): IndexController->doLogin(Object(Zend_Form))

8 /var/www/development/workspaces/s.rees/library/Zend/Controller/Action.php(513): IndexController->loginAction()

9 /var/www/development/workspaces/s.rees/library/Zend/Controller/Dispatcher/Standard.php(289): Zend_Controller_Action->dispatch('loginAction')

10 /var/www/development/workspaces/s.rees/library/Zend/Controller/Front.php(946): Zend_Controller_Dispatcher_Standard->dispatch(Object(Zend_Controller_Request_Http), Object(Zend_Controller_Response_Http))

11 /var/www/development/workspaces/s.rees/domsys08/webapp/html/index.php(99): Zend_Controller_Front->dispatch()

12 {main}"

[5] => string(257) "s.rees authentication failed: 0x1 (Operations error; 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece): searching: (&(objectClass=user)(sAMAccountName=s.rees))"

} }

I don't really understand LDAP, so I am not sure what is happening...

You must bind username and password before every search to perform it.

Try:


$ldap->bind($username, $password);
$ldap->search(...)

Should be fixed in trunk (r21008) and in 1.10-release branch (r21009)

At least we're not re-authenticating with an empty {{$ldap->bind()}}. This requires the authenticated user to be allowed to retrieve its own LDAP entry (should be no problem), but this also requires the authenticated user to be able to check its own group membership status if the group membership feature is used.