Issues

ZF-8388: Binding problem

Issue Type: Bug Created: 2009-11-25T02:03:04.000+0000 Last Updated: 2010-02-09T06:07:16.000+0000 Status: Resolved Fix version(s): - 1.10.1 (10/Feb/10)

Reporter: Rodrigo Novelo Primolan (primolan) Assignee: Stefan Gehrig (sgehrig) Tags: - Zend_Auth_Adapter_Ldap

Related issues: Attachments:

Description

Hello!

Again a problem with Zend_Auth_Adapter_Ldap. In ZF's version 1.9.5 the problem was retrieving LDAP's object after user authenticated.

In ZF's version 1.9.6, Zend_Auth_Adapter_Ldap has a calling to bind without parameters, and that just don't do the job.

Zend_Auth_Adapter_Ldap

<pre class="highlight">
#323 $ldap->bind();

When commenting this line, Zend_Auth_Adapter_Ldap works!

Comments

Posted by Stephen Rees-Carter (valorin) on 2009-12-21T19:40:01.000+0000

I have the same problem - commenting out that line solved it for me as well.

Posted by Stefan Gehrig (sgehrig) on 2009-12-23T02:40:38.000+0000

I'll have a look into this. As far as I can remember, there has been a problem that required rebinding with the default user/password to retrieve user account information or check group membership status.

Could you please check if the most recent version from the SVN trunk shows the same behaviour?

As I workaround could you please try setting a username/password in the Zend_Auth_Ldap configuration with which Zend_Ldap would be able to access the user account object?

Which LDAP server are you authenticating against?

Posted by Rodrigo Novelo Primolan (primolan) on 2009-12-23T02:49:26.000+0000

Yes, there was a problem and it was mentioned by me.

The problem was to order the object LDAP after authentication. After verification, the problem remained, being resolved as explained in the description of this error.

I'm authenticating users on the Microsoft Active Directory.

Posted by Stephen Rees-Carter (valorin) on 2010-01-10T17:02:55.000+0000

I am also trying to authenticate against Microsoft Active Directory, and the latest version in SVN trunk still has the same problem.

My configuration is:

server.host = "ahq.net.au" server.password = "********" server.accountDomainName = "ahq.net.au" server.accountCanonicalForm = 4 server.baseDn = "DC=ahq,DC=net,DC=au"

Is this simply a case of us using the wrong configuration, or is there a bug that needs to be fixed?

Posted by Rodrigo Novelo Primolan (primolan) on 2010-01-11T02:24:29.000+0000

Maybe it's a problem with your configuration.

The problem with this component is about retrieving information after authentication (connecting, at least for me, is ok).

Try the workaround described here.

Posted by Stephen Rees-Carter (valorin) on 2010-01-11T15:23:55.000+0000

Yes, the work-around works fine for me (i.e. commenting out that line)..

The error I am getting when I use the latest version is:

object(Zend_Auth_Result)#113 (3) { ["_code:protected"] => int(0) ["_identity:protected"] => string(6) "s.rees" ["_messages:protected"] => array(6) { [0] => string(30) "An unexpected failure occurred" [1] => string(227) "0x1 (Operations error; 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece): searching: (&(objectClass=user)(sAMAccountName=s.rees))" [2] => string(109) "host=ahq.net.au,password=*****,accountDomainName=ahq.net.au,accountCanonicalForm=4,baseDn=DC=ahq,DC=net,DC=au" [3] => string(294) "/var/www/development/workspaces/s.rees/library/Zend/Ldap.php(916): 0x1 (Operations error; 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece): searching: (&(objectClass=user)(sAMAccountName=s.rees))" [4] => string(1681) "#0 /var/www/development/workspaces/s.rees/library/Zend/Ldap.php(631): Zend_Ldap->search('(&(objectClass=...', 'DC=ahq,DC=net,D...', 1, Array)

1 /var/www/development/workspaces/s.rees/library/Zend/Ldap.php(503): Zend_Ldap->_getAccount('s.rees', Array)

2 /var/www/development/workspaces/s.rees/library/Zend/Ldap.php(570): Zend_Ldap->_getAccountDn('s.rees@ahq.net....')

3 /var/www/development/workspaces/s.rees/library/Zend/Auth/Adapter/Ldap.php(324): Zend_Ldap->getCanonicalAccountName('s.rees@ahq.net....', 1)

4 /var/www/development/workspaces/s.rees/library/Zend/Auth.php(117): Zend_Auth_Adapter_Ldap->authenticate()

5 /var/www/development/workspaces/s.rees/domsys08/webapp/application/controllers/IndexController.php(500): Zend_Auth->authenticate(Object(Zend_Auth_Adapter_Ldap))

6 /var/www/development/workspaces/s.rees/domsys08/webapp/application/controllers/IndexController.php(342): IndexController->loginAsStaff('s.rees', '*****')

7 /var/www/development/workspaces/s.rees/domsys08/webapp/application/controllers/IndexController.php(279): IndexController->doLogin(Object(Zend_Form))

8 /var/www/development/workspaces/s.rees/library/Zend/Controller/Action.php(513): IndexController->loginAction()

9 /var/www/development/workspaces/s.rees/library/Zend/Controller/Dispatcher/Standard.php(289): Zend_Controller_Action->dispatch('loginAction')

10 /var/www/development/workspaces/s.rees/library/Zend/Controller/Front.php(946): Zend_Controller_Dispatcher_Standard->dispatch(Object(Zend_Controller_Request_Http), Object(Zend_Controller_Response_Http))

11 /var/www/development/workspaces/s.rees/domsys08/webapp/html/index.php(99): Zend_Controller_Front->dispatch()

12 {main}"

[5] => string(257) "s.rees authentication failed: 0x1 (Operations error; 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece): searching: (&(objectClass=user)(sAMAccountName=s.rees))"

} }

I don't really understand LDAP, so I am not sure what is happening...

Posted by Rodrigo Novelo Primolan (primolan) on 2010-01-12T02:29:47.000+0000

You must bind username and password before every search to perform it.

Try:

<pre class="highlight">
$ldap->bind($username, $password);
$ldap->search(...)

Posted by Stefan Gehrig (sgehrig) on 2010-02-09T06:07:16.000+0000

Should be fixed in trunk (r21008) and in 1.10-release branch (r21009)

At least we're not re-authenticating with an empty $ldap->bind(). This requires the authenticated user to be allowed to retrieve its own LDAP entry (should be no problem), but this also requires the authenticated user to be able to check its own group membership status if the group membership feature is used.

Have you found an issue?

See the Overview section for more details.

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts