LDAP Auth not working - user found, but error is wrong username/password

  • bandtank
    Active Community Member
    • Mar 2017
    • 379

    I am setting up a new installation of EspoCRM 5.7.11 to use LDAP Authentication. Testing the connection in the Authentication settings works, but no users are able to successfully login. The error at the login page is "Wrong username/password". Here is the LDAP configuration:

    Code:
        'authenticationMethod' => 'LDAP',
        'ldapUserNameAttribute' => 'uid',
        'ldapUserObjectClass' => 'inetOrgPerson',
        'ldapHost' => 'ldap.xxxxx.com',
        'ldapPort' => '389',
        'ldapAuth' => true,
        'ldapSecurity' => 'TLS',
        'ldapUsername' => 'uid=xxxxx.xxxxx,ou=Users,o=xxxxx,dc=xxxxx,dc=com',
        'ldapPassword' => 'xxxxx',
        'ldapBindRequiresDn' => true,
        'ldapBaseDn' => 'o=xxxxx,dc=xxxxx,dc=com',
        'ldapUserLoginFilter' => 'memberOf=cn=EspoCRM LDAP Users,ou=Users,o=xxxxx,dc=xxxxx,dc=com',
        'ldapTryUsernameSplit' => false,
        'ldapOptReferrals' => false,
        'ldapCreateEspoUser' => false,
        'ldapAccountCanonicalForm' => 'Dn'
    Here is what I'm seeing in the log when I try to login using the correct password:
    Code:
    [2020-01-09 20:40:35] Espo.DEBUG: LDAP: user search string: "(&(objectClass=inetOrgPerson)(uid=xxxxx.xxxxx)(memberOf=cn=EspoCRM LDAP Users,ou=Users,o=xxxxx,dc=xxxxx,dc=com))" [] []
    [2020-01-09 20:40:35] Espo.DEBUG: User [xxxxx.xxxxx] is found with this DN [uid=xxxxx.xxxxx,ou=Users,o=xxxxx,dc=xxxxx,dc=com]. [] []
    If I use the wrong password on purpose, the error changes to reflect the bad credential, which tells me it is authenticating correctly up to a certain point:
    Code:
    [2020-01-09 20:57:29] Espo.DEBUG: User [xxxxx.xxxxx] is found with this DN [uid=xxxxx.xxxxx,ou=Users,o=xxxxx,dc=xxxxx,dc=com]. [] []
    [2020-01-09 20:57:29] Espo.ERROR: LDAP: Authentication failed for user [xxxxx.xxxxx], details: 0x31 (Invalid credentials): uid=xxxxx.xxxxx,ou=Users,o=xxxxx,dc=xxxxx,dc=com [] []
    I know the LDAP server is able to accept the login because the following command works:
    Code:
    ldapsearch -D "uid=xxxxx.xxxxx,ou=Users,o=xxxxx,dc=xxxxx,dc=com" -h ldap.xxxxx.com -w 'xxxxx' -b "o=xxxxx,dc=xxxxx,dc=com" "memberOf=cn=EspoCRM LDAP Users,ou=Users,o=xxxxx,dc=xxxxx,dc=com"
    Here is the output:
    Code:
    # extended LDIF
    #
    # LDAPv3
    # base <o=xxxxx,dc=xxxxx,dc=com> with scope subtree
    # filter: memberOf=cn=EspoCRM LDAP Users,ou=Users,o=xxxxx,dc=xxxxx,dc=com
    # requesting: ALL
    #
    
    # xxxxx.xxxxx, Users, xxxxx, xxxxx.com
    dn: uid=xxxxx.xxxxx,ou=Users,o=xxxxx,dc=xxxxx,dc=com
    uid: xxxxx.xxxxx
    mail: xxxxx@xxxxx.com
    cn: xxxxx xxxxx
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: shadowAccount
    objectClass: posixAccount
    objectClass: jumpcloudUser
    uidNumber: 5001
    gidNumber: 5001
    memberOf: cn=EspoCRM LDAP Users,ou=Users,o=xxxxx,dc=xxxxx,dc=com
    
    # xxxxx.xxxxx, Users, xxxxx, xxxxx.com
    dn: uid=xxxxx.xxxxx,ou=Users,o=xxxxx,dc=xxxxx,dc=com
    uid: xxxxx.xxxxx
    mail: xxxxx@xxxxx.com
    cn: xxxxx xxxxx
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: shadowAccount
    objectClass: posixAccount
    objectClass: jumpcloudUser
    uidNumber: 5001
    gidNumber: 5001
    memberOf: cn=EspoCRM LDAP Users,ou=Users,o=xxxxx,dc=xxxxx,dc=com
    
    ...
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 19
    # numEntries: 18

    I am able to log in using ldapsearch with many users, and the LDAP server will reject the connection if I specify the wrong credentials on purpose. It seems like Espo is correctly authenticating, but then rejecting the login for some reason. Am I using the wrong objectClass? What about the uid? It's set up as firstName.lastName and that's what I am using to log in, e.g. "uid: John.Doe", and then I try to log in using "username: John.Doe, password: xxxx". If I use anything other than the uid to log in, the log file shows an invalid credential error, which is what I would expect. That tells me it is accepting the uid field as the username, so I have no idea what to check next.
  • bandtank
    Active Community Member
    • Mar 2017
    • 379

    #2
    Of course, right after I spent 20 minutes creating a post, I figured it out. I did not realize that Espo requires a local user to exist in addition to the LDAP Authentication. I checked the box in the LDAP Authentication settings to "Create User in EspoCRM", which moved the login process past the "Wrong username/password" error. However, then it threw a 500 error:

    Code:
    [2020-01-09 21:04:38] Espo.INFO: Creating new user ... [] []
    [2020-01-09 21:04:38] Espo.DEBUG: LDAP: user data: Array (     [cn] => Array         ( xxxxx )  )  [] []
    [2020-01-09 21:04:38] Espo.DEBUG: LDAP: Create a user wtih [userName] = [xxxxx.xxxxx]. [] []
    [2020-01-09 21:04:38] Espo.DEBUG: LDAP: Create a user wtih [firstName] = [xxxxx]. [] []
    [2020-01-09 21:04:38] Espo.DEBUG: LDAP: Create a user wtih [lastName] = [xxxxx]. [] []
    [2020-01-09 21:04:38] Espo.DEBUG: LDAP: Create a user wtih [title] = [xxxxx]. [] []
    [2020-01-09 21:04:38] Espo.DEBUG: LDAP: Create a user wtih [emailAddress] = [xxxxx@xxxxx.com]. [] []
    [2020-01-09 21:04:38] Espo.DEBUG: LDAP: Create a user wtih [phoneNumber] = [xxx-xxx-xxx]. [] []
    [2020-01-09 21:04:38] Espo.ERROR: Uncaught Exception TypeError: "Argument 2 passed to Espo\Core\Acl::__construct() must be an instance of Espo\Entities\User, null given, called in /var/www/crm-beta/application/Espo/Core/Container.php on line 244" at /var/www/crm-beta/application/Espo/Core/Acl.php line 41 {"exception":"[object] (TypeError(code: 0): Argument 2 passed to Espo\\Core\\Acl::__construct() must be an instance of Espo\\Entities\\User, null given, called in /var/www/crm-beta/application/Espo/Core/Container.php on line 244 at /var/www/crm-beta/application/Espo/Core/Acl.php:41)"} []
    That seems like a real issue instead of the misconfiguration that caused my initial issue. With that said, I clicked the button again and it worked as expected:

    Code:
    [2020-01-09 21:10:12] Espo.DEBUG: LDAP: user search string: "(&(objectClass=inetOrgPerson)(uid=xxxxx.xxxxx)(memberOf=cn=EspoCRM LDAP Users,ou=Users,o=xxxxx,dc=xxxxx,dc=com))" [] []
    [2020-01-09 21:10:12] Espo.DEBUG: User [xxxxx.xxxxx] is found with this DN [uid=xxxxx.xxxxx,ou=Users,o=xxxxx,dc=xxxxx,dc=com]. [] []
    It seems like the login does not work the first time if it is also tasked with creating the user, but the user is successfully created. Therefore, successive attempts to login succeed as expected.
    Last edited by bandtank; 01-20-2020, 04:08 PM.
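    The two posts above describe a search-then-bind flow that succeeds at the LDAP server and still ends in "Wrong username/password" because no local Espo user exists. The following is an added example, not EspoCRM's code: it models that flow against a constructed in-memory directory (DN, uid, memberOf and a plaintext password used only for the simulation) so each failure point in the thread maps to a distinct result, and it escapes the typed username per RFC 4515 before placing it in the search filter shown in the log.

```python
# Added example (not EspoCRM's code): minimal model of Espo's LDAP login
# steps: (1) service-account search, (2) bind as the found DN,
# (3) require a local Espo user unless ldapCreateEspoUser is enabled.

# Config values mirror the post's settings (masked values kept as-is).
CONFIG = {
    "ldapUserObjectClass": "inetOrgPerson",
    "ldapUserNameAttribute": "uid",
    "ldapUserLoginFilter": "memberOf=cn=EspoCRM LDAP Users,ou=Users,o=xxxxx,dc=xxxxx,dc=com",
    "ldapCreateEspoUser": False,
}

# Constructed directory: DN -> attributes. 'userPassword' is plaintext here
# purely so the simulated bind can be checked offline.
DIRECTORY = {
    "uid=john.doe,ou=Users,o=xxxxx,dc=xxxxx,dc=com": {
        "objectClass": ["top", "person", "inetOrgPerson"],
        "uid": ["john.doe"],
        "memberOf": ["cn=EspoCRM LDAP Users,ou=Users,o=xxxxx,dc=xxxxx,dc=com"],
        "userPassword": ["s3cret"],
    },
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a typed username cannot alter the filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))

def build_user_filter(config: dict, username: str) -> str:
    """Reproduce the '(&(objectClass=...)(uid=...)(memberOf=...))' search string."""
    return "(&(objectClass=%s)(%s=%s)(%s))" % (
        config["ldapUserObjectClass"], config["ldapUserNameAttribute"],
        escape_filter_value(username), config["ldapUserLoginFilter"])

def find_user_dn(directory: dict, config: dict, username: str):
    """Step 1: evaluate the filter against the simulated directory; DN or None."""
    login_attr, login_val = config["ldapUserLoginFilter"].split("=", 1)
    for dn, attrs in directory.items():
        if (config["ldapUserObjectClass"] in attrs.get("objectClass", [])
                and username in attrs.get(config["ldapUserNameAttribute"], [])
                and login_val in attrs.get(login_attr, [])):
            return dn
    return None

def espo_login(directory: dict, config: dict, local_users: set,
               username: str, password: str) -> str:
    """Steps 2-3: bind as the found DN, then require a local Espo user."""
    dn = find_user_dn(directory, config, username)
    if dn is None:
        return "user not found"
    if password not in directory[dn]["userPassword"]:
        return "0x31 Invalid credentials"      # bind failed (second log excerpt)
    if username not in local_users and not config["ldapCreateEspoUser"]:
        return "Wrong username/password"       # bind OK, no local user (this thread)
    return "login ok"
```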

    • tarasm
      Super Moderator
      • Mar 2014
      • 573

      #3
      Fixed, https://github.com/espocrm/espocrm/issues/1561
      • item
        Active Community Member
        • Mar 2017
        • 1476

        #4
        Hello Tarasm,
        can you provide a screenshot of the settings for LDAP on macOS?
        I tried but could not find how to bind EspoCRM to OpenDirectory.
        Regards