Announcement

Collapse
No announcement yet.

LDAP Auth not working - user found, but error is wrong username/password

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
  • #1

    LDAP Auth not working - user found, but error is wrong username/password

    I am setting up a new installation of EspoCRM 5.7.11 to use LDAP Authentication. Testing the connection in the Authentication settings works, but no users are able to successfully login. The error at the login page is "Wrong username/password". Here is the LDAP configuration:

    Code:
        'authenticationMethod' => 'LDAP',
    'ldapUserNameAttribute' => 'uid',
    'ldapUserObjectClass' => 'inetOrgPerson',
    'ldapHost' => 'ldap.xxxxx.com',
    'ldapPort' => '389',
    'ldapAuth' => true,
    'ldapSecurity' => 'TLS',
    'ldapUsername' => 'uid=xxxxx.xxxxx,ou=Users,o=xxxxx,dc=xxxxx,dc=com',
    'ldapPassword' => 'xxxxx',
    'ldapBindRequiresDn' => true,
    'ldapBaseDn' => 'o=xxxxx,dc=xxxxx,dc=com',
    'ldapUserLoginFilter' => 'memberOf=cn=EspoCRM LDAP Users,ou=Users,o=xxxxx,dc=xxxxx,dc=com',
    'ldapTryUsernameSplit' => false,
    'ldapOptReferrals' => false,
    'ldapCreateEspoUser' => false,
    'ldapAccountCanonicalForm' => 'Dn'
    Here is what I'm seeing in the log when I try to login using the correct password:
    Code:
    [2020-01-09 20:40:35] Espo.DEBUG: LDAP: user search string: "(&(objectClass=inetOrgPerson)(uid=xxxxx.xxxxx)(memberOf=cn=EspoCRM LDAP Users,ou=Users,o=xxxxx,dc=xxxxx,dc=com))" [] []
[2020-01-09 20:40:35] Espo.DEBUG: User [xxxxx.xxxxx] is found with this DN [uid=xxxxx.xxxxx,ou=Users,o=xxxxx,dc=xxxxx,dc=com]. [] []
    If I use the wrong password on purpose, the error changes to reflect the bad credential, which tells me it is authenticating correctly up to a certain point:
    Code:
    [2020-01-09 20:57:29] Espo.DEBUG: User [xxxxx.xxxxx] is found with this DN [uid=xxxxx.xxxxx,ou=Users,o=xxxxx,dc=xxxxx,dc=com]. [] []
[2020-01-09 20:57:29] Espo.ERROR: LDAP: Authentication failed for user [xxxxx.xxxxx], details: 0x31 (Invalid credentials): uid=xxxxx.xxxxx,ou=Users,o=xxxxx,dc=xxxxx,dc=com [] []
    I know the LDAP server is able to accept the login because the following command works:
    Code:
    ldapsearch -D "uid=xxxxx.xxxxx,ou=Users,o=xxxxx,dc=xxxxx,dc=com" -h ldap.xxxxx.com -w 'xxxxx -b "o=xxxxx,dc=xxxxx,dc=com" "memberOf=cn=EspoCRM LDAP Users,ou=Users,o=xxxxx,dc=xxxxx,dc=com"
    Here is the output:
    Code:
    # extended LDIF
#
# LDAPv3
# base <o=xxxxx,dc=xxxxx,dc=com> with scope subtree
# filter: memberOf=cn=EspoCRM LDAP Users,ou=Users,o=xxxxx,dc=xxxxx,dc=com
# requesting: ALL
#

# xxxxx.xxxxx, Users, xxxxx, xxxxx.com
dn: uid=xxxxx.xxxxx,ou=Users,o=xxxxx,dc=xxxxx,dc=com
uid: xxxxx.xxxxx
mail: xxxxx@xxxxx.com
cn: xxxxx xxxxx
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: posixAccount
objectClass: jumpcloudUser
uidNumber: 5001
gidNumber: 5001
memberOf: cn=EspoCRM LDAP Users,ou=Users,o=xxxxx,dc=xxxxx,dc=com

# xxxxx.xxxxx, Users, xxxxx, xxxxx.com
dn: uid=xxxxx.xxxxx,ou=Users,o=xxxxx,dc=xxxxx,dc=com
uid: xxxxx.xxxxx
mail: xxxxx@xxxxx.com
cn: xxxxx xxxxx
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: posixAccount
objectClass: jumpcloudUser
uidNumber: 5001
gidNumber: 5001
memberOf: cn=EspoCRM LDAP Users,ou=Users,o=xxxxx,dc=xxxxx,dc=com

...

# search result
search: 2
result: 0 Success

# numResponses: 19
# numEntries: 18

    I am able to login using ldapsearch with many users and the LDAP server will reject the connection if I specify the wrong credentials on purpose. It seems like Espo is correctly authenticating, but then rejecting the login for some reason. Am I using the wrong objectClass? What about the uid? It's setup as firstName.lastName and that's what I am using to login, e.g."uid: John.Doe" and then I try to login using "username: John.Doe, password: xxxx". If I use anything other than the uid to login, the log file shows an invalid credential error, which is what I would expect. That tells me it is accepting the uid field as the username, so I have no idea what to check next.
    Tags: None
  • #2
    Of course, right after I spent 20 minutes creating a post, I figured it out. I did not realize that Espo requires a local user to exist in addition to the LDAP Authentication. I checked the box in the LDAP Authentication settings to "Create User in EspoCRM", which moved the login process past the "Wrong username/password" error. However, then it threw a 500 error:

    Code:
    [2020-01-09 21:04:38] Espo.INFO: Creating new user ... [] []
[2020-01-09 21:04:38] Espo.DEBUG: LDAP: user data: Array (     [cn] => Array         ( xxxxx )  )  [] []
[2020-01-09 21:04:38] Espo.DEBUG: LDAP: Create a user wtih [userName] = [xxxxx.xxxxx]. [] []
[2020-01-09 21:04:38] Espo.DEBUG: LDAP: Create a user wtih [firstName] = [xxxxx]. [] []
[2020-01-09 21:04:38] Espo.DEBUG: LDAP: Create a user wtih [lastName] = [xxxxx]. [] []
[2020-01-09 21:04:38] Espo.DEBUG: LDAP: Create a user wtih [title] = [xxxxx]. [] []
[2020-01-09 21:04:38] Espo.DEBUG: LDAP: Create a user wtih [emailAddress] = [xxxxx@xxxxx.com]. [] []
[2020-01-09 21:04:38] Espo.DEBUG: LDAP: Create a user wtih [phoneNumber] = [xxx-xxx-xxx]. [] []
[2020-01-09 21:04:38] Espo.ERROR: Uncaught Exception TypeError: "Argument 2 passed to Espo\Core\Acl::__construct() must be an instance of Espo\Entities\User, null given, called in /var/www/crm-beta/application/Espo/Core/Container.php on line 244" at /var/www/crm-beta/application/Espo/Core/Acl.php line 41 {"exception":"[object] (TypeError(code: 0): Argument 2 passed to Espo\\Core\\Acl::__construct() must be an instance of Espo\\Entities\\User, null given, called in /var/www/crm-beta/application/Espo/Core/Container.php on line 244 at /var/www/crm-beta/application/Espo/Core/Acl.php:41)"} []
    That seems like a real issue instead of the misconfiguration that caused my initial issue. With that said, I clicked the button again and it worked as expected:

    Code:
    [2020-01-09 21:10:12] Espo.DEBUG: LDAP: user search string: "(&(objectClass=inetOrgPerson)(uid=xxxxx.xxxxx)(memberOf=cn=EspoCRM LDAP Users,ou=Users,o=xxxxx,dc=xxxxx,dc=com))" [] []
[2020-01-09 21:10:12] Espo.DEBUG: User [xxxxx.xxxxx] is found with this DN [uid=xxxxx.xxxxx,ou=Users,o=xxxxx,dc=xxxxx,dc=com]. [] []
    It seems like the login does not work the first time if it is also tasked with creating the user, but the user is successfully created. Therefore, successive attempts to login succeed as expected.
    Last edited by bandtank; 01-20-2020, 04:08 PM.
    • Likes 1

    Comment

    • #3
      Fixed, https://github.com/espocrm/espocrm/issues/1561
      Job Offers and Requests
      • Likes 2

      Comment

      • #4
        Hello Tarasm,
        can you provide a printscreen for setting with LDAP for macOS ?
        I try but not find how i can bind espocrm to OpenDirectory ..
        Regards

        Comment

        Previous template Next
        Working...
        X