LDAP not working

oyeaussie
Posts: 9
Joined: Mon May 11, 2015 4:04 am

LDAP not working

Post by oyeaussie »

Hello,

I am using a community version 8.0.7

The installation worked fine, but LDAP doesn't seem to work. Following are the logs during authentication. I don't see it initiating LDAP authentication. Any suggestions?

Thanks,
Guru.

---------------[ 11-May-2015 21:01:44 +1000 [1431342103.277] (PID: 6406) ]---------------
DEBUG [L0438] [7ms]: [Function](): URI: /api/json/api.php?Class=APIAuthentication&Method=Login&v=2&MessageID=0bdac497-c624-318d-0f19-6060ad67c6c5 IP Address: 10.8.0.11
DEBUG [L0441] [7ms]: [Function](): USER-AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36
DEBUG [L0445] [7ms]: [Function](): Version: 8.0.7 Edition: 10 Production: 1 Database: Type: mysqli Name: ess Config: /var/www/html/ess/includes/../timetrex.ini.php Demo Mode: 0
DEBUG [L0163] [27ms]: TTDate::setTimeZone(): Setting TimeZone: Australia/Melbourne
DEBUG [L0224] [28ms]: [Function](): Handling JSON Call To API Factory: APIAuthentication Method: Login Message ID: 0bdac497-c624-318d-0f19-6060ad67c6c5
DEBUG [L0259] [28ms] Array: [Function](): Arguments: (Size: 41)
array(2) {
[0]=>
string(4) "guru"
[1]=>
string(9) "********"
}


DEBUG [L0283] [31ms]: [Function](): No SessionID or calling non-authenticated function...
DEBUG [L0462] [32ms]: TTi18n::chooseBestLocale(): Choosing Best Locale...
DEBUG [L0433] [32ms]: TTi18n::getBrowserLanguage(): HTTP_ACCEPT_LANGUAGE: en-US,en;q=0.8
DEBUG [L0516] [32ms]: TTi18n::chooseBestLocale(): cSetting Locale: en_US
DEBUG [L0371] [32ms]: TTi18n::setLocale(): Generated/Passed In Locale: en_US
DEBUG [L0300] [32ms]: TTi18n::generateLocale(): Array of Locales to try in order for "en_US": en_US,en_US.UTF-8,en,en.UTF-8
DEBUG [L0258] [32ms]: TTi18n::tryLocale(): Found valid locale: en_US Default: 1
DEBUG [L0374] [32ms]: TTi18n::setLocale(): Attempting to set Locale(s) to: en_US Category: 6 Current Locale:
DEBUG [L0380] [32ms]: TTi18n::setLocale(): Setting currency/numeric Locale to: en_US
DEBUG [L0393] [36ms]: TTi18n::setLocale(): Setting translator to normalized locale: en_US
DEBUG [L0417] [36ms]: TTi18n::setLocale(): Set Master Locale To: en_US
DEBUG [L0516] [36ms]: TTi18n::chooseBestLocale(): cSetting Locale: en
DEBUG [L0371] [36ms]: TTi18n::setLocale(): Generated/Passed In Locale: en
DEBUG [L0300] [36ms]: TTi18n::generateLocale(): Array of Locales to try in order for "en": en,en.UTF-8,en_US,en_US.UTF-8
DEBUG [L0258] [36ms]: TTi18n::tryLocale(): Found valid locale: en_US Default: 1
DEBUG [L0374] [36ms]: TTi18n::setLocale(): Attempting to set Locale(s) to: en_US Category: 6 Current Locale: en_US
DEBUG [L0537] [36ms]: TTi18n::chooseBestLocale(): Unable to find and set a locale.
DEBUG [L0082] [36ms]: unauthenticatedInvokeService(): Handling UNAUTHENTICATED JSON Call To API Factory: APIAuthentication Method: Login Message ID: 0bdac497-c624-318d-0f19-6060ad67c6c5
DEBUG [L0054] [38ms]: APIAuthentication::Login(): User Name: guru Password Length: 9 Type: USER_NAME
DEBUG [L0608] [38ms]: Authentication::Login(): Login Type: USER_NAME
DEBUG [L0686] [53ms]: Authentication::Login(): Login Failed! Attempt: 2
DEBUG [L0828] [1063ms]: Validator::Error(): Validation Error: Label: user_name Value: "0" Msg: User Name or Password is incorrect
DEBUG [L0341] [1063ms] Array: APIFactory::returnHandler(): returnHandler v2 ERROR: 0
array(2) {
["api_retval"]=>
bool(false)
["api_details"]=>
array(7) {
["code"]=>
string(10) "VALIDATION"
["description"]=>
string(12) "INVALID DATA"
["record_details"]=>
array(3) {
["total"]=>
int(1)
["valid"]=>
int(0)
["invalid"]=>
int(1)
}
["user_generic_status_batch_id"]=>
bool(false)
["request"]=>
bool(false)
["pager"]=>
bool(false)
["details"]=>
array(1) {
[0]=>
array(1) {
["user_name"]=>
array(1) {
[0]=>
string(34) "User Name or Password is incorrect"
}
}
}
}
}


DEBUG [L0093] [1064ms]: ProgressBar::start(): start: '0bdac497-c624-318d-0f19-6060ad67c6c5' Iterations: 9999 Update Iterations: 9999 Key: 0bdac497-c624-318d-0f19-6060ad67c6c5(1431342104.3406) Message: INVALID DATA
DEBUG [L0287] [1064ms]: [Function](): Server Response Time: 1.0639040470123
---------------[ 11-May-2015 21:01:44 +1000 [1431342104.341] (PID: 6406) ]---------------
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Re: LDAP not working

Post by shaunw »

It's likely that your PHP installation does not have the PHP-LDAP module enabled.
oyeaussie
Posts: 9
Joined: Mon May 11, 2015 4:04 am

Re: LDAP not working

Post by oyeaussie »

Hello Shaun,

PHP-ldap is installed, as the server also hosts other sites that have Joomla, etc. that have LDAP working.

-bash-4.1# rpm -qa | grep php-ldap
php-ldap-5.4.35-1.el6.remi.x86_64

I got a little further with the authentication. First, I found by reading through various forums that you need the same login on the TimeTrex system, so I created an employee account to match the user account, and now I can see LDAP logs. Second, I was binding using our root account, which was causing password comparison issues, as we have MD5 hashes on the passwords. So I went ahead and removed the bind username/pass and just use bind DN to uid. Please see the attached screenshots of our LDAP configuration, LDAP tree and logs.

---------------[ 12-May-2015 11:15:21 +1000 [1431393319.489] (PID: 24244) ]---------------
DEBUG [L0438] [12ms]: [Function](): URI: /api/json/api.php?Class=APIAuthentication&Method=Login&v=2&MessageID=83d7a6e1-5ef3-6c53-57c9-cc2b94a0d4eb IP Address: 10.8.0.11
DEBUG [L0441] [12ms]: [Function](): USER-AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36
DEBUG [L0445] [12ms]: [Function](): Version: 8.0.7 Edition: 10 Production: 1 Database: Type: mysqli Name: ess Config: /var/www/html/ess/includes/../timetrex.ini.php Demo Mode: 0
DEBUG [L0163] [38ms]: TTDate::setTimeZone(): Setting TimeZone: Australia/Melbourne
DEBUG [L0224] [40ms]: [Function](): Handling JSON Call To API Factory: APIAuthentication Method: Login Message ID: 83d7a6e1-5ef3-6c53-57c9-cc2b94a0d4eb
DEBUG [L0259] [40ms] Array: [Function](): Arguments: (Size: 41)
array(2) {
[0]=>
string(4) "guru"
[1]=>
string(9) "******"
}


DEBUG [L0283] [43ms]: [Function](): No SessionID or calling non-authenticated function...
DEBUG [L0462] [44ms]: TTi18n::chooseBestLocale(): Choosing Best Locale...
DEBUG [L0433] [44ms]: TTi18n::getBrowserLanguage(): HTTP_ACCEPT_LANGUAGE: en-US,en;q=0.8
DEBUG [L0516] [44ms]: TTi18n::chooseBestLocale(): cSetting Locale: en_US
DEBUG [L0371] [44ms]: TTi18n::setLocale(): Generated/Passed In Locale: en_US
DEBUG [L0300] [44ms]: TTi18n::generateLocale(): Array of Locales to try in order for "en_US": en_US,en_US.UTF-8,en,en.UTF-8
DEBUG [L0258] [44ms]: TTi18n::tryLocale(): Found valid locale: en_US Default: 1
DEBUG [L0374] [44ms]: TTi18n::setLocale(): Attempting to set Locale(s) to: en_US Category: 6 Current Locale:
DEBUG [L0380] [44ms]: TTi18n::setLocale(): Setting currency/numeric Locale to: en_US
DEBUG [L0393] [48ms]: TTi18n::setLocale(): Setting translator to normalized locale: en_US
DEBUG [L0417] [48ms]: TTi18n::setLocale(): Set Master Locale To: en_US
DEBUG [L0516] [48ms]: TTi18n::chooseBestLocale(): cSetting Locale: en
DEBUG [L0371] [48ms]: TTi18n::setLocale(): Generated/Passed In Locale: en
DEBUG [L0300] [48ms]: TTi18n::generateLocale(): Array of Locales to try in order for "en": en,en.UTF-8,en_US,en_US.UTF-8
DEBUG [L0258] [48ms]: TTi18n::tryLocale(): Found valid locale: en_US Default: 1
DEBUG [L0374] [48ms]: TTi18n::setLocale(): Attempting to set Locale(s) to: en_US Category: 6 Current Locale: en_US
DEBUG [L0537] [48ms]: TTi18n::chooseBestLocale(): Unable to find and set a locale.
DEBUG [L0082] [48ms]: unauthenticatedInvokeService(): Handling UNAUTHENTICATED JSON Call To API Factory: APIAuthentication Method: Login Message ID: 83d7a6e1-5ef3-6c53-57c9-cc2b94a0d4eb
DEBUG [L0054] [51ms]: APIAuthentication::Login(): User Name: guru Password Length: 9 Type: USER_NAME
DEBUG [L0608] [51ms]: Authentication::Login(): Login Type: USER_NAME
DEBUG [L0259] [71ms]: Authentication::checkCompanyStatus(): Company Status: 10
DEBUG [L0254] [74ms]: TTLDAP::authenticate(): LDAP: Host: localhost Port: 389 Bind User Name: Bind Password: Bind DN: uid=guru, ou=Active,dc=bazaari,dc=com,dc=au Base DN: ou=Active,dc=bazaari,dc=com,dc=au Bind Authentication Mode: 1 Password: y
DEBUG [L0254] [74ms]: TTLDAP::authenticate(): 8Cbmr7te
DEBUG [L0264] [74ms]: TTLDAP::authenticate(): aLDAP Bind Authentication Mode...
DEBUG [L0268] [76ms]: TTLDAP::authenticate(): bLDAP Bind Authentication Mode...
DEBUG [L0283] [77ms]: TTLDAP::authenticate(): LDAP Connection Failed!: ldap error: [49: Binding: Invalid credentials] in CONNECT(localhost, 'uid=guru, ou=Active,dc=bazaari,dc=com,dc=au', '****', ou=Active,dc=bazaari,dc=com,dc=au)

DEBUG [L0287] [77ms]: TTLDAP::authenticate(): LDAP Filter User:
DEBUG [L0364] [77ms]: TTLDAP::authenticate(): LDAP authentication result: 0 Total Time: 0.0036931037902832s
DEBUG [L0815] [77ms]: UserFactory::checkPassword(): LDAP authentication failed, falling back to local password...
DEBUG [L1661] [80ms]: Factory::StartTransaction(): StartTransaction(): Transaction Count: 0 Trans Off: 0
DEBUG [L1727] [80ms]: Factory::Save(): Calling preSave()
DEBUG [L1765] [80ms]: Factory::Save(): Insert ID: 864 Table: system_log
DEBUG [L1639] [80ms]: Factory::getInsertQuery(): Insert
DEBUG [L1671] [87ms]: Factory::CommitTransaction(): CommitTransaction(): Transaction Count: 1 Trans Off: 1
DEBUG [L0091] [150ms]: TTLog::addEntry(): LogDetail Disabled... Object ID: 2 Action ID: 510 Table: users Description: LDAP Authentication failed, falling back to local password for username: guruIP Address: 10.8.0.11
DEBUG [L0686] [151ms]: Authentication::Login(): Login Failed! Attempt: 4
DEBUG [L0828] [2152ms]: Validator::Error(): Validation Error: Label: user_name Value: "0" Msg: User Name or Password is incorrect
DEBUG [L0341] [2152ms] Array: APIFactory::returnHandler(): returnHandler v2 ERROR: 0
array(2) {
["api_retval"]=>
bool(false)
["api_details"]=>
array(7) {
["code"]=>
string(10) "VALIDATION"
["description"]=>
string(12) "INVALID DATA"
["record_details"]=>
array(3) {
["total"]=>
int(1)
["valid"]=>
int(0)
["invalid"]=>
int(1)
}
["user_generic_status_batch_id"]=>
bool(false)
["request"]=>
bool(false)
["pager"]=>
bool(false)
["details"]=>
array(1) {
[0]=>
array(1) {
["user_name"]=>
array(1) {
[0]=>
string(34) "User Name or Password is incorrect"
}
}
}
}
}


DEBUG [L0093] [2153ms]: ProgressBar::start(): start: '83d7a6e1-5ef3-6c53-57c9-cc2b94a0d4eb' Iterations: 9999 Update Iterations: 9999 Key: 83d7a6e1-5ef3-6c53-57c9-cc2b94a0d4eb(1431393321.6414) Message: INVALID DATA
DEBUG [L0287] [2153ms]: [Function](): Server Response Time: 2.152685880661
---------------[ 12-May-2015 11:15:21 +1000 [1431393321.6418] (PID: 24244) ]---------------

The credentials are correct as they work on other systems just fine.
Attachments: Main Login Screen, LDAP Config, LDAP browser
oyeaussie
Posts: 9
Joined: Mon May 11, 2015 4:04 am

Re: LDAP not working

Post by oyeaussie »

Anyone with any suggestions?
oyeaussie
Posts: 9
Joined: Mon May 11, 2015 4:04 am

Re: LDAP not working

Post by oyeaussie »

So, I did more troubleshooting. Looking at the logs from LDAP, I found that the base DN that was being used for the UID was incorrect:

BIND dn="uid=guru,ou=Active,dc=bazaari,dc=com,dc=au"

Which is incorrect. So I changed the Base DN configuration on the LDAP configuration on TimeTrex to
cn=management,ou=Active,dc=bazaari,dc=com,dc=au

And this worked, I was able to bind properly and authenticate.
BIND dn="uid=guru,cn=management,ou=Active,dc=bazaari,dc=com,dc=au"

It seems like TimeTrex is not searching the subtrees for the UID. Any suggestions?
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Re: LDAP not working

Post by shaunw »

If you need to search LDAP sub-trees and re-bind based on information found that way, you have to specify a Bind Username/Password that is an Admin user with permissions to search your LDAP tree, as well as a Login attribute and Bind attribute.

Once that is specified, TimeTrex will connect to LDAP with the Bind Username/Password and search the entire tree from the BaseDN for a Login Attribute matching the employee's username. Once found, it should attempt to rebind to LDAP using the found path and the "Bind Attribute" to authenticate the password.
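The two login modes discussed in this thread, as an added example that is not TimeTrex code and not part of any post: a small in-memory model of direct bind (DN assembled from the Base DN) versus admin search followed by a rebind. The admin DN, the second user, all passwords and every function name are constructed for illustration, and rebinding with the DN of the found entry is an assumption about how the found path and Bind Attribute are combined.

```python
# Constructed directory modelled on the DNs in the thread; the admin entry,
# the second user and all passwords are made up for this example.
BASE = "ou=Active,dc=bazaari,dc=com,dc=au"
ADMIN_DN = "cn=admin,dc=bazaari,dc=com,dc=au"  # hypothetical search account
GURU_DN = "uid=guru,cn=management," + BASE
DIRECTORY = {
    ADMIN_DN: {"userPassword": "admin-secret"},
    GURU_DN: {"uid": "guru", "userPassword": "guru-secret"},
    "uid=sam,cn=sales," + BASE: {"uid": "sam", "userPassword": "sam-secret"},
}


def norm(dn):
    """Lower-case a DN and drop spaces after commas ('uid=guru, ou=Active')."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def bind(dn, password):
    """Simple bind: the exact DN must exist and the password must match (else error 49)."""
    if not password:  # an empty password would be an unauthenticated bind; always refuse
        return False
    entry = {norm(k): v for k, v in DIRECTORY.items()}.get(norm(dn))
    return entry is not None and entry["userPassword"] == password


def search_subtree(base_dn, attr, value):
    """Subtree scope: entries at or below base_dn whose attr equals value."""
    base = norm(base_dn)
    return [dn for dn, entry in DIRECTORY.items()
            if (norm(dn) == base or norm(dn).endswith("," + base))
            and entry.get(attr) == value]


def direct_bind_login(base_dn, bind_attr, username, password):
    """No search: the bind DN is assembled as <attr>=<user>,<base DN>."""
    return bind(f"{bind_attr}={username},{base_dn}", password)


def search_then_bind_login(base_dn, admin_dn, admin_pw, login_attr, username, password):
    """Admin bind, subtree search for the login attribute, then rebind as the user."""
    if not bind(admin_dn, admin_pw):
        return None
    matches = search_subtree(base_dn, login_attr, username)
    if len(matches) != 1:  # not found, or ambiguous: refuse rather than guess
        return None
    return matches[0] if bind(matches[0], password) else None
```

With the Base DN set to `ou=Active,...` the direct mode fails exactly as in the logged error 49, because no entry exists at that assembled DN, while the search mode finds the entry under `cn=management` and binds as it.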