Hi all,

I have a problem with LDAP authentication. I've followed the documentation and searched the auth issues, but I cannot find a solution.

I get this error when I test the LDAP server configuration:

Result Messages

Binding with DN for non-anonymous search (cn=public-ldap,ou=Garda1UserTS,ou=service accounts,dc=garda1,dc=tlc). Using password entered in form.
Binding with DN for non-anonymous search (cn=public-ldap,ou=Garda1UserTS,ou=service accounts,dc=garda1,dc=tlc). Using password entered in form.
Failed to bind to server. ldap error #49 Invalid credentials

this is my ldap server configuration:

Server Properties

sid = garda1pdc
name = garda1pdc
status = 1
ldap_type = ad
address = 192.168.21.1
port = 389
tls = 0
bind_method = 1
basedn = Array ( )
binddn = cn=public-ldap,ou=Garda1UserTS,ou=service accounts,dc=garda1,dc=tlc
user_dn_expression =
user_attr = sAMAccountName
mail_attr = mail
mail_template =
unique_persistent_attr = objectsid
allow_conflicting_drupal_accts = 0
ldap_to_drupal_user =
testing_drupal_username = public-ldap
group_object_category =
search_pagination = 0
search_page_size = 1000

thanks for help


Comments

johnbarclay’s picture

I would do the following:

- to make sure the credentials are correct and the binding is not restricted to a certain ip address: install an ldap client on the server such as apache's ldap client and try to bind with those credentials. This can also be done with a couple lines of php if you are a coder.

- if you are using option #4 for the binding method, try 7.x-1.x-dev as a patch was recently committed for this.

erasmo83’s picture

Thanks for the reply.

I tried with these lines of code:

<?php
$ldap = ldap_connect("garda1.tlc");
// Active Directory accepts the userPrincipalName form (user@domain) for a simple bind
$username = "public-ldap@garda1.tlc";
$password = "xxxxxx";
if ($bind = ldap_bind($ldap, $username, $password)) {
    echo "logged in";
} else {
    echo "fail";
}
echo "<br/>done";

and I logged in!

In LDAP Server configuration --> BINDING METHOD, I use "Service Account Bind."

ywarnier’s picture

Maybe it doesn't help at all, but in my case the credentials were correct but the basedn was incorrect. I had it working in a Drupal 6 install and it failed with the exact same config in Drupal 7.

The old basedn config was:

DN=Users,DC=upx,DC=edu,DC=be
OU=Usuarios,DC=upx,DC=edu,DC=be

which, again, worked in D6.

I then tried connecting to my LDAP server with a small command-line tool (shelldap) and the DN=users was nowhere to be found (but OU=Usuarios was there), so I decided to remove that line completely.

OU=Usuarios,DC=upx,DC=edu,DC=be

From then, it started working.

The only plausible explanation I found is that in D6 it uses the last line of a multiple-line basedn while in D7 it uses all of them or just the first one (for the connection, that is).

In your case you don't have two lines, but maybe updating your basedn a little would fix it?

erasmo83’s picture

Thanks for your reply. I've tried to change, in "SERVICE ACCOUNT BINDING CREDENTIALS" --> "DN for non-anonymous search",

From:
cn=public-ldap,ou=Garda1UserTS,ou=service accounts,dc=garda1,dc=tlc

to:
ou=Garda1UserTS,ou=service accounts,dc=garda1,dc=tlc

but I always get the same error: "Failed to bind to server. ldap error #49 Invalid credentials"

My current configuration is attached.

erasmo83’s picture

Sorry, I think I made a mistake.

I've made a test with an LDAP test tool:

d:\project\LDAPTest>LDAPTest.exe public-ldap
LDAP DefaultNamingContext: LDAP://DC=GARDA1,DC=TLC
objectClass = 'top'
cn = 'public-ldap'
givenName = 'public-ldap'
distinguishedName = 'CN=public-ldap,OU=service accounts,OU=Garda1UserTS,DC=GARDA1,DC=TLC'
displayName = 'public-ldap'
memberOf = 'CN=Domain Admins,CN=Users,DC=GARDA1,DC=TLC'
name = 'public-ldap'
sAMAccountName = 'public-ldap'
userPrincipalName = 'public-ldap@GARDA1.TLC'
objectCategory = 'CN=Person,CN=Schema,CN=Configuration,DC=GARDA1,DC=TLC'

I've inverted the organizational units (though in my domain controller the groups are Garda1UserTS --> service accounts).

My new LDAP configuration is:
binddn = cn=public-ldap,ou=service accounts,ou=Garda1UserTS,dc=garda1,dc=tlc

but I get a strange error:

Result Messages:
Binding with DN for non-anonymous search (cn=public-ldap,ou=service accounts,ou=Garda1UserTS,dc=garda1,dc=tlc). Using password stored in configuration
Binding with DN for non-anonymous search (cn=public-ldap,ou=service accounts,ou=Garda1UserTS,dc=garda1,dc=tlc). Using password stored in configuration
Successfully bound to server
Failed to find test user public-ldap by searching on sAMAccountName = public-ldap. Error Message: Success
johnbarclay’s picture

Sounds like it can't find the user in the search. In your php, can you do an ldap search (see. http://us3.php.net/ldap_search) where the filter is (&(sAMAccountName="public-ldap") successfully?

erasmo83’s picture

I've tried with this code:

<?php

  $SearchFor   = "public-ldap";    // What string do you want to find?
  $SearchField = "sAMAccountName"; // In what Active Directory field do you want to search for the string?

  $LDAPHost         = "192.168.21.1";      // Your LDAP server DNS name or IP address
  $dn               = "OU=service accounts,OU=Garda1UserTS,DC=GARDA1,DC=TLC"; // Put your base DN here
  $LDAPUserDomain   = "@garda1.tlc";       // Needs the @, but not always the same as the LDAP server domain
  $LDAPUser         = "public-ldap";       // A valid Active Directory login
  $LDAPUserPassword = "xxxxxx";
  $LDAPFieldsToFind = array("cn", "givenname", "samaccountname", "homedirectory", "telephonenumber", "mail");

  $cnx = ldap_connect($LDAPHost) or die("Could not connect to LDAP");
  ldap_set_option($cnx, LDAP_OPT_PROTOCOL_VERSION, 3); // Set the LDAP protocol version used by your AD service
  ldap_set_option($cnx, LDAP_OPT_REFERRALS, 0);        // This was necessary for my AD to do anything
  ldap_bind($cnx, $LDAPUser . $LDAPUserDomain, $LDAPUserPassword) or die("Could not bind to LDAP");
  error_reporting(E_ALL ^ E_NOTICE);      // Suppress some unnecessary messages
  $filter = "($SearchField=$SearchFor*)"; // Wildcard is *; remove it if you want an exact match
  $sr   = ldap_search($cnx, $dn, $filter, $LDAPFieldsToFind);
  $info = ldap_get_entries($cnx, $sr);

  for ($x = 0; $x < $info["count"]; $x++) {
    $sam   = $info[$x]['samaccountname'][0];
    $giv   = $info[$x]['givenname'][0];
    $tel   = $info[$x]['telephonenumber'][0];
    $email = $info[$x]['mail'][0];
    $nam   = $info[$x]['cn'][0];
    $dir   = strtolower($info[$x]['homedirectory'][0]);
    print "\nActive Directory says that:<br />";
    print "CN is: $nam <br />";
    print "SAMAccountName is: $sam <br />";
    print "Given Name is: $giv <br />";
    print "Telephone is: $tel <br />";
    print "Home Directory is: $dir <br />";
  }
  if ($x == 0) { print "Oops, $SearchField $SearchFor was not found. Please try again.\n"; }

?>

I get this:

Active Directory says that:
CN is: public-ldap
SAMAccountName is: public-ldap
Given Name is: public-ldap
Telephone is:
Home Directory is: 
ywarnier’s picture

Well, the error seems clear to me:

  • It could connect to the server (this part alone is already one step further)
  • It searched successfully for "public-ldap"
  • It didn't find it ("Failed to find"), probably simply because it doesn't exist there... try using one single OU, maybe? Your next test seems fine indeed. Must be something about *where* it searches for that user
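The last few comments turn on two things that can be checked offline before the module is blamed: whether the configured bind DN is the same DN as the account's real distinguishedName (RDN order matters, letter case and spacing do not), and whether that account sits inside the subtree the module is told to search. The following is an added example, not code from the thread or from the Drupal LDAP module; the DN values are the ones quoted above, and the parsing rules (RFC 4514 string form, case-insensitive matching for cn/ou/dc values) and helper names are my own assumptions about how a directory server compares DNs.

```python
"""Offline DN sanity checks for an LDAP server configuration (added example).

DN strings below are the ones quoted in the thread; the rest is assumed.
"""


def parse_dn(dn):
    """Split a DN string into a list of (attribute, value) RDNs, most
    specific first, as they appear in the string form (RFC 4514).
    Backslash-escaped characters are unescaped; multi-valued RDNs ('+')
    are not needed for the DNs in this thread and are not handled."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped comma, equals, etc.
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        # cn/ou/dc use case-insensitive matching; collapse internal whitespace too
        rdns.append((attr.strip().lower(), " ".join(value.split()).lower()))
    return rdns


def same_dn(a, b):
    """True if the two DN strings name the same entry."""
    return parse_dn(a) == parse_dn(b)


def is_under(entry_dn, base_dn):
    """True if entry_dn lies in the subtree rooted at base_dn, i.e. a
    subtree search from base_dn could return it."""
    e, b = parse_dn(entry_dn), parse_dn(base_dn)
    return len(e) >= len(b) and e[len(e) - len(b):] == b


def diagnose(bind_dn, actual_dn, base_dns):
    """Return a list of findings for a server configuration: the binddn the
    module will use, the account's distinguishedName as the directory reports
    it, and the list of configured basedn values."""
    findings = []
    if not same_dn(bind_dn, actual_dn):
        findings.append("binddn does not match the account's distinguishedName "
                        "(check RDN order and spelling)")
    if not base_dns:
        findings.append("basedn is empty: no subtree is configured for the user search")
    elif not any(is_under(actual_dn, b) for b in base_dns):
        findings.append("account lies outside every configured basedn; "
                        "the user search cannot find it")
    return findings


# DN reported by the test tool (distinguishedName attribute) and the two binddn
# values tried in the thread.
ACTUAL_DN = "CN=public-ldap,OU=service accounts,OU=Garda1UserTS,DC=GARDA1,DC=TLC"
ORIGINAL_BINDDN = "cn=public-ldap,ou=Garda1UserTS,ou=service accounts,dc=garda1,dc=tlc"
CORRECTED_BINDDN = "cn=public-ldap,ou=service accounts,ou=Garda1UserTS,dc=garda1,dc=tlc"

if __name__ == "__main__":
    for label, bind, bases in [
        ("original config", ORIGINAL_BINDDN, []),            # basedn = Array ( )
        ("inverted OUs", CORRECTED_BINDDN, []),
        ("inverted OUs + basedn", CORRECTED_BINDDN, ["dc=garda1,dc=tlc"]),
    ]:
        print(label + ":", diagnose(bind, ACTUAL_DN, bases) or ["no findings"])
```

Run stand-alone, the first configuration is flagged twice (wrong RDN order and an empty basedn), the inverted-OU binddn is flagged only for the empty basedn, and adding `dc=garda1,dc=tlc` as basedn clears both findings. The thread's eventual root cause (the WAMP stack) is outside what a DN check can see, but these two checks separate "wrong DN" from "wrong search base" without touching the server.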
erasmo83’s picture

Hi, I've made these tests without success

cn=public-ldap,ou=service accounts,ou=Garda1UserTS,dc=garda1,dc=tlc

Result Messages

    Binding with DN for non-anonymous search (cn=public-ldap,ou=service accounts,ou=Garda1UserTS,dc=garda1,dc=tlc). Using password stored in configuration
    Binding with DN for non-anonymous search (cn=public-ldap,ou=service accounts,ou=Garda1UserTS,dc=garda1,dc=tlc). Using password stored in configuration
    Successfully bound to server
    Failed to find test user public-ldap by searching on sAMAccountName = public-ldap. Error Message: Success

cn=public-ldap,dc=garda1,dc=tlc

Result Messages

    Binding with DN for non-anonymous search (cn=public-ldap,dc=garda1,dc=tlc). Using password stored in configuration
    Binding with DN for non-anonymous search (cn=public-ldap,dc=garda1,dc=tlc). Using password stored in configuration
    Failed to bind to server. ldap error #49 Invalid credentials

cn=public-ldap,ou=Garda1UserTS,dc=garda1,dc=tlc

Result Messages

    Binding with DN for non-anonymous search (cn=public-ldap,ou=Garda1UserTS,dc=garda1,dc=tlc). Using password stored in configuration
    Binding with DN for non-anonymous search (cn=public-ldap,ou=Garda1UserTS,dc=garda1,dc=tlc). Using password stored in configuration
    Failed to bind to server. ldap error #49 Invalid credentials

cn=public-ldap,ou=Garda1UserTS,ou=service accounts,dc=garda1,dc=tlc

Result Messages

    Binding with DN for non-anonymous search (cn=public-ldap,ou=Garda1UserTS,ou=service accounts,dc=garda1,dc=tlc). Using password stored in configuration
    Binding with DN for non-anonymous search (cn=public-ldap,ou=Garda1UserTS,ou=service accounts,dc=garda1,dc=tlc). Using password stored in configuration
    Failed to bind to server. ldap error #49 Invalid credentials
erasmo83’s picture

I found the cause of the problem: WampServer Version 2.1.
With the same configuration on a Linux machine everything worked fine.
Drupal was not at fault; thank you for the support.

johnbarclay’s picture

Status: Active » Fixed

Thank you for figuring out the problem. LDAP is a pain.

ywarnier’s picture

Translation: the problem was due to WampServer Version 2.1. On a Linux server, it ran fine. The Drupal module was not the problem.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

scsbns001’s picture

Just installed the latest stable version for Drupal 7 ldap-7.x-1.0-beta11.

I'm getting this same error on the "Test LDAP Server Configuraion" (just saw the missing T) --

    Binding with DN for non-anonymous search (cn=ldapsearch,dc=bus,dc=local). Using password entered in form.
    Binding with DN for non-anonymous search (cn=ldapsearch,dc=bus,dc=local). Using password entered in form.
    Failed to bind to server. ldap error #49 Invalid credentials

Server Properties

  • sid = bus-server2
  • name = bus-server2
  • status = 1
  • ldap_type = ad
  • address = 10.0.0.2
  • port = 389
  • tls = 0
  • bind_method = 1
  • basedn = Array ( [0] => dc=bus,dc=local )
  • binddn = cn=ldapsearch,dc=bus,dc=local
  • user_dn_expression =
  • user_attr = sAMAccountName
  • account_name_attr =
  • mail_attr = mail
  • mail_template =
  • unique_persistent_attr =
  • allow_conflicting_drupal_accts = 0
  • ldap_to_drupal_user =
  • testing_drupal_username =
  • group_object_category =
  • search_pagination = 0
  • search_page_size = 1000

Apparently, the LDAP is configured so that there is an entry for user "ldapsearch" that authentication must go through to actually bind to the server. I think I understand that correctly?

Yet, LDAP is going to be used both for individual authentication and to control access to the Active Directory documents that the individuals will see.

Sounded like a simple project, at the beginning.

johnbarclay’s picture

In the ldap configuration, an "ldap server" is just a server configuration. If you need different bindings for different use cases (authentication, provisioning, etc.) you are probably using the correct approach. Just add additional ldap server configurations with different base DNs, binding methods and accounts as appropriate.

Does this make sense for what you are trying to do? It really depends on how your ldap is setup.

ywarnier’s picture

Once I was sure my config was perfect, and after hours of the same kind of problem driving me crazy, I followed the recommendation in http://drupal.org/node/1623008#comment-6099148 (by John) to completely remove the module, and it suddenly started working.

Just saying... it might not work, but it's definitely worth a shot.

Shaynes’s picture

Priority: Normal » Major
Status: Closed (fixed) » Needs work

Hi all,

I am a beginner in the Drupal community, and I am researching network configuration. When I was trying to configure LDAP in Drupal 7, I followed the instruction from .

I tried to test with the LDAP test tool against the LDAP server, and it connected, but when testing with the parameters in the Configure Drupal picture, I tried filling in the password with a blank or with the password of users in the DC; it did not work and produced the result in the result message picture.

I also had a question: does a Certificate Authority need to be installed to configure LDAP successfully?

Please help me to solve it.

Thank you

P/S: Sorry if my English is not good.

johnbarclay’s picture

Status: Needs work » Closed (fixed)
akeel123’s picture

Hi,

Thank you for your support regarding LDAP server and Active Directory.