Zend Framework

Binding problem

Details

  • Type: Bug
  • Status: Resolved
  • Priority: Blocker
  • Resolution: Fixed
  • Affects Version/s: 1.9.6
  • Fix Version/s: 1.10.1
  • Component/s: Zend_Auth_Adapter_Ldap
  • Labels:
    None

Description

Hello!

Again a problem with Zend_Auth_Adapter_Ldap. In ZF version 1.9.5 the problem was retrieving the LDAP object after the user authenticated.

In ZF version 1.9.6, Zend_Auth_Adapter_Ldap has a call to bind without parameters, and that just doesn't do the job.

Zend_Auth_Adapter_Ldap

#323 $ldap->bind();

When commenting this line, Zend_Auth_Adapter_Ldap works!

Activity

Stephen Rees-Carter added a comment -

I have the same problem - commenting out that line solved it for me as well.

Stefan Gehrig added a comment -

I'll have a look into this. As far as I can remember, there has been a problem that required rebinding with the default user/password to retrieve user account information or check group membership status.

Could you please check if the most recent version from the SVN trunk shows the same behaviour?

As a workaround, could you please try setting a username/password in the Zend_Auth_Ldap configuration with which Zend_Ldap would be able to access the user account object?

Which LDAP server are you authenticating against?

Rodrigo Novelo Primolan added a comment -

Yes, there was a problem and it was mentioned by me.

The problem was to order the object LDAP after authentication. After verification, the problem remained, being resolved as explained in the description of this error.

I'm authenticating users on the Microsoft Active Directory.

Stephen Rees-Carter added a comment -

I am also trying to authenticate against Microsoft Active Directory, and the latest version in SVN trunk still has the same problem.

My configuration is:

server.host = "ahq.net.au"
server.password = "********"
server.accountDomainName = "ahq.net.au"
server.accountCanonicalForm = 4
server.baseDn = "DC=ahq,DC=net,DC=au"

Is this simply a case of us using the wrong configuration, or is there a bug that needs to be fixed?

Rodrigo Novelo Primolan added a comment -

Maybe it's a problem with your configuration.

The problem with this component is about retrieving information after authentication (connecting, at least for me, is ok).

Try the workaround described here.

Stephen Rees-Carter added a comment -

Yes, the work-around works fine for me (i.e. commenting out that line).

The error I am getting when I use the latest version is:

object(Zend_Auth_Result)#113 (3) {
["_code:protected"] => int(0)
["_identity:protected"] => string(6) "s.rees"
["_messages:protected"] => array(6) {
[0] => string(30) "An unexpected failure occurred"
[1] => string(227) "0x1 (Operations error; 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece): searching: (&(objectClass=user)(sAMAccountName=s.rees))"
[2] => string(109) "host=ahq.net.au,password=*****,accountDomainName=ahq.net.au,accountCanonicalForm=4,baseDn=DC=ahq,DC=net,DC=au"
[3] => string(294) "/var/www/development/workspaces/s.rees/library/Zend/Ldap.php(916): 0x1 (Operations error; 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece): searching: (&(objectClass=user)(sAMAccountName=s.rees))"
[4] => string(1681) "#0 /var/www/development/workspaces/s.rees/library/Zend/Ldap.php(631): Zend_Ldap->search('(&(objectClass=...', 'DC=ahq,DC=net,D...', 1, Array)
#1 /var/www/development/workspaces/s.rees/library/Zend/Ldap.php(503): Zend_Ldap->_getAccount('s.rees', Array)
#2 /var/www/development/workspaces/s.rees/library/Zend/Ldap.php(570): Zend_Ldap->_getAccountDn('s.rees@ahq.net....')
#3 /var/www/development/workspaces/s.rees/library/Zend/Auth/Adapter/Ldap.php(324): Zend_Ldap->getCanonicalAccountName('s.rees@ahq.net....', 1)
#4 /var/www/development/workspaces/s.rees/library/Zend/Auth.php(117): Zend_Auth_Adapter_Ldap->authenticate()
#5 /var/www/development/workspaces/s.rees/domsys08/webapp/application/controllers/IndexController.php(500): Zend_Auth->authenticate(Object(Zend_Auth_Adapter_Ldap))
#6 /var/www/development/workspaces/s.rees/domsys08/webapp/application/controllers/IndexController.php(342): IndexController->loginAsStaff('s.rees', '*****')
#7 /var/www/development/workspaces/s.rees/domsys08/webapp/application/controllers/IndexController.php(279): IndexController->doLogin(Object(Zend_Form))
#8 /var/www/development/workspaces/s.rees/library/Zend/Controller/Action.php(513): IndexController->loginAction()
#9 /var/www/development/workspaces/s.rees/library/Zend/Controller/Dispatcher/Standard.php(289): Zend_Controller_Action->dispatch('loginAction')
#10 /var/www/development/workspaces/s.rees/library/Zend/Controller/Front.php(946): Zend_Controller_Dispatcher_Standard->dispatch(Object(Zend_Controller_Request_Http), Object(Zend_Controller_Response_Http))
#11 /var/www/development/workspaces/s.rees/domsys08/webapp/html/index.php(99): Zend_Controller_Front->dispatch()
#12 {main}"
[5] => string(257) "s.rees authentication failed: 0x1 (Operations error; 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece): searching: (&(objectClass=user)(sAMAccountName=s.rees))"
}
}

I don't really understand LDAP, so I am not sure what is happening...

Rodrigo Novelo Primolan added a comment -

You must bind username and password before every search to perform it.

Try:

$ldap->bind($username, $password);
$ldap->search(...)
Stefan Gehrig added a comment -

Should be fixed in trunk (r21008) and in 1.10-release branch (r21009)

At least we're not re-authenticating with an empty $ldap->bind(). This requires the authenticated user to be allowed to retrieve its own LDAP entry (should be no problem), but this also requires the authenticated user to be able to check its own group membership status if the group membership feature is used.

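The bind sequence discussed in this thread, as an added PHP model that is not Zend Framework code and not part of any comment above. `ModelLdapConnection`, `authenticate()` and the `svc-lookup` account are hypothetical, and the model assumes a directory that rejects searches on a connection with no successful bind, as the Active Directory error above reports.

```php
<?php
// Model of one LDAP connection (not Zend_Ldap). Like the Active Directory
// server in this thread, it refuses a search unless a bind has succeeded.
class ModelLdapConnection
{
    private $boundAs = null; // identity the connection currently acts as
    // $accounts: constructed account => password map; $defaults: configured [user, pass] or null.
    public function __construct(private array $accounts, private ?array $defaults = null) {}
    // bind() without arguments falls back to the configured credentials;
    // with none configured the connection is left unauthenticated.
    public function bind($username = null, $password = null)
    {
        $this->boundAs = null; // every bind replaces the previous identity
        if ($username === null && $this->defaults === null) {
            return $this;
        }
        [$username, $password] = $username === null ? $this->defaults : [$username, $password];
        $known = $this->accounts[$username] ?? null;
        if ($known === null || !hash_equals($known, (string) $password)) {
            throw new RuntimeException('Invalid credentials');
        }
        $this->boundAs = $username;
        return $this;
    }
    public function search($account)
    {
        if ($this->boundAs === null) {
            throw new RuntimeException('Operations error: a successful bind must be completed');
        }
        return "entry of $account read as {$this->boundAs}";
    }
}
// $rebind = true: 1.9.6 flow with the empty bind(); false: flow after the fix.
function authenticate(ModelLdapConnection $ldap, $user, $pass, $rebind)
{
    try {
        $ldap->bind($user, $pass);   // checks the user's password
        if ($rebind) {
            $ldap->bind();           // the call reported at line #323
        }
        return $ldap->search($user); // runs as whoever is bound now
    } catch (RuntimeException $e) {
        return 'FAILURE: ' . $e->getMessage();
    }
}
$accounts = ['s.rees' => 'constructed-pw', 'svc-lookup' => 'constructed-svc-pw'];
$svc = ['svc-lookup', 'constructed-svc-pw'];
echo authenticate(new ModelLdapConnection($accounts), 's.rees', 'constructed-pw', true), "\n";
echo authenticate(new ModelLdapConnection($accounts, $svc), 's.rees', 'constructed-pw', true), "\n";
echo authenticate(new ModelLdapConnection($accounts), 's.rees', 'constructed-pw', false), "\n";
```

The first call fails at the search because the empty bind() left the connection unauthenticated, and the second succeeds but reads the entry as `svc-lookup`. The third reads it as `s.rees`, which is why the fixed flow depends on users being allowed to read their own entry.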
