My reading of the code is that without TLS you will see this warning in the log, but it is an informational warning only. The code should still progress normally even if the ldap_start_tls() command fails.
If you are comfortable modifying PHP, we could add some additional warnings to indicate why the authentication is failing.
Ok @ctgraham, I could do that. We could try it. What should I do?
In the section which actually performs the authentication, we’ll add some extra logging:
```php
// try to connect
$ldapConn = $this->_plugin->_getLdapResource($ldapUrl);
// try anonymous bind
$ldapBind = null;
if (!$ldapBindUser && !$ldapBindPassword)
{
    $ldapBind = ldap_bind($ldapConn);
}
// try admin bind
else
{
    $ldapBind = ldap_bind($ldapConn, $ldapBindUser, $ldapBindPassword);
}
if ($ldapBind)
{
    $ldapFilter = str_replace('%USER%', $username, $ldapFilter);
    $ldapSearchResult = ldap_search($ldapConn, $ldapSuffix, $ldapFilter, ['dn', 'givenName', 'sn', 'mail', 'telephoneNumber']);
    $data = ldap_get_entries($ldapConn, $ldapSearchResult);
    // ... (excerpt truncated)
```
The added lines will be error_log(...):

```php
// try to connect
$ldapConn = $this->_plugin->_getLdapResource($ldapUrl);
// try anonymous bind
$ldapBind = null;
if (!$ldapBindUser && !$ldapBindPassword)
{
    error_log('binding anonymous');
    $ldapBind = ldap_bind($ldapConn);
}
// try admin bind
else
{
    error_log('binding with password');
    $ldapBind = ldap_bind($ldapConn, $ldapBindUser, $ldapBindPassword);
}
if ($ldapBind)
{
    error_log('bound');
    $ldapFilter = str_replace('%USER%', $username, $ldapFilter);
    $ldapSearchResult = ldap_search($ldapConn, $ldapSuffix, $ldapFilter, ['dn', 'givenName', 'sn', 'mail', 'telephoneNumber']);
    $data = ldap_get_entries($ldapConn, $ldapSearchResult);
    // found in ldap, so
    error_log(isset($data['count']) ? 'count: '.$data['count'] : 'no count');
    if (isset($data['count']) && $data['count'] == 1)
    {
        $data = $data[0];
        $givenName = $data['givenname'][0] ?? null;
        $sn = $data['sn'][0] ?? null;
        // test password
        if (@ldap_bind($ldapConn, $data['dn'], $input['password']))
        {
            error_log('bound as '.$data['dn']);
            $authDao = DAORegistry::getDAO('AuthSourceDAO');
            $this->defaultAuth = $authDao->getDefaultPlugin();
            // test if user exists in database
            $userDao = DAORegistry::getDAO('UserDAO');
            $user = $userDao->getByUsername($username);
            if ($user)
            {
                // log the username string, not the User object (which cannot be converted to a string)
                error_log('found '.$username);
                $user = $this->_updateUserInfoFromLDAP($userDao, $user, $input['password'], $data['mail'][0], $givenName, $sn, $data['telephonenumber'][0] ?? null, $data['streetaddress'][0] ?? null);
            }
            // user doesn't exist so create it in database
            else
            {
                // $user is null in this branch, so log the username being created
                error_log('creating '.$username);
                $user = $this->_registerFromLDAP($userDao, $username, $input['password'], $data['mail'][0], $givenName, $sn, $data['telephonenumber'][0] ?? null, $data['streetaddress'][0] ?? null);
            }
            // add user to default group so user will show up in "user & roles"
            if ($user)
            {
                error_log('check roles');
                $roles = $user->getRoles($this->_contextId);
                if (count($roles) == 0)
                {
                    $userGroupDao = DAORegistry::getDAO('UserGroupDAO');
                    $defaultReaderGroup = $userGroupDao->getDefaultByRoleId($this->_contextId, ROLE_ID_READER);
                    if ($defaultReaderGroup) $userGroupDao->assignUserToGroup($user->getId(), $defaultReaderGroup->getId(), $this->_contextId);
                }
            }
            error_log('try login');
            $result = Validation::login($username, $input['password'], $reason, $input['remember']);
            error_log($result ? 'success' : 'failure');
            if ($result)
                return $this->_redirectAfterLogin($request);
        }
        Validation::logout();
    }
}
```
These additional messages should then appear in your PHP error log.
This is what comes out in my php_error.log:

```
[22-Jul-2019 18:07:49 UTC] binding with password
[22-Jul-2019 18:07:49 UTC] bound
[22-Jul-2019 18:07:49 UTC] count: 0
```
It is not finding a match for your user with the baseDN and filter you have selected. Can you share these?
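A stand-alone CLI check of the same bind, search and count steps the plugin performs, added here as an example (it is not the plugin's code or anything posted in this thread). Every server name, DN and credential in it is a constructed placeholder; it prints the substituted filter and the server's own diagnostic text so a "count: 0" can be traced to the filter or the base DN, and it escapes the username before substituting it into the filter.

```php
<?php
// Added example, not from the OJS LDAP plugin. All values are constructed placeholders.
$ldapUrl          = 'ldap://ldap.example.test';      // placeholder server
$ldapBindUser     = 'cn=reader,dc=example,dc=test';  // placeholder service account
$ldapBindPassword = 'REPLACE_ME';                    // placeholder
$ldapSuffix       = 'ou=people,dc=example,dc=test';  // base DN, as configured in the plugin
$ldapFilter       = '(uid=%USER%)';                  // same %USER% token the plugin substitutes
$username         = 'jdoe';                          // the login being tested

// Report the last result text plus the server's diagnostic message, which
// often names the DN or attribute the server objected to.
function ldapDiag($conn, string $step): void {
    $diag = '';
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    error_log(sprintf('%s: %s%s', $step, ldap_error($conn), $diag !== '' ? " ($diag)" : ''));
}

$conn = ldap_connect($ldapUrl);
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

// Like the plugin, treat a StartTLS failure as a warning, not a stop.
if (!@ldap_start_tls($conn)) {
    ldapDiag($conn, 'start_tls failed, continuing without TLS');
}

if (!@ldap_bind($conn, $ldapBindUser, $ldapBindPassword)) {
    ldapDiag($conn, 'service bind failed');
    exit(1);
}

// Escape the username so characters such as '*' or ')' are matched literally
// instead of altering the structure of the filter.
$filter = str_replace('%USER%', ldap_escape($username, '', LDAP_ESCAPE_FILTER), $ldapFilter);
error_log("base DN: $ldapSuffix");
error_log("filter:  $filter");

$result = @ldap_search($conn, $ldapSuffix, $filter, ['dn', 'mail']);
if ($result === false) {
    ldapDiag($conn, 'search failed');   // "No such object" here points at a wrong base DN
    exit(1);
}
$count = ldap_count_entries($conn, $result);
error_log("count: $count");            // 0 after a successful search means the filter matched nothing
foreach (ldap_get_entries($conn, $result) as $i => $entry) {
    if (is_int($i)) error_log('  ' . $entry['dn']);
}
```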
Good news!! I have already achieved authentication through the LDAP plugin! The error I had was in the LDAP filter.
Thank you @ctgraham for the time you dedicated to me!!
A question to finish: can I also change my LDAP password through the plugin?
Not directly. The purpose of the “Self Service URL” is to point a user to a place where they can change/reset their password.