This repository has been archived by the owner on May 17, 2021. It is now read-only.

Authentication failed if DN updated #104

Open
jonag opened this issue Sep 7, 2015 · 8 comments

Comments

@jonag

jonag commented Sep 7, 2015

Hi,

This morning I could not connect to my application, which uses this bundle to retrieve the users from our LDAP.

I found this error in the logs of the application:

DEBUG - 0x31 (Invalid credentials; 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1): CN=Jonathan GONÇALVES,OU=Stagiaires,OU=A5Sys,OU=A5 Groupe,DC=A5GROUPE,DC=local

After some research I found that my DN field in the LDAP had been changed to CN=Jonathan GONÇALVES,OU=A5Sys,OU=A5 Groupe,DC=A5GROUPE,DC=local, and since I store this field in the database the authentication didn't work.

I had to manually update the field in the database to be able to connect again.

Because the field can be changed for various reasons (for example a change of position), is there a way to prevent this issue? (Other than not storing the field in the database.)

Thanks!

(I'm using version 2.0.0 of the bundle with PHP 7.0.0RC1 or PHP 5.6.4 and Symfony 2.7.3.)

@Maks3w
Owner

Maks3w commented Sep 7, 2015

Probably a solution could be: if the authentication fails due to a missing DN, then perform an LDAP search without the cached DN.

@jonag
Author

jonag commented Sep 7, 2015

Yes, but the error doesn't seem to be "Missing DN" but "Invalid credentials". I have no experience with LDAP; is there a way to distinguish the two errors?

If so I can try to fix that during this week.

@Maks3w
Owner

Maks3w commented Sep 7, 2015

For security reasons ldap_bind doesn't disclose which parameter is wrong.

So:

  1. You can avoid persisting the DN in your database. If the DN is null the bundle automatically performs a search each time.
  2. Create a patch to perform an ldap_search when ldap_bind fails and retry ldap_bind with the DN found.

@Sullivan-Malher

Hi,

I have the same problem.
Can you describe the solution to bypass the problem?

Thanks!

@TomKrakott

TomKrakott commented Apr 12, 2017

Hello,
Still the same errors in v3.
Is there any possibility to give us more details on how to bypass this problem?

Thanks

@TomKrakott

OK so ... workaround ...
I've dropped the DN from my database (not from the entity, of course):

    // no ORM mapping annotation here, so the DN stays in the entity but is not persisted
    /**
     * nothing here
     */
    private $dn;

And in LdapAuthenticationProvider.php, I've replaced this line:

            if (!$this->ldapManager->bind($user, $presentedPassword)) {
                throw new BadCredentialsException('The presented password is invalid TOTORO.');
            }

By:

            // look the user up again by username so the bind uses the current DN
            $updatedUser = $this->ldapManager->findUserByUsername($user->getUsername());

            if (!$this->ldapManager->bind($updatedUser, $presentedPassword)) {
                throw new BadCredentialsException('The presented password is invalid TOTORO.');
            }

It's a bad workaround, but it works. I had to clone FR3DLdapBundle first.

Bye :)

@Sullivan-Malher

It works perfectly.
Thank you for your help!

@TomKrakott

I've just seen that TOTORO is in my code. Forget it, sorry 😄
Things always look better in the morning.

Because the DN was removed from the database, each login would fail and trigger an update of the DN.
I've changed my code to replace this line:

    protected function checkAuthentication(UserInterface $user, UsernamePasswordToken $token)
    {
        $currentUser = $token->getUser();
        ...

To:

    protected function checkAuthentication(UserInterface $user, UsernamePasswordToken $token)
    {
        // resolve the user from LDAP by username instead of trusting the DN cached in the token
        $currentUser = $this->ldapManager->findUserByUsername($user->getUsername());
        ...

Good coding ...
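To make the two suggestions in this thread concrete (Maks3w's "search when ldap_bind fails and retry with the DN found", and TomKrakott's re-lookup by username), here is an added example written against PHP's ext/ldap functions directly. It is not code from FR3DLdapBundle; the function name, the service account used for the search, and the `sAMAccountName` filter are assumptions. It binds with the cached DN first, re-resolves the DN by username only when that bind fails, and retries only if the DN actually changed, so a wrong password still produces exactly one failure and the caller learns the fresh DN to persist.

```php
<?php
// Added example, not part of FR3DLdapBundle. Hypothetical function; the
// service account and the sAMAccountName filter are assumptions.
declare(strict_types=1);

/**
 * Try to bind as the user. Returns the DN that worked (so the caller can
 * update its cached copy), or null when the credentials are invalid.
 */
function authenticateWithDnRefresh(
    string $host,
    string $baseDn,
    string $serviceDn,        // service account used only for the search
    string $servicePassword,
    string $username,         // value of sAMAccountName (assumed attribute)
    ?string $cachedDn,        // DN stored in the application database, may be stale
    string $presentedPassword
): ?string {
    // An empty password must never reach ldap_bind: Active Directory and
    // other servers treat it as an unauthenticated bind that succeeds.
    if ($presentedPassword === '') {
        return null;
    }

    $ldap = ldap_connect($host);
    if ($ldap === false) {
        throw new RuntimeException('Cannot create LDAP link');
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // 1. Fast path: bind with the cached DN.
    if ($cachedDn !== null && @ldap_bind($ldap, $cachedDn, $presentedPassword)) {
        return $cachedDn;
    }

    // 2. The server does not say whether the DN or the password was wrong
    //    (data 52e covers both), so re-resolve the DN by searching for the
    //    username under the service account.
    if (!@ldap_bind($ldap, $serviceDn, $servicePassword)) {
        throw new RuntimeException('Service bind failed: ' . ldap_error($ldap));
    }
    // Escape the username so user input cannot alter the search filter.
    $filter = sprintf('(sAMAccountName=%s)', ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $result = ldap_search($ldap, $baseDn, $filter, ['dn'], 0, 2);
    if ($result === false) {
        throw new RuntimeException('Search failed: ' . ldap_error($ldap));
    }
    $entries = ldap_get_entries($ldap, $result);
    if ($entries === false || $entries['count'] !== 1) {
        // Unknown or ambiguous user: same answer as a bad password, nothing more.
        return null;
    }
    $freshDn = $entries[0]['dn'];

    // 3. Retry only if the DN actually changed; if it is the same, the
    //    password was wrong and a second bind would just repeat the failure.
    if ($freshDn === $cachedDn) {
        return null;
    }
    if (@ldap_bind($ldap, $freshDn, $presentedPassword)) {
        return $freshDn; // caller should persist this as the new cached DN
    }
    return null;
}

// Usage sketch inside a provider's checkAuthentication (placeholder values,
// not a real directory):
// $dn = authenticateWithDnRefresh('ldap://ldap.example.local', 'DC=example,DC=local',
//     'CN=svc-app,OU=Service,DC=example,DC=local', 'service-password',
//     $user->getUsername(), $user->getDn(), $presentedPassword);
// if ($dn === null) {
//     throw new BadCredentialsException('The presented password is invalid.');
// }
// if ($dn !== $user->getDn()) {
//     $user->setDn($dn); // persist the refreshed DN so the fast path works next time
// }
```

The DN comparison in step 3 is a plain string compare; directories may return the DN with different case or spacing than was stored, in which case the retry is merely redundant rather than wrong. Unlike TomKrakott's workaround, this keeps the cached DN on the fast path and only pays for the search when a bind fails, so a moved or renamed account repairs itself on the next successful login without turning every login into a search.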
