LDAP Auth to Active Directoy (ADS) - do not work - my Login
Posted: 07 Jan 2009, 12:55
Hello,
i try to connect a mantis-1.2a2 to our ADS, but the problem is that the
LDAP Request to do not send my Inprot from Login_Page, i sends only "administrator"
here are my config_inc.php
<?php
$g_hostname = 'localhost';
$g_db_type = 'mysql';
$g_database_name = 'mantis12';
$g_db_username = 'root';
$g_db_password = '';
$g_login_method = LDAP;
$g_ldap_server = 'ldap://server.domain.zzz/';
$g_ldap_port = '389';
$g_ldap_root_dn = 'cn=Users,DC=domain,DC=zzz';
$g_ldap_organization = ''; # e.g. '(organizationname=*Traffic)'
$g_ldap_uid_field = 'sAMAccountName'; # Use 'sAMAccountName' for Active Directory
$g_ldap_bind_dn = 'LDAPVIEW@...';
$g_ldap_bind_passwd = 'password';
$g_use_ldap_email = 'OFF'; # Should we send to the LDAP email address or what MySql tells us
$g_allow_anonymous_account = 'OFF';
# The LDAP Protocol Version, if 0, then the protocol version is not set.
$g_ldap_protocol_version = 3;
$g_allow_signup = 'OFF';
$g_use_ldap_email = 'OFF';
$g_lost_password_feature = 'OFF';
?>
I allways get the infotmation:
Your account may be disabled or blocked or the username/password you entered is incorrect.
But the data that is send to the ADS-Server includes User: administrator an not my inptuted username
i can see that the User: ldapview connect successfuly to the server.
my colleage has sniffed on the Windows 2008 Server, and thre we can see
that the user: adminisator is send, but not my inputed username from the login-form.
that i can see with wireshark, if i only open the broser to: http://192.168.1.1/mantis-1.2
tshark -R "ip.addr == 192.168.1.1" "tcp port 389"
0.000000 192.168.1.1 -> 192.168.1.250 TCP 12233 > ldap [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=23884586 TSER=0 WS=5
0.000390 192.168.1.250 -> 192.168.1.1 TCP ldap > 12233 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=8 TSV=17503364 TSER=23884586
0.000424 192.168.1.1 -> 192.168.1.250 TCP 12233 > ldap [ACK] Seq=1 Ack=1 Win=5856 Len=0 TSV=23884586 TSER=17503364
0.000579 192.168.1.1 -> 192.168.1.250 LDAP bindRequest(1) "LDAPVIEW@..." simple
0.002809 192.168.1.250 -> 192.168.1.1 LDAP bindResponse(1) success
0.002835 192.168.1.1 -> 192.168.1.250 TCP 12233 > ldap [ACK] Seq=51 Ack=23 Win=5856 Len=0 TSV=23884587 TSER=17503364
0.003047 192.168.1.1 -> 192.168.1.250 LDAP searchRequest(2) "cn=Users,DC=domain,DC=zzz" wholeSubtree
0.003958 192.168.1.250 -> 192.168.1.1 LDAP searchResEntry(2) "CN=Administrator,CN=Users,DC=domain,DC=zzz" | searchResDone(2) success [1 result]
0.004113 192.168.1.1 -> 192.168.1.250 LDAP bindRequest(3) "CN=Administrator,CN=Users,DC=domain,DC=zzz" simple
0.005303 192.168.1.250 -> 192.168.1.1 LDAP bindResponse(3) invalidCredentials (80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 775, v1771)
0.005459 192.168.1.1 -> 192.168.1.250 LDAP unbindRequest(4)
0.005541 192.168.1.1 -> 192.168.1.250 TCP 12233 > ldap [FIN, ACK] Seq=224 Ack=263 Win=6912 Len=0 TSV=23884587 TSER=17503364
0.006016 192.168.1.250 -> 192.168.1.1 TCP ldap > 12233 [ACK] Seq=263 Ack=225 Win=66304 Len=0 TSV=17503364 TSER=23884587
0.006016 192.168.1.250 -> 192.168.1.1 TCP ldap > 12233 [RST, ACK] Seq=263 Ack=225 Win=0 Len=0
that is the output of wireshark if i try to login:
tshark -R "ip.addr == 192.168.1.1" "tcp port 389"
0.000000 192.168.1.1 -> 192.168.1.250 TCP 26193 > ldap [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=23933815 TSER=0 WS=5
0.000169 192.168.1.250 -> 192.168.1.1 TCP ldap > 26193 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=8 TSV=17523042 TSER=23933815
0.000202 192.168.1.1 -> 192.168.1.250 TCP 26193 > ldap [ACK] Seq=1 Ack=1 Win=5856 Len=0 TSV=23933815 TSER=17523042
0.000361 192.168.1.1 -> 192.168.1.250 LDAP bindRequest(1) "LDAPVIEW@..." simple
0.002631 192.168.1.250 -> 192.168.1.1 LDAP bindResponse(1) success
0.002657 192.168.1.1 -> 192.168.1.250 TCP 26193 > ldap [ACK] Seq=51 Ack=23 Win=5856 Len=0 TSV=23933815 TSER=17523042
0.002867 192.168.1.1 -> 192.168.1.250 LDAP searchRequest(2) "cn=Users,DC=domain,DC=zzz" wholeSubtree
0.003439 192.168.1.250 -> 192.168.1.1 LDAP searchResEntry(2) "CN=Administrator,CN=Users,DC=domain,DC=zzz" | searchResDone(2) success [1 result]
0.003848 192.168.1.1 -> 192.168.1.250 LDAP bindRequest(3) "CN=Administrator,CN=Users,DC=domain,DC=zzz" simple
0.005168 192.168.1.250 -> 192.168.1.1 LDAP bindResponse(3) invalidCredentials (80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 775, v1771)
0.005320 192.168.1.1 -> 192.168.1.250 LDAP unbindRequest(4)
0.005457 192.168.1.1 -> 192.168.1.250 TCP 26193 > ldap [FIN, ACK] Seq=224 Ack=263 Win=6912 Len=0 TSV=23933816 TSER=17523043
0.005995 192.168.1.250 -> 192.168.1.1 TCP ldap > 26193 [ACK] Seq=263 Ack=225 Win=66304 Len=0 TSV=17523043 TSER=23933816
0.005996 192.168.1.250 -> 192.168.1.1 TCP ldap > 26193 [RST, ACK] Seq=263 Ack=225 Win=0 Len=0
what dit i wrong ?
thanks
i try to connect a mantis-1.2a2 to our ADS, but the problem is that the
LDAP Request to do not send my Inprot from Login_Page, i sends only "administrator"
here are my config_inc.php
<?php
$g_hostname = 'localhost';
$g_db_type = 'mysql';
$g_database_name = 'mantis12';
$g_db_username = 'root';
$g_db_password = '';
$g_login_method = LDAP;
$g_ldap_server = 'ldap://server.domain.zzz/';
$g_ldap_port = '389';
$g_ldap_root_dn = 'cn=Users,DC=domain,DC=zzz';
$g_ldap_organization = ''; # e.g. '(organizationname=*Traffic)'
$g_ldap_uid_field = 'sAMAccountName'; # Use 'sAMAccountName' for Active Directory
$g_ldap_bind_dn = 'LDAPVIEW@...';
$g_ldap_bind_passwd = 'password';
$g_use_ldap_email = 'OFF'; # Should we send to the LDAP email address or what MySql tells us
$g_allow_anonymous_account = 'OFF';
# The LDAP Protocol Version, if 0, then the protocol version is not set.
$g_ldap_protocol_version = 3;
$g_allow_signup = 'OFF';
$g_use_ldap_email = 'OFF';
$g_lost_password_feature = 'OFF';
?>
I allways get the infotmation:
Your account may be disabled or blocked or the username/password you entered is incorrect.
But the data that is send to the ADS-Server includes User: administrator an not my inptuted username
i can see that the User: ldapview connect successfuly to the server.
my colleage has sniffed on the Windows 2008 Server, and thre we can see
that the user: adminisator is send, but not my inputed username from the login-form.
that i can see with wireshark, if i only open the broser to: http://192.168.1.1/mantis-1.2
tshark -R "ip.addr == 192.168.1.1" "tcp port 389"
0.000000 192.168.1.1 -> 192.168.1.250 TCP 12233 > ldap [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=23884586 TSER=0 WS=5
0.000390 192.168.1.250 -> 192.168.1.1 TCP ldap > 12233 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=8 TSV=17503364 TSER=23884586
0.000424 192.168.1.1 -> 192.168.1.250 TCP 12233 > ldap [ACK] Seq=1 Ack=1 Win=5856 Len=0 TSV=23884586 TSER=17503364
0.000579 192.168.1.1 -> 192.168.1.250 LDAP bindRequest(1) "LDAPVIEW@..." simple
0.002809 192.168.1.250 -> 192.168.1.1 LDAP bindResponse(1) success
0.002835 192.168.1.1 -> 192.168.1.250 TCP 12233 > ldap [ACK] Seq=51 Ack=23 Win=5856 Len=0 TSV=23884587 TSER=17503364
0.003047 192.168.1.1 -> 192.168.1.250 LDAP searchRequest(2) "cn=Users,DC=domain,DC=zzz" wholeSubtree
0.003958 192.168.1.250 -> 192.168.1.1 LDAP searchResEntry(2) "CN=Administrator,CN=Users,DC=domain,DC=zzz" | searchResDone(2) success [1 result]
0.004113 192.168.1.1 -> 192.168.1.250 LDAP bindRequest(3) "CN=Administrator,CN=Users,DC=domain,DC=zzz" simple
0.005303 192.168.1.250 -> 192.168.1.1 LDAP bindResponse(3) invalidCredentials (80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 775, v1771)
0.005459 192.168.1.1 -> 192.168.1.250 LDAP unbindRequest(4)
0.005541 192.168.1.1 -> 192.168.1.250 TCP 12233 > ldap [FIN, ACK] Seq=224 Ack=263 Win=6912 Len=0 TSV=23884587 TSER=17503364
0.006016 192.168.1.250 -> 192.168.1.1 TCP ldap > 12233 [ACK] Seq=263 Ack=225 Win=66304 Len=0 TSV=17503364 TSER=23884587
0.006016 192.168.1.250 -> 192.168.1.1 TCP ldap > 12233 [RST, ACK] Seq=263 Ack=225 Win=0 Len=0
that is the output of wireshark if i try to login:
tshark -R "ip.addr == 192.168.1.1" "tcp port 389"
0.000000 192.168.1.1 -> 192.168.1.250 TCP 26193 > ldap [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=23933815 TSER=0 WS=5
0.000169 192.168.1.250 -> 192.168.1.1 TCP ldap > 26193 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=8 TSV=17523042 TSER=23933815
0.000202 192.168.1.1 -> 192.168.1.250 TCP 26193 > ldap [ACK] Seq=1 Ack=1 Win=5856 Len=0 TSV=23933815 TSER=17523042
0.000361 192.168.1.1 -> 192.168.1.250 LDAP bindRequest(1) "LDAPVIEW@..." simple
0.002631 192.168.1.250 -> 192.168.1.1 LDAP bindResponse(1) success
0.002657 192.168.1.1 -> 192.168.1.250 TCP 26193 > ldap [ACK] Seq=51 Ack=23 Win=5856 Len=0 TSV=23933815 TSER=17523042
0.002867 192.168.1.1 -> 192.168.1.250 LDAP searchRequest(2) "cn=Users,DC=domain,DC=zzz" wholeSubtree
0.003439 192.168.1.250 -> 192.168.1.1 LDAP searchResEntry(2) "CN=Administrator,CN=Users,DC=domain,DC=zzz" | searchResDone(2) success [1 result]
0.003848 192.168.1.1 -> 192.168.1.250 LDAP bindRequest(3) "CN=Administrator,CN=Users,DC=domain,DC=zzz" simple
0.005168 192.168.1.250 -> 192.168.1.1 LDAP bindResponse(3) invalidCredentials (80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 775, v1771)
0.005320 192.168.1.1 -> 192.168.1.250 LDAP unbindRequest(4)
0.005457 192.168.1.1 -> 192.168.1.250 TCP 26193 > ldap [FIN, ACK] Seq=224 Ack=263 Win=6912 Len=0 TSV=23933816 TSER=17523043
0.005995 192.168.1.250 -> 192.168.1.1 TCP ldap > 26193 [ACK] Seq=263 Ack=225 Win=66304 Len=0 TSV=17523043 TSER=23933816
0.005996 192.168.1.250 -> 192.168.1.1 TCP ldap > 26193 [RST, ACK] Seq=263 Ack=225 Win=0 Len=0
what dit i wrong ?
thanks