Frontend login with LDAP

Hello,

today I’ve added and configured the neos/ldap module because our marketing would like to have a member area for our employees. I’ve configured everything like in the documentation but after submitting the login form the page isn’t working. It literally says «This page isn’t working. […] didn’t send any data.». There is no clear error message (even in the log). The standard Neos frontend login was working. Is there anybody here who has successfully integrated the ldap module into his website and can help me with this problem?

Thanks
Michael

Hi Michael,

I have used the LDAP package for several years in a project.
As the configuration is quite a struggle sometimes, it’s best to start debugging with the included command controller.
So trying to bind, authenticate and query via the CLI is the best start.
When that works you can continue from there.

Good morning,

first of all: thanks for your answer! 🙂
I’ve successfully executed an «ldapsearch» on the command line. The next thing I did was some debugging and I figured out that at some point the execution stops and exits.

  1. LdapProvider -> authenticate()
  2. DirectoryService -> authenticate()
  3. DirectoryService -> bind()
  4. LdapBind -> bind()
  5. AbstractBindProvider -> bindWithDn()

In the last method «bindWithDn» the command “ldap_bind” will be executed and this is the command that fails without an exception. There’s a try catch around it but the error / exception won’t be caught. The next thing is that the code runs two times. It fails on «ldap_bind», executes «Ldap-Provider->authenticate()» and fails on «ldap_bind» again.

What I can see is that the password (for «ldap_bind») is the one that I’ve entered in the login mask. Shouldn’t it be the password for the bind user? Because the other parameter «userDn» is the string of the bind dn (configuration) and looks like “cn=bind user,cn=Users,dc=company,dc=com.”

I don’t know, maybe you or someone else can help me?

FYI: I’m using PHP 7.2.22 and Apache 2.4.37 on a local machine (Mac).

Can you post your anonymised AuthenticationProvider config and the LDAP config?

I got the problem: I used “ldaps://” because our support said so. When I use “ldap://” it works. But nevertheless the credentials are wrong and now I get an exception. And I think that’s because the passwords are wrong. Like I said: when the method «ldap_bind» is executed the «$password» is the same one that I’ve entered in the login mask and not the LDAP user password of my configuration (Settings.yaml).

Here’s the LDAP configuration.

Neos:
  Flow:
    security:
      authentication:
        providers:
          LdapProvider:
            provider: Neos\Ldap\Security\Authentication\Provider\LdapProvider
            providerOptions:
              host: 'ldap://ldap.domain.com'
              port: 389

              baseDn: 'DC=company,DC=com'

              # How to authenticate towards the server. Normally this is a given
              # service account and password. Other options are also available,
              # consult the bind provider class LdapBind for more examples.
              bind:
                dn: 'CN=user,CN=Users,DC=company,DC=com'
                password: 'asdf'
                anonymous: FALSE

              # All PHP Ldap options can be set here. Make the constant lowercase
              # and remove the ldap_opt_ prefix.
              # Example: LDAP_OPT_PROTOCOL_VERSION becomes protocol_version
              ldapOptions:
                protocol_version: 3
                network_timeout: 10

              filter:
                # %s will be replaced with the username / dn provided
                account: '(sAMAccountName=%s)'
                memberOf: '(&(objectClass=posixGroup)(memberUid=%s))'

                # this will use the filter with domain, set it to yes to remove it for search
                ignoreDomain: TRUE

              # will be prefixed to a given username if no other domain was specified
              domain: 'MY-DOMAIN'

If you get an exception you should have a useful message in your logs.
The authentication process throws a lot of different messages.

It’s really hard to help, when the exact problem is only a guess.

I think the LDAP package docs really need some updates.

Oh sorry I forgot to add the exception message. But it is not really useful.

Error during Ldap user search: 1

The connection and the binding work now, but it is the search that fails. I don’t know why. I wrote a simple LDAP script from scratch (vanilla PHP) and everything is fine there. Also the settings of the neos/ldap module seem to be correct.
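The bind, search and authenticate steps discussed in this thread, as a stand-alone PHP command-line check using the common search-then-bind pattern. This is an added example, not part of the original posts and not neos/ldap code; host, DNs and the account filter are the placeholders from the posted Settings.yaml, and the two environment variable names and the sample login name are assumptions.

```php
<?php
// Added diagnostic example, not neos/ldap code. Host, DNs and filter are the
// placeholders from the Settings.yaml posted above; replace before running.
$uri      = 'ldap://ldap.domain.com:389';
$baseDn   = 'DC=company,DC=com';
$bindDn   = 'CN=user,CN=Users,DC=company,DC=com';  // service account
$bindPw   = getenv('LDAP_BIND_PW') ?: '';          // assumed env var name
$username = $argv[1] ?? 'jdoe';                    // constructed sample login
$userPw   = getenv('LDAP_USER_PW') ?: '';          // assumed env var name

// Print errno, its text and the server's diagnostic message, then stop.
function ldapFail($conn, string $step): void
{
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
    fprintf(STDERR, "%s failed: [%d] %s %s\n", $step, ldap_errno($conn), ldap_error($conn), (string) $detail);
    exit(1);
}

$conn = ldap_connect($uri); // validates the URI only; no traffic yet
if ($conn === false) {
    fwrite(STDERR, "invalid LDAP URI\n");
    exit(1);
}
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 10);

// ldap:// on 389 is plaintext: upgrade with StartTLS before sending a password.
if (strpos($uri, 'ldap://') === 0 && !@ldap_start_tls($conn)) {
    ldapFail($conn, 'StartTLS');
}
// 1. Bind as the service account from the configuration.
if (!@ldap_bind($conn, $bindDn, $bindPw)) {
    ldapFail($conn, 'service bind');
}
// 2. Look up the user's DN; escape the name so it cannot alter the filter.
$filter = sprintf('(sAMAccountName=%s)', ldap_escape($username, '', LDAP_ESCAPE_FILTER));
$result = @ldap_search($conn, $baseDn, $filter, ['cn']);
if ($result === false) {
    ldapFail($conn, 'user search');
}
if (ldap_count_entries($conn, $result) !== 1) {
    fwrite(STDERR, "expected exactly one entry for $filter\n");
    exit(1);
}
$userDn = ldap_get_dn($conn, ldap_first_entry($conn, $result));
// 3. Re-bind as that DN with the login-form password. An empty password is an
//    unauthenticated bind that many servers accept, so refuse it up front.
if ($userPw === '') {
    fwrite(STDERR, "empty password refused\n");
    exit(1);
}
if (!@ldap_bind($conn, $userDn, $userPw)) {
    ldapFail($conn, 'user bind');
}
echo "authenticated as $userDn\n";
```

Each step names itself on failure and prints the numeric code together with its text, so a bare number in a log line can be matched to the step that produced it.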

It’s really hard to help, when the exact problem is only a guess.

Yes that’s true.