WillyXJ/facileManager

[ISSUE] LDAP authentication with JumpCloud backend not working

lravelo opened this issue · 8 comments

Please prefix your issue title with one of the following: [BUG], [ISSUE], [FEATURE REQUEST], [MODULE REQUEST], [OTHER].

Replace everything between stars with current version of your facileManager and module installations:
fM Version : 4.5.0
fmDNSVersion : 5.3.3

In raising this issue, I confirm the following (please check boxes, e.g. [X]):

  • I have read and understood the contributors guide.
  • I have checked that the bug-fix I am reporting can be replicated, or that the feature I am suggesting isn't already present.
  • I have checked that the issue I'm posting isn't already reported.
  • I have checked that the issue I'm posting isn't already solved and no duplicates exist in closed issues and opened issues
  • I have checked the pull requests tab for existing solutions/implementations to my issue/suggestion.

(BUG | ISSUE) Expected Behavior:
Expecting that LDAP users in JumpCloud can authenticate (JumpCloud uses an OpenLDAP-type backend).

(BUG | ISSUE) Actual Behavior:
Does not authenticate. The server doesn't even make an attempt to communicate with JumpCloud. I can see errors in /var/log/php-fpm/www-error.log which say the following:

PHP Notice: Undefined property: fmdb::$last_result in /var/www/html/facileManager/fm-modules/facileManager/classes/class_logins.php on line 265

(BUG | ISSUE) Steps to reproduce:

  • Configured LDAP auth in the UI
  • LDAP Server: ldap.jumpcloud.com
  • Standard Port: 389
  • SSL Port: 636
  • Protocol Version: Version 3
  • Encryption: TLS
  • Certificate File:
  • Root CA Certificate:
  • Referrals: Enabled
  • Distinguished Name (DN): uid=,ou=Users,o=<jumpcloud_org_id>,dc=jumpcloud,dc=com (not sure if the "o=<jumpcloud_org_id>" portion of it might cause issues)
  • Require Group Membership: True
  • Group Distinguished Name (DN) cn=<group_name>,ou=Users,o=<jumpcloud_org_id>,dc=jumpcloud,dc=com
  • Group Member Attribute: member
  • Search Start DN: ou=Users,o=<jumpcloud_org_id>,dc=jumpcloud,dc=com
  • User Template: admin

This config is pretty typical; I have a comparable config on other sources and it works just fine.

I think your DN is missing the placeholder. It should look like this:

Distinguished Name (DN): uid=<username>,ou=Users,o=[jumpcloud_org_id],dc=jumpcloud,dc=com

<username> will be automatically replaced with the username entered at the login page.

Hi @WillyXJ, this was actually an error on my part. For some reason I forgot to add <username> when opening the issue, but that placeholder is there and it still does not work.

I don't think the issue is your DN at this point. Have you tried using "memberOf" for the Group Member Attribute? That is the supported attribute according to https://jumpcloud.com/blog/how-to-connect-your-application-to-ldap.

You could also try authenticating without a required group membership to help isolate where the problem is at.

OK, so removing the require group membership restriction does allow me to log in. Doing an ldapsearch of this group shows that it uses the member attribute.

Not sure if what's going on here is that the query is run against the uid to see what groups the account is a member of. In that case it would be memberOf. Despite that, neither option works when requiring group membership.

I've opened an account with JumpCloud and am able to reproduce the issue. I've also found using ldap_compare() is not working quite right with JumpCloud. I did find a working solution for you though.

Set the Group Member Attribute to "memberof" (case-sensitive) and replace class_logins.php line 575 with

$ldap_group_response = $this->checkGroupMembership($ldap_connect, $ldap_dn, $ldap_group_dn, $ldap_group_attribute);

More research and testing needs to be done to ensure this change does not break authentication with other LDAP servers before it's included in the next release.

I tried this fix but no dice. Still the same outcome. Any sort of debug logging I can enable to see more details?

Unfortunately there isn't any debug logging with fM for LDAP auth. However, I created another test user and it was unable to authenticate until I gave it bind permissions within JumpCloud (under User Security Settings and Permissions for the user).

Please ensure this option is checked for your users if you want to require the group membership.

I'll have to consider changing the LDAP auth implementation within fM to utilize a bind account to perform the lookups with instead of relying on the authenticating account to do that.
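As an added example (not facileManager's own code, and not the patch quoted above), the following PHP sketch puts the two group checks discussed in this thread side by side: an ldap_compare() against the group's member attribute, and a read of the user's own entry to look for the group DN in memberOf. Both run after binding as the user built from the DN template, exactly as the "<username>" placeholder works in fM. The function names are hypothetical, the server, DN and group settings are the ones posted in this issue, and the org id, group name and credentials are placeholders; it needs ext-ldap and a reachable LDAP server. The -1 return from ldap_compare() and a failed ldap_read() are where a JumpCloud user without the bind permission mentioned above will fail even though the password bind itself succeeded.

```php
<?php
// Added example, not facileManager code. Hypothetical helper names; settings
// mirror the JumpCloud configuration posted in this issue. Requires ext-ldap.

declare(strict_types=1);

/**
 * Bind as the user built from the DN template (the "<username>" placeholder),
 * then check membership in $groupDn using one of two strategies:
 *   'compare'  : ldap_compare() on the group's member attribute ($groupMemberAttr)
 *   'memberof' : read the user's own entry and look for $groupDn in memberOf
 * Returns true on success; on failure returns false and sets $reason.
 */
function ldapLoginWithGroup(
    string $host, int $port, bool $startTls,
    string $dnTemplate, string $username, string $password,
    string $groupDn, string $groupMemberAttr, string $strategy,
    ?string &$reason = null
): bool {
    // Escape the username for a DN so "alice,ou=Admins" cannot rewrite the bind DN.
    $userDn = str_replace('<username>', ldap_escape($username, '', LDAP_ESCAPE_DN), $dnTemplate);

    $ldap = ldap_connect("ldap://{$host}:{$port}");
    if ($ldap === false) { $reason = 'bad LDAP URI'; return false; }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); // do not chase referrals with the user's credentials

    if ($startTls && !ldap_start_tls($ldap)) {
        $reason = 'STARTTLS failed: ' . ldap_error($ldap);
        return false;
    }

    // An empty password is an unauthenticated bind on many servers; refuse it outright.
    if ($password === '' || !@ldap_bind($ldap, $userDn, $password)) {
        $reason = 'bind failed for ' . $userDn . ': ' . ldap_error($ldap);
        ldap_unbind($ldap);
        return false;
    }

    $ok = false;
    if ($strategy === 'compare') {
        // Server-side question: is $userDn one of the $groupMemberAttr values on $groupDn?
        // true/false is an answer; -1 means the server refused or errored, which is
        // what a user lacking permission to read the group looks like.
        $r = ldap_compare($ldap, $groupDn, $groupMemberAttr, $userDn);
        if ($r === -1) {
            $reason = 'compare error: ' . ldap_error($ldap);
        } else {
            $ok = $r;
            $reason = $ok ? 'member (compare)' : 'not a member (compare)';
        }
    } else {
        // Read the user's own entry and inspect its memberOf values.
        $res = @ldap_read($ldap, $userDn, '(objectClass=*)', ['memberOf']);
        $entries = $res ? ldap_get_entries($ldap, $res) : false;
        if ($entries === false || $entries['count'] === 0) {
            $reason = 'cannot read own entry: ' . ldap_error($ldap);
        } else {
            $ok = isMemberOf($entries[0], $groupDn);
            $reason = $ok ? 'member (memberOf)' : 'not a member (memberOf)';
        }
    }
    ldap_unbind($ldap);
    return $ok;
}

/**
 * Case-insensitive DN match over the memberOf values of one ldap_get_entries()
 * entry. PHP lowercases attribute names in that array, so the key is always
 * 'memberof' no matter how the server spells it.
 */
function isMemberOf(array $entry, string $groupDn): bool
{
    if (!isset($entry['memberof'])) { return false; }
    $want = strtolower(preg_replace('/\s*,\s*/', ',', $groupDn));
    for ($i = 0; $i < $entry['memberof']['count']; $i++) {
        $have = strtolower(preg_replace('/\s*,\s*/', ',', $entry['memberof'][$i]));
        if ($have === $want) { return true; }
    }
    return false;
}

// Usage with the settings from this issue (org id, group and user are placeholders).
$ok = ldapLoginWithGroup(
    'ldap.jumpcloud.com', 389, true,
    'uid=<username>,ou=Users,o=<jumpcloud_org_id>,dc=jumpcloud,dc=com',
    'alice', getenv('LDAP_PASSWORD') ?: '',
    'cn=<group_name>,ou=Users,o=<jumpcloud_org_id>,dc=jumpcloud,dc=com',
    'member', 'memberof', $reason
);
echo ($ok ? 'ALLOW' : 'DENY') . ': ' . $reason . PHP_EOL;
```

Because fM has no debug logging for LDAP auth, the same two steps can be checked from a shell with the OpenLDAP client tools: ldapwhoami -x -ZZ -H ldap://ldap.jumpcloud.com:389 -D "<user DN>" -W confirms the bind, and an ldapsearch with the same -D, base set to the user DN and memberOf as the requested attribute shows whether that user is allowed to read its own group list. The bind-account design the maintainer mentions would bind with a service account before the ldap_read() or ldap_compare() step, so the lookup no longer depends on the authenticating user's own read permissions.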

This is now fixed in fM 4.6.0 and later.