Search code examples
laravelauthenticationactive-directoryadldap

BindException: Local Error Laravel Adldap2/Adldap2


I am totally new with laravel and more with AD authentication. I've been following the tutorial of these and I encountered the following problem, which can not find solution when trying to launch the application.

I have set the ' auto_connect '=> true and this error appears any attempt to access any direction from my page. If you can also explain to me how these two functions bind and bindAsAdministrator are based and what items they want to link, can be great:

BindException: Local Error Browser Image

It is worth mentioning that my table has a username field.

My config/adldap.php:

 /*
|--------------------------------------------------------------------------
| Connections
|--------------------------------------------------------------------------
|
| This array stores the connections that are added to Adldap. You can add
| as many connections as you like.
|
| The key is the name of the connection you wish to use and the value is
| an array of configuration settings.
|
*/

'connections' => [

    'default' => [

        /*
        |--------------------------------------------------------------------------
        | Auto Connect
        |--------------------------------------------------------------------------
        |
        | If auto connect is true, anytime Adldap is instantiated it will automatically
        | connect to your AD server. If this is set to false, you must connect manually
        | using: Adldap::connect().
        |
        */

        'auto_connect' => true,

        /*
        |--------------------------------------------------------------------------
        | Connection
        |--------------------------------------------------------------------------
        |
        | The connection class to use to run operations on.
        |
        | You can also set this option to `null` to use the default connection class.
        |
        | Custom connection classes must implement \Adldap\Contracts\Connections\ConnectionInterface
        |
        */

        'connection' => Adldap\Connections\Ldap::class,

        /*
        |--------------------------------------------------------------------------
        | Schema
        |--------------------------------------------------------------------------
        |
        | The schema class to use for retrieving attributes and generating models.
        |
        | You can also set this option to `null` to use the default schema class.
        |
        | Custom schema classes must implement \Adldap\Contracts\Schemas\SchemaInterface
        |
        */

        'schema' => Adldap\Schemas\ActiveDirectory::class,

        /*
        |--------------------------------------------------------------------------
        | Connection Settings
        |--------------------------------------------------------------------------
        |
        | This connection settings array is directly passed into the Adldap constructor.
        |
        | Feel free to add or remove settings you don't need.
        |
        */

        'connection_settings' => [

            /*
            |--------------------------------------------------------------------------
            | Account Prefix
            |--------------------------------------------------------------------------
            |
            | The account prefix option is the prefix of your user accounts in AD.
            |
            | For example, if you'd prefer your users to use only their username instead
            | of specifying a domain ('ACME\jdoe'), enter your domain name.
            |
            */

            'account_prefix' => '',

            /*
            |--------------------------------------------------------------------------
            | Account Suffix
            |--------------------------------------------------------------------------
            |
            | The account suffix option is the suffix of your user accounts in AD.
            |
            | For example, if your domain DN is DC=corp,DC=acme,DC=org, then your
            | account suffix would be @corp.acme.org. This is then appended to
            | then end of your user accounts on authentication.
            |
            */

            'account_suffix' => '',

            /*
            |--------------------------------------------------------------------------
            | Domain Controllers
            |--------------------------------------------------------------------------
            |
            | The domain controllers option is an array of servers located on your
            | network that serve Active Directory. You can insert as many servers or
            | as little as you'd like depending on your forest (with the
            | minimum of one of course).
            |
            | These can be IP addresses of your server(s), or the host name.
            |
            */

            'domain_controllers' => ['190.168.124.147'],

            /*
            |--------------------------------------------------------------------------
            | Port
            |--------------------------------------------------------------------------
            |
            | The port option is used for authenticating and binding to your AD server.
            |
            */

            'port' => 80,

            /*
            |--------------------------------------------------------------------------
            | Timeout
            |--------------------------------------------------------------------------
            |
            | The timeout option allows you to configure the amount of time in
            | seconds that your application waits until a response
            | is received from your LDAP server.
            |
            */

            'timeout' => 5,

            /*
            |--------------------------------------------------------------------------
            | Base Distinguished Name
            |--------------------------------------------------------------------------
            |
            | The base distinguished name is the base distinguished name you'd like
            | to perform operations on. An example base DN would be DC=corp,DC=acme,DC=org.
            |
            | If one is not defined, then Adldap will try to find it automatically
            | by querying your server. It's recommended to include it to
            | limit queries executed per request.
            |
            */

            'base_dn' => '',

            /*
            |--------------------------------------------------------------------------
            | Administrator Account Suffix
            |--------------------------------------------------------------------------
            |
            | This option allows you to set a different account suffix for your
            | configured administrator account upon binding.
            |
            | If left empty, your `account_suffix` option will be used.
            |
            */

            'admin_account_suffix' => '',

            /*
            |--------------------------------------------------------------------------
            | Administrator Username & Password
            |--------------------------------------------------------------------------
            |
            | When connecting to your AD server, a username and password is required
            | to be able to query and run operations on your server(s). You can
            | use any user account that has these permissions. This account
            | does not need to be a domain administrator unless you
            | require changing and resetting user passwords.
            |
            */

            'admin_username' => env('ADLDAP_ADMIN_USERNAME', 'foo\saaa'),
            'admin_password' => env('ADLDAP_ADMIN_PASSWORD', 'kaa@taa'),

            /*
            |--------------------------------------------------------------------------
            | Follow Referrals
            |--------------------------------------------------------------------------
            |
            | The follow referrals option is a boolean to tell active directory
            | to follow a referral to another server on your network if the
            | server queried knows the information your asking for exists,
            | but does not yet contain a copy of it locally.
            |
            | This option is defaulted to false.
            |
            */

            'follow_referrals' => false,

            /*
            |--------------------------------------------------------------------------
            | SSL & TLS
            |--------------------------------------------------------------------------
            |
            | If you need to be able to change user passwords on your server, then an
            | SSL or TLS connection is required. All other operations are allowed
            | on unsecured protocols. One of these options are definitely recommended
            | if you have the ability to connect to your server securely.
            |
            */

            'use_ssl' => false,
            'use_tls' => false,

My Auth\Guard.php line with problem:

 public function bind($username, $password, $prefix = null, $suffix = null)
{
    // We'll allow binding with a null username and password
    // if their empty. This will allow us to anonymously
    // bind to our servers if needed.
    $username = $username ?: null;
    $password = $password ?: null;

    if ($username) {
        // If the username isn't empty, we'll append the configured
        // account prefix and suffix to bind to the LDAP server.
        $prefix = is_null($prefix) ? $this->configuration->getAccountPrefix() : $prefix;
        $suffix = is_null($suffix) ? $this->configuration->getAccountSuffix() : $suffix;

        $username = $prefix.$username.$suffix;
    }

    // We'll mute any exceptions / warnings here. All we need to know
    // is if binding failed and we'll throw our own exception.
    if (!@$this->connection->bind($username, $password)) {
        throw new BindException($this->connection->getLastError(), $this->connection->errNo());
    }
}

My config\auth.php:

 /*
|--------------------------------------------------------------------------
| Authentication Defaults
|--------------------------------------------------------------------------
|
| This option controls the default authentication "guard" and password
| reset options for your application. You may change these defaults
| as required, but they're a perfect start for most applications.
|
*/

'defaults' => [
    'guard' => 'web',
    'passwords' => 'users',
],

/*
|--------------------------------------------------------------------------
| Authentication Guards
|--------------------------------------------------------------------------
|
| Next, you may define every authentication guard for your application.
| Of course, a great default configuration has been defined for you
| here which uses session storage and the Eloquent user provider.
|
| All authentication drivers have a user provider. This defines how the
| users are actually retrieved out of your database or other storage
| mechanisms used by this application to persist your user's data.
|
| Supported: "session", "token"
|
*/

'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],

    'api' => [
        'driver' => 'token',
        'provider' => 'users',
    ],
],

/*
|--------------------------------------------------------------------------
| User Providers
|--------------------------------------------------------------------------
|
| All authentication drivers have a user provider. This defines how the
| users are actually retrieved out of your database or other storage
| mechanisms used by this application to persist your user's data.
|
| If you have multiple user tables or models you may configure multiple
| sources which represent each model / table. These sources may then
| be assigned to any extra authentication guards you have defined.
|
| Supported: "database", "eloquent"
|
*/

'providers' => [
    'users' => [
        'driver' => 'adldap',
        'model' => App\User::class,
    ],

    // 'users' => [
    //     'driver' => 'database',
    //     'table' => 'users',
    // ],
],

/*
|--------------------------------------------------------------------------
| Resetting Passwords
|--------------------------------------------------------------------------
|
| Here you may set the options for resetting passwords including the view
| that is your password reset e-mail. You may also set the name of the
| table that maintains all of the reset tokens for your application.
|
| You may specify multiple password reset configurations if you have more
| than one user table or model in the application and you want to have
| separate password reset settings based on the specific user types.
|
| The expire time is the number of minutes that the reset token should be
| considered valid. This security feature keeps tokens short-lived so
| they have less time to be guessed. You may change this as needed.
|
*/

'passwords' => [
    'users' => [
        'provider' => 'users',
        'email' => 'auth.emails.password',
        'table' => 'password_resets',
        'expire' => 60,
    ],
],

My User.php:

<?php

namespace App;

use Illuminate\Foundation\Auth\User as Authenticatable;

class User extends Authenticatable
{
    /**
     * The attributes that are mass assignable.
     *
     * @var array
     */
    protected $fillable = [
        'name', 'email', 'password','username'
    ];

    /**
     * The attributes that should be hidden for arrays.
     *
     * @var array
     */
    protected $hidden = [
        'password', 'remember_token',
    ];
}

My AuthController.php:

namespace App\Http\Controllers\Auth;

use App\User;
use Validator;

use Illuminate\Support\Facades\Auth;
use Illuminate\Http\Request;

use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\ThrottlesLogins;
use Illuminate\Foundation\Auth\AuthenticatesAndRegistersUsers;

use Adldap\Contracts\AdldapInterface;

class AuthController extends Controller
{
    /*
    |--------------------------------------------------------------------------
    | Registration & Login Controller
    |--------------------------------------------------------------------------
    |
    | This controller handles the registration of new users, as well as the
    | authentication of existing users. By default, this controller uses
    | a simple trait to add these behaviors. Why don't you explore it?
    |
    */

    use AuthenticatesAndRegistersUsers, ThrottlesLogins;

    /**
     * Where to redirect users after login / registration.
     *
     * @var string
     */
    protected $redirectTo = '/tickets';

    /**
     * @var Adldap
     */
    protected $adldap;

    /**
     * Create a new authentication controller instance.
     *
     * @return void
     */
    public function __construct(AdldapInterface $adldap)
    {
        $this->middleware($this->guestMiddleware(), ['except' => 'logout']);
        $this->adldap = $adldap;
    }

    /**
     * Get a validator for an incoming registration request.
     *
     * @param  array  $data
     * @return \Illuminate\Contracts\Validation\Validator
     */
    protected function validator(array $data)
    {
        return Validator::make($data, [
            'name' => 'required|max:255',
            'email' => 'required|email|max:255|unique:users',
            'password' => 'required|min:6|confirmed',
        ]);
    }

    /**
     * Create a new user instance after a valid registration.
     *
     * @param  array  $data
     * @return User
     */
    protected function create(array $data)
    {
        return User::create([
            'name' => $data['name'],
            'email' => $data['email'],
            'password' => bcrypt($data['password']),
        ]);
    }

    /**
     * Handle a login request to the application.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return \Illuminate\Http\Response
     */
    public function login(Request $request)
    {
        if ($this->adldap->auth()->attempt($request->email, $request->password, TRUE )) {
            return 'entro';            


            // $this->validateLogin($request);

            // // If the class is using the ThrottlesLogins trait, we can automatically throttle
            // // the login attempts for this application. We'll key this by the username and
            // // the IP address of the client making these requests into this application.
            // $throttles = $this->isUsingThrottlesLoginsTrait();

            // if ($throttles && $lockedOut = $this->hasTooManyLoginAttempts($request)) {
            //     $this->fireLockoutEvent($request);

            //     return $this->sendLockoutResponse($request);
            // }

            // $credentials = $this->getCredentials($request);

            // if (Auth::guard($this->getGuard())->attempt($credentials, $request->has('remember'))) {
            //     return $this->handleUserWasAuthenticated($request, $throttles);
            // }

            // // If the login attempt was unsuccessful we will increment the number of attempts
            // // to login and redirect the user back to the login form. Of course, when this
            // // user surpasses their maximum number of attempts they will get locked out.
            // if ($throttles && ! $lockedOut) {
            //     $this->incrementLoginAttempts($request);
            // }

            // return $this->sendFailedLoginResponse($request);
        }
    }

}

Solution

  • First sorry for my english. I found the solution and I'm sure there are colleagues who like me, are new to the world of laravel, Adldap2 / Adldap2 and Active Directory, so I share the answer :).

    I start by explaining important message error Adldap2 / Adldap2:

    Can not contact LDAP server: This occurs when the IP address that we offer to the library, which is supposedly our AD server is not reachable. It must be emphasized that if we provide any IP that can be accessed, whether or not an AD server, this will no longer display this error. In short, we can have a completely wrong IP and the library does not indicate this explicitly and / or display the error explained below.

    BindException: Local Error: It is quite possible that many of you will encounter this error, unlike other errors offered by the library, it lacks explicit description. This error is a consequence of what explained in the previous error. It happens when we have given to the library, a reachable IP but there is no AD server or configured on it. In my particular case, my AD server was not set.