
Authentication Failure with Zend_Auth and SME LDAP


I'm trying to connect a Zend application to an SME server running LDAP with an SQL backend.

On every request I'm getting err=49, indicating an authentication failure, but the username/password combo I'm trying is correct.

My Zend app's configs are set up as:

ldap.server1.host                   = primary.example.info
ldap.server1.accountDomainName      = example.info
ldap.server1.accountDomainNameShort = example
ldap.server1.accountCanonicalForm   = 2
ldap.server1.username               = "CN=admin,DC=example,DC=info"
ldap.server1.password               = "password"
ldap.server1.baseDn                 = "DC=example,DC=info"
ldap.server1.bindRequiresDn         = true

I'm trying to log in using the format:

Username: Alice
Password: password

Inside my AuthController, the function I'm using to attempt auth against LDAP:

protected function _process($values) {
    $auth = Zend_Auth::getInstance();

    // Load the [production] section; the 'ldap' key holds one sub-array per server (server1, ...)
    $config = new Zend_Config_Ini(APPLICATION_PATH . '/configs/application.ini', 'production');
    $options = $config->ldap->toArray();

    $adapter = new Zend_Auth_Adapter_Ldap($options, $values['username'], $values['password']);

    $result = $auth->authenticate($adapter);

    if ($result->isValid()) {
        // getAccountObject() is an instance method: call it with ->, not the static ::
        $user = $adapter->getAccountObject();
        $auth->getStorage()->write($user);
        return true;
    }

    return false;
}

The errors I'm getting in /var/log/messages:

Mar 27 02:35:44 primary slapd[4589]: conn=1 fd=7 ACCEPT from IP=142.25.97.141:51711 (IP=0.0.0.0:389) 
Mar 27 02:35:44 primary slapd[4589]: conn=1 op=0 BIND dn="cn=admin,dc=kjenkins,dc=info" method=128 
Mar 27 02:35:44 primary slapd[4589]: conn=1 op=0 RESULT tag=97 err=49 text= 
Mar 27 02:35:44 primary slapd[4589]: conn=1 op=1 UNBIND 
Mar 27 02:35:44 primary slapd[4589]: conn=1 fd=7 closed

I know the credentials I'm using are correct, and I've tried using all variants of accountCanonicalForm, but none seem to work.

Can anyone find what I'm doing wrong?


Solution

  • The result code decimal 49 indicates that the credentials supplied were incorrect (in some cases for security reasons, this result code can be returned when an entry does not exist in order to mislead an attacker). The application coder should verify that the bind distinguished name has the correct credentials by authenticating using a known correct tool such as ldapsearch. For example, try:

    ldapsearch -h hostname -p port -D cn=admin,dc=kjenkins,dc=info -w password -b '' -s base '(&)' 
    

    The above search establishes a connection, changes the authorization state of the connection to the auth ID cn=admin,dc=kjenkins,dc=info using the given credentials, and then retrieves attributes from the root DSE. If this search is successful, then the application coder can be assured that the credentials are correct.

    see also
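The slapd log in the question already tells you which credential to check. With bindRequiresDn = true, Zend_Ldap binds with the configured username/password first to look up the user's DN, and the only BIND on that connection is the one as cn=admin,... (the configured service account, logged under dc=kjenkins rather than the dc=example shown in the config), so it is the service-account password or DN that fails, no matter what Alice typed. The following script is an added example, not code from the question or the answer: it pairs each slapd BIND with its RESULT line, decodes the err code, and separates service-account failures from user failures. The first five log lines are the ones posted; the extra lines in CONSTRUCTED_EXTRA are constructed for illustration and the DN normalization is a deliberate simplification of RFC 4517 DN matching.

```python
import re

# LDAP resultCode values (RFC 4511 section 4.1.9); slapd logs them as err=N.
RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    34: "invalidDNSyntax",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# slapd "stats" log lines key every operation by conn=N op=M.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+)')
BIND_RESPONSE_TAG = 97  # LDAP BindResponse application tag (tag=97 in the log)


def normalize_dn(dn):
    """Case- and whitespace-insensitive DN comparison key.
    Simplified RFC 4517 DN matching: fine for plain attribute types/values
    like the ones in this log, not for escaped or multi-valued RDNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_bind_results(lines):
    """Pair each BIND request with the RESULT on the same conn/op.
    Returns a list of dicts with conn, op, dn, method, err, name."""
    pending = {}
    results = []
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, method = m.groups()
            # method=128 is a simple bind; an empty dn with method=128 is an anonymous bind
            pending[(conn, op)] = {"conn": int(conn), "op": int(op), "dn": dn, "method": int(method)}
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, tag, err = m.groups()
            key = (conn, op)
            if key in pending and int(tag) == BIND_RESPONSE_TAG:
                rec = pending.pop(key)
                rec["err"] = int(err)
                rec["name"] = RESULT_CODES.get(rec["err"], "unknown")
                results.append(rec)
    return results


def diagnose(lines, service_dn):
    """Split bind outcomes into service-account failures, user failures and successes.
    A failed bind as service_dn means the configured username/password in the
    Zend options are wrong (or the DN does not exist), not the end user's."""
    service_key = normalize_dn(service_dn)
    report = {"service_account_failures": [], "user_failures": [], "successes": []}
    for rec in parse_bind_results(lines):
        if rec["err"] == 0:
            report["successes"].append(rec)
        elif normalize_dn(rec["dn"]) == service_key:
            report["service_account_failures"].append(rec)
        else:
            report["user_failures"].append(rec)
    return report


# The slapd lines exactly as posted in the question.
SAMPLE_LOG = """\
Mar 27 02:35:44 primary slapd[4589]: conn=1 fd=7 ACCEPT from IP=142.25.97.141:51711 (IP=0.0.0.0:389)
Mar 27 02:35:44 primary slapd[4589]: conn=1 op=0 BIND dn="cn=admin,dc=kjenkins,dc=info" method=128
Mar 27 02:35:44 primary slapd[4589]: conn=1 op=0 RESULT tag=97 err=49 text=
Mar 27 02:35:44 primary slapd[4589]: conn=1 op=1 UNBIND
Mar 27 02:35:44 primary slapd[4589]: conn=1 fd=7 closed
""".splitlines()

# Constructed lines (not from the question): a successful service-account bind
# followed by a failed bind as the looked-up user DN, which is what a wrong
# user password looks like once the configured credentials are right.
CONSTRUCTED_EXTRA = """\
Mar 27 02:40:10 primary slapd[4589]: conn=2 op=0 BIND dn="cn=admin,dc=kjenkins,dc=info" method=128
Mar 27 02:40:10 primary slapd[4589]: conn=2 op=0 RESULT tag=97 err=0 text=
Mar 27 02:40:10 primary slapd[4589]: conn=2 op=1 SRCH base="dc=kjenkins,dc=info" scope=2 deref=0 filter="(uid=alice)"
Mar 27 02:40:10 primary slapd[4589]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 27 02:40:10 primary slapd[4589]: conn=2 op=2 BIND dn="uid=alice,ou=People,dc=kjenkins,dc=info" method=128
Mar 27 02:40:10 primary slapd[4589]: conn=2 op=2 RESULT tag=97 err=49 text=
""".splitlines()


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG + CONSTRUCTED_EXTRA, "CN=admin,DC=kjenkins,DC=info")
    for rec in report["service_account_failures"]:
        print("service-account bind failed: conn=%d dn=%s err=%d (%s)" % (rec["conn"], rec["dn"], rec["err"], rec["name"]))
    for rec in report["user_failures"]:
        print("user bind failed: conn=%d dn=%s err=%d (%s)" % (rec["conn"], rec["dn"], rec["err"], rec["name"]))
```

Run it against /var/log/messages (or pipe `grep slapd` output into it) while reproducing the login: a service-account failure means the fix is on the Zend side (the ldap.server1.username DN and password, which is exactly what the ldapsearch test above verifies), while a user failure means the lookup worked and only the user's credential is wrong.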