[horde] Horde 4 and Active Directory Problems? (worked with H3)

Harald Hutter hutter at ihs.ac.at
Thu Jul 15 10:08:38 UTC 2010


On Wednesday 14 July 2010, Michael Rubinsky wrote:
> Quoting Harald Hutter <hutter at ihs.ac.at>:
> > [2] Clicking on Groups (logged in as administrator) returns the following
> > error:
> > A fatal error has occurred
> > Could not reach the LDAP server
> > [line 556 of .../horde/framework/Group/lib/Horde/Group/Ldap.php]
> >
> > Path in the last line was abbreviated by me. Looking in Ldap.php
> > it seems that _connect in listGroups succeeds (also verified with tcpdump
> > and changing the code to write custom debug messages to the log; setting
> > Log Level
> > to DEBUG didn't reveal more useful information).
> >
> > I also verified that the parameters are correct and the ldap handle is
> > still the same as returned by _connect with the following lines inserted
> > before the line "$search = @ldap_search($this->_ds,
> > $this->_params['basedn'], $this->_filter, array($this->_params['gid']));"
> >
> > $entry = sprintf('basedn %s filter %s gid %s ds %s',
> > $this->_params['basedn'],
> > $this->_filter, $this->_params['gid'], $this->_ds);
> > Horde::logMessage($entry, 'NOTICE');
> >
> > All the variables written to the log are looking fine. So I think the
> > problem is the line $search = @ldap_search...
> >
> > Can anybody point me to the file containing the function ldap_search?
> > Google was of no help (maybe I did it wrong?). Should I find it in the
> > documentation at dev.horde.org? Has anyone a clue what might be wrong
> > here?
>
> ldap_search is a native php function that is available when php is
> compiled with ldap support. Perhaps a a wireshark trace of the
> conversation between horde and ldap would be useful here?
>

I did some wireshark investigation and found something strange.
It seems that the ldap_connect call succeeds but the ldap_bind fails.
Sorry for not catching this yesterday.

Looking at the code (horde/framework/Group/lib/Horde/Group/Ldap.php)
you find the following snippet:
        if (isset($this->_params['binddn'])) {
            $bind = @ldap_bind($this->_ds, $this->_params['binddn'],
                               $this->_params['password']);
        } else {
            $bind = @ldap_bind($this->_ds);
        }

        if (!$bind) {
            throw new Horde_Group_Exception('Could not bind to LDAP server');
        }

Well, I don't know why one doesn't see the error "Could not bind to LDAP Server";
maybe it's overwritten by the following Horde_Group_Exception from the
ldap_search call. Nevertheless, binddn is empty, so an anonymous bind is
tried. Windows 2008 AD Server prevents anonymous binds by default. I couldn't
find any setting in conf.php named "binddn", nor any in conf.php.dist.
So I replaced those with searchdn and it works.
Fix in diff format:
diff Ldap.php Ldap.php.org 
96,98c96,98
<         if (isset($this->_params['searchdn'])) {
<             $bind = @ldap_bind($this->_ds, $this->_params['searchdn'],
<                                $this->_params['searchpw']);
---
>         if (isset($this->_params['binddn'])) {
>             $bind = @ldap_bind($this->_ds, $this->_params['binddn'],
>                                $this->_params['password']);
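Review bot: the hunk swaps both keys, `binddn`/`password` for `searchdn`/`searchpw`, but the message only reports finding `searchdn` in conf.php; if `searchpw` is not the key conf.php actually uses, `isset($this->_params['searchdn'])` is true and `ldap_bind` runs with a null password, which is an unauthenticated bind that AD rejects or downgrades to anonymous, reproducing the original failure silently. Suggest requiring both keys in the condition, e.g. `if (isset($this->_params['searchdn'], $this->_params['searchpw'])) {`, and dropping the `@` in front of `ldap_bind` (or logging `ldap_error($this->_ds)` before the throw) so a bind failure surfaces instead of being masked by the later "Could not reach the LDAP server" exception.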

Now I can see all the groups in Horde.

Note: binddn and password were settings in H3.
If it is really intended to use binddn here, where should it be configured?

Maybe just another git pull resolves this issue (although it didn't do so 
now). 

Harald
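The failure mode discussed in this thread (a bind DN key missing from the config, so the code silently falls back to an anonymous bind that AD refuses, and the real error hidden by `@`) can be made to fail loudly instead. The following is an added example, not Horde's code: a bind helper that accepts either of the key pairs named in the thread (`binddn`/`password` or `searchdn`/`searchpw`), refuses to downgrade to an anonymous or unauthenticated bind unless explicitly allowed, and reports `ldap_error()` on failure. The `hostspec` key, the `$allowAnonymous` flag and the config values shown are assumptions made for the example.

```php
<?php
// Added example (not Horde code). Binds to LDAP with explicit handling of the
// cases the thread ran into: missing bind DN, DN without password, and a
// bind failure that would otherwise be hidden by '@'.

function bindLdap(array $params, bool $allowAnonymous = false)
{
    // 'hostspec' is an assumed config key for this example.
    $ds = ldap_connect($params['hostspec']);
    if ($ds === false) {
        throw new RuntimeException('Could not reach the LDAP server');
    }
    // AD requires protocol v3; disabling referral chasing avoids
    // unauthenticated follow-ups to other domain controllers.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Accept either naming scheme from the thread, but only as a pair.
    $dn = $params['binddn'] ?? $params['searchdn'] ?? null;
    $pw = $params['password'] ?? $params['searchpw'] ?? null;

    if ($dn === null) {
        if (!$allowAnonymous) {
            // This is the silent fallback that failed against Windows 2008 AD.
            throw new RuntimeException(
                'No bind DN configured (binddn or searchdn) and anonymous bind is not allowed');
        }
        $bind = ldap_bind($ds);
    } else {
        if ($pw === null || $pw === '') {
            // A DN with an empty password is an unauthenticated bind; AD either
            // rejects it or treats it as anonymous. Refuse rather than downgrade.
            throw new RuntimeException("Bind DN '$dn' configured without a password");
        }
        $bind = ldap_bind($ds, $dn, $pw);
    }

    if (!$bind) {
        // Surface the server's reason (e.g. AD's "invalid credentials") instead
        // of letting a later ldap_search failure mask it.
        throw new RuntimeException(sprintf(
            'Could not bind to LDAP server as %s: %s (errno %d)',
            $dn ?? 'anonymous', ldap_error($ds), ldap_errno($ds)));
    }
    return $ds;
}

function listGroupNames($ds, string $basedn, string $filter, string $gidAttr): array
{
    $search = ldap_search($ds, $basedn, $filter, [$gidAttr]);
    if ($search === false) {
        throw new RuntimeException('LDAP search failed: ' . ldap_error($ds));
    }
    $names = [];
    $entries = ldap_get_entries($ds, $search);
    for ($i = 0; $i < $entries['count']; $i++) {
        $attr = strtolower($gidAttr);
        if (isset($entries[$i][$attr][0])) {
            $names[] = $entries[$i][$attr][0];
        }
    }
    return $names;
}

// Constructed sample configuration (placeholder values, not a real server).
$params = [
    'hostspec' => 'ldap://dc.example.invalid',
    'searchdn' => 'CN=horde-reader,OU=Service Accounts,DC=example,DC=invalid',
    'searchpw' => 'PLACEHOLDER_PASSWORD',
    'basedn'   => 'DC=example,DC=invalid',
    'gid'      => 'cn',
];

try {
    $ds = bindLdap($params);
    foreach (listGroupNames($ds, $params['basedn'], '(objectClass=group)', $params['gid']) as $name) {
        echo $name, PHP_EOL;
    }
} catch (RuntimeException $e) {
    // With the '@' removed, PHP's own warning also reaches the error log.
    error_log($e->getMessage());
}
```

Run against a server that, like the one in the thread, refuses anonymous binds, the helper now reports which bind was attempted and the LDAP error string, so a missing or misnamed config key shows up as a bind failure rather than as "Could not reach the LDAP server" from the later search.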

