LDAP Authentication denies login; asks for email address

Post by jpcabrales » Mon Jun 23, 2008 9:57 am

I'm setting up LDAP on a local network. Other PHP (but non-Joomla!) projects are able to communicate with the Active Directory pretty well.

1. The settings that I have entered in the "Authentication - LDAP" plugin seem to be fine. If I create a user based on its LDAP username (regardless of the email entered), that user can log in using his LDAP credentials. (Entering a wrong password denies login, so that's why I can say the LDAP settings I have entered are correct.)

2. However, if a user hasn't been previously registered manually, this error appears: "Please enter a valid e-mail address." The Auto-create Users option in the "Users - Joomla!" plugin has been enabled.

3. Furthermore, in $/libraries/joomla/database/table/user.php, if I comment out lines 158-161 (the code that checks the email address), the auto-registration gets through, but when I check the user list, the newly created user doesn't have a value in its email address field.

4. On the "Map: Email" plugin parameter of LDAP authentication, the value is "mail", which is the same as in the other projects we have, and there we can retrieve the email address successfully.

5. Doing a little debugging, I have changed the "Map: Email" value to "cn" (because I assume that value is correctly retrieved), but even printing its retrieved value to the setError function call in line 159 of users.php prints an empty value.

Anyone out there who can help me figure out how to retrieve the email address, so auto-creation of users would be supported? Thank you very much in advance. :)

Post by mauderific » Tue Jul 15, 2008 11:29 pm

Did you find the answer?

I've got the same problem here!

Thx

Post by jpcabrales » Wed Jul 16, 2008 5:40 am

mauderific,

One of my teammates managed to find the correct configuration for our Active Directory, very different from the "usual" but this might be able to help you. Here are the Plugin Parameters that we currently have for LDAP Authentication:

Host: xxx.xxx.xxx.xxx [IP Address of our host]
Port: 389
LDAP V3: Yes
Negotiate TLS: No
Follow referrals: No
Authorization Method: Bind directly as user:
Base DN: CN=Users,DC=talker,DC=com [Where talker.com is just an example]
Search String: userPrincipalName=johnny@talker.com [Here we placed a static entry]
Users DN: [Left blank]
Connect username: [Left blank]
Connect password: [Left blank]
Map Full Name: displayName
Map E-mail: userPrincipalName
Map User ID: uid

Post by mauderific » Wed Jul 16, 2008 2:25 pm

Hi!

On our side we found something else, and it's working very well:

Host: xxx.xxx.xxx.xxx [IP Address]
Port: 389
LDAP V3: Yes
Negotiate TLS: No
Follow referrals: No
Authorization Method: Bind directly as user:
Base DN: CN=Users,DC=talker,DC=com
Search String: cn=[search]
Users DN: cn=[username],cn=Users,dc=talker,dc=com
Connect username: [Left blank]
Connect password: [Left blank]
Map Full Name: displayName
Map E-mail: userPrincipalName
Map User ID: sAMAccountName

Post by toby77jo » Mon Aug 04, 2008 5:33 pm

Host: xxx.xxx.xxx.xxx [IP Address]
Port: 389
LDAP V3: Yes
Negotiate TLS: No
Follow referrals: No
Authorization Method: Bind directly as user:
Base DN: CN=Users,DC=talker,DC=com
Search String: cn=[search]
Users DN: cn=[username],cn=Users,dc=talker,dc=com
Connect username: [Left blank]
Connect password: [Left blank]
Map Full Name: displayName
Map E-mail: userPrincipalName
Map User ID: sAMAccountName

It is working, BUT what do I change if I want to authenticate against many different OUs? Not all my users are in OU=Users.

Also, does anybody know a good lister for LDAP?

Post by craigreilly » Tue Nov 11, 2008 8:54 pm

Does anybody know how to properly authenticate a user without an email address? Some of our LDAP users have access to Programs and such but do not have email. Login fails.

Post by jpcabrales » Thu Nov 13, 2008 3:01 am

craigreilly, if I understand correctly, this is your scenario:
  • Your Auto-create Users option is Enabled.
  • Some of your users who have an email address assigned can successfully log in.
  • However, there are those in your Active Directory who are not assigned email addresses, and they cannot log in because of the email error.

So if this is the case for you, the trick here is to create a dummy email address value. (We can choose to have the email left blank and bypassed, but as Joomla! will require a unique value for email addresses, only one user can have the blank email address. To resolve this would require more modification on the code, so the dummy email address would be the way to have minimal changes to the core Joomla! code.)

What you must do is go to $/libraries/joomla/database/table/user.php, and modify this block (lines 157-160 on Joomla 1.5.7):

if ((trim($this->email) == "") || ! JMailHelper::isEmailAddress($this->email) ) {
	$this->setError( JText::_( 'WARNREG_MAIL' ) );
	return false;
}

Change it to:

if ((trim($this->email) == "") || ! JMailHelper::isEmailAddress($this->email) ) {
	$this->email = $this->username . "@dummydomain.com";
	// Find the explanation below
}

Here, when there is no email address retrieved from the Active Directory, instead of returning "false" (error), we assign this person's username ($this->username, or you can have $this->name instead) plus a dummy domain ("@dummydomain.com") for this person's email address. Actually, any non-empty value here would qualify. The key is to make each (dummy or real) email address unique for each user.

So finally, when users without email addresses attempt to log in, their accounts would be auto-created as if they have a real email address, and they can already successfully log in.

Hope this helps. Post back to tell if this solution works or not for you. Thanks!
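
A variant of the fallback above, as an added example that is not part of the post or of Joomla!'s code: it builds the placeholder under the reserved `.invalid` top-level domain, so mail the site sends to that account cannot reach whoever registers a real domain of the same name, and it keeps the address unique per username. The function name `placeholderEmail` and the domain `nomail.invalid` are assumptions.

```php
<?php
// Added example, not Joomla! core code. placeholderEmail() and the
// nomail.invalid domain are hypothetical; PHP 7+ syntax.

/**
 * Build a unique, undeliverable address for an account with no mail
 * attribute. ".invalid" is reserved by RFC 2606 and can never be registered.
 */
function placeholderEmail(string $username, string $domain = 'nomail.invalid'): string
{
    // Active Directory logon names are case-insensitive, so fold case first.
    $original = strtolower(trim($username));
    // Keep only characters that are unproblematic in a local part and
    // collapse runs of dots, which are not allowed there.
    $local = preg_replace(['/[^a-z0-9._-]/', '/\.{2,}/'], ['', '.'], $original);
    $local = trim($local, '.');
    if ($local === '') {
        throw new InvalidArgumentException('username has no usable characters');
    }
    // If anything was dropped or the name is long, two usernames could end up
    // with the same local part; a short hash of the original keeps them apart.
    if ($local !== $original || strlen($local) > 55) {
        $local = substr($local, 0, 55) . '-' . substr(hash('sha256', $original), 0, 8);
    }
    return $local . '@' . $domain; // local part is at most 64 characters
}

// Constructed sample usernames.
foreach (['jdoe', 'Web Operator', 'CORP\\jdoe', 'svc+backup'] as $name) {
    echo $name, ' => ', placeholderEmail($name), PHP_EOL;
}
```

In the modified block it would take the place of the hard-coded concatenation, as `$this->email = placeholderEmail($this->username);`.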

Post by craigreilly » Thu Nov 13, 2008 3:14 pm

I found a solution that appears to be working. Once I found the table folder where all of the SQL queries are, it made things easier. I had no idea how the Joomla structure was organized.
My steps:
1) User.php - Do not check if user has passed valid email address. Comment out section. -> line: 157-160
2) User.php - Always return true on check if email address is in use. We do not care about dupes. -> line: 193
3) Allow NULLS in the Joomla database user table email field

I am not sure if one is better than the other. Maybe your way is better because I would have a value in the backend.

Thanks for your response. It would be nice if the Joomla Config would allow no email address for those who do not need it. In my case, we are using Joomla for a corporate intranet, so we know the people who have access because of A.D.

Post by farhanfaisal » Wed Apr 22, 2009 9:41 am

I have a problem validating users on LDAP. We have:
ou=Groups,dc=talker,dc=com
|--- cn=WebOperator
ou=Students,dc=talker,dc=com
ou=Staff,dc=talker,dc=com

cn=WebOperator is a static group that contains some of the users in ou=Students and ou=Staff.
uid=user1,ou=Students,dc=talker,dc=com
uid=user2,ou=Staff,dc=talker,dc=com

I don't want other Students and Staff to be authenticated, just the users within cn=WebOperator.

This is my Joomla LDAP plugin configuration
Base DN : OU=Groups,DC=talker,DC=com
Search String : uniqueMember=[search]
User's DN : uniqueMember=[username],cn= WebOperator,ou=Groups,dc=talker,dc=com

It can authenticate all users in Staff and Students for now. How to limit it to WebOperator only? Could anyone help me?

Post by on1 » Mon Nov 16, 2009 8:32 am

Hi,

I have the exact error mentioned in the topic, on a fresh install of Joomla 1.5.14:

- users are correctly authenticated to LDAP;
- autocreate fails requesting a valid email address.

So I resolved to use the "patch" proposed by jpcabrales; but that's dirty.

I have dumped the traffic between Joomla and my LDAP server: it never requests the email attribute; in fact it never requests any attribute, all it does is bind and unbind. No wonder the auto-create then complains that the email is empty.

Post by jpcabrales » Mon Nov 16, 2009 9:30 am

Hi on1, can you share with us your current LDAP plugin configuration? Based on my experience, Joomla! does request attributes from the LDAP server (such as the Full name and Email address), not just bind. There might be something off with your configuration that makes it unable to request any attribute (though it's correct enough to authenticate).

Post by on1 » Mon Nov 16, 2009 11:02 am

jpcabrales wrote: Hi on1, can you share with us your current LDAP plugin configuration? Based on my experience, Joomla! does request attributes from the LDAP server (such as the Full name and Email address), not just bind. There might be something off with your configuration that makes it unable to request any attribute (though it's correct enough to authenticate).

Thanks for the quick reply.

I am not sure how to "cut/paste" the configuration. But the LDAP plugin is configured with a proper mapping of "Map: Email" into "mail" which is my LDAP attribute handling the mail address of the user.

I should add, in the same way, the full name is not mapped into the attribute gecos as I have configured it.

Post by nnichols » Mon Sep 26, 2011 10:20 pm

Hi all, I had the exact same problem as originally described and solved it by using the "Bind and Search" method in the LDAP Authentication plugin. This does require that you have a service account created so that Joomla can log in to your LDAP and search for the user.
So:

Host: ldaps://example.com
Port: 636
LDAP V3: Yes
Negotiate TLS: No
Follow referrals: No
Authorization Method: Bind and Search
Base DN: ou=All Users,DC=example,DC=com
Search String: sAMAccountName=[search]
User's DN:
Connect username: service_account@example.com
Connect password: ********
Map: Full Name: displayName
Map: E-mail: mail
Map: User ID: cn
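
The Bind and Search sequence described above, written with PHP's LDAP extension as an added example (not the plugin's source): a service-account bind, a search that asks for the mapped attributes, then a re-bind as the DN that was found. Host, base DN and account are the sample values from the post; `ldapLogin()` and the `LDAP_BIND_PW` environment variable are assumptions, and it needs ext-ldap and a reachable directory.

```php
<?php
// Added example, not the plugin's source. Host, base DN and service account
// are the sample values from the post above; ldapLogin() and the LDAP_BIND_PW
// environment variable are hypothetical.

function ldapLogin(string $username, string $password): ?array
{
    $servicePw = getenv('LDAP_BIND_PW');
    // An empty password turns a bind into an unauthenticated bind, which
    // some servers accept, so refuse empty credentials up front.
    if ($username === '' || $password === '' || !is_string($servicePw) || $servicePw === '') {
        return null;
    }
    $conn = ldap_connect('ldaps://example.com:636');
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // 1. Bind as the service account so the directory permits a search.
    if (!@ldap_bind($conn, 'service_account@example.com', $servicePw)) {
        return null;
    }
    // 2. Search for the user, asking only for the mapped attributes.
    //    ldap_escape() makes * ( ) \ in the typed name match literally.
    $filter = '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $result = @ldap_search($conn, 'ou=All Users,DC=example,DC=com', $filter,
                           ['displayName', 'mail', 'cn']);
    $entries = $result ? ldap_get_entries($conn, $result) : false;
    if (!$entries || $entries['count'] !== 1) {
        return null; // unknown or ambiguous user
    }
    $entry = $entries[0];

    // 3. Re-bind as the DN that was found to verify the user's password.
    $ok = @ldap_bind($conn, $entry['dn'], $password);
    ldap_unbind($conn);
    if (!$ok) {
        return null;
    }
    // ldap_get_entries() lower-cases attribute names.
    return [
        'username' => $entry['cn'][0],
        'fullname' => $entry['displayname'][0] ?? $entry['cn'][0],
        'email'    => $entry['mail'][0] ?? null, // null when no mail is set
    ];
}
```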

