[SOLVED] - LDAP issues with 1.9 RC1
All,
I am running wamp on a Windows 2003 sp2 server.... Not my choice!!!
Apache 2.2.11
PHP 5.3
Testlink 1.9 rc1
I have attempted to configure the conf.php file in order to use LDAP authentication. When I change from MD5 to LDAP, the login section disappears when you navigate to the login page, and it only gives you a link to create a new user. I looked in the Active Directory logs and I can manually authenticate from the server, but I cannot get it to work through TestLink. Is there another configuration that I should be changing other than the conf.php of TestLink? Are there Apache configs that need to go along with this? Any help would be awesome!
Thank you,
Re: LDAP issues with 1.9 RC1
I am facing a similar issue. The login section is not visible on the login screen after LDAP configuration.
Could you please let me know if there is any solution to this problem?
Thanks in advance
Regards,
Kamlesh
Re: LDAP issues with 1.9 RC1
I got the solution to this problem: the LDAP module for PHP was not installed on the server.
1. Set php path in env variable
2. Uncomment following line in php.ini
extension=php_ldap.dll
3. Restart the server
Re: [SOLVED] - LDAP issues with 1.9 RC1
The same issue exists in a Linux environment. However, I do not have a solution yet.
Environment:
- OS: Ubuntu 11.10 Desktop
- TestLink: testlink-1.9.3
- LDAP: OpenLDAP 2.4.25
I edited the file custom_config.inc.php and added the content below:
Code:
$tlCfg->authentication['method'] = 'LDAP';
$tlCfg->authentication['ldap_server'] = '[my ldap server ip address here]';
$tlCfg->authentication['ldap_port'] = '389';
$tlCfg->authentication['ldap_version'] = '3'; // could be '2' in some cases
$tlCfg->authentication['ldap_root_dn'] = "[my root dn here, I used users' parent node's dn]";
$tlCfg->authentication['ldap_organization'] = ''; // e.g. '(organizationname=*Traffic)'
$tlCfg->authentication['ldap_uid_field'] = 'uid'; // Use 'sAMAccountName' for Active Directory
$tlCfg->authentication['ldap_bind_dn'] = ''; // Left empty for anonymous LDAP binding
$tlCfg->authentication['ldap_bind_passwd'] = ''; // Left empty for anonymous LDAP binding
$tlCfg->authentication['ldap_tls'] = false; // true -> use tls
I failed to log in to TestLink with an LDAP user account.
I would like to say TestLink cannot give a helpful message for the login failure, which needs to be improved. Maybe somebody has solved the issue; I think we can set up a dedicated topic for collecting solutions. Thus, for many newcomers to TestLink, it will be very helpful and save them much time.
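The two failure points in the posts above (the PHP LDAP extension not being loaded, and the connection settings in custom_config.inc.php) can be checked step by step outside TestLink. The script below is an added example, not part of the original posts and not TestLink code; the host, base DN, search filter form and the fail() helper are assumptions, and it needs PHP 7.0 or later.

```php
<?php
// Added diagnostic sketch, not TestLink code. Usage: php ldap_check.php <login>
// Keys mirror the $tlCfg->authentication settings above; host and DNs are placeholders.
$cfg = [
    'ldap_server'      => 'ldap.example.test',
    'ldap_port'        => 389,
    'ldap_version'     => 3,
    'ldap_root_dn'     => 'ou=people,dc=example,dc=test',
    'ldap_uid_field'   => 'uid',   // 'sAMAccountName' for Active Directory
    'ldap_bind_dn'     => '',      // empty -> anonymous bind
    'ldap_bind_passwd' => '',
    'ldap_tls'         => true,    // false on port 389 sends binds unencrypted
];

// Print the failing step (plus the LDAP library's error text, if connected) and stop.
function fail(string $step, $conn = null): void
{
    fwrite(STDERR, "FAIL $step" . ($conn ? ': ' . ldap_error($conn) : '') . "\n");
    exit(1);
}

// Step 1: the missing-extension case from this thread.
if (!extension_loaded('ldap')) {
    fail('extension: ldap not loaded, php.ini in use: ' . (php_ini_loaded_file() ?: 'none'));
}
$login = $argv[1] ?? '';
if ($login === '') { fail('usage: php ldap_check.php <login>'); }

// Step 2: connect. PHP connects lazily, so network errors surface at STARTTLS or bind.
$conn = ldap_connect("ldap://{$cfg['ldap_server']}:{$cfg['ldap_port']}");
if ($conn === false) { fail('connect'); }
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, $cfg['ldap_version']);
if ($cfg['ldap_tls'] && !@ldap_start_tls($conn)) { fail('starttls', $conn); }

// Step 3: service bind (anonymous when no bind DN is configured).
$bound = $cfg['ldap_bind_dn'] === ''
    ? @ldap_bind($conn)
    : @ldap_bind($conn, $cfg['ldap_bind_dn'], $cfg['ldap_bind_passwd']);
if (!$bound) { fail('bind', $conn); }

// Step 4: search by the configured uid field (assumed filter form), escaping the login.
$filter = sprintf('(%s=%s)', $cfg['ldap_uid_field'], ldap_escape($login, '', LDAP_ESCAPE_FILTER));
$found = @ldap_search($conn, $cfg['ldap_root_dn'], $filter, ['dn']);
if ($found === false) { fail('search', $conn); }
echo 'OK: ', ldap_count_entries($conn, $found), " entry(ies) match $filter\n";
```

Run it with the same PHP the web server uses: on WAMP the command-line PHP and Apache can load different php.ini files, so an extension enabled for one may still be missing for the other.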
Re: [SOLVED] - LDAP issues with 1.9 RC1
>> I would like to say TestLink cannot give a helpful message for the login failure, which needs to be improved
OK, let us know how you would improve the message.
This is normally an issue that has to be managed by a SysAdmin, who is going to work on this and do the debugging.
Re: [SOLVED] - LDAP issues with 1.9 RC1
I got a big improvement today. I found that TestLink first checks whether the user login name exists in the DB ($TESTLINK/lib/functions/doAuthorize.php). If it exists, it will check whether the password given by the login user matches the password in the DB or LDAP. Thus, to use LDAP, the user must first be created in the DB. Otherwise, the user will fail to log in even if the user exists in LDAP. The LDAP authentication feature only provides one password management approach. LDAP users cannot be synchronized with DB users, which is a big problem for TestLink. Isn't it!
See the code below in the file $TESTLINK/lib/functions/doAuthorize.php:
Code:
function doAuthorize(&$db,$login,$pwd)
{
    $result = array('status' => tl::ERROR, 'msg' => null);
    $_SESSION['locale'] = TL_DEFAULT_LOCALE;
    if (!is_null($pwd) && !is_null($login))
    {
        $user = new tlUser();
        $user->login = $login;
        $login_exists = ($user->readFromDB($db,tlUser::USER_O_SEARCH_BYLOGIN) >= tl::OK); // --- Check if the user exists in DB (gmwen)
        if ($login_exists) // --- if the user exists in DB (gmwen)
        {
            $password_check = auth_does_password_match($user,$pwd); // --- check if the password is matched: MD5 --- DB; LDAP --- LDAP Server (gmwen)
            if ($password_check->status_ok && $user->isActive)
            {
                // 20051007 MHT Solved 0000024 Session confusion
                // Disallow two sessions within one browser
                if (isset($_SESSION['currentUser']) && !is_null($_SESSION['currentUser']))
                {
                    $result['msg'] = lang_get('login_msg_session_exists1') .
                                     ' <a style="color:white;" href="logout.php">' .
                                     lang_get('logout_link') . '</a>' . lang_get('login_msg_session_exists2');
                }
                else
                {
                    //Setting user's session information
                    $_SESSION['currentUser'] = $user;
                    $_SESSION['lastActivity'] = time();
                    global $g_tlLogger;
                    $g_tlLogger->endTransaction();
                    $g_tlLogger->startTransaction();
                    setUserSession($db,$user->login, $user->dbID,$user->globalRoleID,$user->emailAddress, $user->locale,null);
                    $result['status'] = tl::OK;
                }
            }
            else
            {
                logAuditEvent(TLS("audit_login_failed",$login,$_SERVER['REMOTE_ADDR']),"LOGIN_FAILED",$user->dbID,"users");
            }
        }
    }
    return $result;
}
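In the function as quoted, logAuditEvent() is reached only when the login exists in the DB and the password or active check fails; a login that exists only in LDAP falls through with no audit entry and no message. The sketch below is an added example, not part of the original post and not TestLink code: it keeps the DB-first order but records a reason for every failure while the user always sees one generic message. All names, reason codes and sample data are hypothetical, and it needs PHP 7.1 or later.

```php
<?php
// Added sketch, not TestLink code: same order of checks as the quoted doAuthorize(),
// but every failed attempt is audited with a reason while the user sees one message.
// $dbUsers, $checkPassword, the reason codes and the sample data are hypothetical.
const MSG_GENERIC = 'Login failed.';

function authorizeSketch(array $dbUsers, callable $checkPassword, string $login, string $pwd, array &$audit): array
{
    if ($login === '' || $pwd === '') {
        // Reject empties before any bind: RFC 4513 treats a simple bind with a DN
        // and an empty password as an unauthenticated bind, not a password check.
        $reason = 'EMPTY_CREDENTIALS';
    } elseif (!isset($dbUsers[$login])) {
        $reason = 'NO_LOCAL_ACCOUNT';   // the case from this thread: LDAP-only user
    } elseif (!$checkPassword($login, $pwd)) {
        $reason = 'PASSWORD_MISMATCH';
    } elseif (!$dbUsers[$login]['active']) {
        $reason = 'ACCOUNT_INACTIVE';
    } else {
        $reason = null;
    }
    $audit[] = [
        'event'  => $reason === null ? 'LOGIN_OK' : 'LOGIN_FAILED',
        'login'  => $login,
        'reason' => $reason,
    ];
    return $reason === null
        ? ['status' => 'OK', 'msg' => null]
        : ['status' => 'ERROR', 'msg' => MSG_GENERIC];
}

// Constructed sample data: two local accounts and a stand-in for the LDAP password check.
$dbUsers = ['alice' => ['active' => true], 'bob' => ['active' => false]];
$directory = ['alice' => 's3cret', 'bob' => 'hunter2', 'carol' => 'pw'];
$checkPassword = function (string $login, string $pwd) use ($directory): bool {
    return isset($directory[$login]) && hash_equals($directory[$login], $pwd);
};

$audit = [];
$attempts = [['alice', 's3cret'], ['alice', 'wrong'], ['carol', 'pw'], ['bob', 'hunter2'], ['alice', '']];
foreach ($attempts as [$login, $pwd]) {
    $result = authorizeSketch($dbUsers, $checkPassword, $login, $pwd, $audit);
    printf("user sees : %-5s %s\n", $result['status'], $result['msg'] ?? '');
}
foreach ($audit as $entry) {
    printf("audit log : %-12s %-6s %s\n", $entry['event'], $entry['login'], $entry['reason'] ?? '-');
}
```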
Re: [SOLVED] - LDAP issues with 1.9 RC1
>> LDAP authentication feature only provides one password management approach. LDAP users cannot be synchronized with DB users, which is a big problem for TestLink. Isn't it!
For the TL Development Team this is not an issue, and not a big problem; it is a design choice.
Normally LDAP is used just to have only one place where to manage password policy; because each system has its own user attributes, these particular attributes are saved in a table, and not in the LDAP schema.
I know that mantis allows automatic creation of the user ON MANTIS DB USERS TABLE, if using LDAP and configuring mantis in some way.
Some time ago a user provided code to do the same on TL, but because he refused to follow our requests, we deleted the contribution from mantis.
Just remember that systems do not work as you expect or think, but as detailed in the documentation (when documentation exists).
On page 27/28 of the Installation manual there is some explanation, which we absolutely have to improve.
Re: [SOLVED] - LDAP issues with 1.9 RC1
Thanks a lot for fman's explanation!
However, my focus is to suggest a better choice - automatically create the account at the first login if the account exists only in LDAP. Bugzilla uses this approach - see the snapshot of the Bugzilla document below, and I actually tested it. At present, TestLink will deny login if the account exists only in LDAP, which is not a good user experience.
I agree with you about the idea that LDAP is just for having only one place where to manage password policy. It is not necessary to completely synchronize all user account attributes between LDAP and the concrete system. But if we can provide a mechanism to synchronize them, users will find it more convenient.
Re: [SOLVED] - LDAP issues with 1.9 RC1
Open a feature request on mantis, if you want.
This thread is not the right place.