php, ldap, simplesamlphp

SimpleSAML\Assert\AssertionFailedException: The value "192.168.1.2" does not match the expected pattern


I am trying to configure simplesamlphp with LDAP Auth. I get this error:

SimpleSAML\Error\Error: UNHANDLEDEXCEPTION
Backtrace:
2 public/_include.php:28 (SimpleSAML_exception_handler)
1 vendor/symfony/error-handler/ErrorHandler.php:541 (Symfony\Component\ErrorHandler\ErrorHandler::handleException)
0 [builtin] (N/A)
Caused by: SimpleSAML\Assert\AssertionFailedException: The value "192.168.1.2" does not match the expected pattern.
Backtrace:
13 vendor/simplesamlphp/assert/src/Assert.php:364 (SimpleSAML\Assert\Assert::__callStatic)
12 modules/ldap/src/Connector/Ldap.php:58 (SimpleSAML\Module\ldap\Connector\Ldap::__construct)
11 modules/ldap/src/ConnectorFactory.php:49 (SimpleSAML\Module\ldap\ConnectorFactory::fromAuthSource)
10 modules/ldap/src/Auth/Source/Ldap.php:66 (SimpleSAML\Module\ldap\Auth\Source\Ldap::__construct)
9 src/SimpleSAML/Auth/Source.php:326 (SimpleSAML\Auth\Source::parseAuthSource)
8 src/SimpleSAML/Auth/Source.php:368 (SimpleSAML\Auth\Source::getById)
7 src/SimpleSAML/Auth/Simple.php:72 (SimpleSAML\Auth\Simple::getAuthSource)
6 src/SimpleSAML/Auth/Simple.php:159 (SimpleSAML\Auth\Simple::login)
5 modules/admin/src/Controller/Test.php:142 (SimpleSAML\Module\admin\Controller\Test::main)
4 vendor/symfony/http-kernel/HttpKernel.php:163 (Symfony\Component\HttpKernel\HttpKernel::handleRaw)
3 vendor/symfony/http-kernel/HttpKernel.php:75 (Symfony\Component\HttpKernel\HttpKernel::handle)
2 vendor/symfony/http-kernel/Kernel.php:202 (Symfony\Component\HttpKernel\Kernel::handle)
1 src/SimpleSAML/Module.php:228 (SimpleSAML\Module::process)
0 public/module.php:14 (N/A)

Installed on: Debian 12, nginx/1.22.1 and PHP 8.2 with LDAP extension, SimpleSAMLphp 2.0.4. I also tried it on Debian 11, nginx/1.18.0 and PHP 7.4 with LDAP extension, SimpleSAMLphp 2.0.4. Same error.

I installed the LDAP Module with: "php composer.phar require simplesamlphp/simplesamlphp-module-ldap"

The module is enabled in config.php:

'module.enable' => [
         'exampleauth' => false,
         'core' => true,
         'admin' => true,
         'ldap' => true,
         'saml' => true
],

config/authsources.php

// Example of a LDAP authentication source.
'Test' => [
    'ldap:Ldap',

    // The connection string for the LDAP-server.
    // You can add multiple by separating them with a space.
    'connection_string' => '192.168.1.2',

    // Whether SSL/TLS should be used when contacting the LDAP server.
    // Possible values are 'ssl', 'tls' or 'none'
    'encryption' => 'ssl',

    // The LDAP version to use when interfacing the LDAP-server.
    // Defaults to 3
    'version' => 3,

    // Set to TRUE to enable LDAP debug level. Passed to the LDAP connector class.
    //
    // Default: FALSE
    // Required: No
    'ldap.debug' => true,
    'ldap.port' => 389,
    // The LDAP-options to pass when setting up a connection
    // See [Symfony documentation][1]
    'options' => [

        // Set whether to follow referrals.
        // AD Controllers may require 0x00 to function.
        // Possible values are 0x00 (NEVER), 0x01 (SEARCHING),
        //   0x02 (FINDING) or 0x03 (ALWAYS).
        'referrals' => 0x00,
        
        'network_timeout' => 3,
    ],

    // The connector to use.
    // Defaults to '\SimpleSAML\Module\ldap\Connector\Ldap', but can be set
    // to '\SimpleSAML\Module\ldap\Connector\ActiveDirectory' when
    // authenticating against Microsoft Active Directory. This will
    // provide you with more specific error messages.
    'connector' => '\SimpleSAML\Module\ldap\Connector\Ldap',

    // Which attributes should be retrieved from the LDAP server.
    // This can be an array of attribute names, or NULL, in which case
    // all attributes are fetched.
    'attributes' => null,

     // Which attributes should be base64 encoded after retrieval from
     // the LDAP server.
    'attributes.binary' => [
        'jpegPhoto',
        'objectGUID',
        'objectSid',
        'mS-DS-ConsistencyGuid'
    ],

    // The pattern which should be used to create the user's DN given
    // the username. %username% in this pattern will be replaced with
    // the user's username.
    //
    // This option is not used if the search.enable option is set to TRUE.
    'dnpattern' => 'cn=%username%,ou=Klxx,ou=xxxx,ou=Benutzer,ou=xxx,ou=Sxx,o=mxx',

    // As an alternative to specifying a pattern for the users DN, it is
    // possible to search for the username in a set of attributes. This is
    // enabled by this option.
    'search.enable' => true,

    // An array on DNs which will be used as a base for the search. In
    // case of multiple strings, they will be searched in the order given.
    'search.base' => [
        'ou=xxx,ou=xxxx,ou=Bxxxxx,ou=xxxxxx,ou=xxxxxx,o=xxxxxxx',
    ],

    // The scope of the search. Valid values are 'sub' and 'one' and
    // 'base', first one being the default if no value is set.
    'search.scope' => 'sub',

    // The attribute(s) the username should match against.
    //
    // This is an array with one or more attribute names. Any of the
    // attributes in the array may match the value the username.
    'search.attributes' => ['uid', 'mail','cn','sn'],

    // Additional filters that must match for the entire LDAP search to
    // be true.
    //
    // This should be a single string conforming to [RFC 1960][2]
    // and [RFC 2544][3]. The string is appended to the search attributes
    //'search.filter' => '(&(objectClass=Person)(|(sn=Doe)(cn=John *)))',
     'search.filter' => '(objectclass=*)',
    // The username & password where SimpleSAMLphp should bind to before
    // searching. If this is left NULL, no bind will be performed before
    // searching.
    'search.username' => 'cn=xxxxxxxx,ou=sxxxxxx,ou=xxxxxxxx,o=mxxxxxx',
    'search.password' => 'xxxxxxxxxxxxxxxxxxxx',
],

Solution

  • The code (Assert::regex($connection_string, '#^ldap[s]?:\/\/#');) looks like it wants a leading ldap:// or ldaps://. If that fixes it for you, would you please make a PR to fix the documentation or file a GitHub issue and ask whether the pattern check should be removed or if the documentation should be updated.
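As an added illustration, not code from the answer or from the SimpleSAMLphp ldap module, here is a small PHP pre-flight check that applies the pattern quoted above to each space-separated server in a 'connection_string' value and reports the entries that would trip the module's assertion; the function name and the 'encryption' cross-check are assumptions for this example.

```php
<?php
// Added example: pre-flight lint for the 'connection_string' of an ldap:Ldap
// authsource. Not code from SimpleSAMLphp; the regex is the one quoted in the answer.
declare(strict_types=1);

const LDAP_SCHEME_PATTERN = '#^ldap[s]?:\/\/#';

/**
 * Split a space-separated connection string (the authsource comment says
 * several servers may be given that way) and return one finding per entry
 * that would fail the module's Assert::regex() check. Empty array = all good.
 *
 * @return string[]
 */
function checkConnectionString(string $connectionString, string $encryption): array
{
    $findings = [];
    foreach (preg_split('/\s+/', trim($connectionString)) as $uri) {
        if ($uri === '') {
            continue;
        }
        if (preg_match(LDAP_SCHEME_PATTERN, $uri) !== 1) {
            // Exactly the failure in the question: a bare host or IP address.
            $findings[] = sprintf(
                'The value "%1$s" does not match the expected pattern; use ldap://%1$s or ldaps://%1$s',
                $uri
            );
            continue;
        }
        // Assumed extra check: plain ldap:// combined with encryption 'none'
        // would send the search.username/search.password bind in clear text.
        if (preg_match('#^ldap://#', $uri) === 1 && $encryption === 'none') {
            $findings[] = sprintf('"%s" with encryption=none: bind credentials travel unencrypted', $uri);
        }
    }
    return $findings;
}

// Constructed inputs mirroring the question's authsource (the IP is the one from the post).
$broken = checkConnectionString('192.168.1.2', 'ssl');
$fixed  = checkConnectionString('ldaps://192.168.1.2', 'ssl');

foreach ($broken as $finding) {
    echo "FAIL: $finding\n";
}
echo $fixed === [] ? "OK: connection_string passes the scheme check\n" : "FAIL: unexpected finding\n";
```

Run it with `php check.php` before deploying a changed authsources.php; the first call reproduces the assertion message from the question, the second passes.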