I'm trying to connect a Zend application to an SME server running LDAP with an SQL backend.
On every request I'm getting err=49, indicating an authentication failure, but the username/password combo I'm trying is correct.
My Zend app's configs are set up as:
ldap.server1.host = primary.example.info
ldap.server1.accountDomainName = example.info
ldap.server1.accountDomainNameShort = example
ldap.server1.accountCanonicalForm = 2
ldap.server1.username = "CN=admin,DC=example,DC=info"
ldap.server1.password = "password"
ldap.server1.baseDn = "DC=example,DC=info"
ldap.server1.bindRequiresDn = true
I'm trying to log in using the format:
Username: Alice
Password: password
Inside my AuthController, the function I'm using to attempt auth against LDAP:
protected function _process($values) {
    $auth = Zend_Auth::getInstance();
    // Load the ldap.* options from application.ini (production section)
    $config = new Zend_Config_Ini(APPLICATION_PATH . '/configs/application.ini', 'production');
    $options = $config->ldap->toArray();
    $adapter = new Zend_Auth_Adapter_Ldap($options, $values['username'], $values['password']);
    $result = $auth->authenticate($adapter);
    if ($result->isValid()) {
        // getAccountObject() is an instance method, so it is called with -> rather than ::
        $user = $adapter->getAccountObject();
        $auth->getStorage()->write($user);
        return true;
    }
    return false;
}
The errors I'm getting in /var/log/messages:
Mar 27 02:35:44 primary slapd[4589]: conn=1 fd=7 ACCEPT from IP=142.25.97.141:51711 (IP=0.0.0.0:389)
Mar 27 02:35:44 primary slapd[4589]: conn=1 op=0 BIND dn="cn=admin,dc=kjenkins,dc=info" method=128
Mar 27 02:35:44 primary slapd[4589]: conn=1 op=0 RESULT tag=97 err=49 text=
Mar 27 02:35:44 primary slapd[4589]: conn=1 op=1 UNBIND
Mar 27 02:35:44 primary slapd[4589]: conn=1 fd=7 closed
I know the credentials I'm using are correct, and I've tried using all variants of accountCanonicalForm, but none seem to work.
Can anyone find what I'm doing wrong?
The result code decimal 49 indicates that the credentials supplied were incorrect (in some cases, for security reasons, this result code can be returned when an entry does not exist in order to mislead an attacker). The application coder should verify that the bind distinguished name has the correct credentials by authenticating using a known correct tool such as ldapsearch. For example, try:
ldapsearch -h hostname -p port -D cn=admin,dc=kjenkins,dc=info -w password -b '' -s base '(&)'
The above search establishes a connection, changes the authorization state of the connection to the auth ID cn=admin,dc=kjenkins,dc=info using the given credentials, and then retrieves attributes from the root DSE. If this search is successful, then the application coder can be assured that the credentials are correct.
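The same check done from PHP rather than the ldapsearch command line, as an added example that is not part of the answer above: it binds with the configured DN using the ldap extension directly (no Zend_Auth in between), reports the numeric result code so an err=49 in the slapd log can be matched to "Invalid credentials" on the client side, and on success reads the root DSE just as the ldapsearch does. The host and bind DN are taken from the question's config; the password is a placeholder and `checkLdapBind` is a name chosen here.

```php
<?php
// Added example, not from the original post or answer: verify the bind DN and
// password with PHP's ldap extension, independent of Zend_Auth_Adapter_Ldap.
// checkLdapBind is a hypothetical helper name; host and DN come from the
// question's application.ini, the password is a placeholder.

function checkLdapBind(string $host, string $bindDn, string $password, int $port = 389): array
{
    $conn = ldap_connect("ldap://{$host}:{$port}");
    if ($conn === false) {
        return ['ok' => false, 'errno' => -1, 'error' => 'invalid LDAP URI', 'namingContexts' => []];
    }
    // slapd refuses LDAPv2 binds by default; ldapsearch speaks v3 as well
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Equivalent of: ldapsearch -D <bindDn> -w <password>
    $bound = @ldap_bind($conn, $bindDn, $password);
    $errno = ldap_errno($conn);   // 49 is LDAP_INVALID_CREDENTIALS, the err=49 seen in the slapd log
    $error = ldap_error($conn);   // e.g. "Invalid credentials"

    $namingContexts = [];
    if ($bound) {
        // Equivalent of: -b '' -s base '(&)'  (base-scope read of the root DSE)
        $res = ldap_read($conn, '', '(objectClass=*)', ['namingContexts']);
        if ($res !== false) {
            $entries = ldap_get_entries($conn, $res);
            $namingContexts = $entries[0]['namingcontexts'] ?? [];
            unset($namingContexts['count']);   // drop the count key PHP adds to attribute arrays
        }
    }
    ldap_unbind($conn);

    return [
        'ok'             => $bound,
        'errno'          => $errno,
        'error'          => $error,
        'namingContexts' => array_values($namingContexts),
    ];
}

// Values from the question's config; replace the placeholder password before running.
$result = checkLdapBind('primary.example.info', 'cn=admin,dc=example,dc=info', 'REPLACE_WITH_REAL_PASSWORD');

if ($result['ok']) {
    echo 'Bind OK; naming contexts: ' . implode(', ', $result['namingContexts']) . PHP_EOL;
} else {
    // ldap_err2str() maps the numeric code to the same text slapd logs as err=NN
    printf("Bind failed: err=%d (%s)%s", $result['errno'], ldap_err2str($result['errno']), PHP_EOL);
}
```

If this script reports err=49 for the admin DN, the problem is the bind DN or password in application.ini itself, not the accountCanonicalForm or bindRequiresDn settings, because the admin bind happens before any user lookup. If it succeeds while the Zend adapter still fails, compare the DN string the adapter sends (visible in the slapd BIND line) with the one this script used.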