LDAP Authentication fails if using sAMAccountName #2936

Open
hitenmandalia opened this issue Jun 29, 2021 · 23 comments

@hitenmandalia

Steps to reproduce

  1. Configure username for connecting to AD with sAMAccountname
  2. User name attribute set to sAMAccountName
  3. User Object Filter set to (objectCategory=Person)(sAMAccountName=*))
  4. Test configuration with sAMAccountName of a user

Expected behaviour

Authentication succeeds

Actual behaviour

Caution
Error : 49 - Invalid credentials
80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 52e, v3839

Server configuration

Operating system:
Alpine Linux

Web server:
Apache

Database:
Amazon Aurora RDS (mysql 5.7)

PHP version:
7.4

Teampass version:
3.0.0.8

Teampass configuration file:

Updated from an older Teampass or fresh install:

Client configuration

Browser:

Operating system:

Logs

Web server error log

No Errors in Log

Log from the web-browser developer console (CTRL + SHIFT + i)

@nilsteampassnet
Owner

Hello,
I have a similar setup and it works smoothly.

[screenshot attached: Capture d’écran de 2021-07-03 09-12-03]

While googling your error, I found this page https://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors
Perhaps this could help you but I don't see how the Adldap could be wrong there.
I would be greatly interested in having any feedback.
Perhaps something needs to be robustified.

@hitenmandalia
Author


This is the error I keep getting. I even get the same error when testing and using my own credentials which I know work.

@hitenmandalia
Author

hitenmandalia commented Jul 13, 2021

Weird thing. If I use cn as the username with which to bind, change the username attribute to cn and then test the configuration with the following:

"firstname" "surname" (there's a space between the two), it successfully passes. As soon as I change back to samaccountname it fails. @nilsteampassnet the only difference I can see between both of our configs is that you are using OpenLDAP whereas I am using Active Directory.

I did read somewhere about issues when the cn and samaccountname are different, but I cannot seem to find that link again and don't even know if this is a valid reason?

@hitenmandalia
Author

Hi @nilsteampassnet. Do you have any further updates on this?

Has anyone got TeamPass 3.0.0.8 working using samAccountName with Active Directory?

@zorgman

zorgman commented Jul 27, 2021

Hello,

For the life of me I can't get LDAP to work. We have an old version of teampass (2.1.23) and rather than going through the upgrade path, I figured maybe installing the latest version would be better and then just manually transfer the passwords over.

Installation of 3.0.0.7 went fine but I can't get LDAP to function. I updated 3.0.0.7 to 3.0.0.8, and while I no longer get the "couldn't connect to LDAP" error, I'm either getting an authentication error or just "in progress" with errors in the apache log.

I've tried all sorts of combinations. I can't upload pictures from work, but if I use as the bind user the full distinguished name like for example:

Username : CN=sa_ldap,OU=ServiceAccounts,OU=foo,DC=bar,DC=com

User name attribute : cn

Then in the logs I get:

Uncaught LdapRecord\Query\ObjectNotFoundException: No LDAP query results for filter: [(cn=CN=sa_ldap,OU=ServiceAccounts,OU=foo,DC=bar,DC=com)] in: [] in /opt/websites/teampass-3.0.0.7/includes/libraries/LdapRecord/Query/ObjectNotFoundException.php

It adds this double CN=. Tried without, no luck. I must be doing something wrong. Is anyone getting LDAP to work with AD?

sAMAccountName does not work as others pointed out.

@zorgman

zorgman commented Jul 29, 2021

OK, I ended up getting the ldap test to pass by doing the same thing as @hitenmandalia, with cn as the user attribute and using the first name + last name combo in the test. However, when I go to users and do an ldap synchronization, no users get listed?

Switching back to sAMAccountName and it no longer works. Specifically I get:

Error : 49 - Invalid credentials
80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839

From a quick google search, "data 52e" points to the password being incorrect, even though it is correct since the same test using cn works. Here's the ldap wiki:

https://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors

@hitenmandalia
Author

Hi @zorgman
Thanks for confirming that you are having the exact same issue as me. I've been through every configuration I can think of to try and get this to work with AD. Hopefully this can be fixed soon.

@zorgman

zorgman commented Jul 29, 2021

Yeah I have been scratching my head for the past 2 days wondering if I was doing something wrong, clearly this is a bug in teampass. I know 3.0.0.x are still considered beta at this point anyway and probably other things need to be sorted out.

I guess we'll stick to good old 2.1.23 for now :)

@nilsteampassnet
Owner

@zorgman
I can see that the username used is: CN=sa_ldap,OU=ServiceAccounts,OU=foo,DC=bar,DC=com
Is sa_ldap a user account in your AD?

This error you get in the log clearly indicates that the query returns nothing.
I don't know how Active Directory works, but there must be something wrong in the settings.

Teampass uses a PHP library for LDAP. It creates a configuration that is sent to this library that performs on its own everything else. Then returns the results to Teampass that analyses them. That's all.

@nilsteampassnet
Owner

@zorgman
Reviewing your screen capture, I've seen something.
The user you have defined for testing purposes in the field "Username to use for testing purpose" should not be the username used by Teampass for the AD connection. It should be a normal user.
[screenshot]
In this example, nils is an AD user

@zorgman

zorgman commented Jul 30, 2021

Hi @nilsteampassnet,

Yes I realized I was using the wrong username to test the configuration. It had been a long day and I wasn't paying attention. sa_ldap is just a service account used to do the ldap queries.

However with any other regular user it never works when you use the sAMAccountName as the attribute. The only way the ldap test passes, is when I use the "cn" attribute, as @hitenmandalia pointed out and do the test query with the first and last name of any user, like "Jean Dupond" for example.

@hitenmandalia
Author

@nilsteampassnet
I have tried this using different binding users and testing users. I always get the same result. If I use sAMAccountName as the user attribute and try the test, it never works. Using cn as the attribute and testing with firstname and surname (with a space) always tests successfully, but same as @zorgman, when trying to do an LDAP sync, it never seems to populate.

@liedekef

liedekef commented Sep 9, 2021

I can testify that this pull request is needed. Reason: you can't expect to know how the DN of a user in ldap is built. In the original code it is assumed to be something like uid=login,dc=my,dc=site (just an example). But in many installations the DN is more like cn=myname,dc=my,dc=site. So there's always the need to first search the user, get the DN from the resulting entry and then use that to log in.
Also, it seems that sAMAccountName needs to be lowercased in order to work correctly. And this pull needs other fixes done later in time to actually make ldap logins work. Next to that, needing to manually do something in Teampass before someone from LDAP is able to log in is weird, but maybe that'll be fixed too.

@jmechalas

Next to that, needing to manually do something in Teampass before someone from LDAP is able to login is weird, but maybe that'll be fixed too.

Not weird at all. In large corporate environments, you can't assume that the people setting up TeamPass also have permission to create and manage groups in Active Directory. So it makes sense to require the account to exist in TeamPass as the master list of authorized users, with the authentication coming from AD.

@liedekef

Many systems use AD (or LDAP) for auth and if auth succeeds, then create the relevant user in the application (with configurable groups sometimes). Asking to manually create users in teampass is an administrative task that can (and should) be avoided. Only for this behavior alone, we decided against teampass (well, that and in fact the poorly written ldap auth code).

@jmechalas

Asking to manually create users in teampass is an administrative task that can (and should) be avoided

Then it needs to be an option. You can't assume that your users have permission to create and manage accounts in AD.

@hitenmandalia
Author

Many systems use AD (or LDAP) for auth and if auth succeeds, then create the relevant user in the application (with configurable groups sometimes). Asking to manually create users in teampass is an administrative task that can (and should) be avoided. Only for this behavior alone, we decided against teampass (well, that and in fact the poorly written ldap auth code).

@liedekef What did you end up choosing instead of teampass?

@dsnt02518

dsnt02518 commented May 19, 2022

Just to update this (the original issue) - it seems the LDAP library being used squashes the case of retrieved LDAP attribute names to lowercase, but the given field ('sAMAccountName' in this case) is looked up from the results case sensitively.

Workaround here is to use lower case attribute names ('samaccountname' and 'distinguishedname' for Active Directory), but the proper fix will be to lowercase these in the code before looking them up in the LDAP results.

I also agree that there should be an option to 'auto-create' LDAP users rather than requiring manual creation. Ideally this would be via a group (could just be part of the users' LDAP filter once #3040 is fixed, possibly by #3118).

However I understand from the encryption details that I've stumbled across that this may be problematic - do you have thoughts on this @nilsteampassnet ? The initial encryption key seems to be the stumbling block, but I'm a little hazy on the details.
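The two mechanisms discussed above, liedekef's search-then-bind (look the user up first, take the DN from the result, then bind as that DN) and dsnt02518's attribute-name case problem (the library returns lowercased attribute names, the lookup is case-sensitive), are illustrated in the following Python, written for this thread and not taken from TeamPass or LdapRecord. It runs offline against a constructed in-memory stand-in for a directory (`SAMPLE_DIRECTORY`, `SAMPLE_CREDENTIALS`, the users, DNs, domain and passwords are all made up), so the real network bind is replaced by a dictionary lookup, and the function names are this example's own.

```python
import hmac
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for an Active Directory search result. Attribute names are stored
# lowercased, which is how the thread reports the LDAP library returning them; the users,
# DNs and domain are made up for this example.
SAMPLE_DIRECTORY: List[Dict[str, List[str]]] = [
    {
        "objectclass": ["top", "person", "organizationalPerson", "user"],
        "cn": ["Jean Dupond"],
        "samaccountname": ["jdupond"],
        "distinguishedname": ["CN=Jean Dupond,CN=Users,DC=example,DC=test"],
    },
    {
        "objectclass": ["top", "person", "organizationalPerson", "user"],
        "cn": ["sa_ldap"],
        "samaccountname": ["sa_ldap"],
        "distinguishedname": ["CN=sa_ldap,OU=ServiceAccounts,DC=example,DC=test"],
    },
]

# Constructed credential store used by the simulated bind (placeholder secrets, not real ones).
SAMPLE_CREDENTIALS: Dict[str, str] = {
    "CN=Jean Dupond,CN=Users,DC=example,DC=test": "Example-User-Passw0rd",
    "CN=sa_ldap,OU=ServiceAccounts,DC=example,DC=test": "Example-Service-Passw0rd",
}

# A login that already looks like a DN ("CN=...,OU=...,DC=...") must not be wrapped in an
# attribute filter: that is what produces the "(cn=CN=sa_ldap,...)" filter seen in the thread.
DN_PATTERN = re.compile(r"^\s*[A-Za-z]+=[^,=]+(?:,[A-Za-z]+=[^,=]+)+\s*$")


def naive_get_attr(entry: Dict[str, List[str]], name: str) -> List[str]:
    """The failing lookup: exact-case dict access against lowercased result keys."""
    return list(entry.get(name, []))


def get_attr(entry: Dict[str, List[str]], name: str) -> List[str]:
    """Case-insensitive lookup: LDAP attribute descriptions are case-insensitive (RFC 4512)."""
    wanted = name.lower()
    for key, values in entry.items():
        if key.lower() == wanted:
            return list(values)
    return []


def find_user_dn(directory: List[Dict[str, List[str]]], user_attribute: str,
                 login: str, object_class: str = "user") -> Optional[str]:
    """Step 1 of search-then-bind: find the entry whose user attribute matches the login
    and return its DN, instead of guessing the DN from a fixed template."""
    if DN_PATTERN.match(login):
        raise ValueError("login must be an account name, not a distinguished name")
    login_l = login.lower()
    for entry in directory:
        classes = [v.lower() for v in get_attr(entry, "objectClass")]
        if object_class.lower() not in classes:
            continue
        # AD compares sAMAccountName and cn case-insensitively, so do the same here.
        if login_l in (v.lower() for v in get_attr(entry, user_attribute)):
            dns = get_attr(entry, "distinguishedName")
            return dns[0] if dns else None
    return None


def simple_bind(dn: str, password: str, credentials: Dict[str, str]) -> bool:
    """Simulated simple bind: True on success, False for LDAP result 49 (invalid credentials)."""
    expected = credentials.get(dn)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def authenticate(directory: List[Dict[str, List[str]]], credentials: Dict[str, str],
                 user_attribute: str, login: str, password: str) -> Tuple[bool, str]:
    """Search-then-bind: resolve the login to a DN, then bind as that DN with the user's password."""
    dn = find_user_dn(directory, user_attribute, login)
    if dn is None:
        return False, f"no entry matched (&(objectClass=user)({user_attribute}={login}))"
    if not simple_bind(dn, password, credentials):
        return False, f"bind as {dn} failed: 49 invalid credentials"
    return True, dn


if __name__ == "__main__":
    entry = SAMPLE_DIRECTORY[0]
    print("naive lookup of sAMAccountName:", naive_get_attr(entry, "sAMAccountName"))  # []
    print("case-insensitive lookup:", get_attr(entry, "sAMAccountName"))  # ['jdupond']
    print(authenticate(SAMPLE_DIRECTORY, SAMPLE_CREDENTIALS, "sAMAccountName", "jdupond", "Example-User-Passw0rd"))
    print(authenticate(SAMPLE_DIRECTORY, SAMPLE_CREDENTIALS, "cn", "Jean Dupond", "wrong-password"))
```

The `naive_get_attr` call shows why the configured spelling `sAMAccountName` returns nothing while `samaccountname` works: the result keys are already lowercase. Lowercasing on both sides of the comparison, as `get_attr` does, is the fix dsnt02518 describes; the `DN_PATTERN` check is the example's own guard against the double `cn=CN=` filter zorgman hit when a full DN was entered as the test username.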

@phmorais55

phmorais55 commented Jun 24, 2022

After doing the configuration of the LDAP service several times, I identified that the bug is in the User name attribute, which the documentation says to put as sAMAccountName exactly as written, but when I copy it the way it is written it does not synchronize with AD. By the irony of fate I wrote everything in lower case, saved it, and it synced. So I understood that the bug is there. It worked in my environment; I don't know if it will work in others.


@Arash9703

I got the same error with my active directory sync and solved it. I didn't want to roll back the version of TeamPass only for an error.
Hats off to @phmorais55

@Arash9703

Arash9703 commented Oct 7, 2023

But I have a problem with the sync part. I have been waiting for half an hour and no users are listed in TeamPass.


See the config below.

[screenshots of the configuration]

Thanks for your help.

@nikalasmd

nikalasmd commented Sep 25, 2024

@nilsteampassnet
Installed version 3.1.2.112.
The users are not synchronized.

https://teampass.readthedocs.io/en/latest/install/ldap/#more-debug

Missing "$debugLdap = 0;"

Page on which it happened

index.php?page=roles

Server configuration

Operating system: Linux teampass 5.4.203-1-pve #1 SMP PVE 5.4.203-1 (Fri, 26 Aug 2022 14:43:35 +0200) x86_64

Web server: Apache/2.4.62 (Debian)

Database: 10.5.26-MariaDB-0+deb11u2

PHP version: 8.1.29

Teampass version: 3.1.2

Teampass configuration file:

'activate_expiration' => '0'
'admin_2fa_required' => '1'
'agses_authentication_enabled' => '0'
'allow_import' => '0'
'allow_print' => '0'
'anyone_can_modify' => '0'
'anyone_can_modify_bydefault' => '0'
'api' => '0'
'api_token_duration' => '60'
'bck_script_filename' => 'bck_teampass'
'bck_script_passkey' => '<removed>'
'bck_script_path' => '/var/www/html/TeamPass/backups'
'clean_orphan_objects_task' => ''
'clipboard_life_duration' => '30'
'copy_to_clipboard_small_icons' => '1'
'cpassman_dir' => '/var/www/html/TeamPass'
'cpassman_url' => 'http://<anonym_url>'
'create_item_without_password' => '0'
'custom_login_text' => ''
'custom_logo' => ''
'date_format' => 'd/m/Y'
'default_language' => 'romanian'
'default_session_expiration_time' => '60'
'delay_item_edition' => '0'
'disable_show_forgot_pwd_link' => '0'
'duo' => '0'
'duo_failmode' => 'secure'
'duo_host' => '<removed>'
'duo_ikey' => '<removed>'
'duo_skey' => '<removed>'
'duplicate_folder' => '0'
'duplicate_item' => '0'
'email_auth_pwd' => '<removed>'
'email_auth_username' => '<removed>'
'email_debug_level' => '0'
'email_from' => '<removed>'
'email_from_name' => 'Admin TeamPass'
'email_port' => '587'
'email_security' => 'tls'
'email_server_url' => ''
'email_smtp_auth' => '1'
'email_smtp_server' => '<removed>'
'enable_ad_user_auto_creation' => '0'
'enable_ad_users_with_ad_groups' => '0'
'enable_attachment_encryption' => '1'
'enable_delete_after_consultation' => '0'
'enable_email_notification_on_item_shown' => '0'
'enable_email_notification_on_user_pw_change' => '0'
'enable_favourites' => '1'
'enable_http_request_login' => '0'
'enable_kb' => '0'
'enable_massive_move_delete' => '0'
'enable_personal_saltkey_cookie' => '0'
'enable_pf_feature' => '0'
'enable_refresh_task_last_execution' => '1'
'enable_send_email_on_user_login' => '0'
'enable_server_password_change' => '0'
'enable_sts' => '0'
'enable_suggestion' => '0'
'enable_tasks_log' => '0'
'enable_tasks_manager' => '1'
'enable_user_can_create_folders' => '0'
'encryptClientServer' => '1'
'favicon' => 'http://<anonym_url>/favicon.ico'
'files_with_defuse' => 'done'
'ga_reset_by_user' => ''
'ga_website_name' => 'TeamPass for ChangeMe'
'get_tp_info' => '1'
'google_authentication' => '0'
'highlight_favorites' => '0'
'highlight_selected' => '0'
'insert_manual_entry_item_history' => '0'
'item_duplicate_in_same_folder' => '0'
'item_extra_fields' => '0'
'items_ops_job_frequency' => '1'
'items_statistics_job_frequency' => '5'
'ldap_and_local_authentication' => '1'
'ldap_bdn' => 'CN=Users,DC=dynamic,DC=local'
'ldap_dn_additional_user_dn' => ''
'ldap_group_objectclasses_attibute' => 'group'
'ldap_guid_attibute' => 'objectguid'
'ldap_hosts' => '<removed>'
'ldap_mode' => '1'
'ldap_new_user_is_administrated_by' => '0'
'ldap_password' => '<removed>'
'ldap_port' => '389'
'ldap_ssl' => '0'
'ldap_tls' => '0'
'ldap_tls_certifacte_check' => 'LDAP_OPT_X_TLS_NEVER'
'ldap_type' => 'ActiveDirectory'
'ldap_user_attribute' => 'sAMAccountName'
'ldap_user_dn_attribute' => ''
'ldap_user_object_filter' => '(objectClass=user)'
'ldap_username' => 'ldap'
'limited_search_default' => '0'
'log_accessed' => '1'
'log_connections' => '1'
'maintenance_mode' => '0'
'manager_edit' => '1'
'manager_move_item' => '0'
'max_latest_items' => '10'
'maximum_number_of_items_to_treat' => '100'
'maximum_session_expiration_time' => '60'
'mfa_for_roles' => ''
'migration_to_2127' => 'done'
'nb_bad_authentication' => '0'
'nb_items_by_query' => 'auto'
'number_of_used_pw' => '3'
'number_users_build_cache_tree' => '10'
'oauth2_client_appname' => 'Login with Azure'
'oauth2_client_endpoint' => ''
'oauth2_client_id' => '<removed>'
'oauth2_client_scopes' => 'openid,profile,email,User.Read,Group.Read.All'
'oauth2_client_secret' => '<removed>'
'oauth2_client_token' => ''
'oauth2_client_urlResourceOwnerDetails' => ''
'oauth2_enabled' => '0'
'oauth2_tenant_id' => '<removed>'
'offline_key_level' => '0'
'onthefly-backup-key' => '<removed>'
'onthefly-restore-key' => '<removed>'
'otv_expiration_period' => '7'
'otv_is_enabled' => '0'
'password_overview_delay' => '4'
'path_to_files_folder' => '/var/www/html/TeamPass/files'
'path_to_upload_folder' => '/var/www/html/TeamPass/upload'
'personal_saltkey_cookie_duration' => '31'
'personal_saltkey_security_level' => '50'
'proxy_ip' => '<removed>'
'proxy_port' => ''
'purge_temporary_files_task' => ''
'pw_life_duration' => '0'
'pwd_default_length' => '14'
'pwd_maximum_length' => '40'
'rebuild_config_file' => ''
'reload_cache_table_task' => ''
'restricted_to' => '0'
'restricted_to_roles' => '0'
'richtext' => '0'
'roles_allowed_to_print' => '0'
'roles_allowed_to_print_select' => ''
'saltkey_ante_2127' => 'none'
'secure_display_image' => '1'
'send_mail_on_user_login' => '0'
'send_statistics_items' => 'stat_country;stat_users;stat_items;stat_items_shared;stat_folders;stat_folders_shared;stat_admins;stat_managers;stat_ro;stat_mysqlversion;stat_phpversion;stat_teampassversion;stat_languages;stat_kb;stat_suggestion;stat_customfields;stat_api;stat_2fa;stat_agses;stat_duo;stat_ldap;stat_syslog;stat_stricthttps;stat_fav;stat_pf;'
'send_stats' => '0'
'send_stats_time' => '1724660431'
'sending_emails_job_frequency' => '2'
'settings_offline_mode' => '0'
'settings_tree_counters' => '0'
'show_description' => '1'
'show_item_data' => '0'
'show_last_items' => '1'
'show_only_accessible_folders' => '0'
'subfolder_rights_as_parent' => '0'
'syslog_enable' => '0'
'syslog_host' => '<removed>'
'syslog_port' => '514'
'task_maximum_run_time' => '300'
'tasks_log_retention_delay' => '30'
'tasks_manager_refreshing_period' => '20'
'teampass_version' => '3.1.2'
'time_format' => 'H:i:s'
'timestamp' => '1727276314'
'timezone' => 'UTC'
'tree_counters' => '0'
'upgrade_timestamp' => '1727252431'
'upload_all_extensions_file' => '0'
'upload_docext' => 'doc,docx,dotx,xls,xlsx,xltx,rtf,csv,txt,pdf,ppt,pptx,pot,dotx,xltx'
'upload_imageresize_height' => '600'
'upload_imageresize_options' => '1'
'upload_imageresize_quality' => '90'
'upload_imageresize_width' => '800'
'upload_imagesext' => 'jpg,jpeg,gif,png'
'upload_maxfilesize' => '10mb'
'upload_otherext' => 'sql,xml'
'upload_pkgext' => '7z,rar,tar,zip'
'upload_zero_byte_file' => '0'
'url_to_files_folder' => 'http://<anonym_url>/files'
'use_md5_password_as_salt' => '0'
'user_keys_job_frequency' => '1'
'users_personal_folder_task' => ''
'utf8_enabled' => '1'

Client configuration

Browser: Chrome - 128.0.0.0

Operating system: Windows - 64bits


@nilsteampassnet
Owner

Take a look at #4243 (comment)
