AD/LDAP Integration

[LFrank2021]

Hi there,

I want to start integrating our openDCIM with AD/LDAP.
I tried looking at the WIKI and receive an error Exception encountered, of type "Error"
WIKI LDAP and
WIKI Modern_Auth

Can the site be fixed or is there another point for information?

Kind regards

[wilpig]

https://github.com/opendcim/openDCIM/wiki/LDAP
https://github.com/opendcim/openDCIM/wiki/ModernAuth

[LFrank2021]

Thank you for the links.
On the LDAP page, could the mentioned YouTube video (Step 1) be linked?
That would be helpful as well.

[LFrank2021]

I am yet unable to get a working AD/LDAP integration.
Can you maybe point me to where the Debugging information should be?
I would have expected httpd error.log or access.log, but I cannot find any useful information there.

edit: I think I found something within /var/opt/rh/rh-php73/log/php-fpm/www-error.log
[13-Jun-2023 13:20:32 UTC] Maintenance mode is set and invalid credentials were passed.

What is the maintenance mode and how do I get out of it?

[LFrank2021]

sadly I cannot upgrade that instance. Because I cannot simply upgrade to PHP8, which openDCIM 23.01 seems to require.
And I only want to test the integration without risking our production environment.
I understood the emergency password as a failback during AD/LDAP setup.
I was planning on deactivating it again, once I can successfully log in with my own credentials.
I have to disable the emergency password to be able to log in with correct credentials?
Then only way to get back to the site admin dialog is through falling back to Apache Basic Auth, correct?

[LFrank2021]

Is there a known bug with v20.01 that prevents successful attribute mapping?
I manage to get my sn, and mail but not givenName, telephoneNumber and mobileNumber1.
Though I clearly find them using the ldapsearch cmd line.

[samilliken]

At least use 21.01, as that version is the last one before the jump to PHP 8.

Also, use Modern Auth.

[LFrank2021]

You are right, I will look in the update to 21.01.
And I will try to gain a grain of understanding on how the Modern Auth (SAML) integration is supposed to work :)

[LFrank2021]

Update worked without any problems.
Still trying to work out Modern Auth.
Noticed something: Currently I get asked by Apache for a basic auth and then get redirected to login_ldap.php.
Is there a way to avoid being asked for the basic auth?

[samilliken]

You likely still have a .htaccess file at the root of your installation or you have the basic auth directive in your virtualhost config of apache. Scott From: LFrank2021 Sent: Thursday, June 15, 2023 11:50 AM To: opendcim/openDCIM ***@***.***> Cc: Scott Milliken ***@***.***>; State change ***@***.***> Subject: Re: [opendcim/openDCIM] AD/LDAP Integration (Discussion #1366) Update worked without any problems. Still trying to work out Modern Auth. Noticed something: Currently I get asked by Apache for a basic auth and then get redirected to login_ldap.php. Is there a way to avoid being asked for the basic auth? - Reply to this email directly, view it on GitHub <#1366 (comment) 7964> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAMTY62RLFYSGSGY3IBJTOLXL MVKVANCNFSM6AAAAAAYW2LQXM> . You are receiving this because you modified the open/close state. <https://github.com/notifications/beacon/AAMTY67SWVZBTEMHDUEQSQTXLMVKVA5CNFS M6AAAAAAYW2LQXOWGG33NNVSW45C7OR4XAZNRIRUXGY3VONZWS33OINXW23LFNZ2KUY3PNVWWK3T UL5UWJTQALZV3Y.gif> Message ID: ***@***.***>

[LFrank2021]

Currently I still have the infromation from initial install in there:

AuthType Basic
AuthName "openDCIM"
AuthUserFile /my/path/.htpasswd
Require valid-user

Would I change it to this?

AuthType None
Require all granted

[samilliken]

You’d just get rid of it. From: LFrank2021 Sent: Friday, June 16, 2023 9:57 AM To: opendcim/openDCIM ***@***.***> Cc: Scott Milliken ***@***.***>; State change ***@***.***> Subject: Re: [opendcim/openDCIM] AD/LDAP Integration (Discussion #1366) Currently I still have the infromation from initial install in there: AuthType Basic AuthName "openDCIM" AuthUserFile /my/path/.htpasswd Require valid-user Would I change it to this? AuthType None Require all granted — Reply to this email directly, view it on GitHub <#1366 (reply in thread)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAMTY62DWBNNO542JZ4XUFDXLRQ4JANCNFSM6AAAAAAYW2LQXM> . You are receiving this because you modified the open/close state. <https://github.com/notifications/beacon/AAMTY623IOYH6RL27KNOMBLXLRQ4JA5CNFSM6AAAAAAYW2LQXOWGG33NNVSW45C7OR4XAZNRIRUXGY3VONZWS33OINXW23LFNZ2KUY3PNVWWK3TUL5UWJTQAL2IUI.gif> Message ID: ***@***.*** ***@***.***> >

[LFrank2021]

You have this wonderful button to import the metadata.xml from the SAML IdP site.
Is there a similar feature from openDCIM site?
I have the option to upload a metadata.xml file to my SAML IdP for the configuration of the SP (openDCIM).
Else I am needed to provide

1. Entity ID
2. Logout URL (POST Binding and/or REDIRECT Binding)
3. Assertion Consumer Service URL (POST Binding and/or REDIRECT binding)

I assume the follwing:

1. the Entity ID I set on the SAML page (or the base URL?)
2. /saml/acs.php (found this in the ModernAuth documentation)
3. /saml/acs.php

[LFrank2021]

And do you have some information on how to get the memberOf Attribute up and running?
I am sorry, if this goes deep into SAML IdP setup.

[samilliken]

https://{$install_URL}/saml/metadata.php <https://%7b$install_URL%7d/saml/metadata.php> Though there is no error checking to make sure that you actually have sane/complete data, but it’s there. If you get XML at that URL, you’re good. If you get an error, read what it says and make sure you’ve filled that in. Scott From: LFrank2021 Sent: Tuesday, June 20, 2023 8:33 AM To: opendcim/openDCIM ***@***.***> Cc: Scott Milliken ***@***.***>; State change ***@***.***> Subject: Re: [opendcim/openDCIM] AD/LDAP Integration (Discussion #1366) You have this wonderful button to import the metadata.xml from the SAML IdP site. Is there a similar feature from openDCIM site? I have the option to upload a metadata.xml file to my SAML IdP for the configuration of the SP (openDCIM). Else I am needed to provide 1. Entity ID 2. Logout URL (POST Binding and/or REDIRECT Binding) 3. Assertion Consumer Service URL (POST Binding and/or REDIRECT binding) I assume the follwing: 1. the Entity ID I set on the SAML page 2. login_ldap.php? 3. login_ldap.php? — Reply to this email directly, view it on GitHub <#1366 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAMTY65VDULXDTWF6QGRLEDXMGKBHANCNFSM6AAAAAAYW2LQXM> . You are receiving this because you modified the open/close state. <https://github.com/notifications/beacon/AAMTY642JVIAJPMOEKRQISLXMGKBHA5CNFSM6AAAAAAYW2LQXOWGG33NNVSW45C7OR4XAZNRIRUXGY3VONZWS33OINXW23LFNZ2KUY3PNVWWK3TUL5UWJTQAL4IA2.gif> Message ID: ***@***.*** ***@***.***> >

[samilliken]

Watch the YouTube video for SAML. From: LFrank2021 Sent: Tuesday, June 20, 2023 8:58 AM To: opendcim/openDCIM ***@***.***> Cc: Scott Milliken ***@***.***>; State change ***@***.***> Subject: Re: [opendcim/openDCIM] AD/LDAP Integration (Discussion #1366) And do you have some information on how to get the memberOf Attribute up and running? I am sorry, if this goes deep into SAML IdP setup. — Reply to this email directly, view it on GitHub <#1366 (reply in thread)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAMTY67ISWQOQF4ZBOFMRBDXMGM5VANCNFSM6AAAAAAYW2LQXM> . You are receiving this because you modified the open/close state. <https://github.com/notifications/beacon/AAMTY66HVRUZFLEKLXEV34TXMGM5VA5CNFSM6AAAAAAYW2LQXOWGG33NNVSW45C7OR4XAZNRIRUXGY3VONZWS33OINXW23LFNZ2KUY3PNVWWK3TUL5UWJTQAL4ISM.gif> Message ID: ***@***.*** ***@***.***> >

[LFrank2021]

We worked it out (mostly).
Who is responsible for the redirection after login?
My openDCIM is running on https://myserver/dcim and after the login with SAML I get redirected to https://myserver.
And after Logout I get a failure page from IdP.
As mentioned before this might be a result of my lack of httpd-configuration knowledge.

[samilliken]

If you aren’t running at the root of your site – such as dcim.myserver.com – then you are asking for headaches. Period. Scott From: LFrank2021 ***@***.***> Sent: Friday, June 23, 2023 7:33 AM To: opendcim/openDCIM ***@***.***> Cc: Scott Milliken ***@***.***>; State change ***@***.***> Subject: Re: [opendcim/openDCIM] AD/LDAP Integration (Discussion #1366) We worked it out (mostly). Who is responsible for the redirection after login? My openDCIM is running on https://myserver/dcim and after the login with SAML I get redirected to https://myserver. And after Logout I get a failure page from IdP. As mentioned before this might be a result of my lack of httpd-configuration knowledge. — Reply to this email directly, view it on GitHub <#1366 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAMTY6YSBQRKM36QYBYY5E3XMV5GZANCNFSM6AAAAAAYW2LQXM> . You are receiving this because you modified the open/close state. <https://github.com/notifications/beacon/AAMTY66FX4JR7QRQY6NKB2LXMV5GZA5CNFSM6AAAAAAYW2LQXOWGG33NNVSW45C7OR4XAZNRIRUXGY3VONZWS33OINXW23LFNZ2KUY3PNVWWK3TUL5UWJTQAL6FIG.gif> Message ID: ***@***.*** ***@***.***> >

[LFrank2021]

Thank you!
I am planning to build a new test instance which will look like production and thus have a dcimtest.myserver.com URL.
Production has dcim.myserver.com so I hope I will have less trouble.

[LFrank2021]

Any idea why this is happening on my productive Instance?

[Mon Jun 26 15:54:35.542158 2023] [php:error] [pid 11542] [client XXXX:55816] PHP Fatal error:  Uncaught Error: Call to undefined function OneLogin\\Saml2\\curl_init() in /srv/openDCIM/openDCIM-23.01/vendor/onelogin/php-saml/src/Saml2/IdPMetadataParser.php:45\nStack trace:\n#0 /srv/openDCIM/openDCIM-23.01/configuration.php(68): OneLogin\\Saml2\\IdPMetadataParser::parseRemoteXML()\n#1 {main}\n  thrown in /srv/openDCIM/openDCIM-23.01/vendor/onelogin/php-saml/src/Saml2/IdPMetadataParser.php on line 45, referer: https://myserver.com/configuration.php

[wilpig]

You're missing the php curl extension.

https://www.php.net/manual/en/function.curl-init.php

[LFrank2021]

Thank you.
php.ini was edited quickly but I also needed php8-curl package.

[LFrank2021]

I have another question.
What would be the expected redirection when accessing openDCIM on the base URL https://opendcim.myserver.com/?
Currently it seems I get redirected to https://opendcim.myserver.com/index.php?.
Which is not working with my IdP configuration.
https://opendcim.myserver.com/saml/login.php is currently working.
Do I need to grant index.php? at IdP level or change something at the vhost configuration?

[samilliken]

Sounds like an IdP configuration issue. They may have been too restrictive in setting the redirect URL allow list.

[LFrank2021]

I was graciously granted a few screenshots of the IdP configuration but there are no attributes like 'allow list'.
Is this the same as 'assertion consumer service url (redirect)' or are these different things?
acs url currently is only set to .../saml/acs.php

[samilliken]

Do you know what software is being used for your IdP? AzureAD/PingFed/Okta/etc

[LFrank2021]

Yes, I know, but I would like to not discuss it publicly.
Any way to shift this to a more private communication?

[LFrank2021]

Our IdP does not allow the ? at the redirect URL.
At least not as the final character.
And I am not understanding, why it is added there.
Isn't it only necessary if any Query string is submitted?

This is working for me:

if( AUTHENTICATION=="Saml" && !isset($_SESSION['userid']) && php_sapi_name()!="cli" && !isset($loginPage))
{
        error_log("Query String: " . sanitize($_SERVER['QUERY_STRING']));
        if(sanitize($_SERVER['QUERY_STRING']) != "")
                $savedurl = $_SERVER['SCRIPT_NAME'] . "?" . sanitize($_SERVER['QUERY_STRING']);
        else
                $savedurl = $_SERVER['SCRIPT_NAME'];

        setcookie( 'targeturl', $savedurl, time()+60 );
        header("Location: ".redirect('saml/login.php'));
        exit;
}

The error_log is included just for debug needs.

Which result in a working instance and this error_log output:

[Wed Aug 09 15:10:33.467258 2023] [php:notice] [pid 127488] [client ] Logged out, redirecting back to home page., referer: https://mydcim.mydomain.me/
[Wed Aug 09 15:10:33.475241 2023] [php:notice] [pid 127488] [client ] Query String: , referer: https://mydcim.mydomain.me/
[Wed Aug 09 15:10:38.336651 2023] [php:notice] [pid 127488] [client ] Query String: cabinetid=16

Could this be a general fix?

[LFrank2021]

So, now I have a working setup (see #1366 (reply in thread)) but strangely I have a colleague that can login though they do not have any of the needed memberOf attributes.
With the missing site access privilege I would have expected an error of some kind.

I assume it is still a faulty httpd config:

        <Directory />
                Options Indexes FollowSymLinks ExecCGI Includes
                AllowOverride All
                AllowOverrideList All
        </Directory>

        <Directory /srv/openDCIM/opendcim>
                Options Indexes FollowSymLinks ExecCGI Includes
                AllowOverride All
                AllowOverrideList All
                Require all granted

                DirectoryIndex index.php
        </Directory>

[samilliken]

Are you saying that your IdP doesn’t like a ? with nothing trailing? That appears to be the only real difference between yours and the codebase, other than we recently added the SameSite=>Strict cookie for security purposes. Scott From: LFrank2021 Sent: Wednesday, August 09, 2023 9:22 AM To: opendcim/openDCIM ***@***.***> Cc: Scott Milliken ***@***.***>; Mention ***@***.***> Subject: Re: [opendcim/openDCIM] AD/LDAP Integration (Discussion #1366) Our IdP does not allow the ? at the redirect URL. At least not as the final character. And I am not understanding, why it is added there. Isn't it only necessary if any Query string is submitted? This is working for me: if( AUTHENTICATION=="Saml" && !isset($_SESSION['userid']) && php_sapi_name()!="cli" && !isset($loginPage)) { error_log("Query String: " . sanitize($_SERVER['QUERY_STRING'])); if(sanitize($_SERVER['QUERY_STRING']) != "") $savedurl = $_SERVER['SCRIPT_NAME'] . "?" . sanitize($_SERVER['QUERY_STRING']); else $savedurl = $_SERVER['SCRIPT_NAME']; setcookie( 'targeturl', $savedurl, time()+60 ); header("Location: ".redirect('saml/login.php')); exit; } The error_log is included just for debug needs. Which result in a working instance and this error_log output: [Wed Aug 09 15:10:33.467258 2023] [php:notice] [pid 127488] [client ] Logged out, redirecting back to home page., referer: https://mydcim.mydomain.me/ [Wed Aug 09 15:10:33.475241 2023] [php:notice] [pid 127488] [client ] Query String: , referer: https://mydcim.mydomain.me/ [Wed Aug 09 15:10:38.336651 2023] [php:notice] [pid 127488] [client ] Query String: cabinetid=16 Could this be a general fix? — Reply to this email directly, view it on GitHub <#1366 (reply in thread)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAMTY6ZDLHCD35VYMZJKVQDXUOFJJANCNFSM6AAAAAAYW2LQXM> . You are receiving this because you were mentioned. <https://github.com/notifications/beacon/AAMTY6ZL6VGVWJVHHU57MTLXUOFJJA5CNFSM6AAAAAAYW2LQXOWGG33NNVSW45C7OR4XAZNRIRUXGY3VONZWS33OINXW23LFNZ2KUY3PNVWWK3TUL5UWJTQAMXXSM.gif> Message ID: ***@***.*** ***@***.***> >

[LFrank2021]

Yes, that is exactly the problem.
The IdP configuration UI does not accept the ? in general. (Information from the IdP administrator.)
Without it or with more data (dc_stats.php?dc=2) it seems to work.
That's why I added the 'crude' workaround.

[samilliken]

Yeah, we can integrate a check to never add a dangling question mark. From: LFrank2021 Sent: Wednesday, August 09, 2023 12:37 PM To: opendcim/openDCIM ***@***.***> Cc: Scott Milliken ***@***.***>; Mention ***@***.***> Subject: Re: [opendcim/openDCIM] AD/LDAP Integration (Discussion #1366) Yes, that is exactly the problem. The IdP configuration UI does not accept the ? in general. (Information from the IdP administrator.) Without it or with more data (dc_stats.php?dc=2) it seems to work. That's why I added the 'crude' workaround. — Reply to this email directly, view it on GitHub <#1366 (reply in thread)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAMTY6YOJ2V2GY67CKG67PDXUO4CNANCNFSM6AAAAAAYW2LQXM> . You are receiving this because you were mentioned. <https://github.com/notifications/beacon/AAMTY67Q7ROUWQXHWQWBTA3XUO4CNA5CNFSM6AAAAAAYW2LQXOWGG33NNVSW45C7OR4XAZNRIRUXGY3VONZWS33OINXW23LFNZ2KUY3PNVWWK3TUL5UWJTQAMX33C.gif> Message ID: ***@***.*** ***@***.***> >