Unable to login after 8.4.2 upgrade

Hi Jack,

Thank you for your reply and follow up and sorry for my delay.
Been out these last weeks so haven’t been able to follow up on all the situations, but I’ll address this as soon as possible.

I always update using the method you referenced, but I have a question regarding the LDAP config:
you’re showing a rather simple and minimalist version of the LDAP config.

My configuration though has three parts:

  1. LDAP CONFIG at the .env file;
  2. LDAP AUTO CREATE CONFIG at the .env file;
  3. an ldap.yaml file at extensions/my-package/config/services/ldap/ldap.yaml as per the documentation.

This is a current working configuration. I wonder if all sections are still supported and/or if this is going to be simplified in the future.

I’ll let you know how it went as soon as I run the upgrade.

After the new upgrade to 8.5.0, the problem persists.

This is the error:

[2024-01-23 15:38:11] request.CRITICAL: Uncaught PHP Exception Symfony\Component\Ldap\Exception\LdapException: "Could not complete search with dn "", query "" and filters "*". LDAP error was [2] Protocol error." at /var/www/html/suitecrm/vendor/symfony/ldap/Adapter/ExtLdap/Query.php line 133 {"exception":"[object] (Symfony\\Component\\Ldap\\Exception\\LdapException(code: 0): Could not complete search with dn \"\", query \"\" and filters \"*\". LDAP error was [2] Protocol error. at /var/www/html/suitecrm/vendor/symfony/ldap/Adapter/ExtLdap/Query.php:133)"} []

The config at .env.local:

###> LDAP CONFIG ###
LDAP_HOST='idserver.domain.tld'
LDAP_PORT=389
LDAP_ENCRYPTION=tls
LDAP_PROTOCOL_VERSION=3
LDAP_REFERRALS=false
LDAP_DN_STRING='dc=domain,dc=tld'
LDAP_QUERY_STRING='uid={username}'
LDAP_SEARCH_DN='uid=bind-user,cn=sysaccounts,cn=etc,dc=domain,dc=tld'
LDAP_SEARCH_PASSWORD='bind-password'
###< LDAP CONFIG ###
###> LDAP AUTO CREATE CONFIG ###
LDAP_AUTO_CREATE=enabled
LDAP_PROVIDER_BASE_DN='cn=accounts,dc=domain,dc=tld'
LDAP_PROVIDER_SEARCH_DN='uid=bind-user,cn=sysaccounts,cn=etc,dc=domain,dc=tld'
LDAP_PROVIDER_SEARCH_PASSWORD='bind-password'
LDAP_PROVIDER_DEFAULT_ROLES=ROLE_USER
LDAP_PROVIDER_UID_KEY='(uid={username})'
LDAP_PROVIDER_FILTER='(memberOf=cn=sales,cn=groups,cn=accounts,dc=domain,dc=tld)'
###< LDAP AUTO CREATE CONFIG ###

I’ve redacted the empty LDAP CONFIG at .env which I assume was conflicting with the one in .env.local

Now when I attempt to login I get wrong login details, and zero errors on the logs.

@Jack_Anderson

Error message:

Login credentials incorrect, please try again.

P.S. - they are not.

Here’s that line 133 of the symfony LDAP version 5.2:

The log message says it’s Error 2, because it’s getting an empty dn, empty Query String, and no search Filters.

What is “LDAP error [2] Protocol Error”?

https://www.openldap.org/doc/admin24/appendix-ldap-result-codes.html

H.5. protocolError (2)

Indicates the server received data that is not well-formed.

For Bind operation only, this code is also used to indicate that the server does not support the requested protocol version.

For Extended operations only, this code is also used to indicate that the server does not support (by design or configuration) the Extended operation associated with the requestName.

For request operations specifying multiple controls, this may be used to indicate that the server cannot ignore the order of the controls as specified, or that the combination of the specified controls is invalid or unspecified.

Which version of OpenLDAP server are you running, 2.6.3? 2.6.6?

Dear Chris,

Thank you for your time and your reply.
As I mentioned, reading the error it came to me that the issue was being provoked by an overlap between .env and .env.local.

While my LDAP CONFIG is at .env.local, I realised there was an empty and uncommented section of LDAP CONFIG at the .env file.
Naturally, it had no configuration. Hence the error. (although this didn’t happen in version 8.4.1)

Now, why the .env section is uncommented, and whether it should be considered when there’s an override at .env.local, that’s a different story.

Also, I mentioned how I have commented those lines in the .env file. Since then, that error has stopped, and it’s now ingesting the .env.local configuration.

Still I am unable to login, as I get

Login credentials incorrect, please try again.

and absolutely no output in the logs.

I am not using OpenLDAP, I’m using Red Hat IDM, version 4.9.12. (LDAP based on 389 Directory Server)
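
The .env / .env.local overlap discussed in this thread can be checked offline. The following is an added example, not code from the thread or from SuiteCRM: it merges the two files the way Symfony's Dotenv loader does (.env.local overrides .env) and reports which file supplies each LDAP_* key and whether the result is empty. The sample files are constructed, the function names are hypothetical, and it assumes only these two files are in play.

```python
import re

# Constructed sample files (not the poster's real ones): .env ships an empty,
# uncommented LDAP section; .env.local overrides only part of it.
SAMPLE_ENV = """\
###> LDAP CONFIG ###
LDAP_HOST=''
LDAP_DN_STRING=''
LDAP_QUERY_STRING=''
###< LDAP CONFIG ###
"""
SAMPLE_LOCAL = """\
LDAP_HOST='idserver.domain.tld'
LDAP_DN_STRING='dc=domain,dc=tld'
LDAP_SEARCH_PASSWORD='bind-password'
"""

ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

def parse_env(text):
    """Parse KEY=VALUE lines. Comments and blanks are skipped; one layer of
    quotes is stripped. Inline comments and ${VAR} expansion are not handled."""
    values = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        m = ASSIGN.match(raw)
        if m:
            val = m.group(2).strip()
            if len(val) >= 2 and val[0] == val[-1] and val[0] in "'\"":
                val = val[1:-1]
            values[m.group(1)] = val
    return values

def audit_ldap(env_text, local_text, prefix="LDAP_"):
    """Report, per LDAP_* key, which file wins and whether the result is empty.
    Values are never returned, so bind passwords stay out of the output."""
    base, local = parse_env(env_text), parse_env(local_text)
    effective = {**base, **local}  # later file (.env.local) overrides .env
    return {
        key: {"source": ".env.local" if key in local else ".env",
              "empty": effective[key] == "",
              "overridden": key in base and key in local}
        for key in sorted(effective) if key.startswith(prefix)
    }

if __name__ == "__main__":
    for key, info in audit_ldap(SAMPLE_ENV, SAMPLE_LOCAL).items():
        print(key, info)
```

Any key reported with `empty: True` and `source: .env` is one that the local override does not cover.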