Fixes #9063 Added sanity check to determine if a bind user account is set.

[raelldottin]

Description

This bug was introduced in this commit: #7919

The adlap2 module binds to the AD/LDAP server using $username and $password because the third parameter in $this->ldap->auth()->attempt($username, $password, true) is set to true. When the third parameter is set to false, it allows the adldap2 module to bind to the AD/LDAP server using AD/LDAP Bind Username and Password from app/Services/LdapAdConfiguration.php. Then, It will authenticate the $username and $password against the AD/LDAP server. This change fixes issue #9063.

The original rewrite of this code accounted for this by omitting the third parameter.
#6352

Reference: Adldap2 setup documentation -- https://github.com/Adldap2/Adldap2/blob/master/docs/setup.md

Fixes #9063

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

• I've tested this against my JumpCloud LDAP as a service, and it allows for login for the correct passwords and disallows login for the incorrect ones.
• I disabled LDAP Password Sync during testing to prevent the passwords from being synchronized
• Also, I deleted the user accounts and resync LDAP to ensure the LDAP password wasn't synchronized and user accounts are authenticated against the LDAP server.

Test Configuration:

• PHP version: PHP 7.3.19-1
• MySQL version: Ver 15.1 Distrib 10.5.8-MariaDB
• Webserver version: Apache/2.4.38 (Debian)
• OS version: Debian GNU/Linux 10 (buster)

Checklist:

• I have read the Contributing documentation available here: https://snipe-it.readme.io/docs/contributing-overview
• I have formatted this PR according to the project guidelines: https://snipe-it.readme.io/docs/contributing-overview#pull-request-guidelines
• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[raelldottin]

@snipe @uberbrady I create a new PR targeted to the develop branch. Here is a reference to the previous PR, which I will close. Thank you.

[uberbrady]

Perfection! Thank you so much.

[welcome]

Congrats on merging your first pull request! 🎉🎉🎉

[rajkhowaabhijit]

Hello,

Not sure if this is still relevant but I've been trying to sort this out since last few days. Hosting snipe-it on prem. The ldap synchronises flawlessly. However, user authentication is not successful. Not sure why is it trying to bind Admin user. If anyone can help it will be a great saviour.

[raelldottin]

@rajkhowaabhijit
I completely forgot about this fix. However, I quickly checked issue #9063 and figured it out.

Simply set your Bind username and password in the LDAP settings:

You're experiencing the same problem described in #9063.

[rajkhowaabhijit]

Hello @raelldottin ,

I am currently running Version v6.2.3 and we do not have the option for Append Domain Name. Also please could you elaborate on 'Simply set your Bind username and password in the LDAP settings:'

Somehow my laravel.log is not getting generated and I am not able to understand why so. The only lead I have is with APP_DEBUG=true and checking the

LOG.debug: Status of binding Admin user: uid=username,dc=ourdomain,dc=XX to directory instead: FAILURE

[raelldottin]

I’m not a developer on this project, but I’d recommend creating a new issue to seek assistance. That way, the right folks can jump in to help you out. It’s generally best to keep closed pull requests as they are for clarity. Thanks for reaching out! In LDAP (Lightweight Directory Access Protocol) terminology, an "Admin Bind User" is an account that has the necessary privileges to perform administrative operations within the LDAP directory. Here’s a breakdown of the components and their roles: 1. **LDAP**: This is a protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. It's commonly used for organizing user and group information, such as for login authentication and authorization. 2. **Bind**: This is the process by which an LDAP client authenticates to the LDAP server. It's equivalent to "logging in" to the directory. 3. **User**: In this context, it refers to the account that the client is using to authenticate (or bind) to the LDAP server. 4. **Admin**: This suggests that the user has administrative privileges. So, an Admin Bind User is essentially a user account that logs into the LDAP server with sufficient rights to perform tasks such as adding or removing users, modifying user attributes, managing group memberships, and more. These tasks are beyond what a regular user can do, which might be limited to reading their own user information or searching the directory. The credentials of an Admin Bind User are critical and should be protected because they can potentially alter the entire directory's structure and content. They are often used by applications or services that need to interact with the LDAP directory in a way that requires elevated privileges.

…

On Wed, Nov 8, 2023 at 4:18 AM rajkhowaabhijit ***@***.***> wrote: Hello @raelldottin <https://github.com/raelldottin> , I am currently running Version v6.2.3 and we do not have the option for Append Domain Name. Also please could you elaborate on 'Simply set your Bind username and password in the LDAP settings:' Somehow my laravel.log is not getting generated and I am not able to understand why so. The only lead I have is with APP_DEBUG=true and checking the LOG.debug: Status of binding Admin user: uid=username,dc=ourdomain,dc=XX to directory instead: FAILURE — Reply to this email directly, view it on GitHub <#9340 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACNMV7RBTSCLDHECQRAISTYDNE7HAVCNFSM4ZYBK5WKU5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TCOBQGEZTQOBYGYZQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>