10.0.6 - Sync existing users error LDAP import when change the ldap user password in configuration

[Tols78]

Code of Conduct

• I agree to follow this project's Code of Conduct

Is there an existing issue for this?

• I have searched the existing issues

Version

10.0.6

Bug description

Hello,

Since i change user DN for connect to LDAP

Synchronization of existing users via search filter: KO
Synchronization In console mode via glpi:ldap:synchronize_users KO
Test connection ldap : OK

In graphical mode the LDAP filter is transformed

(& (samaccountname=*) (&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))))

Becomes
(& (samaccountname=*) (&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))))``

Relevant log output

php-errors.log

[2023-02-13 18:10:02] glpiphplog.CRITICAL:   *** Uncaught Exception TypeError: ldap_parse_result(): Argument #2 ($result) must be of type LDAP\Result, bool given in C:\glpi\src\AuthLDAP.php at line 1868
	Ligne 1799:   front\ldap.import.php:69                           AuthLDAP::searchUser()
	Ligne 1801: [2023-02-13 18:10:02] glpiphplog.CRITICAL:   *** Uncaught Exception RuntimeException: Something went wrong searching in LDAP directory in C:\glpi\src\AuthLDAP.php at line 3395

Page URL

Just go to the In graphical mode LDAP filter

Steps To reproduce

Just go to the In graphical mode LDAP filter

Your GLPI setup information

GLPI 10.0.6 ( => C:\glpi)
Installation mode: TARBALL
Current language:fr_FR

Operating system: Windows NT
PHP 8.1.10
Setup: max_execution_time="300" memory_limit="512M" post_max_size="8M" safe_mode="" session.save_handler="files"
upload_max_filesize="200M"
Software: Microsoft-IIS
Server Software: mariadb.org binary distribution
Anything else?

Anything else?

No response

[Tols78]

I am not an expert in PHP coding, I try we never know, it really blocks us in the implementation of our GLPI instance which worked well in 10.0.0.5 THKS

@cconard96 Do you know if is it related to the changes made to bug #12794 or #11497 ?

[Tols78]

We add to the AuthLDAP.php

if ($sr === false) { trigger_error( sprintf('LDAP search failed with error (%s) %s', ldap_errno($ds), ldap_error($ds)), E_USER_WARNING ); return false;

We no longer have the error but another error

`[2023-02-14 13:13:06] glpiphplog.WARNING: Test logger
[2023-02-14 13:13:08] glpiphplog.WARNING: *** PHP Warning (2): ldap_search(): Search: Operations error in E:\glpi\src\AuthLDAP.php at line 1867
Backtrace :
src\AuthLDAP.php:1867 ldap_search()
src\AuthLDAP.php:2049 AuthLDAP::searchForUsers()
src\Console\Ldap\SynchronizeUsersCommand.php:297 AuthLDAP::getAllUsers()
vendor\symfony\console\Command\Command.php:298 Glpi\Console\Ldap\SynchronizeUsersCommand->execute()
vendor\symfony\console\Application.php:1040 Symfony\Component\Console\Command\Command->run()
src\Console\Application.php:272 Symfony\Component\Console\Application->doRunCommand()
vendor\symfony\console\Application.php:301 Glpi\Console\Application->doRunCommand()
vendor\symfony\console\Application.php:171 Symfony\Component\Console\Application->doRun()
bin\console:122 Symfony\Component\Console\Application->run()

[2023-02-14 13:13:08] glpiphplog.WARNING: *** PHP User Warning (512): LDAP search failed with error (1) Operations error in E:\glpi\src\AuthLDAP.php at line 1871
Backtrace :
src\AuthLDAP.php:1871 trigger_error()
src\AuthLDAP.php:2049 AuthLDAP::searchForUsers()
src\Console\Ldap\SynchronizeUsersCommand.php:297 AuthLDAP::getAllUsers()
vendor\symfony\console\Command\Command.php:298 Glpi\Console\Ldap\SynchronizeUsersCommand->execute()
vendor\symfony\console\Application.php:1040 Symfony\Component\Console\Command\Command->run()
src\Console\Application.php:272 Symfony\Component\Console\Application->doRunCommand()
vendor\symfony\console\Application.php:301 Glpi\Console\Application->doRunCommand()
vendor\symfony\console\Application.php:171 Symfony\Component\Console\Application->doRun()
bin\console:122 Symfony\Component\Console\Application->run()

[2023-02-14 13:13:08] glpiphplog.WARNING: *** PHP Warning (2): ldap_search(): Search: Operations error in E:\glpi\src\AuthLDAP.php at line 1867
Backtrace :
src\AuthLDAP.php:1867 ldap_search()
src\AuthLDAP.php:2049 AuthLDAP::searchForUsers()
src\Console\Ldap\SynchronizeUsersCommand.php:297 AuthLDAP::getAllUsers()
vendor\symfony\console\Command\Command.php:298 Glpi\Console\Ldap\SynchronizeUsersCommand->execute()
vendor\symfony\console\Application.php:1040 Symfony\Component\Console\Command\Command->run()
src\Console\Application.php:272 Symfony\Component\Console\Application->doRunCommand()
vendor\symfony\console\Application.php:301 Glpi\Console\Application->doRunCommand()
vendor\symfony\console\Application.php:171 Symfony\Component\Console\Application->doRun()
bin\console:122 Symfony\Component\Console\Application->run()

[2023-02-14 13:13:08] glpiphplog.WARNING: *** PHP User Warning (512): LDAP search failed with error (1) Operations error in E:\glpi\src\AuthLDAP.php at line 1871
Backtrace :
src\AuthLDAP.php:1871 trigger_error()
src\AuthLDAP.php:2049 AuthLDAP::searchForUsers()
src\Console\Ldap\SynchronizeUsersCommand.php:297 AuthLDAP::getAllUsers()
vendor\symfony\console\Command\Command.php:298 Glpi\Console\Ldap\SynchronizeUsersCommand->execute()
vendor\symfony\console\Application.php:1040 Symfony\Component\Console\Command\Command->run()
src\Console\Application.php:272 Symfony\Component\Console\Application->doRunCommand()
vendor\symfony\console\Application.php:301 Glpi\Console\Application->doRunCommand()
vendor\symfony\console\Application.php:171 Symfony\Component\Console\Application->doRun()
bin\console:122 Symfony\Component\Console\Application->run()`

[hugo-daclon]

see #14049

[Tols78]

@Nol-go Thks but ko ?...

[Tols78]

To test only installation of a new 10.0.6 instance and a new blank database : the problem persists.
Can the problem come from sodium and the fact that we do not use TLS ? In base the TLS file entry and TLS key are checked despite having the TSL parameter on No ?

In case we have regenerated a new GLPI Key (bin/console glpi:security:change_key) but : the problem persists.
Messages are of type ldap_search(): Search: Operations error or unable to reach ldap directory....

We restored the virtual machine (Still in 10.0.6) the sync works BUT as soon as the LDAP login account is changed or its password it no longer works

[Tols78]

@cedric-anne @cconard96 Hello gentlemen, I'm sorry to bother you, but after checking all the configurations the LDAP synchronization no longer works, do you think of a bug that a future fix could fix?

[trasher]

@Tols78 if you want a very quick response, please consider taking a subscription. Otherwise, wait for a response, community support is on a best effort basis.

[hugo-daclon]

The problem has just been fixed, at the beginning he used the samaccountname attribute for the rootDN and his distinguishedName had spaces. We think the Cache made it magicaly work until today, since it stopped working, the moment it was cleared. Sorry for the disturbance.

[cedric-anne]

@Tols78

We fixed some issues recently related to encoding issues on LDAP operations. Could you try to install GLPI nightly build on a test server and see if problem persist?

[vampyre666]

Ive installed GLPI 10.07-dev (10.0‑bcd40ee.tar.gz | 2023‑04‑01) nightly and still experiencing the LDAP sync/search issue.

[cedric-anne]

Hi,

Could you try to reproduce the issue on GLPI 10.0.7? If problem persist, could you review your LDAP configuration to ensure it has not been altered by any migration?

[vampyre666]

Cedric-anne I have tried the following:
updated from 10.0.5 (known working VM) to new nightly 10.0.8 0.0 | 10.0-ed99305.tar.gz | 2023-04-06 00:29:55 UTC | 56575936
Ubuntu 20.04 LTS fully updated

LDAP connection filter: (&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Test scenario on 10.0.8 right after update:
Setup/LDAP/Test connection [Result: success] (no changes to LDAP setup)
Administration/Users/Ldap/import new [Result: working and displays new LDAP users]

Test2:
Setup/LDAP/ ==> Re-entered password in the "Password (for non-anonymous binds)" and tick "Clear" , save then Test Connection [Result: success]
Administration/Users/Ldap/import new [Result: Error below]
PHP Warning (2): ldap_search(): Search: Operations error in /var/www/html/glpi/src/AuthLDAP.php at line 1922

The error only seems to appear after changing the password+clear and then saving LDAP settings.

The password is 100% correct, I've tested using a 3rd partly LDAP query tool with the LDAP filter above and its succeeds

If there are any other test cases you would like to perform please let me know

[cedric-anne]

@vampyre666

Re-entered password in the "Password (for non-anonymous binds)" and tick "Clear"

If you check the Clear checkbox, it means that you want the password to be cleared (i.e. removed). So you have to either reenter the password (if you want to use one), either to use clear it, but not both at the same time.

[vampyre666]

Hi @cedric-anne
Just to be clear,
After upgrade:
LDAP -> Test --> Success

The proceed to
Step1: clear + save.
Step2: Confirmed correct password (NO Clear ticked)+ save.
Step3 Test result: Sucess.
Step4: Administration/Users/Ldap/import new [Result: Error below]
PHP Warning (2): ldap_search(): Search: Operations error in /var/www/html/glpi/src/AuthLDAP.php at line 1922

LDAP seems to test fine, but the search is an issue when trying to import new users.
Search Query: '(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

[cedric-anne]

Hi,

Can you try #14563?

[vampyre666]

I've tried and still getting the same error.

Also tried the latest nightly 10.0-ea41dca still no luck :-(

[cedric-anne]

#14561 mays help to prevent errors when LDAP objects are not found (due to applied filters for instance), and may help to identify other errors. It is a huge patch, but could you try it, and give the exact log that is produced during import?

[vampyre666]

Hi Cedric-Anne,
Silly question how to I apply a patch to existing install ?

[cedric-anne]

@vampyre666

You can find a build containing this fix here: https://github.com/cedric-anne/glpi/actions/runs/4827869219

This build correspond to the current nightly build + the #14561 patch.

[trasher]

No feedback from a while, closing.