View Issue Details

ID: 0027866
Project: mantisbt
Category: ldap
View Status: public
Last Update: 2021-01-31 05:47
Reporter: FedericoCoppola
Assigned To: dregad
Priority: normal
Severity: block
Reproducibility: always
Status: closed
Resolution: no change required
Platform: GNU/Linux
OS: Ubuntu
OS Version: 20.04 LTS
Product Version: 2.24.4
Summary: 0027866: LDAP Auth Fails. Mantis continue to use "administration" during lookup
Description

Hi,
I followed different threads about LDAP using Mantis, but I continue to get an issue with Mantis 2.24.4 (latest release).

This is my configuration:

$g_login_method = LDAP;
$g_ldap_server = 'ldap://dc.company.local:389';
$g_ldap_root_dn = 'dc=company,dc=local';
$g_ldap_organization = '';
$g_ldap_realname_field = 'cn';
$g_ldap_uid_field = 'sAMAccountName';
$g_ldap_bind_dn = 'cn=activedirectory_user,cn=Users,dc=pe,dc=local';
$g_ldap_bind_passwd = 'XXXXXX';
$g_ldap_protocol_version = 3;
$g_use_ldap_email = OFF;
$g_use_ldap_realname = ON;
$g_log_level = LOG_LDAP;
$g_log_destination = 'file:/var/log/mantis.log';

My issue is that Mantis connects properly to the Domain Controller using "$g_ldap_bind_dn" and "$g_ldap_bind_passwd", but after that Mantis tries again using the "administrator" account and it fails. I never specified an LDAP Administrator account inside Mantis.

2021-01-14 11:01 CET LDAP ldap_api.php:67 ldap_connect_bind() Attempting connection to LDAP server/URI 'ldap://dc.company.local:389'.
2021-01-14 11:01 CET LDAP ldap_api.php:76 ldap_connect_bind() Connection accepted by LDAP server
2021-01-14 11:01 CET LDAP ldap_api.php:89 ldap_connect_bind() Setting LDAP protocol version to 3
2021-01-14 11:01 CET LDAP ldap_api.php:111 ldap_connect_bind() Attempting bind to ldap server as 'activedirectory_user'
2021-01-14 11:01 CET LDAP ldap_api.php:124 ldap_connect_bind() Bind to ldap server successful
2021-01-14 11:01 CET LDAP ldap_api.php:346 ldap_authenticate_by_username() Searching for (&(sAMAccountName=administrator))
2021-01-14 11:01 CET LDAP ldap_api.php:50 ldap_log_error() ERROR 0000001: Operations error
2021-01-14 11:01 CET LDAP ldap_api.php:351 ldap_authenticate_by_username() Search '(&(sAMAccountName=administrator))' failed

Is it a bug?

Steps To Reproduce

I can always reproduce it.

Additional Information

I cannot log in to Mantis from the web page because I can only see this error message:

APPLICATION ERROR 0001400

LDAP Authentication Failed.
Please use the "Back" button in your web browser to return to the previous page.
There you can correct whatever problems were identified in this error or select another action. You can also click an option from the menu bar to go directly to a new section.

"Authentication Failed" is not true in my opinion, because my account works fine according to the logs.

Tags: No tags attached.

Activities

dregad

2021-01-14 16:05

developer   ~0064978

The installer creates a default administrator account. As a security measure, the login page checks that, if this user exists, its password is not default (see https://github.com/mantisbt/mantisbt/blob/release-2.24.4/login_page.php#L147), which can explain what you see in the log. Try to disable or delete the administrator user.

FedericoCoppola

2021-01-14 17:17

reporter   ~0064981

Hello,
Yes, there is an administrator account (local administrator MantisBT account).
At this moment the administrator account has the default password.
I will try to remove it and try again.

FedericoCoppola

2021-01-16 12:41

reporter   ~0064996

Last edited: 2021-01-16 12:47

Hi,
I did different steps and now it seems to work fine.

1) Disabled the "administrator" default Mantis account using SQL (you must set "enabled" to 0) as @dregad suggested:

select id, username, password, enabled from mantis_user_table; -- to check the "administrator" ID in the table
update mantis_user_table set enabled=0 where id=1; -- in my case the "administrator" account has ID=1

2) LDAP Configuration

$g_login_method = LDAP;
$g_ldap_protocol_version = 3;
$g_ldap_server = 'ldap://dc.company.local/';
$g_ldap_port = '389';
$g_ldap_root_dn = 'DC=company,DC=local';
$g_ldap_organization = '(objectClass=*)';
$g_ldap_uid_field= 'sAMAccountName';
$g_ldap_bind_dn = 'CN=YOUR_ADUSER,CN=Users,DC=pe,DC=local';
$g_ldap_bind_passwd = 'YOUR_PASSWORD';
$g_allow_signup= ON;
$g_log_level = LOG_LDAP;
$g_log_destination = 'file:/var/log/mantis.log';
$g_use_ldap_email = ON;
$g_ldap_follow_referrals = OFF;
$g_default_bug_view_status = VS_PRIVATE;

3) Enabled ldap module, I do not know if it is necessary

a2enmod ldap   # run as root

4) Restart apache2 and mysql

service mysql restart
service apache2 restart

After that I tried again and now I can access using my Active Directory account with success.
Now I cannot use the administrator account; I see that LDAP users are "reporter" accounts.
How can I set some LDAP user as an "Administrator" account?

Thanks so much for your help
Federico

FedericoCoppola

2021-01-16 12:51

reporter   ~0064997

I have solved it using the MySQL user table.
I updated the record of my Active Directory user in "mantis_user_table" of MantisDB:
"update mantis_user_table set access_level=90 where id=XXX;" where access_level 90 means "Administrator".

Is there another way to do it?

Thanks
Federico

dregad

2021-01-17 05:16

developer   ~0065001

Glad to hear you fixed your problem.

> Is there another way to do it?

Using SQL works, but is not supported - do it at your own risk.

In a normal usage scenario, I would recommend the following approach:

  1. set $g_login_method to MD5 (i.e. disable LDAP)
  2. login with the default admin account
  3. in manage_user_page.php, set access level of your user account to administrator
  4. set $g_login_method to LDAP
  5. login with your account
  6. disable default Administrator account
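
Added example (not part of the thread and not MantisBT code): a Python check of the account states this issue passes through, using only the mantis_user_table columns named above (username, enabled, access_level). The SQLite table, the user jdoe and the non-administrator level 25 are constructed stand-ins for a real MantisBT database.

```python
import sqlite3

ADMINISTRATOR = 90  # access_level the thread gives for "Administrator"


def make_db(users):
    """Build an in-memory stand-in for mantis_user_table (constructed data).

    Only the columns named in the thread are modelled; the real table has more.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mantis_user_table ("
        "id INTEGER PRIMARY KEY, username TEXT, enabled INTEGER, access_level INTEGER)"
    )
    conn.executemany(
        "INSERT INTO mantis_user_table (username, enabled, access_level) VALUES (?, ?, ?)",
        users,
    )
    return conn


def audit_admin_accounts(conn, default_admin="administrator"):
    """Return findings about administrator-level accounts."""
    rows = conn.execute(
        "SELECT username, enabled FROM mantis_user_table WHERE access_level >= ?",
        (ADMINISTRATOR,),
    ).fetchall()
    enabled = [name for name, is_enabled in rows if is_enabled]
    findings = []
    if default_admin in enabled:
        # The installer-created account is still usable.
        findings.append("default-admin-enabled")
    if not [name for name in enabled if name != default_admin]:
        # Disabling the default account in this state leaves no administrator.
        findings.append("no-other-enabled-admin")
    return findings


# Constructed states; "jdoe" is a hypothetical LDAP user, 25 a non-admin level.
STATES = {
    "fresh install": [("administrator", 1, 90), ("jdoe", 1, 25)],
    "default admin disabled first": [("administrator", 0, 90), ("jdoe", 1, 25)],
    "after the six steps": [("administrator", 0, 90), ("jdoe", 1, 90)],
}

if __name__ == "__main__":
    for name, users in STATES.items():
        print(f"{name}: {audit_admin_accounts(make_db(users)) or 'ok'}")
```

The middle state is the one reached in this issue: the default account is disabled before any LDAP user holds administrator level, so nobody can administer the instance through the web interface.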