Cannot log in using LDAP Active Directory


#1

We have installed the Ubuntu Dreamfactory 2.0 VM and successfully connected it to an MSSQL Server. We then created a simple login page (index.html) that does an API call to log in a user that exists on our Dreamfactory instance. This login returns a session ID to be used in subsequent API calls. Next, we want to rather authenticate users using an LDAP connection to Active Directory.

We created a new service called “AD_service” and added the LDAP server and Base DN values. Then on the API DOCS page in Dreamfactory, in the POST /user/session we add in the body the following json string:

{
"username":"AD_Username",
"password":"AD_Password",
"service":"AD_Service"
}

When we execute it, it returns “invalid user name and password provided” (code 401). The same happens when we try to execute it from PHP using curl as follows:

// Credentials go in the JSON body; the LDAP service is named in the query string.
$data = array("username" => "AD_Username", "password" => "AD_Password");
$data_string = json_encode($data);

$ch = curl_init('http://xxx.xxx.xxx.xxx:port/api/v2/user/session?service=AD_Service');
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($ch, CURLOPT_POSTFIELDS, $data_string);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // return the response instead of printing it
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
  'X-DreamFactory-Api-Key: web_app_api_key'
));
$result = curl_exec($ch);

We have, however, been able to make a curl connection to Active Directory in Ubuntu and Mac’s terminal using the credentials as above. Also, the LDAP server and Base DN values were verified using JXplorer.

We also installed the php5-ldap package (ldap.so) and added it to the php.ini file, but alas, still getting the “invalid user name and password provided” message.

Any ideas what could be the cause?


#2

Have you tried an https connection rather than a standard http?


#3

Yes, when using https in the PHP connection, it returns a blank page. I tested the connection using Mac’s terminal as follows:

curl -v -4 -H "Content-Type: application/json" -X POST -d '{"username":"AD_Username","password":"AD_Password"}' https://xxx.xxx.xxx.xxx:port/api/v2/user/session?service=AD_Service

and it returned:

Connected to xxx.xxx.xxx.xxx port
* WARNING: using IP address, SNI is being disabled by the OS.
* Unknown SSL protocol error in connection to xxx.xxx.xxx.xxx:-9847
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to xxx.xxx.xxx.xxx:-9847

I’m guessing it has something to do with the SSL connection then?


#4

@quintinvh I am curious, you mentioned you used JXplorer to verify. Is Java installed on either machine, e.g. the LDAP server or API requester? If so, could you verify the Java version?


#5

@mattschaer Thanks for the suggestion. Java is not installed on the DF Ubuntu VM by default. I installed JRE 1.7, but it didn’t make a difference.

Running curl_error($ch) gives the following information:
error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
In the Apache Error Log there was this message:
localhost:443 does NOT include an ID which matches the server name

This all points to an SSL certificate issue according to various posts on the internet. We created a self-signed certificate, but still get the same error messages.


#6

@quintinvh

Which SSL version is running on the host/client?

Sometimes different SSL versions throw the error.

On the host, in the ‘hosts’ file (usually ‘etc/hosts’), is the IP address you are making the cURL request above to resolved to a hostname?

Can you try making the API call using the hostname instead of the IP address?


#7

Hi @drewpearce - could you please help take a look at this? I’m sitting here with @quintinvh and we can’t figure this out! Thanks man!

Regards
Martin


#8

Did you guys try connecting using the hostname rather than the IP address?
This really looks like an SSL configuration issue.


#9

Hi @mattschaer, @drewpearce, @Martin_Jansen, @Pierredp,

Sorry for the delay. I added a hostname with name “dfhost” and mapped the IP address to it in the hosts file as you suggested. Doing the API call with http returns “invalid username and password” (double checked that username and password values are correct). Doing the API call with https complains that port 80 can’t be used. I changed it to port 443 and now get the following:

* Trying xxx.xxx.xxx.xxx...
* Connected to dfhost (xxx.xxx.xxx.xxx port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /opt/bitnami/common/openssl/certs/curl-ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (60) SSL certificate problem: self signed certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Any ideas?


#10

This may be related to the same issue I had with S3. See this post.

Or you may have to get a real signed cert and include the CA Bundle. If you’re using a Bitnami package you can follow Bitnami SSL Install.

Hope that helps.
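
Added example, not written by anyone in this thread: a verifying client such as curl rejects a server certificate either because it does not name the host in the URL (the Apache log line in #5) or because it does not chain to the client's CA bundle (curl error 60 in #9). The script below reproduces both checks offline with OpenSSL on throwaway certificates constructed for the purpose; the function names are made up for this example, `dfhost` is the hostname from #9, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example. All certificates are throwaway, constructed test data.
# Assumes OpenSSL 1.1.1+ (needed for -addext).

# make_cert NAME DIR: self-signed cert DIR/NAME.crt whose only name is NAME.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$2/$1.key" -out "$2/$1.crt" \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null
}

# cert_matches_host CERT HOST: true only if CERT is valid for HOST.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# cert_trusted_by CERT CAFILE: true only if CERT verifies against CAFILE.
cert_trusted_by() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# diagnose CERT HOST CAFILE: print which check a verifying client would fail.
diagnose() {
    if ! cert_matches_host "$1" "$2"; then
        echo "name-mismatch"
    elif ! cert_trusted_by "$1" "$3"; then
        echo "untrusted"
    else
        echo "ok"
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_cert dfhost "$d" && make_cert localhost "$d" || return 1
    # Certificate issued for another name: rejected whatever the bundle holds.
    echo "localhost cert, URL host dfhost:  $(diagnose "$d/localhost.crt" dfhost "$d/localhost.crt")"
    # Right name, but the client's bundle does not contain this certificate.
    echo "dfhost cert, unrelated bundle:    $(diagnose "$d/dfhost.crt" dfhost "$d/localhost.crt")"
    # Right name, and the certificate itself supplied as the CA file.
    echo "dfhost cert, own cert as CA file: $(diagnose "$d/dfhost.crt" dfhost "$d/dfhost.crt")"
    rm -rf "$d"
}
demo
```

The last case is what curl's `--cacert` option (or `CURLOPT_CAINFO` in PHP) achieves for a self-signed server certificate: verification stays on, and only that one certificate is trusted.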