LDAP adaption to retrieve DN instead of current method

[Glorou]

Snipe-IT Version

5.4.3

Operating System

Debian

Web Server

Apache

PHP Version

7.4.29

Is your feature request related to a problem? Please describe. A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Ldap does not work if you have multiple ou's instead of only one, for example, two different departments.

Describe the solution you'd like A clear and concise description of what you want to happen.

Something akin to this where the username is resolved to a DN by binding to the admin account and pulling the account that way.

public function ldapLogin(string $username, string $password): User
    {
        if ($this->ldapSettings['ad_append_domain']) { //if you're using 'userprincipalname', don't check the ad_append_domain checkbox
            $connection = Ldap::connectToLdap();
            Ldap::bindAdminToLdap($connection);
            $search =  ldap_search($connection, $this->ldapConfig['base_dn'], "(". Setting::getSettings()->ldap_username_field. "=$username)");
            $user = ldap_get_entries($connection, $search);
            if($user["count"] == 1){
                $login_username =  $user[0]["dn"];
            }
            if(ldap_bind($connection, $login_username, $password)){
                throw new Exception('other shit is broken!');
            }
            
            //$login_username = $username . '@' . $this->ldapSettings['ad_domain']; // I feel like could can be solved with the 'suffix' feature? Then this would be easier.
        } else {
            $login_username = $username;
        }

        if ($this->ldapConfig['username'] && $this->ldapConfig['password']) {
            $bind_as_user = false;
        } else {
            $bind_as_user = true;
        }

        if (($this->ldap) && ($this->ldap->auth()->attempt($login_username, $password, $bind_as_user) === false)) {
            throw new Exception('Unable to validate user credentials!');
        }

Describe alternatives you've considered A clear and concise description of any alternative solutions or features you've considered.

No response

Additional context Add any other context or screenshots about the feature request here.

No response

[welcome]

👋 Thanks for opening your first issue here! If you're reporting a 🐞 bug, please make sure you include steps to reproduce it. We get a lot of issues on this repo, so please be patient and we will get back to you as soon as we can.

[kokel]

+1

We need this feature, also. The current LDAP implementation of SnipeIT (we use OpenLDAP) is not really usable for us, probably not usable for the most OpenLDAP users out there.

All LDAP implementation I know of in other softwares behaves like this (oversimplified, subtotal):

• Binds to LDAP with configurable bind user
• Perfoms a ldap search with configurable search filter to get the user object with all or a set of (configurable) LDAP attributes, especially to get users DN, the username attribute should be configurable.
• Checks the user password with User DN and provided password from user input

[uberbrady]

I think this: #17832 might actually fix it? Would you be able to give that one a try and let us know if it fixes the problem for you?

[snipe]

Hi there - We haven't heard back in a bit, so I'm going to close this ticket for now, but will re-open it if you're still having issues.