Support » Plugin: Next Active Directory Integration » Fatal error after login and suffix question

  • Hi,

    try / catch clause missing in NextADInt_Adi_Authentication_LoginService::authenticate()

    [15-Sep-2016 09:09:20 UTC] PHP Fatal error:  Uncaught Exception: sAMAccountName must not be empty in next-active-directory-integration\classes\Core\Assert.php:70
    Stack trace:
    #0 next-active-directory-integration\classes\Adi\User\Manager.php(101): NextADInt_Core_Assert::notEmpty('', 'sAMAccountName ...')
    #1 next-active-directory-integration\classes\Adi\User\Manager.php(161): NextADInt_Adi_User_Manager->findByActiveDirectoryUsername('', 'john.wayne...')
    #2 next-active-directory-integration\classes\Adi\Authentication\LoginService.php(479): NextADInt_Adi_User_Manager->createAdiUser(Object(NextADInt_Adi_Authentication_Credentials), Object(NextADInt_Ldap_Attributes))
    #3 next-active-directory-integration\classes\Adi\Authentication\LoginService.php(448): NextADInt_Adi_Authentication_LoginService->createOrUpdateUser(Object(NextADInt_Adi_Auth in 
    next-active-directory-integration\classes\Core\Assert.php on line 70

    This was revealed with my SSO login problem:
    – Usernames people use to log in to their workstations don’t (necessarily) have suffixes (e.g. EX\jwayne), so I can’t set account suffixes on the ADI profile, otherwise SSO won’t work.
    – Now the user gets their data from AD, and the authenticate procedure at NextADInt_Adi_Authentication_LoginService::authenticate() calls NextADInt_Adi_Authentication_LoginService::tryAuthenticatableSuffixes() with the user’s credentials, which now got a suffix (UPN) from AD.

    So a question emerges: How can I add two ADI profiles to the system? Both with the same settings, but one with suffixes and the other without? Reading the source this seems possible, but one cannot add multiple profiles from the dashboard?

    OR, could it be possible to add an “empty suffix” to an ADI profile along with actual suffixes?

    Thanks

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author tobi823

    (@tobi823)

    Hi tmuikku,

    I think that I understand your problem. You want to use the “User logon name (pre-Windows 2000)” like TEST\klammer instead of klammer@test.ad. The plugin could not find any suffix in the username TEST\klammer and the configuration option “Account suffix”. That’s why the parameter $suffixes inside classes/Adi/Authentication/LoginServer.php::158 is empty. Due to the empty $suffixes the foreach loop with the AD authentication will never be executed.

    This problem can be solved by adding an empty suffix by default ($suffixes[] = '';) before the foreach loop on line 165/166 (foreach ($suffixes as $suffix) {).

    But I have to check for side effects before I update the plugin. I will do it as soon as possible.

    To your second question:
    You can have only one Nxt ADI configuration for each “normal” WordPress instance or for each site in a WordPress MultiSite installation.

    Yes, that’s pretty much the problemo 🙂 Just somehow allow the REMOTE_USER parameter used in the SSO authentication process to be without a suffix and still have suffixes set up for the actual login.

    Plugin Author tobi823

    (@tobi823)

    I will add support for the Down-Level Logon Name (like TEST\klammer). I don’t recommend this option (which is disabled by default and can be enabled) because the Down-Level Logon Name is not unique and can cause problems. The Next ADI administrator has to make sure that nobody has an already used Down-Level Logon Name/pre-Windows 2000 user logon name.

    I will update the plugin as soon as possible.

    • This reply was modified 4 years, 1 month ago by tobi823.
    Plugin Author tobi823

    (@tobi823)

    Hi tmuikku,

    I added the “Allow Down-Level Logon Name for login” feature to version 2.0.5. Can you enable it and check if your problem is now solved?

    I am also having this same issue. I have tried ticking the Allow Down-Level Logon Name for login but am still getting the fatal error on logging in.

    Plugin Author tobi823

    (@tobi823)

    Hi wardy277,

    I have found a bug which might cause this error message.

    When Apache returns your username like “TEST\klammer”, WordPress escapes it (https://github.com/WordPress/WordPress/blob/master/wp-includes/load.php#L653). Next ADI gets the username “TEST\\klammer” and is not able to find the user “TEST\klammer”.

    I have already fixed this bug. Hopefully I can upload the fixed version tomorrow.

    wardy277

    (@wardy277)

    Hi,

    I have given it a while to see if this issue still occurs. I have just tried this with version 2.0.9 but the issue still occurs. On login I get the sAMAccountName must not be empty error message. Is this another issue?

    Chris

    tmuikku

    (@tmuikku)

    Hi, you have to check a checkbox in the plugin settings to allow low level authentication.
    We still had an error with the suffix setting though.

    We still couldn’t log in since the SSO authentication procedure didn’t find the Next ADI profile.
    They’ve fixed the code to allow authentication but missed allowing the Settings profile to be found with the low level logon enabled in the SSO Service class.
    This can be fixed with an additional condition check in the SSO Service class where it tries to recognize the profile by empty suffix.

    I’ll post more details after a week, I’m having a holiday now 🙂

    Alright, with SSO there are two stages when NextADI wants to get the plugin settings profile.
    Both of them check against the user suffix.

    Now, the suffix is not present if logging in with down level login like TEST\klammer.
    This was fixed by the last patch, user could authenticate.

    But, still the plugin failed the login because post login processing in the NextADInt_Adi_Authentication_SingleSignOn_Service couldn’t find user data from AD because the user now had a suffix from the authentication.

    This can be fixed by adding, in the filter closure of the NextADInt_Adi_Authentication_SingleSignOn_Service::getProfilesWithoutSuffixSet() method, a check for the option $profile[NextADInt_Adi_Configuration_Options::ALLOW_DOWN_LEVEL_LOGON_NAME]

    
    /**
     * Get all profiles that have no account suffix specified.
     *
     * @param $profiles
     *
     * @return array
     */
    protected function getProfilesWithoutSuffixSet($profiles) {
        return NextADInt_Core_Util_ArrayUtil::filter(function($profile) {
            return $profile[NextADInt_Adi_Configuration_Options::ALLOW_DOWN_LEVEL_LOGON_NAME] || NextADInt_Core_Util_StringUtil::isEmptyOrWhitespace($profile[NextADInt_Adi_Configuration_Options::ACCOUNT_SUFFIX]);
        }, $profiles);
    }
    

    Also, you need to add NextADInt_Adi_Configuration_Options::ALLOW_DOWN_LEVEL_LOGON_NAME into the argument array in NextADInt_Adi_Authentication_SingleSignOn_Service::findSsoEnabledProfiles();

    
    /**
    	 * Find all profiles with the necessary roles.
    	 *
    	 * @return array
    	 */
    	protected function findSsoEnabledProfiles()
    	{
    		// find all profiles with the given options and add them to our $profiles array
    		$profiles = $this->getConfiguration()->findAllProfiles(array(
    			NextADInt_Adi_Configuration_Options::ACCOUNT_SUFFIX,
    			NextADInt_Adi_Configuration_Options::SSO_ENABLED,
    			NextADInt_Adi_Configuration_Options::SSO_USER,
    			NextADInt_Adi_Configuration_Options::SSO_PASSWORD,
    			NextADInt_Adi_Configuration_Options::DOMAIN_CONTROLLERS,
    			NextADInt_Adi_Configuration_Options::PORT,
    			NextADInt_Adi_Configuration_Options::ENCRYPTION,
    			NextADInt_Adi_Configuration_Options::NETWORK_TIMEOUT,
    			NextADInt_Adi_Configuration_Options::BASE_DN,
    			NextADInt_Adi_Configuration_Options::SSO_USER,
    			NextADInt_Adi_Configuration_Options::SSO_PASSWORD,
    
    			NextADInt_Adi_Configuration_Options::ALLOW_DOWN_LEVEL_LOGON_NAME
    		));
    ......
    

    Hope this helps 😀

    • This reply was modified 3 years, 11 months ago by tmuikku.
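
The name handling discussed across this thread (the slashed REMOTE_USER value, the three logon name forms, and the empty suffix list that keeps the authentication loop from running), as an added example that is not the plugin's code or any poster's. The function names, the sample names and the `@test.ad` suffix form are assumptions made for illustration.

```php
<?php
// Added illustration: function names and sample values are constructed,
// not taken from Next ADI.

/**
 * Split a login name as WordPress hands it over (slashed exactly once).
 * Calling stripslashes() on an unslashed value would drop the separator.
 */
function parse_logon_name(string $slashed): array
{
    $name = trim(stripslashes($slashed));            // "TEST\\klammer" -> "TEST\klammer"
    if (($pos = strpos($name, '\\')) !== false) {    // Down-Level Logon Name
        return ['domain' => substr($name, 0, $pos), 'account' => substr($name, $pos + 1), 'suffix' => ''];
    }
    if (($pos = strrpos($name, '@')) !== false) {    // UPN-style name
        return ['domain' => '', 'account' => substr($name, 0, $pos), 'suffix' => substr($name, $pos)];
    }
    return ['domain' => '', 'account' => $name, 'suffix' => ''];
}

/** Suffixes to try against AD; an empty result means no attempt is made. */
function suffix_candidates(array $parsed, array $configured, bool $allowDownLevel): array
{
    if ($parsed['account'] === '') {
        return [];                                   // reject early instead of failing deep in the login path
    }
    if ($parsed['domain'] !== '') {
        return $allowDownLevel ? [''] : [];          // no suffix to match: opt-in only
    }
    if ($parsed['suffix'] !== '') {
        $known = array_map('strtolower', $configured);
        return in_array(strtolower($parsed['suffix']), $known, true) ? [$parsed['suffix']] : [];
    }
    return $configured;                              // bare name: try each configured suffix
}

// Constructed inputs; in single-quoted PHP, '\\\\' is two literal backslashes.
$configured = ['@test.ad'];
foreach (['TEST\\\\klammer', 'klammer@test.ad', 'klammer', 'klammer@other.ad', 'TEST\\\\'] as $raw) {
    $parsed = parse_logon_name($raw);
    foreach ([false, true] as $allow) {
        printf("%-18s allowDownLevel=%d -> %s\n", $raw, $allow,
            json_encode(suffix_candidates($parsed, $configured, $allow)));
    }
}
```

An empty candidate list is the case where the authentication loop never runs, and the single empty-string candidate is what the down-level option contributes.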
  • The topic ‘Fatal error after login and suffix question’ is closed to new replies.