Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
+6 votes
2.7k views
in Q2A Core by
I recently installed the qa-ldap-plugin to my question2answer instance, and I went to test it out, and after logging in, I got a redirect loop on my browser. I did some diagnostics to check that my LDAP configuration was working correctly, and did not find that to be an issue. Has anyone faced a similar issue?
Q2A version: 1.6.3

3 Answers

+4 votes
by
 
Best answer

I found an answer in this thread that explains the issue I was having. 

If you are trying to log in with an LDAP account that has an email that already exists in the Q&A MySQL database, this redirect occurs. In my case, I had created an account on Q&A when I first installed it to test it out, and I used my email address. Then when I used my company's LDAP for authentication using the qa-ldap-plugin, my account had the same email address as Q&A's database, which caused this.

In the quest to get this solved, you have to delete the cookies in your browser (or just use a different browser), because the redirect will keep happening as long as Q&A thinks that you are logged in. As in, you have to "log out" first so that you can log back in as a super administrator to fix the problem.

The solution is to delete the existing user as a super admin, which you can do per these instructions, and then log out of your super admin account and log back in with your LDAP credentials. A new account is created and no redirect occurs.

This applies to version v0.4 of the qa-ldap-plugin.

by
thanks man, it worked for me
by
Thanks for this Root cause details
+3 votes
by

I don't have a solution to the problem, but we had the same issue and came up with a workaround that did not delete the users. We observed the rows created in the qa_userlogins table when a new user attempted to login via LDAP. With that, we re-created an entry in that table for users already in the qa_users table.

The SQL statement was simple:

mysql> INSERT INTO qa_userlogins (userid, source, identifier, identifiermd5)  SELECT userid, "ldap", email, unhex(md5(email)) FROM qa_users;

We also used a "SELECT" statement to trim the user list coming out of the qa_users table. (e.g. ... WHERE email LIKE "%@example.com"). So far this has worked for existing and new users to the Q2A site.

by
You are the best, that solved the problem for me.
by
This solution helped me
+1 vote
by

The other answer didn't work for me.  my problem was apparently different.
My company stores its LDAP dn as:

CN=Last\, First,OU=Users,OU=Boston,DC=mycompany,DC=com

I want people to login with their unix login accounts, but that won't work because the unix login does not appear in the LDAP search string (where USERNAME would be replaced)

However you don't need the dn to bind.  You can ldap_bind with "mylogin@mycompany.com"  However in order to ldap_search, you need the real dn.

So here's my solution:

  1. Select Generic LDAP server
  2. Set the Generic LDAP search string to "USERNAME@mycompany.com" which will get us past the ldap_bind
  3. add some code to the bindToLDAP function in qa-plugin/qa-ldap-login/GenericLDAPServer.php that will find the dn from the samaccoutnname whic is needed for the ldap_search
  public function bindToLDAP($user,$pass) {
    $ldap_search_strings = explode('/', qa_opt('ldap_login_generic_search'));

    foreach ($ldap_search_strings as &$search_post) {
      // check whether the search string contains USERNAME
      if ( strpos($search_post, 'USERNAME') !== false ) {
        $this->dn = str_replace("USERNAME", $user, $search_post);
        // Check if it authenticates
        error_reporting(E_ALL^ E_WARNING);
        $bind = ldap_bind($this->con,$this->dn, $pass);
        error_reporting(E_ALL);

        //we have to preserve the username entered if auth was succesfull
        if($bind) {
          // get the real dn
          $filter = "(samaccountname=$user)";
          $dn = 'DC=mycompany,DC=com';
          $res = ldap_search($this->con, $dn, $filter, array());
          $first = ldap_first_entry($this->con, $res);
          $this->dn = ldap_get_dn($this->con, $first);
          // end get real dn
          $this->authenticatedUser = $user;
          return $bind;
        }
      }
    }
    return false;
  }
...