Welcome to the LimeSurvey Community Forum


Search Results (Searched for: ldap)

27 Apr 2025 01:46 - 02 May 2025 11:48
Hi,

I am using self-hosted installations. I have Version 2.62.0+170124, which was then upgraded via comfort update to Version 3.28.77+231213, which was then subsequently upgraded to Version 6.10.0+250106. I have then installed a clean 6.10.0+250106 as well, in order to avoid any bugs or database schema miscarried from version upgrades (if any), and also a 6.13.0, all of them running on Rocky Linux 9. I have tried using AuthLDAP with all these versions, with settings known to work with other platforms like Moodle and even a custom PHP LDAP script I wrote, running on the same server as LimeSurvey, just to confirm that the settings actually work properly with AD through LDAP.

I failed miserably in ALL my tries, no matter what combinations I tried and going through all info I could find online. The custom test script worked fine by the way, as did ldapsearch on Linux. I am not really getting a proper error except from a wrong username and/or password whenever trying to log in via LDAP (even when the user with the exact same username from AD was locally created in LimeSurvey).

The settings I have used are:
Code:
LDAP server: ldap://IP_of_AD_server (I have tried ldaps:// as well)
Port number: 389 (tried 636 with ldaps://)
LDAP version: LDAPv3
Select true if referrals must be followed (use false for ActiveDirectory): Off
Enable Start-TLS: Off
Select how to perform authentication: Search and bind
Attribute to compare to the given login can be uid, cn, mail, ..: sAMAccountName
Base DN for the user search operation. Multiple bases may be separated by a semicolon (;): ou=name of,dc=domain,dc=ac,dc=cy (of course using correct OU name and Domain)
Optional extra LDAP filter to be ANDed to the basic (searchuserattribute=username) filter: (&objectClass=user)(sAMAccountName={username}))
Optional DN of the LDAP account used to search for the end-user's DN. An anonymous bind is performed if empty: CN=properuseraccount,OU=User Account,DC=domain,DC=ac,DC=cy (using a proper account and domain)
LDAP attribute of email address: mail
LDAP attribute of full name: displayName (I have used cn as well)
Check to make default authentication method: unticked (I have tried both tick and unticked)
Automatically create user if it exists in LDAP server: unticked (I have tried both tick and unticked)
Grant survey creation permission to automatically created users: unticked
Optional base DN for group restriction: empty
Optional filter for group restriction: empty
Allow initial user to login via LDAP: unticked (I have tried both tick and unticked)

Regarding logs, I have tried to enable full debug mode but I do not see anything related to LDAP in it.

It’s like the call is not even made on the login screen. I have no idea though which other log would have to be enabled to log any more information on why it fails to authenticate.

I appreciate any information anyone has on the matter. At this point I am wondering if AuthLDAP does indeed work at all.

Thanks,
11 Apr 2025 16:24
Plugin source?

For example, AuthWebserver uses the auth_webserver_autocreate_permissions array in config.

For AuthLDAP: it's fixed github.com/LimeSurvey/LimeSurvey/blob/fc...AP/AuthLDAP.php#L572

On AuthOAuth2: it can be set in the config GUI
github.com/SondagesPro/limesurvey-oauth2.../AuthOAuth2.php#L270
01 Apr 2025 13:46
Hello Denis,

I see that my first message was truncated.

The API currently returns this (I removed a few lines for clarity):
[permissions] => Array
(
[0] => Array
(
[entity] => global
[permission] => auth_db
[read_p] => 1
...
)

Depending on the role attached to the user, it should instead return this:
[permissions] => Array
(
[0] => Array
(
[entity] => global
[permission] => auth_ldap
[create_p] => 0
[read_p] => 1
...
)
[1] => Array
(
[id] => 52822
[entity] => global
[permission] => surveys
[read_p] => 1
...
)

In fact, I have the impression that the API does not take into account the permissions associated with the role(s) applied to the user, whereas the web administration interface does (see the screenshot attached to the post).

O.L.
01 Apr 2025 11:51
Hello,

While using the JSON-RPC API, I noticed that the list_users function returns wrong information about permissions, given that we use roles (which take precedence over the default permissions).

Environment: Limesurvey 6.12.3+250331 (Debian 12, Postgresql 15.12, PHP 8.2.28)

Procedure followed:
  • Creation of a role 'Usager limité', whose only 2 enabled permissions are LDAP authentication (auth_ldap) and read permission on all surveys (surveys)
  • Creation of a user account whose identifier is 'test'. When choosing the initial permissions, the Cancel button is pressed (the only permission enabled by default in the database is therefore auth_db).
  • Assignment of the role 'Usager limité' to the user 'test'
  • Check of the permissions then associated with the user, via the web administration interface (see screenshot)
  • Execution of the list_users API from PHP: $response=$lsJSONRPCClient->list_users($sessionKey,null,'test');
  • See below the extract of the information returned (as an associative array in PHP):
Array
(
    [0] => Array
        (
            [uid] => xxx
            [users_name] => test
            [full_name] => test test
            [parent_id] => xxx
           
05 Mar 2025 03:58
Thanks! I spent the day with the F5 guys. We enabled the possible options in F5.
- SSL offloading
- Add header X-Forwarded-Proto
- Sticky sessions

However, the error persists. With your debug code, it returns the message:
400: Bad request - cURL error 7: (see curl.haxx.se/libcurl/c/libcurl-errors.html ) for login.microsoftonline.com/tenantid/oauth2/v2.0/token
The request cannot be interpreted by the server due to malformed syntax. Please do not repeat the request without modification. If you think this is a server error, please contact Administrator.

I have no more ideas. Will have to go back to LDAP. :(
13 Feb 2025 17:30 - 13 Feb 2025 17:31
>  1) is it possible to deactivate the modification of users' emails by the users themselves in their profile?

No, not included. It is possible to create plugins for that.

>  2) my users connect via CAS authentication (auth_cas module). I would like the email field (retrieved from the ldap) to be updated each time the user logs in and not just when creating their account. Is this possible?

Make the request on the plugin: github.com/univlorraine/limesurvey-cas/issues , it's not included currently.
11 Feb 2025 16:34
Help us help you and fill in the relevant fields:
Your LimeSurvey version: 5.6.68
Own server or LimeSurvey Cloud: own
Theme:

==================
Hello, I have some questions about limesurvey 5.6 and I hope you can point me in the right direction.
1) is it possible to deactivate the modification of users' emails by the users themselves in their profile?
2) my users connect via CAS authentication (auth_cas module). I would like the email field (retrieved from the ldap) to be updated each time the user logs in and not just when creating their account. Is this possible?
Thank you for your help
11 Feb 2025 16:30
Please help us help you and fill where relevant:
Your LimeSurvey version: 5.6.68
Own server or LimeSurvey hosting: own server 
Survey theme/template:
==================
Hello, I have some questions about limesurvey 5.6 and I hope you can help me.
1) is it possible to deactivate the modification of users' emails by the users themselves in their profile?
2) my users connect via CAS authentication (auth_cas module). I would like the email field (retrieved from the ldap) to be updated each time the user logs in and not just when creating their account. Is this possible?
Thank you for your help
13 Jan 2025 12:41
No idea :(
10 Jan 2025 09:59
Hi again,

Nothing changes when I set up: LDAP attribute of email address and LDAP attribute of full name

Thanks for your help
10 Jan 2025 09:13
Got it: github.com/LimeSurvey/LimeSurvey/blob/aa...AP/AuthLDAP.php#L267

Your ldap_search returns false, connection is OK.
Maybe you need to fill in LDAP attribute of full name and LDAP attribute of email address: if yes, we must set them as mandatory in the plugin.
10 Jan 2025 09:06
Hi,

Thanks for your answer, here is the result in debug mode:

PHP warning
ldap_search(): Search: No such object

/var/www/html/application/core/plugins/AuthLDAP/AuthLDAP.php(524)

512                 ldap_close($ldapconn); // all done? close connection
513                 return;
514             }
515             // Now prepare the search fitler
516             if ($extrauserfilter != "") {
517                 $usersearchfilter = "(&$searchuserattribute=$username)$extrauserfilter)";
518             } else {
519                 $usersearchfilter = "($searchuserattribute=$username)";
520             }
521             // Search for the user
522             $userentry = false;
523             foreach (explode(";", $usersearchbase) as $usb) {
524                 $dnsearchres = ldap_search($ldapconn, $usb, $usersearchfilter, array($searchuserattribute));
525                 $rescount = ldap_count_entries($ldapconn, $dnsearchres);
526                 if ($rescount == 1) {
527                     $userentry = ldap_get_entries($ldapconn, $dnsearchres);
528                     $userdn = $userentry[0]["dn"];
529                 }
530             }
531             if (!$userentry) {
532                 // if no entry or more than one entry returned
533                 // then deny authentication
534                 $this->setAuthFailure(self::ERROR_USERNAME_INVALID);
535                 ldap_close($ldapconn); // all done? close connection
536                 return;
Stack Trace
#0    
–  /var/www/html/application/core/plugins/AuthLDAP/AuthLDAP.php(524): ldap_search(LDAP\Connection, "CN=LIMESURVEY,CN=APPLICATIONS,CN=GROUPES,CN=SUBLOCAL,DC=DOMAINE,DC=fr", "(sAMAccountName=formation01)", array("sAMAccountName"))
519                 $usersearchfilter = "($searchuserattribute=$username)";
520             }
521             // Search for the user
522             $userentry = false;
523             foreach (explode(";", $usersearchbase) as $usb) {
524                 $dnsearchres = ldap_search($ldapconn, $usb, $usersearchfilter, array($searchuserattribute));
525                 $rescount = ldap_count_entries($ldapconn, $dnsearchres);
526                 if ($rescount == 1) {
527                     $userentry = ldap_get_entries($ldapconn, $dnsearchres);
528                     $userdn = $userentry[0]["dn"];
529                 }
#1    
 unknown(0): AuthLDAP->newUserSession()
#2    
–  /var/www/html/application/libraries/PluginManager/PluginManager.php(269): call_user_func(array(AuthLDAP, "newUserSession"))
264                 if (
265                     !$event->isStopped()
266                     && (empty($target) || in_array(get_class($subscription[0]), $target))
267                 ) {
268                     $subscription[0]->setEvent($event);
269                     call_user_func($subscription);
270                 }
271             }
272         }
273
274         return $event;
#3    
–  /var/www/html/application/core/LSUserIdentity.php(72): LimeSurvey\PluginManager\PluginManager->dispatchEvent(LimeSurvey\PluginManager\PluginEvent)
67                 $result->setError(self::ERROR_UNKNOWN_HANDLER);
68             } else {
69                 // Delegate actual authentication to plugin
70                 $authEvent = new PluginEvent('newUserSession', $this); // TODO: rename the plugin function authenticate()
71                 $authEvent->set('identity', $this);
72                 App()->getPluginManager()->dispatchEvent($authEvent);
73                 $pluginResult = $authEvent->get('result');
74                 if ($pluginResult instanceof LSAuthResult) {
75                     $result = $pluginResult;
76                 } else {
77                     $result->setError(self::ERROR_UNKNOWN_IDENTITY);

I checked that the PHP ldap module is enabled on the Docker.
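
The trace above shows ldap_search() failing with "No such object" and its false result going straight into ldap_count_entries(). As an added example (not LimeSurvey's code and not from any poster), here is one way to guard that path in PHP 8.1+ with ext-ldap; buildUserFilter() and findUserDn() are hypothetical helper names, and rejecting a login that matches in more than one base is a choice made for this example.

```php
<?php
// Added example, not LimeSurvey code. Assumes PHP 8.1+ with ext-ldap loaded.

/** Build "(attr=login)" or "(&(attr=login)extra)" with the login escaped for filter use. */
function buildUserFilter(string $attr, string $username, string $extraFilter = ''): string
{
    $basic = '(' . $attr . '=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    return $extraFilter === '' ? $basic : '(&' . $basic . $extraFilter . ')';
}

/**
 * Return the DN of the single entry matching $filter under the ";"-separated
 * bases, or null. A failed search is recorded in $errors and never reaches
 * ldap_count_entries(). More than one match overall is treated as a failure.
 */
function findUserDn(LDAP\Connection $conn, string $bases, string $filter, array &$errors): ?string
{
    $userDn = null;
    foreach (explode(';', $bases) as $base) {
        $base = trim($base);
        // "@" suppresses the PHP warning; the reason is read from the connection.
        // The attribute list "1.1" asks the server for no attributes, only the DN is needed.
        $result = @ldap_search($conn, $base, $filter, ['1.1']);
        if ($result === false) {
            $errors[] = sprintf('base "%s": %s (LDAP error %d)', $base, ldap_error($conn), ldap_errno($conn));
            continue;
        }
        $count = ldap_count_entries($conn, $result);
        if ($count > 1 || ($count === 1 && $userDn !== null)) {
            $errors[] = sprintf('filter %s matches more than one entry', $filter);
            return null;
        }
        if ($count === 1) {
            $dn = ldap_get_dn($conn, ldap_first_entry($conn, $result));
            $userDn = ($dn === false) ? null : $dn;
        }
    }
    return $userDn;
}

// Offline demo with sample logins (the second one is constructed): escaping keeps
// the login inside a single filter assertion.
echo buildUserFilter('sAMAccountName', 'formation01'), "\n";
echo buildUserFilter('sAMAccountName', 'a)(cn=*', '(objectClass=user)'), "\n";
```
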
09 Jan 2025 10:37
PS: you can report an issue about the error not being managed: community.limesurvey.org/bug-tracker/

If the connection is not done, we must try to show the error and not go to ldap_count_entries
09 Jan 2025 10:35
> 500 : Internal server error - ldap_count_entries(): Argument #2 ($result) must be of type LDAP\Result, false given

Then the connection is not done … but you don't have an error

Can you activate debug mode? manual.limesurvey.org/Debug_mode
09 Jan 2025 10:24
Hi everyone,

I'm trying to set up the AuthLDAP module, but every time the login looks to succeed I have this error:
500 : Internal server error - ldap_count_entries(): Argument #2 ($result) must be of type LDAP\Result, false given

My installation is a docker one (acspri/limesurvey) on the last limesurvey version.
My AuthLDAP setup is :

LDAP server: 
ldap://ad.local
Port number: 
389
LDAP version: 
LDAPv3
Enable Start-TLS: 
False
Select how to perform authentication.: 
Bind
Attribute to compare to the given login can be uid, cn, mail, ..: 
mail
Base DN for the user search operation. Multiple bases may be separated by a semicolon (;)
CN=LIMESURVEY,CN=APPLICATIONS,CN=GROUPES,CN=SUBLOCAL,DC=DOMAINE,DC=fr
Optional extra LDAP filter to be ANDed to the basic (searchuserattribute=username) filter. Don't forget the outmost enclosing parentheses: 
None
LDAP attribute of email address
None
LDAP attribute of full name
None
Check to make default authentication method: 
Yes
Automatically create user if it exists in LDAP server: 
Yes
Grant survey creation permission to automatically created users: 
Yes
Optional base DN for group restriction: 
None
Optional filter for group restriction: 
None
Allow initial user to login via LDAP: 
Yes

Our ActiveDirectory server is a Samba4 one. LDAP auth works on other web apps.
Any idea?

Regards