Kimai in Container: LDAP Connection fails #437

raywitzel · 2022-12-06T16:26:37Z

raywitzel
Dec 6, 2022

I have installed a kimai container and want to connect them with LDAP (LDAP within an Univention Server),
but it doesn't work.

With ldapsearch via Commadline, I can connect the LDAP Server without any problems. Regardless of whether with or without SSL
Without ssl:
ldapsearch -x -H ldap://ucs.mydomain.org:7389 -b "dc=mydomain,dc=org" -D "uid=ldapuser,cn=users,dc=mydomain,dc=org" -w "myPassword"

With ssl:
ldapsearch -x -H ldaps://ucs.mydomain.org:7636 -b "dc=mydomain,dc=org" -D "uid=ldapuser,cn=users,dc=mydomain,dc=org" -w "myPassword"

At first I start my local.yaml using ssl:

kimai:
    ldap:
        activate: true
        connection:
            host: "ldaps://ucs.omicloud.org"
            port: 7636
            useSsl: true

In the following I get the answer in dev.log:
app.ERROR: Laminas\Ldap\Exception\LdapException: 0x51 (Can't contact LDAP server; (unknown error code)): ldaps://ucs.omicloud.org

Second I try it without ssl:

kimai:
    ldap:
        activate: true
        connection:
            host: "ldap://ucs.omicloud.org"
            port: 7389
            useSsl: false

And dev.log spits out:

app.DEBUG: Laminas\Ldap\Exception\LdapException: 0x8 (Strong(er) authentication required; BindSimple: Transport encryption required

Question: What can I do, to solve this problem?

Additional comments:

I can login with admin (without LDAP)
"Password reset" is disabled
Permissions for password_own_profile and password_other_profile is disabled for all users
in php.ini => memory_limit = 248M

To complement this issue I add my docker-compose.yml, the complete local.yaml and the dev.logs.
Docker compose file

version: "3.5"

services:
  app:
    container_name: kimai
    image: kimai/kimai2:apache
    restart: always
    ports:
      - 40801:8001
    volumes:
       - ./html/kimai:/opt/kimai/public
#      Daten und config Dateien:
       - ./kimai-apache2:/etc/apache2
       - ./kimai-config:/opt/kimai/config
       - ./kimai-log:/opt/kimai/var/log
#       - ./php::/usr/local/etc/php
    depends_on:
        - db
    environment:
      - DATABASE_URL=mysql://kimai:${DATABASE_PASSWORD}@db:3306/kimai
      - TRUSTED_HOSTS=localhost,10.50.24.11,127.0.0.1,app.mydomain.org,myIP
      - APP_ENV=dev

  db:
    image: mysql:8
    container_name: db_kimai
    restart: always
    volumes:
      - ./kimai-mysql:/var/lib/mysql
    environment:
      - MYSQL_DATABASE=kimai
      - MYSQL_USER=kimai
      - MYSQL_PASSWORD=${DATABASE_PASSWORD}
      - MYSQL_RANDOM_ROOT_PASSWORD=1

volumes:
  mysql-data:
    driver: local

the local.yaml

kimai:
    ldap:
        activate: true
        connection:
            host: "ldaps://ucs.mydomain.org"
            # host: "ldap://ucs.mydomain.org"
            port: 7636
            # port: 7389

            useSsl: true
            # useSsl: false

            username: uid=ldapuser
            password: myPassword

            accountFilterFormat: (&(objectClass=posixAccount))(&(usernameAttribute=%s))
            bindRequiresDn: true
            accountDomainName: mydomain.org
            accountDomainNameShort: mydomain

        user:
            baseDn: dc=mydomain, dc=org
            usernameAttribute: uid

            filter: (&(objectClass=inetOrgPerson))
            attributes:
                - { ldap_attr: "usernameAttribute", user_method: setUsername }
                - { ldap_attr: "usernameAttribute", user_method: setEmail }
                - { ldap_attr: cn, user_method: setAlias }

        role:
            baseDn: ou=groups, dc=mydomain, dc=org

            filter: (&(objectClass=posixGroup)(memberUID=%{user}))
            usernameAttribute: uid
            nameAttribute: cn

      groups:
                - { ldap_value: kmUser, role: ROLE_USER }
                - { ldap_value: kmTeamleiter, role: ROLE_TEAMLEAD }
                - { ldap_value: kmAdministrator, role: ROLE_ADMIN }
                - { ldap_value: kmSystemAdmin, role: ROLE_SUPER_ADMIN }

dev.log (local.yaml with ssl)

[2022-12-06 14:16:42] php.INFO: Deprecated: Return type of App\Configuration\ThemeConfiguration::offsetGet($offset) should either be compatible with ArrayAccess::offsetGet(mixed $offset): mixed, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice {"exception":"[object] (ErrorException(code: 0): Deprecated: Return type of App\\Configuration\\ThemeConfiguration::offsetGet($offset) should either be compatible with ArrayAccess::offsetGet(mixed $offset): mixed, or the #[\\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice at /opt/kimai/src/Configuration/ThemeConfiguration.php:32)"} []
[2022-12-06 14:16:42] request.INFO: Matched route "fos_user_security_check". {"route":"fos_user_security_check","route_parameters":{"_route":"fos_user_security_check","_controller":"App\\Controller\\Security\\SecurityController::checkAction","_locale":"de"},"request_uri":"http://app.omicloud.org/kimai/de/login_check","method":"POST"} []
[2022-12-06 14:16:42] security.DEBUG: Checking for guard authentication credentials. {"firewall_key":"secured_area","authenticators":1} []
[2022-12-06 14:16:42] security.DEBUG: Checking support on guard authenticator. {"firewall_key":"secured_area","authenticator":"App\\Security\\TokenAuthenticator"} []
[2022-12-06 14:16:42] security.DEBUG: Guard authenticator does not support the request. {"firewall_key":"secured_area","authenticator":"App\\Security\\TokenAuthenticator"} []
[2022-12-06 14:16:42] doctrine.DEBUG: SELECT t0.id AS id_1, t0.name AS name_2, t0.value AS value_3 FROM kimai2_configuration t0 [] []
[2022-12-06 14:16:42] doctrine.DEBUG: SELECT k0_.id AS id_0, k0_.alias AS alias_1, k0_.registration_date AS registration_date_2, k0_.title AS title_3, k0_.avatar AS avatar_4, k0_.api_token AS api_token_5, k0_.auth AS auth_6, k0_.username AS username_7, k0_.email AS email_8, k0_.account AS account_9, k0_.enabled AS enabled_10, k0_.password AS password_11, k0_.last_login AS last_login_12, k0_.confirmation_token AS confirmation_token_13, k0_.password_requested_at AS password_requested_at_14, k0_.roles AS roles_15, k0_.color AS color_16 FROM kimai2_users k0_ WHERE k0_.username = ? OR k0_.email = ? ["alfred","alfred"] []
[2022-12-06 14:16:42] app.DEBUG: ldap_search(dc=omicloud, dc=org, (&(&(objectClass=inetOrgPerson))(uid=alfred)), array["+","*"]) {"action":"ldap_search","base_dn":"dc=omicloud, dc=org","filter":"(&(&(objectClass=inetOrgPerson))(uid=alfred))","attributes":["+","*"]} []
[2022-12-06 14:16:42] app.ERROR: Laminas\Ldap\Exception\LdapException: 0x51 (Can't contact LDAP server; (unknown error code)): ldaps://ucs.omicloud.org in /opt/kimai/vendor/laminas/laminas-ldap/src/Ldap.php:1008 Stack trace: #0 /opt/kimai/src/Ldap/LdapDriver.php(94): Laminas\Ldap\Ldap->bind() #1 /opt/kimai/src/Ldap/LdapManager.php(57): App\Ldap\LdapDriver->search() #2 /opt/kimai/src/Ldap/LdapManager.php(45): App\Ldap\LdapManager->findUserBy() #3 /opt/kimai/src/Ldap/LdapUserProvider.php(39): App\Ldap\LdapManager->findUserByUsername() #4 /opt/kimai/vendor/symfony/security-core/User/ChainUserProvider.php(59): App\Ldap\LdapUserProvider->loadUserByUsername() #5 /opt/kimai/src/Security/KimaiUserProvider.php(65): Symfony\Component\Security\Core\User\ChainUserProvider->loadUserByUsername() #6 /opt/kimai/src/Ldap/LdapAuthenticationProvider.php(62): App\Security\KimaiUserProvider->loadUserByUsername() #7 /opt/kimai/vendor/symfony/security-core/Authentication/Provider/UserAuthenticationProvider.php(66): App\Ldap\LdapAuthenticationProvider->retrieveUser() #8 /opt/kimai/vendor/symfony/security-core/Authentication/AuthenticationProviderManager.php(85): Symfony\Component\Security\Core\Authentication\Provider\UserAuthenticationProvider->authenticate() #9 /opt/kimai/vendor/symfony/security-http/Firewall/UsernamePasswordFormAuthenticationListener.php(100): Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager->authenticate() #10 /opt/kimai/vendor/symfony/security-http/Firewall/AbstractAuthenticationListener.php(141): Symfony\Component\Security\Http\Firewall\UsernamePasswordFormAuthenticationListener->attemptAuthentication() #11 /opt/kimai/vendor/symfony/security-bundle/Debug/WrappedLazyListener.php(49): Symfony\Component\Security\Http\Firewall\AbstractAuthenticationListener->authenticate() #12 /opt/kimai/vendor/symfony/security-http/Firewall/AbstractListener.php(27): Symfony\Bundle\SecurityBundle\Debug\WrappedLazyListener->authenticate() #13 /opt/kimai/vendor/symfony/security-bundle/Debug/TraceableFirewallListener.php(62): Symfony\Component\Security\Http\Firewall\AbstractListener->__invoke() #14 /opt/kimai/vendor/symfony/security-http/Firewall.php(98): Symfony\Bundle\SecurityBundle\Debug\TraceableFirewallListener->callListeners() #15 /opt/kimai/vendor/symfony/event-dispatcher/Debug/WrappedListener.php(126): Symfony\Component\Security\Http\Firewall->onKernelRequest() #16 /opt/kimai/vendor/symfony/event-dispatcher/EventDispatcher.php(264): Symfony\Component\EventDispatcher\Debug\WrappedListener->__invoke() #17 /opt/kimai/vendor/symfony/event-dispatcher/EventDispatcher.php(239): Symfony\Component\EventDispatcher\EventDispatcher->doDispatch() #18 /opt/kimai/vendor/symfony/event-dispatcher/EventDispatcher.php(73): Symfony\Component\EventDispatcher\EventDispatcher->callListeners() #19 /opt/kimai/vendor/symfony/event-dispatcher/Debug/TraceableEventDispatcher.php(168): Symfony\Component\EventDispatcher\EventDispatcher->dispatch() #20 /opt/kimai/vendor/symfony/http-kernel/HttpKernel.php(134): Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher->dispatch() #21 /opt/kimai/vendor/symfony/http-kernel/HttpKernel.php(80): Symfony\Component\HttpKernel\HttpKernel->handleRaw() #22 /opt/kimai/vendor/symfony/http-kernel/Kernel.php(201): Symfony\Component\HttpKernel\HttpKernel->handle() #23 /opt/kimai/public/index.php(32): Symfony\Component\HttpKernel\Kernel->handle() #24 {main} {"exception":"[object] (Laminas\\Ldap\\Exception\\LdapException(code: 81): 0x51 (Can't contact LDAP server; (unknown error code)): ldaps://ucs.omicloud.org at /opt/kimai/vendor/laminas/laminas-ldap/src/Ldap.php:1008)"} []
[2022-12-06 14:16:42] doctrine.DEBUG: SELECT k0_.id AS id_0, k0_.alias AS alias_1, k0_.registration_date AS registration_date_2, k0_.title AS title_3, k0_.avatar AS avatar_4, k0_.api_token AS api_token_5, k0_.auth AS auth_6, k0_.username AS username_7, k0_.email AS email_8, k0_.account AS account_9, k0_.enabled AS enabled_10, k0_.password AS password_11, k0_.last_login AS last_login_12, k0_.confirmation_token AS confirmation_token_13, k0_.password_requested_at AS password_requested_at_14, k0_.roles AS roles_15, k0_.color AS color_16 FROM kimai2_users k0_ WHERE k0_.username = ? OR k0_.email = ? ["alfred","alfred"] []
[2022-12-06 14:16:42] app.DEBUG: ldap_search(dc=omicloud, dc=org, (&(&(objectClass=inetOrgPerson))(uid=alfred)), array["+","*"]) {"action":"ldap_search","base_dn":"dc=omicloud, dc=org","filter":"(&(&(objectClass=inetOrgPerson))(uid=alfred))","attributes":["+","*"]} []
[2022-12-06 14:16:42] app.ERROR: Laminas\Ldap\Exception\LdapException: 0x51 (Can't contact LDAP server; (unknown error code)): ldaps://ucs.omicloud.org in /opt/kimai/vendor/laminas/laminas-ldap/src/Ldap.php:1008 Stack trace: #0 /opt/kimai/src/Ldap/LdapDriver.php(94): Laminas\Ldap\Ldap->bind() #1 /opt/kimai/src/Ldap/LdapManager.php(57): App\Ldap\LdapDriver->search() #2 /opt/kimai/src/Ldap/LdapManager.php(45): App\Ldap\LdapManager->findUserBy() #3 /opt/kimai/src/Ldap/LdapUserProvider.php(39): App\Ldap\LdapManager->findUserByUsername() #4 /opt/kimai/vendor/symfony/security-core/User/ChainUserProvider.php(59): App\Ldap\LdapUserProvider->loadUserByUsername() #5 /opt/kimai/src/Security/KimaiUserProvider.php(65): Symfony\Component\Security\Core\User\ChainUserProvider->loadUserByUsername() #6 /opt/kimai/vendor/symfony/security-core/Authentication/Provider/DaoAuthenticationProvider.php(85): App\Security\KimaiUserProvider->loadUserByUsername() #7 /opt/kimai/vendor/symfony/security-core/Authentication/Provider/UserAuthenticationProvider.php(66): Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider->retrieveUser() #8 /opt/kimai/vendor/symfony/security-core/Authentication/AuthenticationProviderManager.php(85): Symfony\Component\Security\Core\Authentication\Provider\UserAuthenticationProvider->authenticate() #9 /opt/kimai/vendor/symfony/security-http/Firewall/UsernamePasswordFormAuthenticationListener.php(100): Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager->authenticate() #10 /opt/kimai/vendor/symfony/security-http/Firewall/AbstractAuthenticationListener.php(141): Symfony\Component\Security\Http\Firewall\UsernamePasswordFormAuthenticationListener->attemptAuthentication() #11 /opt/kimai/vendor/symfony/security-bundle/Debug/WrappedLazyListener.php(49): Symfony\Component\Security\Http\Firewall\AbstractAuthenticationListener->authenticate() #12 /opt/kimai/vendor/symfony/security-http/Firewall/AbstractListener.php(27): Symfony\Bundle\SecurityBundle\Debug\WrappedLazyListener->authenticate() #13 /opt/kimai/vendor/symfony/security-bundle/Debug/TraceableFirewallListener.php(62): Symfony\Component\Security\Http\Firewall\AbstractListener->__invoke() #14 /opt/kimai/vendor/symfony/security-http/Firewall.php(98): Symfony\Bundle\SecurityBundle\Debug\TraceableFirewallListener->callListeners() #15 /opt/kimai/vendor/symfony/event-dispatcher/Debug/WrappedListener.php(126): Symfony\Component\Security\Http\Firewall->onKernelRequest() #16 /opt/kimai/vendor/symfony/event-dispatcher/EventDispatcher.php(264): Symfony\Component\EventDispatcher\Debug\WrappedListener->__invoke() #17 /opt/kimai/vendor/symfony/event-dispatcher/EventDispatcher.php(239): Symfony\Component\EventDispatcher\EventDispatcher->doDispatch() #18 /opt/kimai/vendor/symfony/event-dispatcher/EventDispatcher.php(73): Symfony\Component\EventDispatcher\EventDispatcher->callListeners() #19 /opt/kimai/vendor/symfony/event-dispatcher/Debug/TraceableEventDispatcher.php(168): Symfony\Component\EventDispatcher\EventDispatcher->dispatch() #20 /opt/kimai/vendor/symfony/http-kernel/HttpKernel.php(134): Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher->dispatch() #21 /opt/kimai/vendor/symfony/http-kernel/HttpKernel.php(80): Symfony\Component\HttpKernel\HttpKernel->handleRaw() #22 /opt/kimai/vendor/symfony/http-kernel/Kernel.php(201): Symfony\Component\HttpKernel\HttpKernel->handle() #23 /opt/kimai/public/index.php(32): Symfony\Component\HttpKernel\Kernel->handle() #24 {main} {"exception":"[object] (Laminas\\Ldap\\Exception\\LdapException(code: 81): 0x51 (Can't contact LDAP server; (unknown error code)): ldaps://ucs.omicloud.org at /opt/kimai/vendor/laminas/laminas-ldap/src/Ldap.php:1008)"} []
[2022-12-06 14:16:42] security.INFO: Authentication request failed. {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\AuthenticationServiceException(code: 0): An error occurred with the search operation. at /opt/kimai/vendor/symfony/security-core/Authentication/Provider/DaoAuthenticationProvider.php:96, App\\Ldap\\LdapDriverException(code: 0): An error occurred with the search operation. at /opt/kimai/src/Ldap/LdapDriver.php:102)"} []
[2022-12-06 14:16:42] security.DEBUG: Authentication failure, redirect triggered. {"failure_path":"fos_user_security_login"} []
[2022-12-06 14:16:42] doctrine.DEBUG: SELECT k0_.name AS name_0, k1_.permission AS permission_1, k1_.allowed AS allowed_2 FROM kimai2_roles_permissions k1_ LEFT JOIN kimai2_roles k0_ ON k1_.role_id = k0_.id [] []
[2022-12-06 14:16:42] php.INFO: Deprecated: Return type of App\Configuration\ThemeConfiguration::offsetGet($offset) should either be compatible with ArrayAccess::offsetGet(mixed $offset): mixed, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice {"exception":"[object] (ErrorException(code: 0): Deprecated: Return type of App\\Configuration\\ThemeConfiguration::offsetGet($offset) should either be compatible with ArrayAccess::offsetGet(mixed $offset): mixed, or the #[\\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice at /opt/kimai/src/Configuration/ThemeConfiguration.php:32)"} []
[2022-12-06 14:16:42] request.INFO: Matched route "fos_user_security_login". {"route":"fos_user_security_login","route_parameters":{"_route":"fos_user_security_login","_controller":"App\\Controller\\Security\\SecurityController::loginAction","_locale":"de"},"request_uri":"http://app.omicloud.org/kimai/de/login","method":"GET"} []
[2022-12-06 14:16:42] security.DEBUG: Checking for guard authentication credentials. {"firewall_key":"secured_area","authenticators":1} []
[2022-12-06 14:16:42] security.DEBUG: Checking support on guard authenticator. {"firewall_key":"secured_area","authenticator":"App\\Security\\TokenAuthenticator"} []
[2022-12-06 14:16:42] security.DEBUG: Guard authenticator does not support the request. {"firewall_key":"secured_area","authenticator":"App\\Security\\TokenAuthenticator"} []
[2022-12-06 14:16:42] doctrine.DEBUG: SELECT t0.id AS id_1, t0.name AS name_2, t0.value AS value_3 FROM kimai2_configuration t0 [] []
[2022-12-06 14:16:42] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2022-12-06 14:16:42] doctrine.DEBUG: SELECT k0_.name AS name_0, k1_.permission AS permission_1, k1_.allowed AS allowed_2 FROM kimai2_roles_permissions k1_ LEFT JOIN kimai2_roles k0_ ON k1_.role_id = k0_.id [] []
root@app:/var/lib/univention-appcenter/apps/kimai/kimai-log#

dev.log (local.yaml without ssl)

[2022-12-06 14:35:07] php.INFO: Deprecated: Return type of App\Configuration\ThemeConfiguration::offsetGet($offset) should either be compatible with ArrayAccess::offsetGet(mixed $offset): mixed, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice {"exception":"[object] (ErrorException(code: 0): Deprecated: Return type of App\\Configuration\\ThemeConfiguration::offsetGet($offset) should either be compatible with ArrayAccess::offsetGet(mixed $offset): mixed, or the #[\\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice at /opt/kimai/src/Configuration/ThemeConfiguration.php:32)"} []
[2022-12-06 14:35:07] request.INFO: Matched route "fos_user_security_check". {"route":"fos_user_security_check","route_parameters":{"_route":"fos_user_security_check","_controller":"App\\Controller\\Security\\SecurityController::checkAction","_locale":"de"},"request_uri":"http://app.omicloud.org/kimai/de/login_check","method":"POST"} []
[2022-12-06 14:35:07] security.DEBUG: Checking for guard authentication credentials. {"firewall_key":"secured_area","authenticators":1} []
[2022-12-06 14:35:07] security.DEBUG: Checking support on guard authenticator. {"firewall_key":"secured_area","authenticator":"App\\Security\\TokenAuthenticator"} []
[2022-12-06 14:35:07] security.DEBUG: Guard authenticator does not support the request. {"firewall_key":"secured_area","authenticator":"App\\Security\\TokenAuthenticator"} []
[2022-12-06 14:35:07] doctrine.DEBUG: SELECT t0.id AS id_1, t0.name AS name_2, t0.value AS value_3 FROM kimai2_configuration t0 [] []
[2022-12-06 14:35:07] doctrine.DEBUG: SELECT k0_.id AS id_0, k0_.alias AS alias_1, k0_.registration_date AS registration_date_2, k0_.title AS title_3, k0_.avatar AS avatar_4, k0_.api_token AS api_token_5, k0_.auth AS auth_6, k0_.username AS username_7, k0_.email AS email_8, k0_.account AS account_9, k0_.enabled AS enabled_10, k0_.password AS password_11, k0_.last_login AS last_login_12, k0_.confirmation_token AS confirmation_token_13, k0_.password_requested_at AS password_requested_at_14, k0_.roles AS roles_15, k0_.color AS color_16 FROM kimai2_users k0_ WHERE k0_.username = ? OR k0_.email = ? ["alfred","alfred"] []
[2022-12-06 14:35:07] app.DEBUG: ldap_search(dc=omicloud, dc=org, (&(&(objectClass=inetOrgPerson))(uid=alfred)), array["+","*"]) {"action":"ldap_search","base_dn":"dc=omicloud, dc=org","filter":"(&(&(objectClass=inetOrgPerson))(uid=alfred))","attributes":["+","*"]} []
[2022-12-06 14:35:07] app.DEBUG: Laminas\Ldap\Exception\LdapException: 0x8 (Strong(er) authentication required; BindSimple: Transport encryption required.): uid=ldapuser in /opt/kimai/vendor/laminas/laminas-ldap/src/Ldap.php:1008 Stack trace: #0 /opt/kimai/src/Ldap/LdapDriver.php(94): Laminas\Ldap\Ldap->bind() #1 /opt/kimai/src/Ldap/LdapManager.php(57): App\Ldap\LdapDriver->search() #2 /opt/kimai/src/Ldap/LdapManager.php(45): App\Ldap\LdapManager->findUserBy() #3 /opt/kimai/src/Ldap/LdapUserProvider.php(39): App\Ldap\LdapManager->findUserByUsername() #4 /opt/kimai/vendor/symfony/security-core/User/ChainUserProvider.php(59): App\Ldap\LdapUserProvider->loadUserByUsername() #5 /opt/kimai/src/Security/KimaiUserProvider.php(65): Symfony\Component\Security\Core\User\ChainUserProvider->loadUserByUsername() #6 /opt/kimai/src/Ldap/LdapAuthenticationProvider.php(62): App\Security\KimaiUserProvider->loadUserByUsername() #7 /opt/kimai/vendor/symfony/security-core/Authentication/Provider/UserAuthenticationProvider.php(66): App\Ldap\LdapAuthenticationProvider->retrieveUser() #8 /opt/kimai/vendor/symfony/security-core/Authentication/AuthenticationProviderManager.php(85): Symfony\Component\Security\Core\Authentication\Provider\UserAuthenticationProvider->authenticate() #9 /opt/kimai/vendor/symfony/security-http/Firewall/UsernamePasswordFormAuthenticationListener.php(100): Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager->authenticate() #10 /opt/kimai/vendor/symfony/security-http/Firewall/AbstractAuthenticationListener.php(141): Symfony\Component\Security\Http\Firewall\UsernamePasswordFormAuthenticationListener->attemptAuthentication() #11 /opt/kimai/vendor/symfony/security-bundle/Debug/WrappedLazyListener.php(49): Symfony\Component\Security\Http\Firewall\AbstractAuthenticationListener->authenticate() #12 /opt/kimai/vendor/symfony/security-http/Firewall/AbstractListener.php(27): Symfony\Bundle\SecurityBundle\Debug\WrappedLazyListener->authenticate() #13 /opt/kimai/vendor/symfony/security-bundle/Debug/TraceableFirewallListener.php(62): Symfony\Component\Security\Http\Firewall\AbstractListener->__invoke() #14 /opt/kimai/vendor/symfony/security-http/Firewall.php(98): Symfony\Bundle\SecurityBundle\Debug\TraceableFirewallListener->callListeners() #15 /opt/kimai/vendor/symfony/event-dispatcher/Debug/WrappedListener.php(126): Symfony\Component\Security\Http\Firewall->onKernelRequest() #16 /opt/kimai/vendor/symfony/event-dispatcher/EventDispatcher.php(264): Symfony\Component\EventDispatcher\Debug\WrappedListener->__invoke() #17 /opt/kimai/vendor/symfony/event-dispatcher/EventDispatcher.php(239): Symfony\Component\EventDispatcher\EventDispatcher->doDispatch() #18 /opt/kimai/vendor/symfony/event-dispatcher/EventDispatcher.php(73): Symfony\Component\EventDispatcher\EventDispatcher->callListeners() #19 /opt/kimai/vendor/symfony/event-dispatcher/Debug/TraceableEventDispatcher.php(168): Symfony\Component\EventDispatcher\EventDispatcher->dispatch() #20 /opt/kimai/vendor/symfony/http-kernel/HttpKernel.php(134): Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher->dispatch() #21 /opt/kimai/vendor/symfony/http-kernel/HttpKernel.php(80): Symfony\Component\HttpKernel\HttpKernel->handleRaw() #22 /opt/kimai/vendor/symfony/http-kernel/Kernel.php(201): Symfony\Component\HttpKernel\HttpKernel->handle() #23 /opt/kimai/public/index.php(32): Symfony\Component\HttpKernel\Kernel->handle() #24 {main} {"exception":"[object] (Laminas\\Ldap\\Exception\\LdapException(code: 8): 0x8 (Strong(er) authentication required; BindSimple: Transport encryption required.): uid=ldapuser at /opt/kimai/vendor/laminas/laminas-ldap/src/Ldap.php:1008)"} []
[2022-12-06 14:35:07] doctrine.DEBUG: SELECT k0_.id AS id_0, k0_.alias AS alias_1, k0_.registration_date AS registration_date_2, k0_.title AS title_3, k0_.avatar AS avatar_4, k0_.api_token AS api_token_5, k0_.auth AS auth_6, k0_.username AS username_7, k0_.email AS email_8, k0_.account AS account_9, k0_.enabled AS enabled_10, k0_.password AS password_11, k0_.last_login AS last_login_12, k0_.confirmation_token AS confirmation_token_13, k0_.password_requested_at AS password_requested_at_14, k0_.roles AS roles_15, k0_.color AS color_16 FROM kimai2_users k0_ WHERE k0_.username = ? OR k0_.email = ? ["alfred","alfred"] []
[2022-12-06 14:35:07] app.DEBUG: ldap_search(dc=omicloud, dc=org, (&(&(objectClass=inetOrgPerson))(uid=alfred)), array["+","*"]) {"action":"ldap_search","base_dn":"dc=omicloud, dc=org","filter":"(&(&(objectClass=inetOrgPerson))(uid=alfred))","attributes":["+","*"]} []
[2022-12-06 14:35:07] app.DEBUG: Laminas\Ldap\Exception\LdapException: 0x8 (Strong(er) authentication required; BindSimple: Transport encryption required.): uid=ldapuser in /opt/kimai/vendor/laminas/laminas-ldap/src/Ldap.php:1008 Stack trace: #0 /opt/kimai/src/Ldap/LdapDriver.php(94): Laminas\Ldap\Ldap->bind() #1 /opt/kimai/src/Ldap/LdapManager.php(57): App\Ldap\LdapDriver->search() #2 /opt/kimai/src/Ldap/LdapManager.php(45): App\Ldap\LdapManager->findUserBy() #3 /opt/kimai/src/Ldap/LdapUserProvider.php(39): App\Ldap\LdapManager->findUserByUsername() #4 /opt/kimai/vendor/symfony/security-core/User/ChainUserProvider.php(59): App\Ldap\LdapUserProvider->loadUserByUsername() #5 /opt/kimai/src/Security/KimaiUserProvider.php(65): Symfony\Component\Security\Core\User\ChainUserProvider->loadUserByUsername() #6 /opt/kimai/vendor/symfony/security-core/Authentication/Provider/DaoAuthenticationProvider.php(85): App\Security\KimaiUserProvider->loadUserByUsername() #7 /opt/kimai/vendor/symfony/security-core/Authentication/Provider/UserAuthenticationProvider.php(66): Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider->retrieveUser() #8 /opt/kimai/vendor/symfony/security-core/Authentication/AuthenticationProviderManager.php(85): Symfony\Component\Security\Core\Authentication\Provider\UserAuthenticationProvider->authenticate() #9 /opt/kimai/vendor/symfony/security-http/Firewall/UsernamePasswordFormAuthenticationListener.php(100): Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager->authenticate() #10 /opt/kimai/vendor/symfony/security-http/Firewall/AbstractAuthenticationListener.php(141): Symfony\Component\Security\Http\Firewall\UsernamePasswordFormAuthenticationListener->attemptAuthentication() #11 /opt/kimai/vendor/symfony/security-bundle/Debug/WrappedLazyListener.php(49): Symfony\Component\Security\Http\Firewall\AbstractAuthenticationListener->authenticate() #12 /opt/kimai/vendor/symfony/security-http/Firewall/AbstractListener.php(27): Symfony\Bundle\SecurityBundle\Debug\WrappedLazyListener->authenticate() #13 /opt/kimai/vendor/symfony/security-bundle/Debug/TraceableFirewallListener.php(62): Symfony\Component\Security\Http\Firewall\AbstractListener->__invoke() #14 /opt/kimai/vendor/symfony/security-http/Firewall.php(98): Symfony\Bundle\SecurityBundle\Debug\TraceableFirewallListener->callListeners() #15 /opt/kimai/vendor/symfony/event-dispatcher/Debug/WrappedListener.php(126): Symfony\Component\Security\Http\Firewall->onKernelRequest() #16 /opt/kimai/vendor/symfony/event-dispatcher/EventDispatcher.php(264): Symfony\Component\EventDispatcher\Debug\WrappedListener->__invoke() #17 /opt/kimai/vendor/symfony/event-dispatcher/EventDispatcher.php(239): Symfony\Component\EventDispatcher\EventDispatcher->doDispatch() #18 /opt/kimai/vendor/symfony/event-dispatcher/EventDispatcher.php(73): Symfony\Component\EventDispatcher\EventDispatcher->callListeners() #19 /opt/kimai/vendor/symfony/event-dispatcher/Debug/TraceableEventDispatcher.php(168): Symfony\Component\EventDispatcher\EventDispatcher->dispatch() #20 /opt/kimai/vendor/symfony/http-kernel/HttpKernel.php(134): Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher->dispatch() #21 /opt/kimai/vendor/symfony/http-kernel/HttpKernel.php(80): Symfony\Component\HttpKernel\HttpKernel->handleRaw() #22 /opt/kimai/vendor/symfony/http-kernel/Kernel.php(201): Symfony\Component\HttpKernel\HttpKernel->handle() #23 /opt/kimai/public/index.php(32): Symfony\Component\HttpKernel\Kernel->handle() #24 {main} {"exception":"[object] (Laminas\\Ldap\\Exception\\LdapException(code: 8): 0x8 (Strong(er) authentication required; BindSimple: Transport encryption required.): uid=ldapuser at /opt/kimai/vendor/laminas/laminas-ldap/src/Ldap.php:1008)"} []
[2022-12-06 14:35:07] security.INFO: Authentication request failed. {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\AuthenticationServiceException(code: 0): An error occurred with the search operation. at /opt/kimai/vendor/symfony/security-core/Authentication/Provider/DaoAuthenticationProvider.php:96, App\\Ldap\\LdapDriverException(code: 0): An error occurred with the search operation. at /opt/kimai/src/Ldap/LdapDriver.php:102)"} []
[2022-12-06 14:35:07] security.DEBUG: Authentication failure, redirect triggered. {"failure_path":"fos_user_security_login"} []
[2022-12-06 14:35:07] doctrine.DEBUG: SELECT k0_.name AS name_0, k1_.permission AS permission_1, k1_.allowed AS allowed_2 FROM kimai2_roles_permissions k1_ LEFT JOIN kimai2_roles k0_ ON k1_.role_id = k0_.id [] []
[2022-12-06 14:35:07] php.INFO: Deprecated: Return type of App\Configuration\ThemeConfiguration::offsetGet($offset) should either be compatible with ArrayAccess::offsetGet(mixed $offset): mixed, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice {"exception":"[object] (ErrorException(code: 0): Deprecated: Return type of App\\Configuration\\ThemeConfiguration::offsetGet($offset) should either be compatible with ArrayAccess::offsetGet(mixed $offset): mixed, or the #[\\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice at /opt/kimai/src/Configuration/ThemeConfiguration.php:32)"} []
[2022-12-06 14:35:07] request.INFO: Matched route "fos_user_security_login". {"route":"fos_user_security_login","route_parameters":{"_route":"fos_user_security_login","_controller":"App\\Controller\\Security\\SecurityController::loginAction","_locale":"de"},"request_uri":"http://app.omicloud.org/kimai/de/login","method":"GET"} []
[2022-12-06 14:35:07] security.DEBUG: Checking for guard authentication credentials. {"firewall_key":"secured_area","authenticators":1} []
[2022-12-06 14:35:07] security.DEBUG: Checking support on guard authenticator. {"firewall_key":"secured_area","authenticator":"App\\Security\\TokenAuthenticator"} []
[2022-12-06 14:35:07] security.DEBUG: Guard authenticator does not support the request. {"firewall_key":"secured_area","authenticator":"App\\Security\\TokenAuthenticator"} []
[2022-12-06 14:35:07] doctrine.DEBUG: SELECT t0.id AS id_1, t0.name AS name_2, t0.value AS value_3 FROM kimai2_configuration t0 [] []
[2022-12-06 14:35:07] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2022-12-06 14:35:07] doctrine.DEBUG: SELECT k0_.name AS name_0, k1_.permission AS permission_1, k1_.allowed AS allowed_2 FROM kimai2_roles_permissions k1_ LEFT JOIN kimai2_roles k0_ ON k1_.role_id = k0_.id [] []
root@app:/var/lib/univention-appcenter/apps/kimai/kimai-log#

Thanks in advance for any help!

tobybatch · 2022-12-07T11:04:57Z

tobybatch
Dec 7, 2022
Maintainer

When you say "can connect from the the cli" is that from within the running container? or on your host cli?

Can you resolve the host name "ucs.mydomain.org" from within the container.

0 replies

raywitzel · 2022-12-07T13:23:46Z

raywitzel
Dec 7, 2022
Author

"ldapsearch via Commadline" means outside of the container and inside the Univention host (an UCS Server).

And I checked: ping ucs.mydomain.org from within the container is possible.

0 replies

raywitzel · 2022-12-07T13:44:20Z

raywitzel
Dec 7, 2022
Author

I have made an attempt: I have install OpenLDAP inside the kimai container:

root@395599c9c1ad:/var/www/html# apt -y update
root@395599c9c1ad:/var/www/html# apt -y upgrade
root@395599c9c1ad:/var/www/html# apt -y install slapd ldap-utils

After that I could connect the LDAP Server with the following command (inside the container):

root@395599c9c1ad:/var/www/html# ldapsearch -x -H ldap://ucs.mydomain.org:7389  -b "dc=mydomain,dc=org" -D "uid=ldapuser,cn=users,dc=mydomain,dc=org" -w "myPassword"

1 reply

kevinpapst Dec 7, 2022
Collaborator

The log clearly says that the connection could be established using ldap (non ssl), but was rejected:

Laminas\Ldap\Exception\LdapException: 0x8 (Strong(er) authentication required; BindSimple: Transport encryption required.):

There are several config combinations possible.

ldap:// with ssl
ldaps:// with ssl
ldaps:// without ssl
ldap:// with startls
...

You have to play with the settings, that is nothing someone can do for you.
It depends on your LDAP server.
Isn't univention a paid service environment? Why not asking them?

raywitzel · 2023-01-24T10:59:00Z

raywitzel
Jan 24, 2023
Author

I have found the solution for my problem.

Our the situation:
on our UCS-Server a Samba-Service works using the ports 386 and 636 (with ssl).
From there LDAP got the ports 7386 and 7636.

Thus I build my local.yaml in the following way:

# the origin UCS-Server; config Nr.1
kimai:
    ldap:
        activate: true
        connection:
            host: "ldap://ucs.mydomain.org"
            port: 7389

But this configuration do not works. In the Result I got the error (see also above):

Laminas\Ldap\Exception\LdapException: 0x8 (Strong(er) authentication required; BindSimple: Transport encryption required.):

In parallel I testet Kimai on a UCS-Test-Server; there LDAP uses the ports 386 and 636.

# the UCS-Testserver
kimai:
    ldap:
        activate: true
        connection:
            host: "ldap://anotherdomain.org"
            port: 389

On UCS-Test-Server Kimai works fine, the Users could login via LDAP.

Then I try the following configuration:

# the origin UCS-Server; config Nr.2
kimai:
    ldap:
        activate: true
        connection:
            host: "ldap://ucs.mydomain.org:7389"
            port:

And suddenly kimai works on our UCS-Server.

I assume that with config Nr.1 Kimai cut the digit 7 from the portnumber and then try to use port 389.
In config Nr.2 the port entry is not used, because the portnumber is already added in the url.
It seems that kimai does not works properly with four digits portnumbers.
But I'm not sure if I'm in right.

Anyway, I'm happy with my solution. And thank for all your help.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Kimai in Container: LDAP Connection fails #437

{{title}}

Replies: 4 comments 1 reply

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

Kimai in Container: LDAP Connection fails #437

raywitzel Dec 6, 2022

Replies: 4 comments · 1 reply

tobybatch Dec 7, 2022 Maintainer

raywitzel Dec 7, 2022 Author

raywitzel Dec 7, 2022 Author

kevinpapst Dec 7, 2022 Collaborator

raywitzel Jan 24, 2023 Author

raywitzel
Dec 6, 2022

Replies: 4 comments 1 reply

tobybatch
Dec 7, 2022
Maintainer

raywitzel
Dec 7, 2022
Author

raywitzel
Dec 7, 2022
Author

kevinpapst Dec 7, 2022
Collaborator

raywitzel
Jan 24, 2023
Author