LDAP extension gives 503 error

Hello,

I have installed TYPO3 v11.5.36. I had installed v12 before, but as it doesn’t have LDAP extension support from the community extension, I had to switch to an older version.

I want to have LDAP authentication for our users. I installed the TYPO3 extension ‘LDAP / SSO Authentication’ (ig_ldap_sso_auth) with Composer, but when I go to my front end and select LDAP/SSO from the left menu panel, I get this error:

503

Oops, an error occurred!

An exception occurred while executing 'SELECT * FROM "tx_igldapssoauth_config" WHERE ("uid" = ?) AND (("tx_igldapssoauth_config"."deleted" = 0) AND ("tx_igldapssoauth_config"."hidden" = 0))' with params [0]: SQLSTATE[42P01]: Undefined table: 7 ERROR: relation "tx_igldapssoauth_config" does not exist LINE 1: SELECT * FROM "tx_igldapssoauth_config" WHERE ("uid" = $1) A… ^

Any assistance would be appreciated. If there is any guideline to install this extension, please share too.

Thanks
Saiful

Hi Saiful!

Maybe the extension author, @xperseguers, can help? :wave:

— Mathias

Hi Mathias,

Thanks for your comment. How do I reach him?

Thanks
Saiful

Hi Saiful!

I think you’ve done the right thing. I see you’ve opened an issue. :+1:

— Mathias

  1. ext:ig_ldap_sso_auth for TYPO3 12 exists, but only in the repository, and you need to get the dev version (for us it works stably).
  2. The error message says there is no table / record to get a configuration from. Are you sure you installed the extension correctly (including generation of the table)? Have you added a configuration (AD server, AD server login, selection for login)?

Thanks @piphi for your comment.

I downgraded the TYPO3 version to 11.5 and use PHP 7.4. Now it’s working, I mean I can import backend users from LDAP.

I would like to know whether the plugin allows importing LDAP groups including user memberships. And is it possible to use a group for the editor permissions (meaning the group forms the related role) instead of giving sole permissions to users? I only want to import users who are in TYPO3 groups from LDAP.

The extension is able to handle different cases.
The extension differentiates between frontend users (fe_users, fe_groups) and backend users (be_users, be_groups).
You can import all users/groups from LDAP at once: e.g. you import the user data for a phone book (you can configure a mapping for the fields from LDAP to the fields in the database).
Also the extension can import users (FE and/or BE) just in case of a login: the entered data from the login form is checked against LDAP and then a mapping can import fields from LDAP to the local tables. In this case you can configure which groups should be imported and assigned to the user. That could be more than one group. In this way you can manage BE rights (roles) in TYPO3 by assigning different LDAP groups to the users: if you import the groups beforehand you can assign special rights to these groups and configure roles.
This configuration needs some knowledge about LDAP filtering and the usage of wildcards in LDAP. It can be easier if you have good naming for these groups (e.g. TYPO3_instance-name_role-name).

Thank you @piphi for your insight.

I am having a different issue now. From the TYPO3 web interface I can see the LDAP status is OK, I can import all users into BE users, and I can import BE groups from a specific LDAP group with the filter (&(ou=typo3)(objectClass=groupOfOrg)).

But I can’t login with LDAP user.

It throws me this error but I can’t figure out why:

SQLSTATE[22P02]: Invalid text representation: 7 ERROR: invalid input syntax for type bytea - {“mode”:“WEB”,“application_mode”:“BE”,“exception_class”:“Doctrine\DBAL\Exception\DriverException”,“exception_code”:0,“file”:“/var/www/typo3/prod/vendor/doctrine/dbal/lib/Doctrine/DBAL/Driver/AbstractPostgreSQLDriver.php”,“line”:102,“message”:“An exception occurred while executing ‘UPDATE "be_users" SET "uid" = ?, "pid" = ?, "tstamp" = ?, "crdate" = ?, "cruser_id" = ?, "deleted" = ?, "disable" = ?, "starttime" = ?, "endtime" = ?, "description" = ?, "username" = ?, "avatar" = ?, "password" = ?, "admin" = ?, "usergroup" = ?, "lang" = ?, "email" = ?, "db_mountpoints" = ?, "options" = ?, "realName" = ?, "userMods" = ?, "allowed_languages" = ?, "uc" = ?, "file_mountpoints" = ?, "file_permissions" = ?, "workspace_perms" = ?, "TSconfig" = ?, "lastlogin" = ?, "workspace_id" = ?, "mfa" = ?, "category_perms" = ?, "password_reset_token" = ?, "tx_igldapssoauth_dn" = ?, "tx_igldapssoauth_id" = ? WHERE "uid" = ?’ with params [3, 0, 1716459725, 1716372359, 0, 0, "0", 0, 0, null, "saiful", 0, "f005de67c76cacec646e04d82c455f29", 1, "1,2", "default", "saiful@hostname.domain.com", "", 3, "saiful", null, "", 
"a:12:{s:14:\"interfaceSetup\";s:7:\"backend\";s:10:\"moduleData\";a:4:{s:28:\"dashboard\/current_dashboard\/\";s:40:\"d5f23c8496bc9f1e074022398c64ecc0296a441b\";s:8:\"web_list\";a:3:{s:8:\"function\";N;s:8:\"language\";N;s:19:\"constant_editor_cat\";N;}s:10:\"web_layout\";a:3:{s:8:\"function\";s:1:\"1\";s:8:\"language\";s:1:\"0\";s:19:\"constant_editor_cat\";N;}s:8:\"web_info\";a:3:{s:8:\"function\";s:48:\"TYPO3\\CMS\\Belog\\Module\\BackendLogModuleBootstrap\";s:8:\"language\";N;s:19:\"constant_editor_cat\";N;}}s:14:\"emailMeAtLogin\";i:0;s:8:\"titleLen\";i:50;s:8:\"edit_RTE\";s:1:\"1\";s:20:\"edit_docModuleUpload\";s:1:\"1\";s:25:\"resizeTextareas_MaxHeight\";i:500;s:4:\"lang\";s:7:\"default\";s:19:\"firstLoginTimeStamp\";i:1716372359;s:15:\"moduleSessionID\";a:4:{s:28:\"dashboard\/current_dashboard\/\";s:40:\"9296e0b8d4cd3ec49f2315662e5616dcc2d225a9\";s:8:\"web_list\";s:40:\"480db1c994d3a34c5e5955f837232ec210129fc6\";s:10:\"web_layout\";s:40:\"480db1c994d3a34c5e5955f837232ec210129fc6\";s:8:\"web_info\";s:40:\"480db1c994d3a34c5e5955f837232ec210129fc6\";}s:10:\"modulemenu\";s:2:\"{}\";s:17:\"BackendComponents\";a:1:{s:6:\"States\";a:1:{s:17:\"typo3-module-menu\";a:1:{s:9:\"collapsed\";s:5:\"false\";}}}}", null, "readFolder,writeFolder,addFolder,renameFolder,moveFolder,deleteFolder,readFile,writeFile,addFile,renameFile,replaceFile,moveFile,copyFile,deleteFile", 1, null, 1716375044, 0, null, "0", "", "uid=saiful,ou=people,dc=domain,dc=com", "1", 3]:\n\nSQLSTATE[22P02]: Invalid text representation: 7 ERROR: invalid input syntax for type bytea”,“request_url”:“https://hostname.domain.com/typo3/login?loginProvider=1433416747","exception”:null}

I would be grateful for any assistance.

Thanks
Saiful

Aside from a working connection to the AD, you need to configure the extension to hook into the login process.
You need to enable the login in the extension setup:
→ in the “Admin Tool”-module “Settings”
→ “Extension Configuration”
→ ig_ldap_sso_auth
→ tab ‘Frontend’
→ Enable features
Frontend LDAP authentication
frontend.enableFELDAPAuthentication (boolean)

Enable LDAP authentication for the frontend.

Hi @piphi

Yes, I did enable LDAP authentication for the frontend. This error persists.

I am still not clear about these frontend and backend users. I removed the configuration from the backend user and configured a frontend user. I can see that I can import frontend users from the LDAP/SSO menu.

But this time the log says:

Fri, 24 May 2024 08:33:36 +0000 [ERROR] request=“01358f3d4ff94” component=“Causal.IgLdapSsoAuth.Service.AuthenticationService”: Authentication failed - {“username”:“saiful”,“remote”:“10.10.1.4 ()”,“diagnostic”:“”,“configUid”:1}

Sincerely,
Saiful

I’m not used to FE login with AD, so some techniques I use may differ.
(Maybe you can use the same configuration also for BE login and test it there.)

With “import LDAP users (*end)” I see AD-user-records which I can import/ update.
With “import LDAP groups (*end)” I see AD-group-records which I can import/ update.

If I can see the users and groups, normally the login and automatic import work.
Also make sure groups are imported too (or assign a local group statically).

The correct settings are required (validate in “Status” view):
“LDAP authentication” “enabled”
“Extract groups from membership attribute” “enabled”
“User must exist already” “disabled”
“User group must exist already” “disabled”

Also be aware: a login in TYPO3 can only work if the user belongs to a valid group!
Either assign a group statically or import the group automatically.

Hi @piphi

I am trying to use BE login. With “import LDAP users (*end)” I see LDAP user records which I can import/update; also with “import LDAP groups (*end)” I see LDAP group records which I can import/update.

But my login is not working. I am still getting the error "Invalid text representation: 7 ERROR: invalid input syntax for type bytea".

About the settings you mentioned, I didn’t find “Extract groups from membership attribute”. Where can I find this option?

Also, the login I am trying actually belongs to a valid LDAP group.

When I check the DB server (PostgreSQL) log, it shows this error when I try to log in:

ERROR: invalid input syntax for type bytea
STATEMENT: UPDATE "be_users" SET "uid" = $1, "pid" = $2, "tstamp" = $3, "crdate" = $4, "cruser_id" = $5, "deleted" = $6, "disable" = $7, "starttime" = $8, "endtime" = $9, "description" = $10, "username" = $11, "avatar" = $12, "password" = $13, "admin" = $14, "usergroup" = $15, "lang" = $16, "email" = $17, "db_mountpoints" = $18, "options" = $19, "realName" = $20, "userMods" = $21, "allowed_languages" = $22, "uc" = $23, "file_mountpoints" = $24, "file_permissions" = $25, "workspace_perms" = $26, "TSconfig" = $27, "lastlogin" = $28, "workspace_id" = $29, "mfa" = $30, "category_perms" = $31, "password_reset_token" = $32, "tx_igldapssoauth_dn" = $33, "tx_igldapssoauth_id" = $34 WHERE "uid" = $35

I’d appreciate it if you could share any idea why this error occurs.

Sincerely,
Saiful
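As an added check, not something from the thread, this applies the text-input rules PostgreSQL uses when a value is bound as plain text to a bytea column (escape format: a backslash only as \\ or \ plus three octal digits; hex format: a \x prefix and hex digits) to a constructed, shortened subset of the parameters of the UPDATE above. It assumes that be_users.uc and be_users.mfa are blob columns, which TYPO3 maps to bytea on PostgreSQL; under that assumption the serialized class name inside uc is the first value the parser would refuse.

```python
import re
from typing import Dict, Optional

# PostgreSQL accepts two text input formats for a bytea column:
#  - hex:    a "\x" prefix followed by hex digits (whitespace allowed between bytes)
#  - escape: any character, except that a backslash must be written "\\"
#            or "\" followed by three octal digits
_ESCAPE_SEQ = re.compile(r"\\(?:\\|[0-3][0-7]{2})")


def bytea_text_input_error(value: str) -> Optional[str]:
    """Describe the first thing PostgreSQL's bytea input parser would reject in
    `value` when it is bound as plain text, or return None if it is acceptable."""
    if value.startswith("\\x"):
        digits = re.sub(r"\s", "", value[2:])
        if re.fullmatch(r"[0-9A-Fa-f]*", digits) is None or len(digits) % 2:
            return "hex format: non-hex digit or odd number of digits"
        return None
    pos = 0
    while (pos := value.find("\\", pos)) != -1:
        m = _ESCAPE_SEQ.match(value, pos)
        if m is None:
            return f"escape format: bad backslash sequence {value[pos:pos + 4]!r} at offset {pos}"
        pos = m.end()
    return None


# Constructed, shortened subset of the bound parameters shown in the failing UPDATE;
# the uc value keeps the serialized module class name that appears in the log.
SAMPLE_PARAMS: Dict[str, Optional[str]] = {
    "username": "saiful",
    "uc": r'a:1:{s:8:"web_info";a:1:{s:8:"function";s:48:"TYPO3\CMS\Belog\Module\BackendLogModuleBootstrap";}}',
    "mfa": None,
    "tx_igldapssoauth_dn": "uid=saiful,ou=people,dc=domain,dc=com",
}

# Assumption: be_users.uc and be_users.mfa are blob columns, mapped to bytea on PostgreSQL.
BYTEA_COLUMNS = {"uc", "mfa"}


def rejected_bytea_params(params: Dict[str, Optional[str]], bytea_columns=BYTEA_COLUMNS) -> Dict[str, str]:
    """Return {column: reason} for every bytea column whose text-bound value would be rejected."""
    problems = {}
    for col in sorted(bytea_columns):
        value = params.get(col)
        if isinstance(value, str):  # NULL (None) is always accepted
            err = bytea_text_input_error(value)
            if err is not None:
                problems[col] = err
    return problems
```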

Some of our configuration:
Extension configuration (in settings.php):

'ig_ldap_sso_auth' => [
            'BEfailsafe' => '1',
            'TYPO3BEGroupExist' => '0',
            'TYPO3BEGroupsNotSynchronize' => '0',
            'TYPO3BEUserExist' => '0',
            'TYPO3FEDeleteUserIfNoLDAPGroups' => '0',
            'TYPO3FEDeleteUserIfNoTYPO3Groups' => '0',
            'TYPO3FEGroupExist' => '0',
            'TYPO3FEGroupsNotSynchronize' => '0',
            'TYPO3FEUserExist' => '0',
            'enableBELDAPAuthentication' => '1',
            'enableBESSO' => '0',
            'enableFELDAPAuthentication' => '0',
            'enableFESSO' => '0',
            'forceLowerCaseUsername' => '0',
            'keepBEGroups' => '0',
            'keepBESSODomainName' => '0',
            'keepFEGroups' => '0',
            'keepFESSODomainName' => '0',
            'throwExceptionAtLogin' => '1',
            'useExtConfConfiguration' => '0',
        ],

A typical record from tx_igldapssoauth_config:

		<tablerow index="tx_igldapssoauth_config:2" type="array">
			<fieldlist index="data" type="array">
				<field index="uid" type="integer">2</field>
				<field index="pid" type="integer">0</field>
				<field index="tstamp" type="integer">1682592450</field>
				<field index="crdate" type="integer">1535097421</field>
				<field index="cruser_id" type="integer">4</field>
				<field index="deleted" type="integer">0</field>
				<field index="hidden" type="integer">0</field>
				<field index="name">typo3 admins</field>
				<field index="domains"></field>
				<field index="ldap_server" type="integer">1</field>
				<field index="ldap_charset">utf-8</field>
				<field index="ldap_host">ldap_server.local</field>
				<field index="ldap_port" type="integer">636</field>
				<field index="ldap_tls" type="integer">0</field>
				<field index="ldap_ssl" type="integer">1</field>
				<field index="ldap_binddn">CN=ldaprequest,OU=Dienstkonten,OU=Zentral,DC=company,DC=local</field>
				<field index="ldap_password">password</field>
				<field index="group_membership" type="integer">1</field>
				<field index="be_users_basedn">OU=User,OU=Company,OU=ZV,DC=company,DC=local</field>
				<field index="be_users_filter">(&amp;(sAMAccountName={USERNAME})(|(memberOf=CN=TYPO3Administration,OU=Groups,OU=Company,OU=ZV,DC=company,DC=local)))</field>
				<field index="be_users_mapping">realName = &lt;displayName&gt;
email = &lt;mail&gt;
lang = de
disable = 0</field>
				<field index="be_groups_basedn">OU=Groups,OU=Company,OU=ZV,DC=company,DC=local</field>
				<field index="be_groups_filter">(&amp;(cn=TYPO3Administration)(member={USERDN}))</field>
				<field index="be_groups_mapping">title = &lt;cn&gt;</field>
				<field index="be_groups_required"></field>
				<field index="be_groups_assigned">3</field>
				<field index="be_groups_admin">1,2</field>
				<field index="fe_users_basedn"></field>
				<field index="fe_users_filter"></field>
				<field index="fe_users_mapping"></field>
				<field index="fe_groups_basedn"></field>
				<field index="fe_groups_filter"></field>
				<field index="fe_groups_mapping"></field>
				<field index="fe_groups_required"></field>
				<field index="fe_groups_assigned"></field>
				<field index="sorting" type="integer">17920</field>
				<field index="sites"></field>
				<field index="ldap_tls_reqcert" type="integer">0</field>
			</fieldlist>
			<related index="rels" type="array">
				<field index="be_groups_assigned" type="array">
					<type>db</type>
					<relations index="itemArray" type="array">
						<element index="0" type="array">
							<id>3</id>
							<table>be_groups</table>
						</element>
					</relations>
				</field>
				<field index="be_groups_admin" type="array">
					<type>db</type>
					<relations index="itemArray" type="array">
						<element index="0" type="array">
							<id>1</id>
							<table>be_groups</table>
						</element>
						<element index="1" type="array">
							<id>2</id>
							<table>be_groups</table>
						</element>
						<element index="2" type="array">
							<id>82</id>
							<table>be_groups</table>
						</element>
					</relations>
				</field>
			</related>
		</tablerow>

For a record of tx_igldapssoauth_config:
The general config is in the tab ‘LDAP’:
your LDAP server and your credentials to access the server,
and in that tab you have the option “Relation between groups and users” [group_membership] with the option “Group contains the list of its members [1]”.

Then you need to configure, in the tabs “BE_USERS” and “BE_GROUPS”,
Base DN, Filter and Mapping to import be_users and be_groups.
For mappings make sure to include “disable = 0”, otherwise all imported users are disabled by default.
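As an added illustration, not the extension's own code (the thread does not show how the extension substitutes its placeholders), this fills the {USERNAME} and {USERDN} placeholders of the be_users_filter and be_groups_filter from the record above, escaping the login name per RFC 4515 so that a wildcard or parenthesis in it is matched literally, and sanity-checks the result before it would be sent to the server.

```python
import re
from typing import Dict

# Characters that RFC 4515 requires to be escaped inside a filter assertion value
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# The filters from the tx_igldapssoauth_config record above
BE_USERS_FILTER = ("(&(sAMAccountName={USERNAME})"
                   "(|(memberOf=CN=TYPO3Administration,OU=Groups,OU=Company,OU=ZV,DC=company,DC=local)))")
BE_GROUPS_FILTER = "(&(cn=TYPO3Administration)(member={USERDN}))"

_PLACEHOLDER = re.compile(r"\{([A-Z_]+)\}")


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so that it is matched literally (RFC 4515)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, values: Dict[str, str]) -> str:
    """Fill the {NAME} placeholders of a configured filter with escaped values.
    A placeholder without a value is an error rather than silently left in place."""
    def replace(match: re.Match) -> str:
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value supplied for placeholder {{{name}}}")
        return escape_filter_value(values[name])
    return _PLACEHOLDER.sub(replace, template)


def parentheses_balanced(ldap_filter: str) -> bool:
    """Cheap sanity check on the expanded filter before it is sent to the server."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def login_filters(username: str, user_dn: str) -> Dict[str, str]:
    """Both filters the record uses during a login: the user lookup first, then the
    group lookup with the DN that the user lookup returned."""
    return {
        "be_users": expand_filter(BE_USERS_FILTER, {"USERNAME": username}),
        "be_groups": expand_filter(BE_GROUPS_FILTER, {"USERDN": user_dn}),
    }
```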