      request #11230 LDAP auth not working
    Infos
    #11230
    Manuel Villar Guijarro (mvillar)
    2018-04-10 13:04
    2018-03-05 07:42
    11561
    Details
    LDAP auth not working
    LDAP auth is partially working, but doesn't let me login.

    I've configured LDAP auth in Tuleap following the docs. When I try to log in with a valid user and password, the Tuleap web UI shows "Invalid Password Or User Name" and I can't log in, but in /var/log/tuleap/codendi_syslog there is no error message. If I enter a user or password that is not valid, the web UI shows the same message, but in /var/log/tuleap/codendi_syslog there are two error messages:

    [error] Unable to bind to LDAP server: (ldap URL) ***ERROR:Invalid credentials ***ERROR no:49
    [info] [LDAP] User (user) failed to authenticate
    Authentication & LDAP
    9.17
    CentOS 6
    • [ ] enhancement
    • [ ] internal improvement
    Closed
    2018-04-10
    Attachments
    ldap.inc file edited

    Follow-ups


    Good to know. Thanks for the feedback!

    If you are happy with Tuleap, please consider taking a few minutes to help improve the Wikipedia page (or create it in your mother language) or to write a review on G2Crowd or AlternativeTo.


    • Status changed from New to Closed
    • Close date set to 2018-04-10

    I still don't know why it doesn't work using zimbraId, but I can confirm that using uid for auth 1 and 2, it works as expected.

    Thank you for your time, Manuel, and keep up the good work!

    Kind regards,

    Manuel

    I didn't find anything odd in the file; however, one of your previous comments raises questions:

    If I use the same password in both places, then the log shows the second message twice, but with uid=(login) instead of zimbraId=(login)

    Given the configuration you attached zimbraId should not be used in queries to match login as it's uid that holds this information. zimbraId is there as a unique identifier for a user (a kind of foreign key between tuleap RDBMS and ldap so to say).

    It seems that the authentication phase does work (the logs are saying that), but something after the auth prevents users from getting a login. When you search, as site admin, for a user that gets a failure, what do you see in his profile (the site admin profile, not the public one)? Do you see the zimbraId as it's supposed to be?

    Did you spot anything odd in my ldap.inc file? I've been doing tests, changing all of the available params to try to spot any difference in behaviour, but to no avail. I would really like to move our dev services from redmine to tuleap but this is a blocking issue for us.

    This might be the sign of a wrong configuration, could you share your ldap.inc (be careful & edit your passwords if you set one)

    I've done a couple more tests, but I'm simply more puzzled now.

    I've created one of the users in the LDAP, directly in Tuleap web (using the same email, login and real name in both places) and associated it with the LDAP user via the "LDAP Identifier" in account details. If I use a different password in both places, the log shows:
    2018-03-06T22:49:32+00:00 [2335] [debug] Bound to LDAP server: ldap://(url):389
    2018-03-06T22:49:32+00:00 [2335] [debug] LDAP search success ou=people,dc=(example),dc=net zimbraId=(login) *** SCOPE: 1 *** ATTRIBUTES: mail, cn, uid, zimbraId, dn

    If I use the same password in both places, then the log shows the second message twice, but with uid=(login) instead of zimbraId=(login)

    2018-03-06T23:50:33+01:00 [2337] [debug] Bound to LDAP server: ldap://(url):389
    2018-03-06T23:50:33+01:00 [2337] [debug] LDAP search success ou=people,dc=(example),dc=net uid=(login) *** SCOPE: 1 *** ATTRIBUTES: mail, cn, uid, zimbraId, dn
    2018-03-06T23:50:33+01:00 [2337] [debug] LDAP search success ou=people,dc=(example),dc=net uid=(login) *** SCOPE: 1 *** ATTRIBUTES: mail, cn, uid, zimbraId, dn

    Wrong credentials:
    2018-03-05T12:58:22+01:00 [9760] [debug] Bound to LDAP server: ldap://(url):389
    2018-03-05T12:58:22+01:00 [9760] [debug] LDAP search success ou=people,dc=(example),dc=net uid=(wrong user) *** SCOPE: 1 *** ATTRIBUTES: mail, cn, uid, zimbraId, dn
    2018-03-05T12:58:22+01:00 [9760] [info] [LDAP] User (wrong user) failed to authenticate

    Correct credentials:
    2018-03-05T12:58:30+01:00 [2334] [debug] Bound to LDAP server: ldap://(url):389
    2018-03-05T12:58:30+01:00 [2334] [debug] LDAP search success ou=people,dc=(example),dc=net uid=(correct user) *** SCOPE: 1 *** ATTRIBUTES: mail, cn, uid, zimbraId, dn
    2018-03-05T12:58:30+01:00 [2334] [debug] LDAP search success ou=people,dc=(example),dc=net uid=(correct user) *** SCOPE: 1 *** ATTRIBUTES: mail, cn, uid, zimbraId, dn
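    A small triage script for the codendi_syslog lines quoted in this thread, added here as an illustration and not part of the ticket or of Tuleap itself. It groups lines by the bracketed pid, reports which attribute the login lookup matched on (uid vs zimbraId, the point the thread turns on), and separates "bind rejected with LDAP result code 49" from "LDAP succeeded, failure is somewhere after authentication". The log format and the sample lines are assumed from what is pasted above (hostnames and user names are constructed).

```python
"""Triage Tuleap LDAP plugin log lines (added example, not Tuleap code).
Assumed line format, taken from the ticket: "<timestamp> [<pid>] [<level>] <message>".
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\S+) \[(\d+)\] \[(\w+)\] (.*)$")
# Attribute used in the search filter that matched the login, e.g. "uid" or "zimbraId".
FILTER_RE = re.compile(r"LDAP search success \S+ (\w+)=")

# Constructed sample: pid 2334 authenticates fine via uid, pid 2335 has its
# login looked up via zimbraId, pid 9760 is a user bind rejected with code 49.
SAMPLE_LOG = """\
2018-03-05T12:58:30+01:00 [2334] [debug] Bound to LDAP server: ldap://ldap.example.net:389
2018-03-05T12:58:30+01:00 [2334] [debug] LDAP search success ou=people,dc=example,dc=net uid=alice *** SCOPE: 1 *** ATTRIBUTES: mail, cn, uid, zimbraId, dn
2018-03-06T22:49:32+00:00 [2335] [debug] Bound to LDAP server: ldap://ldap.example.net:389
2018-03-06T22:49:32+00:00 [2335] [debug] LDAP search success ou=people,dc=example,dc=net zimbraId=alice *** SCOPE: 1 *** ATTRIBUTES: mail, cn, uid, zimbraId, dn
2018-03-05T12:58:22+01:00 [9760] [debug] Bound to LDAP server: ldap://ldap.example.net:389
2018-03-05T12:58:22+01:00 [9760] [error] Unable to bind to LDAP server: ldap://ldap.example.net:389 ***ERROR:Invalid credentials ***ERROR no:49
2018-03-05T12:58:22+01:00 [9760] [info] [LDAP] User bob failed to authenticate
"""


def parse(log_text):
    """Group (level, message) pairs by pid, preserving order within a request."""
    by_pid = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_pid[m.group(2)].append((m.group(3), m.group(4)))
    return by_pid


def classify(messages):
    """Return (verdict, login_attribute) for one request's messages."""
    text = "\n".join(msg for _level, msg in messages)
    attrs = FILTER_RE.findall(text)
    attr = attrs[0] if attrs else None
    if "ERROR no:49" in text:  # LDAP result code 49 = invalidCredentials
        return ("bind rejected: invalid credentials (LDAP result code 49)", attr)
    if "failed to authenticate" in text:
        return ("authentication failed", attr)
    if "Bound to LDAP server" in text and "LDAP search success" in text:
        if attr and attr != "uid":
            return ("LDAP ok, but login matched on %s instead of uid" % attr, attr)
        return ("LDAP ok; if login still fails, look after authentication", attr)
    return ("incomplete trace", attr)


def triage(log_text):
    """Map each pid to its (verdict, login_attribute)."""
    return {pid: classify(msgs) for pid, msgs in parse(log_text).items()}
```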

    The exact versions are Tuleap 9.17.99.221 and LDAP plugin 3.175

    The exact error messages are:
    on web:
    * both cases:
    Invalid Password Or User Name

    on log:
    * with correct credentials:
    no error at all.
    * with wrong credentials:
    [error] Unable to bind to LDAP server: (ldap URL) ***ERROR:Invalid credentials ***ERROR no:49
    [info] [LDAP] User (user) failed to authenticate

    Which exact version of tuleap are you using, what are the exact error messages you are getting in both cases?