
#1 2018-11-02 12:58:41

Chr0nicles
Member
Registered: 2009-09-17
Posts: 3

Upgrading to new system: LDAP authentication doesn't work anymore.

Hi,

I'm upgrading from 0.91 to 9.3.1 and PHP 7, and LDAP auth doesn't work anymore.
Something weird is going on, but I can't seem to find the culprit.

I'm using self-signed certificates.

The error I keep seeing in the Apache log is:

<code>
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
</code>

This relates to a certificate not being correct, or not being validatable because the CA is not found.
However, I can't find where or how, because normal LDAP operations work.

ldapsearch and interactive PHP work:

<code>
ldapsearch -w removedpass -x -ZZ -h localldap.changed.com -b "dc=base,dc=nl" -D "cn=client,ou=ldap,dc=base,dc=nl" "(objectClass=*)"
</code>

PHP interactive mode works too.


ldap.conf is using:
<code>
# tls
SSL START_TLS
TLS_CHECKPEER demand
</code>


Anyone got some ideas? Thx.


<code>
php -a
Interactive mode enabled
php > ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
php > $conn = ldap_connect("localldap.changed.com");
php > ldap_start_tls($conn);
..
attempting to connect:
connect success
ldap_open_defconn: successful
res_errno: 0, res_error: <>, res_matched: <>
</code>

Apache error log:
<code>
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: HOME env is NULL
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
ldap_create
ldap_url_parse_ext(ldap://ldapserver.changed.com:389)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldapserver.changed.com:389
ldap_new_socket: 15
ldap_prepare_socket: 15
ldap_connect_to_host: Trying 10.0.10.138:389
ldap_pvt_connect: fd: 15 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x5608d83d6420 msgid 1
wait4msg ld 0x5608d83d6420 msgid 1 (infinite timeout)
wait4msg continue ld 0x5608d83d6420 msgid 1 all 1
** ld 0x5608d83d6420 Connections:
* host: ldapserver.changed.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Nov  2 11:39:49 2018


** ld 0x5608d83d6420 Outstanding Requests:
* msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x5608d83d6420 request count 1 (abandoned 0)
** ld 0x5608d83d6420 Response Queue:
   Empty
  ld 0x5608d83d6420 response count 0
ldap_chkResponseList ld 0x5608d83d6420 msgid 1 all 1
ldap_chkResponseList returns ld 0x5608d83d6420 NULL
ldap_int_select
read1msg: ld 0x5608d83d6420 msgid 1 all 1
read1msg: ld 0x5608d83d6420 msgid 1 message type extended-result
read1msg: ld 0x5608d83d6420 0 new referrals
read1msg:  mark request completed, ld 0x5608d83d6420 msgid 1
request done: ld 0x5608d83d6420 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
ldap_create
ldap_url_parse_ext(ldap://ldapserver.changed.com:389)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldapserver.changed.com:389
ldap_new_socket: 15
ldap_prepare_socket: 15
ldap_connect_to_host: Trying 10.0.10.138:389
ldap_pvt_connect: fd: 15 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x5608d83d6420 msgid 1
wait4msg ld 0x5608d83d6420 msgid 1 (infinite timeout)
wait4msg continue ld 0x5608d83d6420 msgid 1 all 1
** ld 0x5608d83d6420 Connections:
* host: ldapserver.changed.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Nov  2 11:39:49 2018


** ld 0x5608d83d6420 Outstanding Requests:
* msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x5608d83d6420 request count 1 (abandoned 0)
** ld 0x5608d83d6420 Response Queue:
   Empty
  ld 0x5608d83d6420 response count 0
ldap_chkResponseList ld 0x5608d83d6420 msgid 1 all 1
ldap_chkResponseList returns ld 0x5608d83d6420 NULL
ldap_int_select
read1msg: ld 0x5608d83d6420 msgid 1 all 1
read1msg: ld 0x5608d83d6420 msgid 1 message type extended-result
read1msg: ld 0x5608d83d6420 0 new referrals
read1msg:  mark request completed, ld 0x5608d83d6420 msgid 1
request done: ld 0x5608d83d6420 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
</code>

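The trace above already contains the answer to "why does the CLI work but php-fpm not". As an added example (it is neither GLPI code nor anything from the post), here is a small triage script for such an OpenLDAP client debug trace. The wording "TLS: peer cert untrusted or revoked (0x..)" comes from OpenLDAP's GnuTLS backend (Debian and Ubuntu build libldap against GnuTLS), and the hex value is the gnutls_certificate_status_t bitmask, so 0x42 is GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND: the issuer of the server certificate is not in the trust store libldap is using, which is exactly the "CA not found" reading given above. The trace also records that HOME is unset in the php-fpm process, so ~/ldaprc and ~/.ldaprc are never consulted there, while php -a from a login shell does read them; a TLS_CACERT configured only per user therefore works interactively and fails under the web server. SAMPLE_LOG is a constructed excerpt of the lines quoted above; the finding codes and messages are this example's own.

```python
"""Triage an OpenLDAP client debug trace (LDAP_OPT_DEBUG_LEVEL or ldapsearch -d).

Added example for this thread; neither GLPI code nor the poster's.  SAMPLE_LOG is
a constructed excerpt of the Apache error log quoted in the post (the poster's
anonymised hostnames); the finding codes below are this example's own.
"""
import re

# gnutls_certificate_status_t flags (gnutls/gnutls.h).  OpenLDAP's GnuTLS backend
# prints the raw status word in "TLS: peer cert untrusted or revoked (0x%x)".
GNUTLS_CERT_STATUS = {
    1 << 1: "GNUTLS_CERT_INVALID",
    1 << 5: "GNUTLS_CERT_REVOKED",
    1 << 6: "GNUTLS_CERT_SIGNER_NOT_FOUND",
    1 << 7: "GNUTLS_CERT_SIGNER_NOT_CA",
    1 << 8: "GNUTLS_CERT_INSECURE_ALGORITHM",
    1 << 9: "GNUTLS_CERT_NOT_ACTIVATED",
    1 << 10: "GNUTLS_CERT_EXPIRED",
    1 << 11: "GNUTLS_CERT_SIGNATURE_FAILURE",
}

# Constructed sample: the first attempt from the trace above, then the start of the
# second, identical attempt that the original trace also shows.
SAMPLE_LOG = """\
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: HOME env is NULL
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
ldap_create
ldap_url_parse_ext(ldap://ldapserver.changed.com:389)
ldap_connect_to_host: TCP ldapserver.changed.com:389
ldap_connect_to_host: Trying 10.0.10.138:389
connect success
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_free_connection 1 1
ldap_create
ldap_url_parse_ext(ldap://ldapserver.changed.com:389)
ldap_connect_to_host: Trying 10.0.10.138:389
TLS: peer cert untrusted or revoked (0x42)
"""

_PATTERNS = [
    (re.compile(r"^ldap_init: trying (\S+)$"), "config_files"),
    (re.compile(r"^ldap_init: (\w+) env is NULL$"), "unset_env"),
    (re.compile(r"^ldap_url_parse_ext\((\S+)\)$"), "urls"),
    (re.compile(r"^ldap_connect_to_host: Trying (\S+)$"), "endpoints"),
]
_RE_TLS = re.compile(r"^TLS: peer cert untrusted or revoked \(0x([0-9a-fA-F]+)\)$")


def decode_gnutls_status(status):
    """Names of the GnuTLS verification flags set in a status word."""
    names = [name for bit, name in GNUTLS_CERT_STATUS.items() if status & bit]
    leftover = status & ~sum(GNUTLS_CERT_STATUS)
    if leftover:
        names.append("unknown bits 0x%x" % leftover)
    return names


def parse_ldap_debug(text):
    """Collect config lookups, unset env vars, URLs, endpoints and TLS failures."""
    report = {"config_files": [], "unset_env": [], "urls": [],
              "endpoints": [], "tls_failures": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = _RE_TLS.match(line)
        if m:                                   # one entry per failed attempt
            status = int(m.group(1), 16)
            report["tls_failures"].append((status, decode_gnutls_status(status)))
            continue
        for rx, key in _PATTERNS:
            m = rx.match(line)
            if m and m.group(1) not in report[key]:   # the trace repeats per attempt
                report[key].append(m.group(1))
    return report


def diagnose(report):
    """Turn a parsed trace into unique (code, explanation) findings."""
    findings, seen = [], set()

    def emit(code, msg):
        if code not in seen:
            seen.add(code)
            findings.append((code, msg))

    for status, names in report["tls_failures"]:
        if "GNUTLS_CERT_SIGNER_NOT_FOUND" in names:
            emit("issuer-not-trusted",
                 "0x%x: the server cert's issuer is not in the trust store libldap uses; "
                 "set TLS_CACERT in %s (or LDAPTLS_CACERT in the environment) to the CA "
                 "that signed it" % (status, ", ".join(report["config_files"]) or "ldap.conf"))
        else:
            emit("cert-invalid", "0x%x: %s" % (status, ", ".join(names)))
    if "HOME" in report["unset_env"]:
        emit("no-home",
             "HOME is unset in this process, so ~/ldaprc and ~/.ldaprc are not read: "
             "a TLS_CACERT placed there works from a login shell but not under php-fpm")
    return findings


if __name__ == "__main__":
    rep = parse_ldap_debug(SAMPLE_LOG)
    for key, value in rep.items():
        print("%-13s %s" % (key, value))
    for code, msg in diagnose(rep):
        print("[%s] %s" % (code, msg))
```

To use it on your own system, enable the same debug level in the failing process (the ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7) call shown above, from inside a page served by php-fpm) and feed the resulting error-log lines to parse_ldap_debug(); compare the "config_files" and "unset_env" entries with those from php -a to see which configuration the two processes actually read.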

#2 2018-11-08 14:23:14

Chr0nicles
Member
Registered: 2009-09-17
Posts: 3

Re: Upgrading to new system: LDAP authentication doesn't work anymore.

Update:

All local LDAP queries are working, also php-cli.
It fails only when launched through php-fpm7.0.


#3 2018-11-08 14:54:17

Chr0nicles
Member
Registered: 2009-09-17
Posts: 3

Re: Upgrading to new system: LDAP authentication doesn't work anymore.

Chr0nicles wrote:

Update:

All local LDAP queries are working, also php-cli.
It fails only when launched through php-fpm7.0.

Solution:

Add cafile/capath info to the FPM pool configuration.

/etc/php/7.0/fpm/pool.d/www.conf:
<code>
php_admin_value[openssl.cafile] = /etc/ssl/certs/ca-certificates.crt
php_admin_value[openssl.capath] = /etc/ssl/certs
</code>

Cheers

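Two separate trust stores are in play when GLPI's PHP code calls ldap_start_tls(): PHP's own openssl.cafile and openssl.capath ini values, which ext/openssl uses as defaults for its stream wrappers, and libldap's TLS_CACERT/TLS_CACERTDIR from ldap.conf (or the LDAPTLS_CACERT environment variable, or ldap_set_option() with LDAP_OPT_X_TLS_CACERTFILE on PHP builds that expose it), which is what the OpenLDAP client library loads when it starts TLS. If the pool setting alone does not help on your system, put TLS_CACERT into /etc/ldap/ldap.conf, which libldap reads whether or not HOME is set, and restart php-fpm. Note too that SSL and TLS_CHECKPEER are pam_ldap/nss_ldap directives, not OpenLDAP ldap.conf(5) ones; libldap's peer-verification directive is TLS_REQCERT, whose default is demand. The following added example (not GLPI's code and not the poster's) audits both layers from the fragments quoted in this thread and prints a corrected ldap.conf. The pool file is constructed around the two php_admin_value lines above, the ldap.conf sample is the three lines from the first post, and the finding codes are the example's own.

```python
"""Audit the two trust-store layers behind a PHP LDAP StartTLS connection.

Added example for this thread, neither GLPI code nor the poster's.  It reads a
php-fpm pool file and an OpenLDAP ldap.conf fragment, reports what each layer
configures, and writes the corrected ldap.conf.  Both samples are constructed
from the settings quoted in the thread; the finding codes are the example's own.
"""
import re

POOL_CONF = """\
[www]
user = www-data
listen = /run/php/php7.0-fpm.sock
php_admin_value[openssl.cafile] = /etc/ssl/certs/ca-certificates.crt
php_admin_value[openssl.capath] = /etc/ssl/certs
"""

LDAP_CONF = """\
# tls
SSL START_TLS
TLS_CHECKPEER demand
"""

# pam_ldap/nss_ldap spellings that OpenLDAP's ldap.conf(5) does not define,
# with the libldap way of expressing the same intent.
NOT_LIBLDAP = {
    "SSL": "StartTLS is requested by the client (ldapsearch -ZZ, ldap_start_tls()); "
           "'ssl start_tls' is pam_ldap syntax",
    "TLS_CHECKPEER": "use TLS_REQCERT demand, libldap's peer-verification directive",
}

_RE_PHP_INI = re.compile(r"^php_(admin_)?(value|flag)\[([^\]]+)\]\s*=\s*(.*)$")


def parse_fpm_pool(text):
    """{ini_key: (value, directive)} for php_value/php_admin_value lines."""
    out = {}
    for raw in text.splitlines():
        m = _RE_PHP_INI.match(raw.strip())
        if m:
            admin, kind, key, value = m.groups()
            out[key] = (value.strip(), "php_%s%s" % (admin or "", kind))
    return out


def parse_ldap_conf(text):
    """{DIRECTIVE: value} from an ldap.conf fragment; keywords are case-insensitive."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            out[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return out


def audit(pool_text, ldap_text):
    """(code, explanation) findings for the PHP layer and the libldap layer."""
    pool, ldap = parse_fpm_pool(pool_text), parse_ldap_conf(ldap_text)
    findings = []
    for key in ("openssl.cafile", "openssl.capath"):
        if key in pool:
            findings.append(("php-" + key.split(".")[1],
                             "%s sets %s = %s; ext/openssl uses it as the default "
                             "for its stream wrappers" % (pool[key][1], key, pool[key][0])))
    for key, advice in NOT_LIBLDAP.items():
        if key in ldap:
            findings.append(("not-libldap-directive",
                             "%s is not an ldap.conf(5) directive: %s" % (key, advice)))
    if "TLS_CACERT" not in ldap and "TLS_CACERTDIR" not in ldap:
        findings.append(("no-libldap-ca",
                         "no TLS_CACERT/TLS_CACERTDIR: libldap has only its TLS library's "
                         "default store, which lacks a private CA unless you added it"))
    if ldap.get("TLS_REQCERT", "demand").lower() in ("never", "allow", "try"):
        findings.append(("reqcert-weak",
                         "TLS_REQCERT %s lets an untrusted server cert through; the "
                         "default and the safe value is demand" % ldap["TLS_REQCERT"]))
    return findings


def recommended_ldap_conf(ldap_text, cacert):
    """Rewrite the fragment: drop pam_ldap directives, pin the CA, demand verification."""
    ldap = parse_ldap_conf(ldap_text)
    lines = ["TLS_CACERT %s" % cacert, "TLS_REQCERT demand"]
    lines += ["%s %s" % (k, v) for k, v in ldap.items()
              if k not in NOT_LIBLDAP and k not in ("TLS_CACERT", "TLS_REQCERT")]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for code, msg in audit(POOL_CONF, LDAP_CONF):
        print("[%s] %s" % (code, msg))
    print(recommended_ldap_conf(LDAP_CONF, "/etc/ssl/certs/ca-certificates.crt"))
```

The CA path passed to recommended_ldap_conf() should be the file that actually contains the self-signed issuer; pointing it at the distribution bundle only helps if that CA was installed into the bundle (on Debian-style systems via update-ca-certificates). After changing /etc/ldap/ldap.conf, confirm the fix from the failing process itself rather than from a shell, since the post shows the two read different configuration.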
