
#1 2024-03-25 18:33:26

s0p4L1n3
Member
Registered: 2024-03-25
Posts: 5

LDAPS issue, Unable to bind to LDAP server

Hello,

I'm trying to configure GLPI LDAPS binding over my Microsoft Active Directory but I'm stuck at this moment.

I got this error which is known but the 'workaround' is to set Bind to No.

==> /var/www/html/glpi/files/_log/php-errors.log <==
PHP User Warning (512): Unable to bind to LDAP server `srvad.enterprise.it.paris.lan` with RDN `ro_glpi@enterprise.it.paris.lan`
error: Can't contact LDAP server (-1) in /var/www/html/glpi/src/AuthLDAP.php at line 3194
  Backtrace:
  src/AuthLDAP.php:3194                             trigger_error()
  src_AuthLDAP.php:1666                             AuthLDAP::connectToServer()
  front/authldap.form.php:84                        AuthLDAP::testLDAPConnection()
  public/index.php:82                               require()

I have correctly deployed the DC certificate on the server side to the Personal and NTDS/Personal stores.
I have deployed the SUB/ROOT CAs to the Docker container / Linux trust stores and run `ca-certificate-updates`.
I have LDAPS with bind user/password working for other solutions (Netbox, GitLab).

The enterprise policy does not allow Anonymous Binding/Logon.

From the GLPI server I ran some commands to test the LDAPS binding:

ldapsearch, which results in success:

ldapsearch -LLL -x -v -H ldaps://srvad.enterprise.it.paris.lan -b 'dc=enterprise,dc=it,dc=paris,dc=lan' -D 'ENTERPRISE\ro_glpi' -W '(sAMAccountName=ro_glpi)'

I also tested a basic PHP script:

<?php

// using ldap bind
$ldaprdn  = 'ro_glpi';     // ldap rdn or dn
$ldappass = 'password';  // associated password

// connect to ldap server
$ldapconn = ldap_connect("ldaps://srvad.enterprise.it.paris.lan")
    or die("Could not connect to LDAP server.");

if ($ldapconn) {

    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...";
    } else {
        echo "LDAP bind failed...";
    }

}

?>

Resulting in:

php test.php
LDAP Bind successful

I have tested LDAP with StartTLS, it is working. It is not a certificate issue then.

Enterprise policy does not allow Anonymous Logon, so choosing 'No' for Use Bind is not working in my case.


GLPI LDAP conf webUI

[LDAP directory]
name: srvad
default server: yes
active: yes
Port: 636
Connection filter: template one for windows AD
BaseDN=dc=enterprise,dc=it,dc=paris,dc=lan
Use binding: yes
DN Account: ro_glpi@dc=enterprise,dc=it,dc=paris,dc=lan
login field: samaccountname
synchronize field: objectguid

[advanced information]
TLS no
GMT +1


GLPI conf files

- ldap.conf

TLS_CACERT path_to_certca.pem
TLS_REQCERT never

- php.ini

[curl]
curl.cainfo=path_to_certca.pem
[openssl]
openssl.cafile=path_to_certca.pem

I was wondering if the issue is not in the code?
What could prevent LDAPS with binding user/password?
Especially if I can do it with a basic PHP script on the same server?


#2 2024-03-28 16:55:52

s0p4L1n3
Member
Registered: 2024-03-25
Posts: 5

Re: LDAPS issue, Unable to bind to LDAP server

SOLVED. I found my own issue! Well, I would assume it's not my fault, but I did not read the documentation (because I was pretty aware of, and stubborn about, how to configure LDAPS on any solution).

# LDAPS NOT WORKING

[image: not-working-ldaps.png]

# LDAPS WORKING

[image: working-ldaps.png]


As you can see, we need to add ldaps:// in the server field as prefix to the server name or IP address.

GLPI can connect to an LDAP directory through an LDAPS connection. To enable this, prefix your server field with ldaps:// and change the port to the LDAPS one of your LDAP directory (default 636).


Don't ask me why they did it this way; I'm pretty sure it has misled many people, even if reading the doc was the solution.
On many other solutions, either you have an LDAP/LDAPS button, or you set ldaps:// but don't have to specify the port, or you set the port but don't have to specify the protocol because it is already hardcoded based on the port choice. Not on GLPI.

Last edited by s0p4L1n3 (2024-03-28 17:07:38)


#3 2024-04-25 05:54:24

victorjah50
Member
Registered: 2024-04-25
Posts: 3

Re: LDAPS issue, Unable to bind to LDAP server

In addition to the solution posted before, let me tell you what happened to me:

In my case the solution was not enough because we had an issue with the Active Directory setup not having a valid (CA-signed) certificate; we had to install the CA role on the Windows Server DC and configure a new CA root certificate, and after that request a new certificate for the "Domain Controller" purpose, all this in the mmc.exe Windows utility (Local Machine Certificates > Personal store).

I followed the guide found by searching on Google for "how-connect-active-directory-ssl-under-linux-aurélien-husson".

After that the server had a valid certificate issued by the local CA; I exported it to a file, put it in the /etc/ssl/certs/ directory, ran update-ca-certificate -f and configured /etc/ldap/ldap.conf by adding these lines at the end of the file:

TLS_REQCERT     never
TLS_CACERT      /etc/ssl/certs/<filename certificate exported from DC server>
TLS_CACERTDIR   /etc/ssl/certs

Now ldapsearch is working fine and queries are answered correctly.

I hope this is useful.

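The two fixes in this thread (post #2: the server field needs the ldaps:// prefix and the port is set separately; post #3: getting the DC certificate trusted, which both posters then short-circuit with TLS_REQCERT never) can be checked together from the GLPI host with the added diagnostic below. It is not GLPI's code and not either poster's script: it builds the URI the way the GLPI documentation quoted above describes, so you can see that a bare host name yields a plaintext ldap:// connection to port 636 (the "Can't contact LDAP server" case), and it demands certificate verification in-process instead of relying on ldap.conf. The hostnames, bind account, CA bundle path and the GLPI_LDAP_PASS environment variable are placeholders to replace with your own values.

```php
<?php
// Added diagnostic script (not GLPI code). All hosts, accounts and paths below are placeholders.
declare(strict_types=1);

// Mirrors the documented GLPI rule: the scheme comes from the server field itself
// (ldaps:// prefix or nothing), the port is configured separately. Without the
// prefix the result is ldap://host:636, i.e. plaintext LDAP sent to the TLS port.
function buildLdapUri(string $serverField, int $port): string
{
    $serverField = trim($serverField);
    if (preg_match('#^(ldaps?)://#i', $serverField, $m) === 1) {
        $scheme = strtolower($m[1]);
        $host   = substr($serverField, strlen($m[0]));
    } else {
        $scheme = 'ldap';
        $host   = $serverField;
    }
    return sprintf('%s://%s:%d', $scheme, rtrim($host, '/'), $port);
}

// Attempts a simple bind and returns [success, libldap error string].
// Certificate verification is demanded here, overriding a "TLS_REQCERT never"
// in ldap.conf, so a missing or untrusted DC certificate shows up as a bind
// failure instead of being silently accepted.
function testBind(string $uri, string $bindDn, string $password, string $caFile): array
{
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $conn = ldap_connect($uri);
    if ($conn === false) {
        return [false, 'invalid LDAP URI'];
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // Active Directory requires LDAPv3
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);        // do not chase AD referrals
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);  // fail fast instead of hanging

    $ok  = @ldap_bind($conn, $bindDn, $password);
    $err = $ok ? 'ok' : ldap_error($conn);
    ldap_unbind($conn);
    return [$ok, $err];
}

// Usage: compare the same server with and without the documented ldaps:// prefix.
$password = getenv('GLPI_LDAP_PASS') ?: '';              // placeholder: read-only bind password
$caFile   = '/etc/ssl/certs/ca-certificates.crt';        // placeholder: bundle containing the DC's CA chain
foreach (['srvad.example.lan', 'ldaps://srvad.example.lan'] as $serverField) {
    $uri = buildLdapUri($serverField, 636);
    [$ok, $msg] = testBind($uri, 'ro_glpi@example.lan', $password, $caFile);
    printf("%-28s -> %-34s bind=%s (%s)\n", $serverField, $uri, $ok ? 'yes' : 'no', $msg);
}
```

Run it as the same user and from the same container as GLPI's PHP, because that is where the ldap.conf, CA bundle and PHP extension that GLPI actually uses live; a bind that works here with LDAP_OPT_X_TLS_DEMAND is one that will keep working after TLS_REQCERT never is removed from ldap.conf.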

#4 2024-04-25 15:35:35

cconard96
Moderator
Registered: 2018-07-31
Posts: 2,418
Website

Re: LDAPS issue, Unable to bind to LDAP server

s0p4L1n3 wrote:

Don't ask me why they did it this way, especially I'm pretty sure it did mislead many people, even if reading the doc was the solution.

Depending on the LDAP solution, the port numbers can be changed. There is no reason why the protocol should be assumed based on the port number alone.


GLPI Collaborator and Plugin Developer.
My non-English comments are automated translations. Sorry for any confusion that causes.
