Hi,

We've been using LDAP successfully with osTicket and it works fine for agents & users.

I'm now trying to configure osTicket to use LDAPS but get an error:
TLS could not be started: Connect error: Unable to bind to server <servername>

I've started from the baseline of a working connection with LDAP and tried the following combinations:
All the below with the TLS option both ticked & unticked.
ldaps://dcname.domainname
dcname.domainname:636

A slightly different error message appears if I do:
ldaps://dcname.domainname:636

The server name has // prepended such as: Unable to bind to server //dcname.domainname when the above is done.

I have verified the domain controllers are accessible via LDAPS on port 636 from the webserver, & two other applications formerly using LDAP were successfully migrated to LDAPS with a change of config on the application side.

Any help or pointers in the right direction greatly appreciated.

Edit: osTicket info below:

    Lister

    Judging by the error it seems you are having trouble with TLS: "TLS could not be started". @ntozier any thoughts?

    Cheers.

    Can you actually post a screen shot of your ldap plugin config screen?
    (feel free to sanitize the data first, and don't hit save)

    Are you trying to connect to an LDAP server? Or an Active Directory server?

      ntozier

      Trying to connect to active directory. I've attached a copy of the settings as they are with regular LDAP working.

      Below is one example of the attempt to swap to LDAPS with the TLS box ticked.

      Thanks

      Try either populating the DNS field

      • with a DNS server that dc01.* will resolve on and see what happens please.
      • or changing the ldaps:\dc01 to simply its IP address.

        ntozier

        I've just changed both servers to their IP addresses & tried with these variations:
        ldap://IPAddress
        ldaps://IPAddress
        IPAddress:636

        I've also tried setting the DNS server by IP & retested with FQDNs, same message for both IP & Hostname:
        TLS could not be started: Can't contact LDAP server: Unable to bind to server

          KevinTheJedi

          Hi Kevin, yep second test I mentioned had a local DNS server populated by IP in the "DNS Servers" box.

            Lister

            As you can see from here:

            The error is thrown when ldap_start_tls() returns false. ldap_start_tls() is a built-in PHP method so maybe do some research on this method to see in what cases it will return false. Maybe you have a self-signed certificate it doesn't like or something.

            Cheers.

              KevinTheJedi

              I think this is something myself and a colleague had to wrap our heads around when we were first looking at Microsoft's intention to encourage the use of secure LDAP connections.

              From what I've read there are two ways of securing an LDAP connection: LDAPS and LDAP over TLS; the second uses start_tls.
              Looking at the PHP manual, the difference between LDAP and LDAPS in PHP is in the connection string, changing ldap:// to ldaps://. Our intention currently is to use LDAPS, but I think either would work.

              I'm going to have a play with some testing after reading this article: https://www.php.net/manual/en/function.ldap-connect.php.

              Just to help with my test, am I correct in thinking that if I put ldaps:// at the beginning of the server entry without ticking the TLS box, start_tls should not be involved in any way? Would osTicket also default the connection to port 636 if I put ldaps:// at the start?

              Thanks

                Lister

                Yes, I think it should use ldaps if you prefix it appropriately. I think you still need the port number just to be certain as if not provided I believe we default to 389 (or whatever it is).

                Cheers.

                  KevinTheJedi

                  Hi Kevin,

                  That may be an easier issue to resolve as I think it may just be a formatting issue! I did see a comment in another thread that said the same resolution you suggested fixed it; see the last post of the thread below:
                  https://forum.osticket.com/d/96963-error-trying-to-use-ldap-authentication-using-tls-port-636

                  However, when I first tested prior to posting my original message, the same layout of ldaps://dc01.domain....:636 seems to format the address incorrectly. I've attached a screenshot displaying the issue.

                  The ldaps: seems to get cut off and it doesn't mention the port number.

                  Thanks

                    Lister

                    Okay, it could be REGEX issues now that you shared that information. Do you possibly know how to make changes to plugins? If so try changing the auth-ldap/config.php file and changing:

                                        if (preg_match('/([^:]+):(\d{1,4})/', $host, $matches))
                                            $servers[] = array('host' => $matches[1], 'port' => (int) $matches[2]);

                    to

                                        if (preg_match('/((ldaps:\/\/)?[^:]+):(\d{1,4})/', $host, $matches))
                                            $servers[] = array('host' => $matches[1], 'port' => (int) $matches[3]);

                    Once you do that save and retest.

                    If you don't know how:

                    • You can un-phar the plugin with: php -r '$phar = new Phar("/path/to/include/plugins/auth-ldap.phar"); $phar->extractTo("/path/to/include/plugins/auth-ldap");'
                    • Login to the database
                    • Open the ost_plugin table
                    • Change isphar to 0 for the auth-ldap plugin
                    • Change the install_path from auth-ldap.phar to auth-ldap (basically, just remove the .phar part)
                    • Now you can manually make changes to the plugin files

                    Cheers.
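As an added illustration of the regex change above (example code, not from osTicket or the auth-ldap plugin): the original pattern run over the spellings tried earlier in the thread, beside a parser that keeps the scheme and picks the default port by scheme. Host names and addresses are hypothetical.

```php
<?php
// Added example for this thread; not code from osTicket or the auth-ldap plugin.
// Contrasts the plugin's original host regex with a parser that understands an
// optional ldap:// or ldaps:// scheme. Server names are hypothetical.

// The regex from the original config.php. Against "ldaps://dc01.example.com:636"
// the first position where "[^:]+:\d" can match is just after "ldaps:", so the
// captured host is "//dc01.example.com" (scheme lost, "//" kept), which is the
// "//dcname.domainname" host shown in the error earlier in the thread.
function legacy_parse(string $entry): ?array
{
    if (preg_match('/([^:]+):(\d{1,4})/', $entry, $m)) {
        return ['host' => $m[1], 'port' => (int) $m[2]];
    }
    return null; // entries without ":<port>" are not recognised at all
}

// Accepts "host", "host:port", "ldap://host[:port]" and "ldaps://host[:port]".
// A missing port defaults to 636 for ldaps and 389 for ldap; anything else
// (other schemes, paths, whitespace, a port out of range) is rejected rather
// than silently mangled.
function parse_ldap_server(string $entry): array
{
    $entry = trim($entry);
    if (!preg_match('~^(?:(ldaps?)://)?([^:/\s]+)(?::(\d{1,5}))?$~i', $entry, $m)) {
        throw new InvalidArgumentException("Unrecognised LDAP server entry: '$entry'");
    }
    $scheme = strtolower($m[1] !== '' ? $m[1] : 'ldap');
    $port   = (isset($m[3]) && $m[3] !== '') ? (int) $m[3] : ($scheme === 'ldaps' ? 636 : 389);
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException("Port out of range in '$entry'");
    }
    return [
        'scheme' => $scheme,
        'host'   => $m[2],
        'port'   => $port,
        // A full URI is what ldap_connect() should be given; when a URI is
        // passed, PHP ignores its separate $port argument.
        'uri'    => sprintf('%s://%s:%d', $scheme, $m[2], $port),
    ];
}

// Demonstration over the spellings tried in the thread (hypothetical hosts).
$entries = [
    'dc01.example.com',
    'dc01.example.com:636',
    'ldaps://dc01.example.com',
    'ldaps://dc01.example.com:636',
    'ldap://10.0.0.5:389',
];
foreach ($entries as $e) {
    $legacy = legacy_parse($e);
    $fixed  = parse_ldap_server($e);
    printf("%-30s  original regex: host=%-22s port=%-4s  parsed: %s\n",
        $e,
        $legacy['host'] ?? '(no match)',
        $legacy['port'] ?? '-',
        $fixed['uri']);
}
```

Run it with `php parse_ldap_server.php`. The point of the anchored pattern is that a bare `dc01.example.com` still works, `ldaps://dc01.example.com` without a port lands on 636 rather than 389, and a stray scheme or path fails loudly instead of producing a host beginning with `//`.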

                      KevinTheJedi

                      I did not know how to before your instructions. I will follow those, hope for the best & let you know how it goes

                        Lister

                        Okay, the main changes in the above are the full regex statement within the preg_match() and the port $matches changed from 2 to 3.

                        Cheers.

                          KevinTheJedi

                          With those changes the error message does change to as below:

                          Would you expect the port number to be missing from that error message?

                          Thanks

                            Lister

                            Depends on what the URL looks like and what the error kicks back. Can you inspect the network requests, etc. to see why it's failing to bind?

                            Cheers.

                              KevinTheJedi

                              I've just Wiresharked the connection between the DC & the webserver. When clicking the save changes button with the same entry as above I'm getting an error: Alert (Level: Fatal, Description: Unknown CA).

                              I can see in a section of the config.php for auth-ldap that there is a do not require cert option when ticking the "TLS" option, but this workaround is not done for LDAPS it appears.

                              I copied line 174 putenv('LDAPTLS_REQCERT=never'); from config.php and put it right below line 170 as below but get the same error.

                                Lister

                                To preface, I am not by any means an LDAP expert (I’m only somewhat familiar with LDAP) but everything I’m reading online says you must have a valid certificate to use LDAPS. Maybe they are wrong but as far as I see it requires one. You may be able to research further online to see how to bypass this.

                                Cheers.
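Covering both the LDAPS-versus-StartTLS question a few posts up and the Unknown CA finding at the end of the thread, here is an added example (not osTicket or auth-ldap plugin code) of how a PHP client does each mode with the DC's issuing CA trusted, instead of switching certificate verification off. The URI, CA file path and service account are hypothetical.

```php
<?php
// Added example; not code from osTicket or the auth-ldap plugin. Requires
// ext-ldap built against OpenLDAP. Assumed/hypothetical values:
//   $uri     'ldaps://dc01.example.com:636' or 'ldap://dc01.example.com:389'
//   $caFile  PEM file holding the CA that issued the DC's certificate
//   $bindDn  a low-privilege service account, $bindPw its password
function ldap_secure_connect(string $uri, string $caFile, string $bindDn, string $bindPw)
{
    // libldap reads LDAPTLS_* from the environment when it first initialises,
    // so these must be set before the first ldap_connect() in this process.
    // REQCERT=demand (the default) fails closed on an untrusted chain; the
    // plugin's REQCERT=never would accept any certificate, including one
    // presented by a machine in the middle.
    putenv('LDAPTLS_CACERT=' . $caFile);
    putenv('LDAPTLS_REQCERT=demand');

    // ldaps:// => TLS from the first byte; ldap:// => plaintext until StartTLS.
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("Bad LDAP URI: $uri");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); // don't chase AD referrals

    // StartTLS is only for ldap://. Running it on an ldaps:// session fails
    // because the socket is already encrypted, which is what happens when the
    // plugin's TLS box is ticked together with an ldaps:// host.
    if (stripos($uri, 'ldap://') === 0) {
        if (!@ldap_start_tls($ds)) {
            throw new RuntimeException('StartTLS failed: ' . ldap_error($ds));
        }
    }

    // For ldaps:// the TCP connect and TLS handshake happen here, at bind
    // time, so an untrusted server certificate surfaces as a bind error.
    if (!@ldap_bind($ds, $bindDn, $bindPw)) {
        $diag = '';
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        throw new RuntimeException('Bind failed: ' . ldap_error($ds) . ($diag !== '' ? " ($diag)" : ''));
    }
    return $ds;
}

// Usage from the CLI with hypothetical values:
//   LDAP_BIND_PW='...' php ldap_secure_connect.php ldaps://dc01.example.com:636 \
//       /etc/ssl/certs/corp-root-ca.pem 'CN=svc-osticket,OU=Service,DC=example,DC=com'
if (PHP_SAPI === 'cli' && $argc === 4) {
    [, $uri, $caFile, $bindDn] = $argv;
    $bindPw = getenv('LDAP_BIND_PW') ?: '';
    $ds = ldap_secure_connect($uri, $caFile, $bindDn, $bindPw);
    echo "Bound to $uri with a verified certificate chain\n";
    ldap_unbind($ds);
}
```

The "Unknown CA" alert seen in Wireshark is the client side refusing the DC's certificate because its issuer is not in the client's trust store, so the fix belongs on the web server: export the issuing CA certificate from the domain, point `LDAPTLS_CACERT` at it (or set `TLS_CACERT` in the system ldap.conf, which also survives a PHP-FPM worker that initialised libldap on an earlier request), and confirm with `openssl s_client -connect dc01.example.com:636 -CAfile /path/to/ca.pem` that the verify return code is 0 before blaming the plugin.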
