Unable to configure LDAPS with Active Directory

Lister

Hi,

We've been using LDAP successfully with osTicket and works fine for agents & users.

I'm now trying to configure osTicket to use LDAPS but get an error:
TLS could not be started: Connect error: Unable to bind to server <servername>

I've started from the baseline of a working connection with LDAP and tried the following combinations:
All the below with with the TLS option both ticked & unticked.
ldaps://dcname.domainname
dcname.domainname:636

A slightly different error message appears if I do:
ldaps://dcname.domainname:636

The server name has // prepended such as: Unable to bind to server //dcname.domainname when the above is done.

I have verified the domain controllers are accessible via LDAPS on port 636 from the webserver & two other applications formerly using LDAP were successfully migrated to LDAPs with a change of config on the application side.

Any help or pointers in the right direction greatly appreciated.

Edit: osTicket info below:

KevinTheJedi

Lister

Judging by the error it seems you are having trouble with TLS TLS could not be started. @ntozier any thoughts?

Cheers.

ntozier

Can you actually post a screen shot of your ldap plugin config screen?
(feel free to sanitize the data first, and dont hit save)

Are you trying to connect to an LDAP server? Or a Active Directory server?

Lister

ntozier

Trying to connect to active directory. I've attached a copy of the settings as they are with regular LDAP working.

Below is one example of the attempt to swap to LDAPS with TLS box ticket.

Thanks

ntozier

Try either populating the DNS field

with a DNS server that dc01.* will resolve on and see what happens please.
or changing the ldaps:\dc01 to simply its IP address.

Lister

ntozier

I've just changed both servers to their IP addresses & tried with these variations:
ldap://IPAddress
ldaps://IPAddress
IPAddress:636

I've also tried setting the DNS server by IP & retested with FQDNs, same message for both IP & Hostname:
TLS could not be started: Can't contact LDAP server: Unable to bind to server

KevinTheJedi

Lister

Did you update the DNS like he mentioned?

Cheers.

Lister

KevinTheJedi

Hi Kevin, yep second test I mentioned had a local DNS server populated by IP in the "DNS Servers" box.

KevinTheJedi

Lister

As you can see from here:

https://github.com/osTicket/osTicket-plugins/blob/fc089b9339c2a89e293b99be878252f03276cdc7/lib/pear-pear.php.net/net_ldap2/Net/LDAP2.php#L647

The error is thrown when ldap_start_tls() returns false. ldap_start_tls() is a built-in PHP method so maybe do some research on this method to see in what cases it will return false. Maybe you have a self-signed certificate it doesn't like or something.

Cheers.

Lister

KevinTheJedi

I think this is something myself and a colleague had to wrap our heads around when we were first looking at Microsofts intention to encourage the use of secure ldap connections.

From what I've read there are two ways of securing an LDAP connection LDAPS and LDAP over TLS, the second uses the start_tls.
Looking at the php manual the difference between LDAP and LDAPS in php is in the connection string changing ldap:// to ldaps://. Our intention currently is to use LDAPS currently but I think either would work.

I'm going to have a play with some testing after reading this article: https://www.php.net/manual/en/function.ldap-connect.php.

Just to help with my test, am I correct in thinking if I put ldaps:// at the beginning of the sever entry without ticking the TLS box, start tls should not be involved in any way? Would OSTicket also default the connection to port 636 if I put ldaps:// at the start?

Thanks

KevinTheJedi

Lister

Yes, I think it should use ldaps if you prefix it appropriately. I think you still need the port number just to be certain as if not provided I believe we default to 389 (or whatever it is).

Cheers.

Lister

KevinTheJedi

Hi Kevin,

That may be an easier issue to resolve as I think it may just be a formatting issue! I did see a comment in another thread that said the same resolution you suggested fixed it. last post of the below thread:
https://forum.osticket.com/d/96963-error-trying-to-use-ldap-authentication-using-tls-port-636

However when I first tested prior to posting my original message the same layout of ldaps://dc01.domain....:636 seams to format the address incorrectly. I've attached a screenshot displaying the issue.

The ldaps: seams to get cut off and it doesn't mention the port number.

Thanks

KevinTheJedi

Lister

Okay, it could be REGEX issues now that you shared that information. Do you possibly know how to make changes to plugins? If so try changing the auth-ldap/config.php file and changing:

                    if (preg_match('/([^:]+):(\d{1,4})/', $host, $matches))
                        $servers[] = array('host' => $matches[1], 'port' => (int) $matches[2]);

                    if (preg_match('/((ldaps:\/\/)?[^:]+):(\d{1,4})/', $host, $matches))
                        $servers[] = array('host' => $matches[1], 'port' => (int) $matches[3]);

Once you do that save and retest.

If you don't know how:

You can un-phar the plugin with: php -r '$phar = new Phar("/path/to/include/plugins/auth-ldap.phar"); $phar->extractTo("/path/to/include/plugins/auth-ldap");'
Login to the database
Open the ost_plugin table
Change isphar to 0 for the auth-ldap plugin
Change the install_path from auth-ldap.phar to auth-ldap (basically, just remove the .phar part)
Now you can manually make changes to the plugin files

Cheers.

Lister

KevinTheJedi

I did not know how to before your instructions. I will follow those, hope for the best & let you know how it goes

KevinTheJedi

Lister

Okay, the main changes in the above are the full regex statement within the preg_match() and the port $matches changed from 2 to 3.

Cheers.

Lister

KevinTheJedi

With those changes the error message does change to as below:

Would you expect the port number to be missing from that error message?

Thanks

KevinTheJedi

Lister

Depends on what the URL looks like and what the error kicks back. Can you inspect the network requests, etc. to see why it's failing to bind?

Cheers.

Lister

KevinTheJedi

I've just wiresharked the connection between the DC & the webserver, When clicking the save changes button with the same entry as above I'm getting an error Alert (Level: Fatal, Description: Unknown CA).

I can see in a section of the config.php for auth-ldap that there is a do not require cert option when ticking the "TLS" option, but this workaround is not done for LDAPS it appears.

I copied line 174 putenv('LDAPTLS_REQCERT=never'); from config.php and put it right below line 170 as below but get the same error.

KevinTheJedi

Lister

To preface, I am not by any means an LDAP expert (I’m only somewhat familiar with LDAP) but everything I’m reading online says you must have a valid certificate to use LDAPS. Maybe they are wrong but as far as I see it requires one. You may be able to research further online to see how to bypass this.

Cheers.