Unable to configure LDAPS with Active Directory
Try either:
- populating the DNS field with a DNS server that dc01.* will resolve on and see what happens please,
- or changing ldaps://dc01 to simply its IP address.
I've just changed both servers to their IP addresses and tried these variations:
- ldap://IPAddress
- ldaps://IPAddress
- IPAddress:636
I've also tried setting the DNS server by IP and retested with FQDNs; same message for both IP and hostname:
TLS could not be started: Can't contact LDAP server: Unable to bind to server
Hi Kevin, yep, the second test I mentioned had a local DNS server populated by IP in the "DNS Servers" box.
As you can see from here: the error is thrown when ldap_start_tls() returns false. ldap_start_tls() is a built-in PHP method, so maybe do some research on this method to see in what cases it will return false. Maybe you have a self-signed certificate it doesn't like or something.
Cheers.
I think this is something myself and a colleague had to wrap our heads around when we were first looking at Microsoft's intention to encourage the use of secure LDAP connections.
From what I've read there are two ways of securing an LDAP connection, LDAPS and LDAP over TLS; the second uses start_tls.
Looking at the PHP manual, the difference between LDAP and LDAPS in PHP is in the connection string, changing ldap:// to ldaps://. Our intention is to use LDAPS, but I think either would work.
I'm going to have a play with some testing after reading this article: https://www.php.net/manual/en/function.ldap-connect.php.
Just to help with my test, am I correct in thinking that if I put ldaps:// at the beginning of the server entry without ticking the TLS box, start tls should not be involved in any way? Would OSTicket also default the connection to port 636 if I put ldaps:// at the start?
Thanks
Yes, I think it should use ldaps if you prefix it appropriately. I think you still need the port number just to be certain, as if it is not provided I believe we default to 389 (or whatever it is).
Cheers.
Hi Kevin,
That may be an easier issue to resolve, as I think it may just be a formatting issue! I did see a comment in another thread that said the same resolution you suggested fixed it, the last post of the thread below:
https://forum.osticket.com/d/96963-error-trying-to-use-ldap-authentication-using-tls-port-636
However, when I first tested prior to posting my original message, the same layout of ldaps://dc01.domain....:636 seems to format the address incorrectly. I've attached a screenshot displaying the issue.
The ldaps: seems to get cut off and it doesn't mention the port number.
Thanks
Okay, it could be REGEX issues now that you shared that information. Do you possibly know how to make changes to plugins? If so, try editing the auth-ldap/config.php file and changing:

    if (preg_match('/([^:]+):(\d{1,4})/', $host, $matches))
        $servers[] = array('host' => $matches[1], 'port' => (int) $matches[2]);

to

    if (preg_match('/((ldaps:\/\/)?[^:]+):(\d{1,4})/', $host, $matches))
        $servers[] = array('host' => $matches[1], 'port' => (int) $matches[3]);

Once you do that, save and retest.

If you don't know how:
- You can un-phar the plugin with:
    php -r '$phar = new Phar("/path/to/include/plugins/auth-ldap.phar"); $phar->extractTo("/path/to/include/plugins/auth-ldap");'
- Login to the database
- Open the ost_plugin table
- Change isphar to 0 for the auth-ldap plugin
- Change the install_path from auth-ldap.phar to auth-ldap (basically, just remove the .phar part)
- Now you can manually make changes to the plugin files
Cheers.
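To see what the two patterns from the post above actually do to a server entry, here is an added PHP example (not the auth-ldap plugin's own code) that runs both regexes over a few constructed entries. The host name dc01.domain.local is a placeholder; the function, constant names and sample entries are mine. Because `[^:]+` cannot cross the colon in `ldaps:`, the original pattern can only start matching after it, so the scheme is dropped and the host comes back as `//dc01.domain.local`, which is the truncated value the screenshot in this thread describes; the amended pattern keeps the scheme. The example also shows two things the patch does not cover: an `ldap://` prefix still loses its scheme, and an entry without an explicit port never matches, which is why the port has to be typed out.

```php
<?php
// Added example, not the auth-ldap plugin's own code: compares the plugin's
// original host:port regex with the amended one from the post above.
// dc01.domain.local is a placeholder host name.

// Original pattern quoted in the post above.
const ORIGINAL_PATTERN = '/([^:]+):(\d{1,4})/';
// Amended pattern from the post above; note it only tolerates an ldaps:// prefix.
const AMENDED_PATTERN  = '/((ldaps:\/\/)?[^:]+):(\d{1,4})/';

/**
 * Split one "host:port" entry the way the plugin does, with the given pattern.
 * $portGroup is the capture group holding the port (2 originally, 3 amended).
 * Returns ['host' => ..., 'port' => ...], or null when nothing matched, which
 * is the case where the plugin falls back to its default port.
 */
function parse_server_entry(string $entry, string $pattern, int $portGroup): ?array
{
    if (preg_match($pattern, $entry, $m)) {
        return ['host' => $m[1], 'port' => (int) $m[$portGroup]];
    }
    return null;
}

// Constructed sample entries, in the forms discussed in this thread.
$entries = [
    'dc01.domain.local:636',
    'ldaps://dc01.domain.local:636',
    'ldap://dc01.domain.local:389',
    'ldaps://dc01.domain.local',       // no port given
];

foreach ($entries as $entry) {
    $orig = parse_server_entry($entry, ORIGINAL_PATTERN, 2);
    $new  = parse_server_entry($entry, AMENDED_PATTERN, 3);
    printf("%-30s original => %-32s amended => %s\n",
        $entry,
        $orig ? $orig['host'] . ' port ' . $orig['port'] : '(no match, default port)',
        $new  ? $new['host']  . ' port ' . $new['port']  : '(no match, default port)');
}
```

Run with `php parse-entry.php` (any file name). For `ldaps://dc01.domain.local:636` the original pattern yields host `//dc01.domain.local`, the amended one `ldaps://dc01.domain.local`, both with port 636; `ldap://dc01.domain.local:389` still comes back as `//dc01.domain.local` under both, and the entry without a port matches neither. One caveat on the amended pattern as posted: `\d{1,4}` will not parse a five-digit port, which does not matter for 636 or 3269 but would for a non-standard listener.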
I did not know how to before your instructions. I will follow those, hope for the best, and let you know how it goes.
Okay, the main changes in the above are the full regex statement within the preg_match() and the port $matches index changed from 2 to 3.
Cheers.
With those changes the error message does change to the one below:
Would you expect the port number to be missing from that error message?
Thanks
Depends on what the URL looks like and what the error kicks back. Can you inspect the network requests, etc. to see why it's failing to bind?
Cheers.
I've just Wiresharked the connection between the DC and the web server. When clicking the save changes button with the same entry as above I'm getting an error: Alert (Level: Fatal, Description: Unknown CA).
I can see in a section of config.php for auth-ldap that there is a "do not require cert" option when ticking the "TLS" option, but this workaround is not done for LDAPS, it appears.
I copied line 174, putenv('LDAPTLS_REQCERT=never');, from config.php and put it right below line 170 as below, but get the same error.
To preface, I am not by any means an LDAP expert (I’m only somewhat familiar with LDAP) but everything I’m reading online says you must have a valid certificate to use LDAPS. Maybe they are wrong but as far as I see it requires one. You may be able to research further online to see how to bypass this.
Cheers.
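The "Unknown CA" alert captured above is the web server's LDAP library refusing the DC's certificate because the CA that issued it is not in the client's trust store. The fix a practitioner would want is to trust that CA rather than to switch verification off: `LDAPTLS_REQCERT=never` makes the client accept any certificate from any host, so the bind password in the ticket system's service account could be captured by anyone who can put themselves between the web server and the DC. The following is an added PHP example, not code from osTicket or the auth-ldap plugin, showing an ldaps:// bind with verification kept on against the domain's own CA, and how to pull the real TLS failure reason out of libldap instead of the bare "Can't contact LDAP server". Assumptions: PHP 7.1 or later (the `ldap_set_option(null, ...)` global form and `LDAP_OPT_DIAGNOSTIC_MESSAGE`), an OpenLDAP-based ldap extension, and placeholder values for the host, CA file path, bind DN and the `LDAP_BIND_PASSWORD` environment variable.

```php
<?php
// Added example, not from osTicket or the auth-ldap plugin: bind over ldaps://
// with certificate verification kept on, trusting the domain's CA instead of
// setting LDAPTLS_REQCERT=never. Host, CA path and bind DN are placeholders.

$server = 'ldaps://dc01.domain.local:636';
$caFile = '/etc/ssl/certs/domain-root-ca.pem';   // the AD CA's certificate, PEM format
$bindDn = 'CN=svc-osticket,OU=Service Accounts,DC=domain,DC=local';
$bindPw = getenv('LDAP_BIND_PASSWORD') ?: '';

// libldap reads LDAPTLS_* environment variables (and ldap.conf) when it is
// initialised on the first ldap_* call in the process, so an env-based setting
// must be made before ldap_connect(); a putenv() placed after the connection
// already exists is too late, which is one reason a copied putenv() line can
// appear to do nothing.
putenv('LDAPTLS_CACERT=' . $caFile);

// Library-wide equivalent via ldap_set_option(null, ...), PHP 7.1+: demand a
// certificate chain that validates against our CA, rather than disabling checks.
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

$ds = ldap_connect($server);                     // no socket is opened yet
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);     // AD returns referrals; do not chase them

// The TLS handshake runs on the first operation, so a certificate problem
// surfaces here, not at ldap_connect().
if (@ldap_bind($ds, $bindDn, $bindPw)) {
    echo "Bound to $server with a verified certificate chain\n";
} else {
    // ldap_error() only reports "Can't contact LDAP server"; the diagnostic
    // message carries the TLS layer's reason, typically
    // "unable to get local issuer certificate" when the CA is not trusted.
    $diag = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    fwrite(STDERR, sprintf("bind failed: %s (%s)\n",
        ldap_error($ds), $diag !== '' ? $diag : 'no diagnostic message'));
}
ldap_unbind($ds);
```

Before touching PHP, check the chain from the web server itself with `openssl s_client -connect dc01.domain.local:636 -CAfile /etc/ssl/certs/domain-root-ca.pem`; a "Verify return code: 0 (ok)" there means the CA file is right and any remaining failure is in the PHP configuration, while a self-signed or internally issued DC certificate with no exported CA will keep failing verification until that CA is exported and installed.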