LDAP Authentication & Lookup Not Working with TLS to AD

rblake · Aug 8, 2023

We have an on-premise Active Directory setup and have been using LDAPS for quite some time. During an internal audit, we were made aware that osTicket was still using insecure LDAP to port 389. Would it be possible to configure the plugin to have a box for "TLS" under the Microsoft Active Directory heading that enables LDAPS and uses port 636 instead of 389?

Edit: I should also include that I tried using LDAPS by specifying the servers and ports then checking the use TLS option, but that doesn't work, either. It's not able to bind to the server.

This is the error message I see when I try that method:
AH01071: Got error 'PHP message: PHP Fatal error: Uncaught TypeError: ldap_close(): Argument #1 ($ldap) must be of type LDAP\\Connection, bool given in phar:///var/www/html/include/plugins/auth-ldap.phar/include/Net/LDAP2.php:701\nStack trace:\n#0 phar:///var/www/html/include/plugins/auth-ldap.phar/include/Net/LDAP2.php(701): ldap_close()\n#1 /var/www/html/include/pear/PEAR.php(755): Net_LDAP2->_Net_LDAP2()\n#2 [internal function]: _PEAR_call_destructors()\n#3 {main}\n thrown in phar:///var/www/html/include/plugins/auth-ldap.phar/include/Net/LDAP2.php on line 701', referer:

Using the latest plugin 0.6.2.

KevinTheJedi · Aug 8, 2023

rblake

Try to use ldaps://hostname:636 instead.

Cheers.

rblake · Aug 9, 2023

KevinTheJedi So I have Default Domain entered with our AD domain, DNS server is our PDC, and I entered in ldaps://HostnameOfDC.fqdn:636 along with the search user, password, search base, and LDAP schema is set to Active Directory.

Error message:
TLS could not be started: Can't contact LDAP server: Unable to bind to server //HostnameOfDC.fqdn:636

Edit: Forgot to include the log details from the server:
AH01071: Got error 'PHP message: PHP Fatal error: Uncaught TypeError: ldap_close(): Argument #1 ($ldap) must be of type LDAP\\Connection, bool given in phar:///var/www/html/include/plugins/auth-ldap.phar/include/Net/LDAP2.php:701\nStack trace:\n#0 phar:///var/www/html/include/plugins/auth-ldap.phar/include/Net/LDAP2.php(701): ldap_close()\n#1 /var/www/html/include/pear/PEAR.php(755): Net_LDAP2->_Net_LDAP2()\n#2 [internal function]: _PEAR_call_destructors()\n#3 {main}\n thrown in phar:///var/www/html/include/plugins/auth-ldap.phar/include/Net/LDAP2.php on line 701', referer:

KevinTheJedi · Aug 9, 2023

rblake

Yea it can't connect to your AD for some reason. Maybe an issue with LDAPS specifically but we don't have time to test this at all; nor do i have an AD instance where LDAPS is enabled. So if you find anything please let us know!

Cheers.

rblake · Aug 10, 2023

Hi @KevinTheJedi,

I did a packet capture and I see that it's requesting to elevate to TLS over port 389 instead of using port 636. So it's technically secure, just mis-reported as not by our internal auditors.

Configuration should look like this:

Default Domain: Enter AD Domain (e.g. yourdomain.com)
DNS Server: Enter in DNS server for AD (e.g. 10.1.1.1)
LDAP Servers: Enter in Domain Controllers as FQDN with no ports or anything else (e.g. YourDC.yourdomain.tld)
Check "Use TLS"
Search User: Use distinguishedName (e.g. CN=Something,OU=Something...,DC=yourdomain,DC=tld)
Password: The password of the search user
Search Base: The OU with all the users (e.g. OU=OurUsers,DC=yourdomain,DC=tld)
LDAP Schema: Select Microsoft Active Directory
Authentication Modes: Pick what you'd like, I checked for both

Hope this helps someone else who may run into the same problem with their auditors.