Problems with using TLS in LDAP-PlugIn

andreas

Hello,

I’m trying

to use TLS in die LDAP Authentication and Lookup PlugIn. This would not work

and I got error TLS

could not be started: Connect error: Unknown Net_LDAP2 Error (-11) If TLS is

unchecked the LDAP connection is working fine. Interesting is the error that is

logged on the LDAP Server (MS AD on W2K12R2): Error, Source: Schannel, EventID:

36887, TLS-Protokoll generates a Warning code 48. For my research this means

that a certificate was submitted and the CA is unknown or untrusted. https://blogs.msdn.microsoft.com/kaushal/2012/10/05/ssltls-alert-protocol-the-alert-codes/

What is going on here? I’m really no specialist in

encryption but this seems to me that the LDAP bind is submitting a certificate

to the AD-LDAP that is not trusted by the AD-LDAP server. IMO this is not necessary

to establish the TLS-Secured LDAP connection. A certificate is only needed on

the LDAP-Server and of course there is one and that should be trusted by

LDAP-Server and Webserver. Even on the Webserver (IIS 8.5) I use a not

selfsigned and trusted certificate for SSL encryption of the osTicket portal.

Maybe the php is using another certificate from installation? (Sorry I’m very

new to php).

I think the AD-LDAP Server is ready to establish

successful TLS-LDAP connection because we already use this with another

Web-Application (tomcat based).

At last some information to the osTicket installation:

osTicket-Version: v1.9.12

(19292ad) — Up to date

Server-Software: Microsoft-IIS/8.5

MySQL-Version: 10.1.13

PHP-Version: 5.3.28

I hope you

can give me any hints to get TLS working.

Kind

regards

Andreas

ntozier

You downloaded the LDAP plugin from osticket.com/download (and clicking on plugins)?You and I appear to have very similar enviornments and this plugin works for me. Perhaps you would like to share how you configured your LDAP plugin?

andreas

Yes I downloaded the LDAP plugin from osticket.com/download

I have some problem when using the "Attach a file" function, this keeps in "Uploading..." state. Copying a screenshot in the textbox end up in too many characters or something like this, so i copied the text from the plugin page, I hope this is readable. Sorry I use the german language plugin so everthing is in german but you should know the fields I think.

Microsoft® Active DirectoryIn diesem Abschnitt sollte alles vorhanden sein, was für Active Directory Domänen erforderlich ist Standard-Domäne: Standard-Domäne zur Authentifizierung und Suche DNS-Server: (optional) DNS servers to query about AD servers. Useful if the AD server is not on the same network as this web server or does not have its DNS configured to point to the AD servers Allgemeine LDAP-KonfigurationNicht erforderlich, wenn Active Directory konfiguriert ist (oben) LDAP-Server: Verwenden Sie "Server" oder "Server". Maximal ein Server pro Zeile TLS could not be started: Connect error: Unknown Net_LDAP2 Error (-11): Verbindung zum Server adns3.net.company.de nicht möglich TLS verwenden: TLS verwenden, um mit dem LDAP Server zu kommunizieren VerbindungsdatenUseful only for information lookups. Not necessary for authentication. NOTE that this data is not necessary if your server allows anonymous searches Suchbenutzer: Bind DN (distinguished name) to bind to the LDAP server as in order to perform searches Passwort: Passwort des DN-Kontos Suchbasis: Wird beim Suchen nach Benutzern verwendet LDAP-Schema:— Automatisch erkennen — Microsoft® Active Directory Posix Account (rfc 2307) Layout der Benutzerdaten im LDAP-Server AuthentifizierungsmodiAuthentication modes for clients and staff members can be enabled independently Agenten-Authentifizierung: Agenten-Authentifizierung aktivieren Benutzer-Authentifizierung: Benutzer-Authentifizierung aktivieren

andreas

Sorry everthing from the Inputboxes is not shown when I send the post.

There is not really much configured. The Name of the Domain, a DNS Server, LDAP Server I left blank, and it gets one from Domainname. Search User is configured with CN and Password (anonymous search is not possible on AD-LDAP). I set LDAP to MS-AD

ntozier

I can't really compare your settings with mine with out the settings.You checked use TLS?Maybe you could try writing a quick and dirty script to see if you can connect?https://pear.php.net/manual/en/package.networking.net-ldap2.connecting.php

andreas

Yes I checked use TLS and the error is:

TLS could not be started: Connect error: Unknown Net_LDAP2 Error (-11)

I would like to try the quick and dirty script to test a TLS Connection, but I fail on my missing php experience. there is a problem with the require_once 'Net/LDAP2.php'; line

PHP Warning: require_once(Net/LDAP2.php): failed to open stream: No such file or directory in C:\inetpub\OSTicket\ldap.php on line 3 PHP Fatal error: require_once(): Failed opening required 'Net/LDAP2.php' (include_path='.;C:\php\pear') in C:\inetpub\OSTicket\ldap.php on line

<?php// Inclusion of the Net_LDAP2 package:require_once 'Net/LDAP2.php';

// The configuration array:$config = array ( 'binddn' => 'CN=Bind_osTicket,OU=Service,OU=Misc,DC=net,DC=company,DC=de', 'bindpw' => 'bindPWD', 'basedn' => 'dc=net,dc=company,dc=de', 'host' => 'adns1.net.company.de', 'starttls' => 'true');

// Connecting using the configuration:$ldap = Net_LDAP2:($config);

// Testing for connection errorif (PEAR:($ldap)) { die('Could not connect to LDAP-server: '.$ldap->getMessage());}?>

ntozier

in the dir where you made the script create a folder called Net. In it put the LDAP2.php from osTicket into it.

andreas

OK, I will do so. Next Problem I cannot find the LDAP2.php anywhere on the webserver or in the osTicket installer files. Where should the file normally be?

ntozier

It's at: \include\plugins\auth-ldap\include\NetIf your using the compressed .phar you will have to unphar it, or use the one I zipped and attached.

[LDAP2.zip](https://forum.osticket.com/assets/files/migrated/FileUpload/8a/19118f77e4cc66dc03fcf79867cc7b.zip)

andreas

I'm using the compressed .phar. I uncompressed it because there where much more missing php files required from ldap2.php that I found in the phar file.

Now the testscript seemed to work, I can see successful logins from the bind-user of the testscript on the DC, what I don't know if the LDAP-Bind was really TLS secured or not. I hope 'starttls' => 'true' Forces the LDAP Client to use TLS and if it doesn't work it will fail and give an error.

OK what to do next? We have found something confusing in php documentation about TLS Support. This should be given at Version 5.4 and later, we are currently using 5.3.28?

https://pear.php.net/package/Net_LDAP2

Dependencies for Net_LDAP2

PHP 5.4 ...

ntozier

Interesting.I've let the devs know. In the mean time I would suggest that you upgrade to 5.4 and see if that helps.https://github.com/osTicket/osTicket/issues/3060

andreas

I upgraded php to 5.6.20, TLS Option in osTicket PlugIn is now checkable and LDAP login is possible.

Note for someone is installing php newer than 5.3 using WPI and IIS 8.5 (W2k12R2) it is necessary to put a dll in systemdir otherwise php will not run, see: http://dave.harris.uno/php-5-6-with-wpi-on-iis-7-5-server-2012/

If php Manager in IIS is used, check for handler mappings in IIS pointing to old php versions!

ntozier

Regarding your note: I didn't have to put a dll in my systemdir to get 5.6.x to run.