Secure LDAP - LDAPS, port 636

(7 posts) (2 voices)
  1. evilbb9e, Member

    In March, Microsoft's Windows Updates are expected to break insecure LDAP connections, requiring us to move to LDAPS, which we probably all should have done long ago. We've been using the LDAP auth (premium license) for years now, and it's been fine, so this is only about switching protocol.

    I'm not finding any documentation, GUI field, forum post, or defaults.php entry that suggests how to set the port to 636. From looking on github, adLDAP.php does seem like it can support SSL and TLS and STARTTLS and port 636 and all that jazz, but the port number has to be passed as a separate parameter from the hostname and/or those options explicitly set on the connection object, and I don't see how to tell myDBR to do that. I've tried variations of LDAPS://hostname, LDAP://hostname:636, hostname:636, etc. and they all fail in various ways:

    PHP Warning: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in C:\inetpub\wwwroot\btreporting\lib\external\adLDAP\adLDAP.php on line 630
    PHP Warning: ldap_set_option(): supplied argument is not a valid ldap link resource in C:\inetpub\wwwroot\btreporting\lib\external\adLDAP\adLDAP.php on line 634
    PHP Warning: ldap_set_option(): supplied argument is not a valid ldap link resource in C:\inetpub\wwwroot\btreporting\lib\external\adLDAP\adLDAP.php on line 635
    PHP Warning: ldap_set_option(): supplied argument is not a valid ldap link resource in C:\inetpub\wwwroot\btreporting\lib\external\adLDAP\adLDAP.php on line 636

    or

    Bind to Active Directory failed. Check the login credentials and/or server details. AD said: Can't contact LDAP server

  2. myDBR Team, Key Master

    Hi,
    What is the version and build you are using?

    If you are using a version prior to 5.7.4 / build 4044, run the updater and use format "server:port".
    --
    myDBR Team

  3. evilbb9e, Member

    We're currently running myDBR 5.7.4 (build 4005). I'll schedule an update to the latest build# and try again.

  4. evilbb9e, Member

    After auto-updating to 5.7.6 (build 4080), changing the "domain controller" field to a "hostname:636" format (I also tried an IP address + port) and clicking [Test connection] still errors with "Bind to Active Directory failed. Check the login credentials and/or server details. AD said: Can't contact LDAP server". Just in case it was a problem affecting only ad_test.php, I went ahead and changed the setting, logged out, and attempted AD auth: "Cannot connect to Active Directory". I have reverted the configuration change thanks to my &local=1 user.

    No other servers on our network have had trouble switching to use :636. I've installed Softerra LDAP Browser on the same server as our myDBR instance, to verify its ability to connect to :636 and query LDAP, and had no difficulty with ldap://IPADDR:636/ or ldaps://IPADDR:636/.

    What would you suggest trying next? Thanks!

  5. myDBR Team, Key Master

    OK,
    can you try with domain controller setting "ldaps://hostname:636" or "ldaps://ipaddress:636" (ldaps in lower case)?

    If that still does not work, see if the cause of the problem is that your PHP does not recognize the AD certificate. To see if that is the problem, add the following line to user/defaults.php:

    putenv('LDAPTLS_REQCERT=never');

    This will tell PHP ldap to ignore the certificate for now.

    If you can connect after this setting, you need to configure your web server to see the ldap.conf file. The file should contain the config for the server certificate.
    --
    myDBR Team
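
Added example, not myDBR's own configuration and not part of the post above: the diagnostic setting just suggested, placed next to the hardened setting that should replace it once the cause is confirmed. The OpenLDAP client library behind PHP's ldap extension reads its TLS settings from LDAPTLS_* environment variables (or from a file named by LDAPCONF), so a putenv() in user/defaults.php before the first LDAP call applies to every connection myDBR makes. The certificate and config paths are assumptions.

```php
<?php
// user/defaults.php fragment (added example; paths are assumptions).
// The OpenLDAP client reads TLS_* settings from LDAPTLS_* environment
// variables, so these must be set before the first ldap_connect()/ldap_bind().

// --- Diagnostic only: accept any server certificate.
//     Proves the failure is certificate trust, but the bind is then open to
//     an on-path attacker presenting its own certificate. Remove once diagnosed.
// putenv('LDAPTLS_REQCERT=never');

// --- Hardened: trust only the CA chain that issued the domain controller's
//     certificate (export the issuing/root CA from your enterprise CA as PEM).
putenv('LDAPTLS_CACERT=C:\inetpub\certs\ad-root-ca.pem');   // assumed path
putenv('LDAPTLS_REQCERT=demand');   // any verification error aborts the connection

// --- Equivalent using an ldap.conf file instead of per-option variables.
//     LDAPCONF names a file the library always reads; it would contain:
//         TLS_CACERT  C:\inetpub\certs\ad-root-ca.pem
//         TLS_REQCERT demand
// putenv('LDAPCONF=C:\inetpub\certs\ldap.conf');   // assumed path
```

Two caveats when trying this: the client library reads these settings once per process, on first use, so restart the IIS application pool (or the Apache/PHP-FPM workers) after changing them; and with verification on, the host in the domain controller setting must match a name in the DC certificate's Subject Alternative Name, so use the FQDN rather than an IP address unless the IP itself is listed in the SAN.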

  6. evilbb9e, Member

    With the putenv in place (just in case), and with "anything" here meaning either IP or fully-qualified name (I tried both ways):

    [Test Connection] Works:
    anything
    anything:389
    ldap://anything
    ldap://anything:389

    (demonstrating that it can parse the various formats now)

    [Test Connection] Fails (i.e. returns 200 OK with message "Bind to Active Directory failed ... "):
    anything:636
    ldaps://anything
    ldaps://anything:636
    ldaps://anything:389

    (demonstrating that it understands the intent of ldaps://, and that last one indicates that even something like STARTTLS on :389 fails, so it's not just the port# that's the problem)

    Is there a log somewhere that would be helpful? I don't see anything of interest in the Event Viewer, nor in the IIS logfiles. Thanks for your patience!

  7. myDBR Team, Key Master

    Hi,
    The default TCP port for Active Directory is 636, so unless you are using another port, the correct URI is ldaps://anything:636.

    Check the web server error log for errors when you try to connect to the server with "Test connection"-button. (Something like tail -f /var/log/apache2/error.log in Ubuntu).

    You can also bypass myDBR altogether and test the connection with a simple PHP script (do not execute it from the command line; use the web server / browser). Similarly, check the web server logs for entries:

    <?php
    // Standalone LDAPS bind test. Run it through the web server so it uses the
    // same PHP binary, extension and environment as myDBR.
    ini_set('display_errors', 1);
    error_reporting(E_ALL);
    try {
        $uri      = "ldaps://yourserver:636";
        $username = 'user@ad.yourcompany.com';
        $password = 'pass';
        // Verbose OpenLDAP client debugging; the output lands in the web server error log
        ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
        $conn = ldap_connect($uri);
        if ($conn) {
            ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 10);
            if (!ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3)) {
                print "Failed to set ldap protocol to version 3\n";
            }
            ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
            $ldapBind = ldap_bind($conn, $username, $password);
            if ($ldapBind) {
                echo "LDAP bind successful...";
                ldap_unbind($conn);
            } else {
                // ldap_error() returns the library's reason, e.g. "Can't contact LDAP server"
                echo "LDAP bind failed: " . ldap_error($conn);
            }
        }
    } catch (Exception $e) {
        print($e->getMessage());
    }
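
Added example, not from the thread and not myDBR or adLDAP code: a probe that exercises only the TLS layer of the LDAPS endpoint, without the LDAP library. It connects once with verification off and once with verification on against the CA file, so a "Can't contact LDAP server" from the bind test above can be classified as port/firewall, untrusted issuer, or hostname mismatch, and it prints what the domain controller actually presented. Host name, port and CA path are placeholders.

```php
<?php
// Added example: TLS probe for an LDAPS endpoint. Run through the web server
// so it uses the same PHP and OpenSSL as the application.
// Host, port and CA path are assumptions; replace with your own values.
$host   = 'dc01.ad.yourcompany.com';
$port   = 636;
$cafile = 'C:\inetpub\certs\ad-root-ca.pem';   // PEM bundle of the issuing CA chain

// Open a TLS session to $host:$port. With $verify=true the peer certificate
// must chain to $cafile and carry $host in its SAN/CN; with $verify=false
// we accept anything so that we can at least read what was presented.
function probe_ldaps(string $host, int $port, ?string $cafile, bool $verify): array
{
    $ssl = [
        'verify_peer'       => $verify,
        'verify_peer_name'  => $verify,
        'peer_name'         => $host,   // name checked against the cert and sent as SNI
        'capture_peer_cert' => true,
    ];
    if ($verify && $cafile !== null) {
        $ssl['cafile'] = $cafile;
    }
    $ctx = stream_context_create(['ssl' => $ssl]);
    error_clear_last();
    $errno = 0;
    $errstr = '';
    $fp = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        // The handshake failure reason arrives as a warning, not in $errstr
        $last = error_get_last();
        return ['ok' => false, 'error' => trim($errstr . ' ' . ($last['message'] ?? ''))];
    }
    $params = stream_context_get_params($fp);
    $cert   = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    fclose($fp);
    return [
        'ok'      => true,
        'subject' => $cert['subject']['CN'] ?? '',
        'issuer'  => $cert['issuer']['CN'] ?? '',
        'sans'    => $cert['extensions']['subjectAltName'] ?? '(none)',
        'expires' => date('c', $cert['validTo_time_t']),
    ];
}

$loose  = probe_ldaps($host, $port, null, false);
$strict = probe_ldaps($host, $port, $cafile, true);

if (!$loose['ok']) {
    echo "TLS to $host:$port failed even without verification: {$loose['error']}\n";
    echo "Check the port, the firewall, and that the DC has a server certificate installed.\n";
} elseif (!$strict['ok']) {
    echo "TLS works, but the certificate is not trusted or does not match the name: {$strict['error']}\n";
    echo "Presented: CN={$loose['subject']} issuer={$loose['issuer']} SAN={$loose['sans']}\n";
    echo "Fix: point the LDAP client at the issuing CA (TLS_CACERT) and connect by a name listed in the SAN.\n";
} else {
    echo "LDAPS certificate verified: CN={$strict['subject']} issuer={$strict['issuer']} expires {$strict['expires']}\n";
}
```

If the loose probe succeeds but the strict one fails, the PHP LDAP test above will behave the same way whether the domain controller field holds an IP or a name: the fix is on the trust side (CA file and SAN), not in the URI format.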

