can't login with LDAPS on AD without LDAP_TLS_INSECURE=true #4075
Comments
I tried to configure php8.2-fpm as
But it changed nothing
Reading #1922 didn't help
It seems that the server certificate is missing a SAN, so maybe the issue is not related to BookStack.
Just something else to consider, are you sure you want to use
We fixed the problem with the missing SAN, other services run with verified LDAPS. We are switching to LDAPS, and port 389 will be at some point closed.
Just to confirm, have you restarted both nginx and php-fpm since updating the certs? Might also be worth restarting the system to ensure they're fully picked up. Alternatively, you could try interacting with the
Yes, I restarted both at each test.
Is BookStack using the system-wide LDAP client?
From what I can tell, the LDAP extension of PHP uses, and is compiled against, client libraries that handle LDAP abilities. In most cases this is OpenLDAP, and therefore certain configuration can be altered via OpenLDAP config. I did just access one of my Ubuntu systems and noticed this config file is actually at
As I run Debian, I'll check which package holds that file, I don't have it by default.
I have the same issue as yours. I'm using AD LDAPS for other apps as well. It works just fine. Until now, I haven't found any solution yet. It will only work with [LDAP_TLS_INSECURE=true]. I was wondering how we can set up TLS since LDAPS is old...
I'm using BookStack v23.02.2 on Debian 11 with PHP 8.2 using the sury.org repo. LDAPS works perfectly fine for me. My ldap config:
I activated my internal CA certificates on Debian using the command
I'm using Rocky Linux with docker-compose to set up BookStack. Where should I import the DC CA to? On the Linux host /etc/pki/tls? Let me try that out, and I will update later.
I didn't import the certificate, but directly changed the settings below.
AUTH_METHOD=ldap
LDAP_USER_FILTER=(&(sAMAccountName=${user}))
LDAP_EMAIL_ATTRIBUTE=mail
But every time I log in to the system, it has to go twice. The first time showed "An unknown error occured, xxx", and the second time I can successfully sign in. It's very strange. Don't know why.
@jasonyunliang If you're running BookStack in a Docker container, you'll need to be doing any certificate stuff within the container itself, rather than the host.
BookStack will log detail upon this error to its error log file as described here:
@ssddanbrown Thanks for the info. It's really interesting. I removed the container and ran both containers again, then tested the settings below:
LDAP_SERVER=ldap://server.domain.com:389
It worked just fine...
I used tail -f for the laravel.log. The error I got today
Securing LDAP over SSL Safely [Windows Server 2019]
I followed the above YouTube video to set up LDAP over SSL on my DC. Just for reference. Hope it helps.
Now it is not working anymore, even with
@eoli3n Not that I'm aware of. Any changes made to the wider system recently? What is the current error logged or seen?
I just retested to give you logs: it now works and we had a problem on our AD.
Describe the Bug
I configured BookStack to log in with LDAPS on Active Directory, with a certificate produced by a self-signed certificate authority.
The certificate authority is available on the host system, but I can't log in without setting LDAP_TLS_INSECURE=true.
Steps to Reproduce
See https://unix.stackexchange.com/questions/97244/list-all-available-ssl-ca-certificates
LDAP_TLS_INSECURE to true
Expected Behaviour
Log in successful with LDAP_TLS_INSECURE=false
Screenshots or Additional Context
APP_DEBUG log
Browser Details
Firefox on Linux 109.0.1
Exact BookStack Version
v23.01.1
PHP Version
8.2
Hosting Environment
Debian 11 up to date
Mariadb
Nginx with php8.2-fpm
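Added example (not from the thread or from BookStack's code): with LDAP_TLS_INSECURE=false the server certificate has to verify, which needs the issuing CA in the bundle the client reads and a certificate name that matches the host in the LDAPS URL. The script below builds a constructed CA and server certificate and uses the openssl CLI as a stand-in for the LDAP client library to show each condition failing on its own; the names Demo AD CA and dc01.example.test and all function names are assumptions.

```bash
# Added example. All names (Demo AD CA, dc01.example.test) are constructed.

# make_ca DIR NAME: create a throwaway CA (DIR/ca.pem, DIR/ca.key).
make_ca() {
  mkdir -p "$1" || return 1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' \
    'CN=placeholder' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$1/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/req.cnf" \
    -extensions v3_ca -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_server_cert DIR HOST: sign DIR/dc.pem for HOST (CN and SAN) with DIR's CA.
issue_server_cert() {
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" -subj "/CN=$2" \
    -keyout "$1/dc.key" -out "$1/dc.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/dc.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 2 -extfile "$1/san.ext" -out "$1/dc.pem" 2>/dev/null
}

# check_ldaps_cert CA_BUNDLE CERT NAME: print why a verifying client would
# accept or reject CERT when connecting to NAME.
check_ldaps_cert() {
  if ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "untrusted-chain"      # issuing CA is not in the client's bundle
  elif ! openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
    echo "name-mismatch"        # URL host is not among the certificate's names
  else
    echo "ok"
  fi
}

demo() {
  demo_dir=$(mktemp -d) || return 1
  make_ca "$demo_dir/ad" "Demo AD CA" &&
    issue_server_cert "$demo_dir/ad" dc01.example.test &&
    make_ca "$demo_dir/other" "Unrelated CA" || return 1
  ad="$demo_dir/ad"
  echo "AD CA trusted, full name:  $(check_ldaps_cert "$ad/ca.pem" "$ad/dc.pem" dc01.example.test)"
  echo "AD CA missing from bundle: $(check_ldaps_cert "$demo_dir/other/ca.pem" "$ad/dc.pem" dc01.example.test)"
  echo "AD CA trusted, short name: $(check_ldaps_cert "$ad/ca.pem" "$ad/dc.pem" dc01)"
  rm -rf "$demo_dir"
}
demo
```

To apply the same check to a real deployment, pass `check_ldaps_cert` the CA bundle the PHP process reads, the certificate the domain controller presents, and the exact host name from LDAP_SERVER.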