LDAPS issue, Unable to bind to LDAP server #16823

Closed
2 tasks done
s0p4L1n3 opened this issue Mar 25, 2024 · 4 comments

@s0p4L1n3

Version

10.0.14

Bug description

Hello,

I'm trying to configure GLPI LDAPS binding against my Microsoft Active Directory, but I'm stuck at the moment.
I'm testing on my GLPI Docker (production) and on a GLPI binary install on a Linux server (test server) to see the difference.

I have correctly deployed the DC certificate on the server side to the Personal and NTDS/Personal stores.
I have deployed the SUB/ROOT CAs to the Docker container / Linux trust stores and ca-certificate-updates.

On both the Linux and Docker GLPI servers I did an ldapsearch, which succeeded:

ldapsearch -LLL -x -v -H ldaps://srvad.enterprise.it.paris.lan -b 'dc=enterprise,dc=it,dc=paris,dc=lan' -D 'ENTERPRISE\ro_glpi' -W '(sAMAccountName=ro_glpi)'

I tried to play with php.ini also without success.

If I use LDAP with StartTLS, it is working.

Enterprise policy does not allow Anonymous Logon, so choosing 'No' for Use Bind is not working in my case.

What's wrong with LDAPS on GLPI? Certs are OK; we configured it so it does not verify the certs.

We are also using another IT solution (Netbox) with LDAPS binding and it is working.

Relevant log output

==> /var/www/html/glpi/files/_log/php-errors.log <==
PHP User Warning (512): Unable to bind to LDAP server `srvad.enterprise.it.paris.lan` with RDN `ro_glpi@enterprise.it.paris.lan`
error: Can't contact LDAP server (-1) in /var/www/html/glpi/src/AuthLDAP.php at line 3194
  Backtrace:
  src/AuthLDAP.php:3194                             trigger_error()
  src/AuthLDAP.php:1666                             AuthLDAP::connectToServer()
  front/authldap.form.php:84                        AuthLDAP::testLDAPConnection()
  public/index.php:82                               require()

Your GLPI setup information

GLPI LDAP conf webUI:

[LDAP directory]
name: srvad
default server: yes
active: yes
Port: 636
Connection filter: template one for windows AD
BaseDN=dc=enterprise,dc=it,dc=paris,dc=lan
Use binding: yes
DN Account: ro_glpi@dc=enterprise,dc=it,dc=paris,dc=lan
login field: samaccountname
synchronize field: objectguid

[advanced information]

  • ldap.conf
TLS_CACERT path_to_certca.pem
TLS_REQCERT never
  • php.ini
[curl]
curl.cainfo=path_to_certca.pem
[openssl]
openssl.cafile=path_to_certca.pem

@cedric-anne
Member

Enterprise policy does not allow Anonymous Logon, so choosing 'No' for Use Bind is not working in my case.

Did you try to set this option to No? It will still trigger a certificate binding, so it may not be considered an anonymous logon.

Contributor

This issue has been closed as we only track bugs here.

You can get community support on forums or you can consider taking a subscription to get professional support.
You can also contact GLPI editor team directly.

@s0p4L1n3
Author

Enterprise policy does not allow Anonymous Logon, so choosing 'No' for Use Bind is not working in my case.

Did you try to set this option to No? It will still trigger a certificate binding, so it may not be considered an anonymous logon.

@cedric-anne If I set it to No, the Test menu returns a successful test, but I don't see any traffic in Wireshark; I wonder what the test actually does?

To my knowledge, LDAP binding, for most solutions, is used to authenticate against AD.
The S in LDAPS means the channel is encrypted so the password is not sent in plain text. It is independent from binding.
If I set Binding to No, it will just try to bind/authenticate without any credentials, meaning anonymous logon/binding.

I will use LDAP with Starttls... as I can bind with credentials.

Another thing: I just tested (on the GLPI server) with the basic PHP functions and it is working, so why does GLPI's PHP code fail when I choose Bind Yes?

In my opinion, it looks like AuthLDAP needs a review, because LDAPS + binding (user + password) is not working.

<?php

// using ldap bind
$ldaprdn  = 'ro_glpi';     // ldap rdn or dn
$ldappass = 'password';  // associated password

// connect to ldap server
$ldapconn = ldap_connect("ldaps://srvad.enterprise.it.paris.lan")
    or die("Could not connect to LDAP server.");

if ($ldapconn) {

    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...";
    } else {
        echo "LDAP bind failed...";
    }

}

?>
php test.php
LDAP Bind successful

@s0p4L1n3
Author

@cedric-anne Hello, I found the problem.

  • Not working LDAPS configuration
  [image]
  • Working LDAPS configuration
  [image]

It was written from the start in the GLPI documentation, but my eyes did not see it:

GLPI can connect to an LDAP directory through an LDAPS connection. To enable this, prefix your server field with ldaps:// and change the port to the LDAPS one of your LDAP directory (default 636).

Why do we have to specify the protocol ldaps:// in the server field when we are already setting the port field to 636?
And then why don't we need to specify ldap:// when the default port is 389?

I propose different fixes:

  • Add a condition in the code that checks if the user configures port 636 but did not write ldaps:// in the server field, then a detailed error log informs the user.

  • Change the field description Server to something like this

  [image]
  • Edit LDAP configuration interface:
    • replace the port field with an LDAP / LDAPS selection button
    • (depending on the choice, it will pre-fill the server field with ldaps:// and port 636 or the default ldap and 389)
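The URI construction behind the failure and the validation proposed in the first bullet, as an added PHP example that is not GLPI's code; the host name, account, password and CA path are placeholders based on the issue, and verification is done against the deployed CA chain rather than TLS_REQCERT never:

```php
<?php
// Added example (not GLPI's code): turns the "Server" field and port into the URI
// php-ldap will dial and adds the check proposed in the thread. A bare host name
// is dialled as plain ldap://, so host + port 636 sends cleartext LDAP to the TLS
// port, which is what "Can't contact LDAP server (-1)" looks like from PHP.
// Host, account, password and CA path are placeholders based on the issue.

function buildLdapUri(string $server, int $port): array
{
    $server = trim($server);
    $parts  = parse_url($server);
    if (!isset($parts['scheme'])) {
        if ($port === 636) {   // the misconfiguration from the issue
            return [null, "port 636 is the LDAPS port but '$server' has no ldaps:// prefix"];
        }
        return ["ldap://$server:$port", null];
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme === 'ldap' && $port === 636) {
        return [null, "ldap:// with port 636: use ldaps:// or port 389 with StartTLS"];
    }
    return ["$scheme://{$parts['host']}:" . ($parts['port'] ?? $port), null];
}

function testLdapsBind(string $server, int $port, string $dn, string $pw, string $ca): string
{
    [$uri, $problem] = buildLdapUri($server, $port);
    if ($uri === null) {
        return "configuration error: $problem";
    }
    // Verify the DC certificate against the deployed CA chain rather than
    // TLS_REQCERT never; TLS options must be set before the first operation.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $ca);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    $conn = ldap_connect($uri);
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0); // do not chase AD referrals
    if (@ldap_bind($conn, $dn, $pw)) {
        return "bind OK via $uri";
    }
    return sprintf('bind failed via %s: %s (%d)', $uri, ldap_error($conn), ldap_errno($conn));
}

$ca = '/usr/local/share/ca-certificates/enterprise-ca.crt'; // placeholder path
foreach ([['srvad.enterprise.it.paris.lan', 636], ['ldaps://srvad.enterprise.it.paris.lan', 636]] as [$srv, $port]) {
    echo testLdapsBind($srv, $port, 'ro_glpi@enterprise.it.paris.lan', 'password', $ca), PHP_EOL;
}
```

The first entry is refused by the proposed check before any connection is made; the second is the working configuration from the screenshot.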
