Hello,

I am trying to set up my LDAP server, but after I add the server, it says, "Connection successful, bind failed." under Server Reachable.

When I test the LDAP server configuration, the Test Results are:

TEST RESULT
Binding with DN for non-anonymous search (CN=firstname lastname,OU=organization,DC=company,DC=ca). Using password stored in configuration.
Failed to bind to server. ldap error #-1 Can't contact LDAP server FAIL


The output of the detailed logging is as follows:

TYPE MESSAGE
ldap LDAP ldap_search error. basedn: dc=company,dc=ca| filter: (sAMAccountName=firstname_lastname)| attributes: Array ( ) | errmsg: Can't contact LDAP server| ldap err no: -1|
ldap_server ldap_search() function error. LDAP Error: Can't contact LDAP server, ldap_search() parameters: ldap_search() call: base_dn: dc=company,dc=ca, filter = (sAMAccountName=firstname_lastname), attributes: , attrsonly = 0, sizelimit = 0, timelimit = 0, deref = , scope = 3

I understand this is an LDAP_OPERATIONS_ERROR.

My LDAP server configuration is:

SERVER

  • Name -SERVERNAME
  • Machine name - servername
  • Enabled - True
  • LDAP Server Type - Active Directory
  • Server Address - IPaddress
  • LDAP port - 389
  • Use Start-TLS - False

BINDING METHOD

  • Binding Method for searches - Service Account Bind: Use credentials in the Service Account field below to bind to LDAP
  • DN for non-anonymous search - CN=firstname lastname,OU=organization,DC=company,DC=ca
  • Password for non-anonymous search - password
  • Clear existing password from database - True

USERS

  • Base DNs for LDAP Users, Groups, and Other Entries - dc=company,dc=ca
  • AuthName Attribute - sAMAccountName
  • AccountName Attribute - sAMAccountName
  • Email Attribute - mail
  • Email Template -
  • Persistant and Unique User ID Attribute -
  • Does PUID hold a binary value? - False
  • Expression for User DN -
  • Testing Drupal Username - firstname_lastname
  • DN of Testing Username - CN=firstname lastname,OU=organization,DC=company,DC=ca

All the fields in GROUPS and PAGINATION are either blank or unchecked.

Any ideas on how to debug this? It would be greatly appreciated.

Thank you.

Attachment (comment #8): tcpdump.txt (720 bytes), uploaded by amyli

Comments

amyli created an issue. See original summary.

grahl’s picture

Hi

You should be able to get a successful bind, just with ldap_servers alone and nothing else enabled so I'm ignoring ldap_user for now.

What I found odd in your description is that you had "Clear existing password from database - True". This is not an option one would normally use since clearing the password is only relevant for sites where you want to unset the password in the database for some reason. Setting that checkbox will ignore anything you put into the password field on save.

FYI: I have sometimes noticed a false positive pertaining to a connection when the remote host does not explicitly reject the connection (e.g. local Docker loopback network) so maybe the connection is the issue, too.

  • grahl committed c93edc0 on 8.x-3.x
    Issue #2857418: UX improvement for saved password
    
grahl’s picture

I've pushed a UX improvement for this to the dev branch, no change in behavior.

amyli’s picture

Hi grahl,

Thank you for replying. Yes, I later unchecked the "Clear existing password from database" but the binding still failed.

I did a tcpdump between my Apache web server where my Drupal site is hosted and the LDAP server. Then I tried to test the LDAP server configuration, and I still received the same error. tcpdump showed no talking between the LDAP server and the Drupal site through port 389.

Any advice on how I should proceed or what I should look for?

grahl’s picture

Hi amyli

Thanks for the thorough debugging. Hmm, that's really weird!

I personally have a working setup with a FQDN, localhost as well as 127.0.0.1 directly, so your setup definitely should work. There isn't anything in the field except the IP, correct? No ldap:// or trailing spaces?

Can you locally connect to the LDAP server or is that not an option in your environment? The only thing that comes to mind otherwise is a firewall issue.

amyli’s picture

Yes, I agree it's really weird and I think it might just be a firewall issue too. I've tried only putting the IP and then only putting the hostname.domain. I did not put "ldap://" and I double checked that there are no trailing white spaces.

I will try to locally connect to the LDAP server this afternoon and get back to you on that.

amyli’s picture

Attachment: tcpdump.txt (720 bytes)

I've tried using only the IP and using only a FQDN. There's no "ldap://" or trailing spaces.

Interestingly enough, when I run ldapsearch -x -h serverAddress -p 389 -b "dn" in the command-line, I am able to search successfully and tcpdump shows traffic between the LDAP server and the Apache web server where my Drupal site is hosted.

Please find the attached tcpdump output when I try to test the LDAP server configuration. I apologize for forgetting to attach it on Tuesday.

grahl’s picture

Err, okay that is weird. Could you please try the example here from the LDAP help page to see if you can get it to bind with your configuration in a test.php?

http://php.net/manual/en/function.ldap-bind.php

If that works, could you please share an anonymized version of your ldap_servers yaml configuration?

amyli’s picture

The ldap_bind function failed for me. I guess this is a PHP problem now, not Drupal.

May I ask which PHP packages you are using? I am on CentOS 7 and I installed the following PHP packages:

php56w.x86_64 5.6.30-1.w7 @webtatic
php56w-cli.x86_64 5.6.30-1.w7 @webtatic
php56w-common.x86_64 5.6.30-1.w7 @webtatic
php56w-devel.x86_64 5.6.30-1.w7 @webtatic
php56w-gd.x86_64 5.6.30-1.w7 @webtatic
php56w-intl.x86_64 5.6.30-1.w7 @webtatic
php56w-ldap.x86_64 5.6.30-1.w7 @webtatic
php56w-mbstring.x86_64 5.6.30-1.w7 @webtatic
php56w-mcrypt.x86_64 5.6.30-1.w7 @webtatic
php56w-mysql.x86_64 5.6.30-1.w7 @webtatic
php56w-opcache.x86_64 5.6.30-1.w7 @webtatic
php56w-pdo.x86_64 5.6.30-1.w7 @webtatic
php56w-xml.x86_64 5.6.30-1.w7 @webtatic

I also forgot to mention I attached the output from tcpdump when I test the LDAP server configuration - sorry about that.

grahl’s picture

Good luck trying to narrow this down...

I know that CentOS 7.x with IUS PHP 5.6 as well as macOS homebrew with PHP 7.0 both provide working sets of packages.

The only thing which I know can be tricky on CentOS is TLS, since OpenLDAP will throw exceptions if the certificate chain for a custom CA is not correctly presented.

amyli’s picture

Status: Active » Fixed

grahl!

I am able to bind to the LDAP server successfully now! It turns out SELinux didn't allow the httpd daemon to talk to the LDAP server on the same machine. I ran setsebool -P httpd_can_network_connect on to enable SELinux network connectivity through httpd.

Thank you very much for all your help - I really appreciate it.
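An added example, not from the thread or the ldap module: a small POSIX shell check for the situation described above, where ldapsearch from the web host works but httpd cannot reach the LDAP server. It looks for the SELinux AVC denial in an audit log and reports the httpd_can_network_connect boolean; the audit line, pid and timestamp are constructed for the example.

```shell
#!/bin/sh
# When ldapsearch on the web host succeeds but PHP's ldap_bind() from httpd
# fails with "Can't contact LDAP server", check whether SELinux is denying
# httpd outbound network connections before digging further into LDAP config.

# Return 0 if the audit log given as $1 records an SELinux denial of httpd
# connecting to the LDAP port (name_connect on a ldap_port_t tcp_socket).
httpd_ldap_denied() {
    grep -E 'avc: +denied +[{] *name_connect *[}].*comm="httpd".*ldap_port_t' \
        "$1" >/dev/null 2>&1
}

# Show the boolean that allows httpd to open network connections; on a host
# without SELinux tools (or without SELinux) we can only say so.
report_selinux_state() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool httpd_can_network_connect
    else
        echo "getsebool not available here; run: getsebool httpd_can_network_connect"
    fi
}

# Constructed sample AVC record in the format /var/log/audit/audit.log uses
# (timestamp, serial and pid are made up for the example).
SAMPLE_AUDIT=$(mktemp)
cat >"$SAMPLE_AUDIT" <<'EOF'
type=AVC msg=audit(1490000000.123:456): avc:  denied  { name_connect } for  pid=4321 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
EOF

if httpd_ldap_denied "$SAMPLE_AUDIT"; then
    echo "SELinux blocked httpd -> LDAP (port 389)."
    echo "Fix (persistent): setsebool -P httpd_can_network_connect on"
    report_selinux_state
else
    echo "No httpd -> LDAP AVC denial found in $SAMPLE_AUDIT"
fi
rm -f "$SAMPLE_AUDIT"
```

On a real host, point httpd_ldap_denied at /var/log/audit/audit.log (as root) instead of the constructed sample.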

grahl’s picture

Glad to hear you found the solution :-)

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Freaze_or_burn’s picture

This "setsebool -P httpd_can_network_connect" worked for me as well on CentOS 7.

Wahmed’s picture

#13 worked for me on Red Hat Enterprise Linux 8.6