I followed the steps on Microsoft's site: http://support.microsoft.com/kb/321051 - to set up SSL/TLS on my AD LDAP server. I tested using ldp.exe and it shows it working on port 636. I can telnet to port 636 from my web server. But I cannot get the LDAP authentication portion to test successfully using port 636. Is there anything I need to do on the web server side to get the communication flowing? Any assistance would be great!!!
Comments
Comment #1
clcrush commented: Anyone have any suggestions? I really need to get the password change feature working on my Drupal install.
Comment #2
chicagomom commented: Are you running IIS, Apache, or something else? If IIS, what version?
Can you verify via phpinfo() that you have the ldap dll running on php?
Comment #3
prufrock51 commented: Once you have a certificate on your domain controller, your server has to trust it.
If you are on Linux, review your ldap.conf file and place the exported certificate into a proper directory (on RHEL5, /etc/openldap/cacerts).
Also, you will need adpassword.patch from http://drupal.org/node/339821
Comment #4
clcrush commented: I applied the patch and put the certificate in /etc/openldap/cacerts and the test button still fails for port 636. Here is my /etc/openldap/ldap.conf:
URI ldaps://192.168.66.11/
BASE dc=csaaweb,dc=echo
HOST N01IAW801.csaaweb.echo
PORT 636
TLS_CACERTDIR /etc/openldap/cacert
Everything is pointing to my Active Directory Server.
Comment #5
prufrock51 commented: This can be a number of issues.
To troubleshoot, I would check that I can connect over LDAPS from the web server using the ldapsearch utility.
You can use something like
$ ldapsearch -b 'ou=Users,dc=csaaweb,dc=echo' -D 'binduser@csaaweb.echo' -H 'ldaps://no1iaw801.csaaweb.echo' -W -x
You have to specify the bind user name and password... (-D and -W)
You can get debug info by adding the -d 7 parameter.
If everything works, then it's the settings in the module - maybe your username/password...
If it does not work, maybe firewall, maybe LDAPS is not running on Windows.
You can use the Windows utility LDP to connect from a Windows host over SSL and see if everything works.
Keep in mind, after assigning a certificate to the domain controller, you have to restart.
You also have to restart Apache.
Comment #6
clcrush commented: I ran the ldapsearch command you recommended and at the end I get:
TLS certificate verification: Error, unable to get local issuer certificate
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
LDP.exe connects successfully on the AD server itself and I can telnet to 636 from outside of the AD server.
Comment #7
prufrock51 commented: Try to put this under /etc/openldap/ldap.conf
TLS_REQCERT never
Comment #8
clcrush commented: I went through all the steps and added ADpassword.patch - now when I do the ldapsearch query I get:
Enter LDAP Password:
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
If I do the ldapsearch without ldaps and just ldap it goes through just fine.
Comment #9
clcrush commented: Ok, this is weird.
I got the ldapsearch with LDAPS to work from the command line successfully. I then go into Drupal (after a httpd restart) and into the authentication area of LDAP and I tested the same account and got:
Authentication with the LDAP server failed.
Comment #10
presleyd commented: Must you use SSL instead of TLS? The above worked for me with TLS on port 389.
Comment #11
clcrush commented: Yeah, I have to use SSL. The TLS appears to be working though. But our data security team demands that we use SSL for our Production environment.
Comment #12
presleyd commented: I use SSL for web server traffic to the clients but TLS internally to let the web server talk to the AD domain controllers. If they insist on SSL internally I don't know what to say. TLS is certainly no less secure than homegrown certs and I don't have my domain controllers outside of the firewall anyway.
Comment #13
zbricoleur commented: This sounds a bit like what we went through when we set up ours. If I remember correctly, the problem was that our AD server uses ldaps, not tls. To fix it, I changed this line in includes/LDAP_interface.inc:
to:
As a result, the module now effectively ignores what you specify for the port, so you have to include the port in the server field, e.g., ldaps://dc.example.com:636
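The two fixes in this thread are a "TLS_REQCERT never" line in ldap.conf (#7), which makes the "unknown CA" failure from #6 go away by switching certificate verification off, and an ldaps://host:636 server URI (#13, #16). The following is an added example, not code from the Drupal LDAP module: a stand-alone PHP script that binds over ldaps:// with verification left on, pointing libldap at the domain controller's issuing CA instead of ignoring it, and that reports libldap's diagnostic message when the bind fails. It assumes PHP 7.1 or later with the ldap extension; the host, bind account, CA file path and the LDAP_BIND_PW environment variable are constructed placeholders.

```php
<?php
// Added example (not the module's code): LDAPS bind with certificate
// verification kept on. Host, bind DN, CA path and env var are assumed values.
declare(strict_types=1);

/**
 * Attempt a simple bind over ldaps:// and explain why it failed.
 * Returns ['ok' => bool, 'error' => string, 'diag' => string].
 */
function ldaps_bind_check(string $uri, string $bindDn, string $password, string $caFile): array
{
    // An empty password would turn this into an anonymous bind, which AD
    // accepts, so the "test" would pass without proving anything.
    if ($password === '') {
        return ['ok' => false, 'error' => 'empty bind password refused', 'diag' => ''];
    }
    if (!is_readable($caFile)) {
        return ['ok' => false, 'error' => "CA file not readable: $caFile", 'diag' => ''];
    }

    // Global TLS options (null handle, PHP >= 7.1) have to be set before the
    // connection is opened; otherwise libldap falls back to ldap.conf.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    // DEMAND: verify the server chain and fail hard on an untrusted issuer.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // The port belongs in the URI (ldaps://host:636), as noted in #13.
    $conn = ldap_connect($uri);
    if ($conn === false) {
        return ['ok' => false, 'error' => 'malformed LDAP URI', 'diag' => ''];
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // AD answers searches with referrals; chasing them re-opens connections.
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    $ok = @ldap_bind($conn, $bindDn, $password);
    $diag = '';
    // libldap's extended text, e.g. "certificate verify failed" details.
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    $result = [
        'ok'    => $ok,
        'error' => $ok ? '' : ldap_error($conn),
        'diag'  => (string) $diag,
    ];
    ldap_unbind($conn);
    return $result;
}

// Constructed sample values; replace with your own DC, account and CA file.
$r = ldaps_bind_check(
    'ldaps://dc.example.com:636',
    'binduser@example.com',
    getenv('LDAP_BIND_PW') ?: '',
    '/etc/openldap/cacerts/ad-root-ca.pem'
);
printf("bind %s: %s %s\n", $r['ok'] ? 'succeeded' : 'failed', $r['error'], $r['diag']);
```

Run it as the same user Apache/PHP runs as (LDAP_BIND_PW=... php ldaps-check.php): a bind that succeeds from a root shell but fails here usually means the CA file is not readable by the web server account. If you prefer TLS_CACERTDIR over a single file, note that OpenLDAP built against OpenSSL looks the directory up by hashed file names, so run openssl rehash (or c_rehash) on it after copying the certificate in.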
Comment #14
arthur.duarte commented: I can tell that solution #13 worked like a charm!
I have LDAP running over SSL and this solved my problem, maybe the developers should include this workaround in the next version.
Thank You.
Comment #15
kestes commented: Do you have both ports 389 and 636 open? We are trying to get the SSL working and can only open port 636. Every test we run returns "Authentication with the LDAP server failed." I've made the suggested code change, created the ldap.conf file and put "TLS_REQCERT never" in it. We are using WAMP and I am able to connect to LDAP using ldapsearch on port 636 on the server with no issues.
Comment #16
zbricoleur commented: Just checking that you're specifying the port when you enter the server in the server field?
E.g., ldaps://dc.example.com:636
And make sure you have PHP LDAP service enabled (should be a matter of making sure the 'extension=php_ldap.dll' line is present and uncommented in php.ini).
Comment #17
kestes commented: Yes, everything is set as listed, but I still receive the "Authentication with the LDAP server failed" message.
Comment #18
jpamental commented: Just chiming in:
On a Media Temple DV (CentOS Linux) using D6, using #7 and #13 got me going to connect to an AD server via SSL.
Would be good to have a patch in there to allow check-box selection for SSL instead of just TLS (though would likely have to include a note about the TLS bit in ldap.conf)
Jason
Comment #19
cgmonroe commented: Mostly a duplicate of #1263638: Start-TLS not working with Active Directory
As to SSL / LDAPS usage, both the admin screens (dev version) and the online documentation have been updated with better info on this.