I followed the steps on Microsoft's site: http://support.microsoft.com/kb/321051 - to set up SSL/TLS on my AD LDAP server. I tested using ldp.exe and it shows it working on port 636. I can telnet to port 636 from my web server. But I cannot get the LDAP authentication portion to test successfully using port 636. Is there anything I need to do on the web server side to get the communication flowing? Any assistance would be great!!!

Comments

clcrush’s picture

Any one have any suggestions? I really need to get the password change feature working on my Drupal install.

chicagomom’s picture

Are you running IIS, Apache, or something else? If IIS, what version?

Can you verify via phpinfo() that you have the ldap dll running on php?

prufrock51’s picture

Once you have a certificate on your domain controller, your server has to trust it.
If you are on Linux, review your ldap.conf file and place the exported certificate into the proper directory (on RHEL5, /etc/openldap/cacerts).
Also, you will need adpassword.patch from http://drupal.org/node/339821

clcrush’s picture

I applied the patch and put the certificate in /etc/openldap/cacerts and the test button still fails for port 636. Here is my /etc/openldap/ldap.conf:

URI ldaps://192.168.66.11/
BASE dc=csaaweb,dc=echo
HOST N01IAW801.csaaweb.echo
PORT 636
TLS_CACERTDIR /etc/openldap/cacert

Everything is pointing to my Active Directory Server.

prufrock51’s picture

This can be a number of issues.
To troubleshoot, I would check that I can connect over LDAPS from the web server using the ldapsearch utility.
You can use something like:
$ ldapsearch -b 'ou=Users,dc=csaaweb,dc=echo' -D 'binduser@csaaweb.echo' -H 'ldaps://no1iaw801.csaaweb.echo' -W -x
You have to specify the bind user name and password (-D and -W).
You can get debug info by adding the -d 7 parameter.

If everything works, then it's the settings in the module - maybe your username/password...
If it does not work, maybe it's the firewall, or maybe LDAPS is not running on Windows.
You can use the Windows utility LDP to connect from a Windows host over SSL and see if everything works.

Keep in mind, after assigning a certificate to the domain controller, you have to restart.
You also have to restart Apache.

clcrush’s picture

I ran the ldapsearch command you recommended and at the end I get:

TLS certificate verification: Error, unable to get local issuer certificate
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

LDP.exe connects successfully on the AD server itself and I can telnet to 636 from outside of the AD server.

prufrock51’s picture

Try putting this in /etc/openldap/ldap.conf:
TLS_REQCERT never

clcrush’s picture

I went through all the steps and added ADpassword.patch - now when I do ldapsearch query I get:

Enter LDAP Password:
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

If I do the ldapsearch without ldaps and just ldap it goes through just fine.

clcrush’s picture

Ok, this is weird.

I got the ldapsearch with LDAPS to work from the command line successfully. I then go into Drupal (after a httpd restart) and into the authentication area of LDAP and I tested the same account and got:

Authentication with the LDAP server failed.

presleyd’s picture

Must you use SSL instead of TLS? The above worked for me with TLS on port 389.

clcrush’s picture

Yeah, I have to use SSL. The TLS appears to be working though. But our data security team demands that we use SSL for our Production environment.

presleyd’s picture

I use SSL for web server traffic to the clients but TLS internally to let the web server talk to the AD domain controllers. If they insist on SSL internally I don't know what to say. TLS is certainly no less secure than homegrown certs and I don't have my domain controllers outside of the firewall anyway.

zbricoleur’s picture

This sounds a bit like what we went through when we set up ours. If I remember correctly, the problem was that our AD server uses ldaps, not tls. To fix it, I changed this line in includes/LDAP_interface.inc:

if (!$con = ldap_connect($this->server, $this->port)) {

to:

if (!$con = ldap_connect($this->server)) {

As a result, the module now effectively ignores what you specify for the port, so you have to include the port in the server field, e.g., ldaps://dc.example.com:636
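The two fixes in this thread, the ldaps:// URI workaround above and the earlier "TLS_REQCERT never" line, can be combined without turning certificate checking off. The following helper is an added example, not the module's code: it always builds a URI (so the port is honoured whether or not the server field already carries one), pins the client to the exported domain-controller CA, and demands a valid chain. The CA path, host and bind account are assumed values.

```php
<?php
// Added example (not the LDAP module's code). Builds an LDAP connection from the
// module's "server" and "port" fields so an ldaps:// URI keeps its port, while
// keeping server-certificate verification ON instead of using TLS_REQCERT never.
// $ca_file: assumed path to the exported domain-controller CA certificate (PEM).
function ldap_connect_verified(string $server, int $port, string $ca_file)
{
    // TLS options are global and must be set before ldap_connect() (PHP >= 7.1).
    if (!ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $ca_file)) {
        throw new RuntimeException("cannot set CA file $ca_file");
    }
    // "TLS_REQCERT never" corresponds to LDAP_OPT_X_TLS_NEVER and accepts any
    // certificate; DEMAND makes an untrusted issuer a hard failure instead.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // Normalise to a URI: a bare hostname from the server field becomes ldap://host:port,
    // and a URI without an explicit port gets the port field appended. This keeps the
    // port field meaningful, unlike the one-argument ldap_connect() workaround.
    if (!preg_match('#^ldaps?://#i', $server)) {
        $uri = "ldap://$server:$port";
    } elseif (!preg_match('#^ldaps?://[^/:]+:\d+#i', $server)) {
        $uri = rtrim($server, '/') . ":$port";
    } else {
        $uri = $server;
    }
    $con = ldap_connect($uri);          // only validates the URI; no network I/O yet
    if ($con === false) {
        throw new RuntimeException("ldap_connect rejected URI $uri");
    }
    ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($con, LDAP_OPT_REFERRALS, 0);   // AD referrals break simple binds

    // Plain ldap:// must be upgraded with STARTTLS before any bind so the
    // password never crosses the wire in clear; ldaps:// is already encrypted.
    if (stripos($uri, 'ldaps://') !== 0 && !ldap_start_tls($con)) {
        throw new RuntimeException('STARTTLS failed: ' . ldap_error($con));
    }
    return $con;
}

// Usage with assumed values. A chain that does not validate surfaces here as
// "Can't contact LDAP server (-1)", the same message ldapsearch printed above.
$pw = getenv('LDAP_BIND_PW');
if ($pw === false || $pw === '') {
    exit("LDAP_BIND_PW not set (an empty password would be an anonymous bind to AD)\n");
}
$con = ldap_connect_verified('ldaps://dc.example.com', 636, '/etc/openldap/cacerts/ad-ca.pem');
if (!@ldap_bind($con, 'binduser@example.com', $pw)) {
    fwrite(STDERR, 'bind failed: ' . ldap_error($con) . "\n");
}
```

If the bind still fails with "certificate verify failed" once the CA file is in place, the exported certificate is not the issuer of the domain controller's certificate (or the file is not PEM); the CA is what needs to be trusted, not the server certificate itself.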

arthur.duarte’s picture

I can tell that solution #13 worked like a charm!

I have LDAP running over SSL and this solved my problem, maybe the developers should include this workaround in the next version.

Thank You.

kestes’s picture

Do you have both ports 389 and 636 open? We are trying to get the SSL working and can only open port 636. Every test we run returns "Authentication with the LDAP server failed." I've made the suggested code change, created the ldap.conf file and put "TLS_REQCERT never" in it. We are using WAMP and I am able to connect to LDAP using ldapsearch on port 636 on the server with no issues.

zbricoleur’s picture

Just checking that you're specifying the port when you enter the server in the server field?

E.g., ldaps://dc.example.com:636

And make sure you have PHP LDAP service enabled (should be a matter of making sure the 'extension=php_ldap.dll' line is present and uncommented in php.ini).

kestes’s picture

Yes, everything is set as listed, but still receive "Authentication with the LDAP server failed" message.

jpamental’s picture

Just chiming in-

On a Media Temple DV (CentOS Linux) using D6 - using #7 & #13 got me going to connect to an AD server via SSL

Would be good to have a patch in there to allow check-box selection for SSL instead of just TLS (though would likely have to include a note about the TLS bit in ldap.conf)

Jason

cgmonroe’s picture

Status: Active » Closed (duplicate)

Mostly a duplicate of #1263638: Start-TLS not working with Active Directory

As to SSL / LDAPS usage, both the admin screens (dev version) and the online documentation have been updated with better info on this.