Was using ldap://my_ldap_server (port 389) and TLS without an issue until I was told that was only for testing. For production, I now have to use ldaps://my_ldap_server (port 636) and SSL without TLS. Now, I cannot bind with my service account. I'm able to run ldapsearch on the same system (using ldaps://) that Drupal is running on, and ldapsearch works fine. The ldap.conf file is the same.

I did a tcpdump trace and found that the drupal ldap module doesn't seem to be sending a SSLv2 "Client Hello," which is the first packet after the TCP handshake using ldapsearch. Drupal seems to send a SSL "Continuation Data" packet, instead of the client hello.

Comments

sammys

I've stumbled on this myself. I was also getting the same problem with NSS authentication. Fixing the NSS problem seemed to assist with the LDAP module. My fix was to add 'TLS_REQCERT never' to the /etc/ldap/ldap.conf file (on Linux/Debian sarge).

After that I've been having login problems with the bind process failing intermittently. I'm trying to find the source of the problem.

--
Sammy Spets
Synerger
http://synerger.com

sammys

Thought it might be useful to add what I mean by intermittent.

I've managed to get the bind working occasionally by playing around with the settings:

  • Store passwords in encrypted form
  • Password for non-anonymous search

Kind of weird I know... but that's how it is!

js1

My fix was to add 'TLS_REQCERT never' to the /etc/ldap/ldap.conf file

Just checked... and that's in my ldap.conf file...

js1

Priority: Normal » Critical

Hmm... I'm wondering now if this is a PHP problem. I'm running some test scripts found on the php.net site for the ldap_bind() function, and it doesn't seem to send a SSLv2 "client hello" packet, either. I've tested the sample script on php4 and php5.

ssteinem

I'm having to configure my Drupal instance with LDAP / SSL the same way mentioned above, with the only exception that I run Drupal on Windows 2003. ldapsearch works fine.
Does anybody know where I have to place the ldap.conf file? Do I need this file? Using SYSINTERNALS tools I found no request for such a file.
My error message is:
LDAP Bind failure for user uid=.... . Error 81: Can't contact LDAP server.
Netmon shows about 16 TCP packets being exchanged before it stops. I don't know if PHP does not find the certificates for the LDAP server. Does Windows (or IIS) tell the PHP DLL where to look for the cert?
Thanks

js1

Priority: Critical » Minor

Figured it out... under settings->ldapauth->Server Settings, the LDAP Server should be ldaps://your_ldap_server and set LDAP port to be 636. Apparently, to use SSL, you have to explicitly state the ldaps:// protocol. I apologize for my confusion.
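The difference js1 describes, written out as an added PHP example (this is not code from the Drupal ldapauth module, and the host name and CA file path are placeholders). It contrasts a plain ldap:// connection aimed at port 636 with a proper ldaps:// connection, and validates the server certificate instead of relying on 'TLS_REQCERT never':

```php
<?php
// Added example, not part of the ldapauth module. LDAP_HOST and CA_FILE
// are placeholders; replace them with your directory host and the PEM
// file holding the CA that issued the directory's certificate.
const LDAP_HOST = 'my_ldap_server';
const CA_FILE   = '/etc/ssl/certs/ldap-ca.pem';

// WRONG for an SSL-only listener: the ldap:// scheme (what a bare host
// name also means) makes libldap open a plaintext LDAP session on port
// 636. The first packet after the TCP handshake is then an unencrypted
// BindRequest rather than a TLS Client Hello, the server drops the
// connection, and PHP reports "Error 81: Can't contact LDAP server".
function connect_plaintext_to_ssl_port()
{
    return ldap_connect('ldap://' . LDAP_HOST . ':636');
}

// RIGHT: ldaps:// tells libldap to complete the TLS handshake before any
// LDAP PDU is sent; the port is carried in the URI.
function connect_ldaps(string $caFile)
{
    $ldap = ldap_connect('ldaps://' . LDAP_HOST . ':636');
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    // Pin the issuing CA and demand a valid certificate, rather than
    // disabling verification with 'TLS_REQCERT never' in ldap.conf.
    // Per-handle TLS options need PHP >= 7.1; ldap_connect() does not open
    // the socket yet, so they apply when the first operation connects.
    ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    return $ldap;
}

// Bind the service account over LDAPS and report libldap's own error
// text on failure. Error 81 at this point usually means the TLS handshake
// never completed (wrong scheme, wrong port, or an untrusted certificate),
// so check those before suspecting the credentials.
function bind_service_account(string $dn, string $password): bool
{
    $ldap = connect_ldaps(CA_FILE);
    if ($ldap === false) {
        return false;
    }
    $ok = @ldap_bind($ldap, $dn, $password);
    if (!$ok) {
        fwrite(STDERR, sprintf("LDAP bind failed (%d): %s\n",
            ldap_errno($ldap), ldap_error($ldap)));
    }
    ldap_unbind($ldap);
    return $ok;
}
```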

ablivio

Do not apologize...

Thanks to your post, I have been able to quickly figure out how to cope with the same problem here. :-)

chekolyn@gmail.com

Thanks for the post, this seems to have fixed the secure LDAP connection problem.

lyricnz

Also, if you are using Zend Server, it appears to have broken support for LDAPS. See
http://forums.zend.com/viewtopic.php?f=44&t=7758
http://forums.zend.com/viewtopic.php?f=8&t=113

Possible fix/workaround described at http://taniwhasolutions.com/news/free-beer-not-good-enough

johnbarclay

Status: Active » Closed (won't fix)

Closing 4.7 issues to clean out issue queue.

xaogeo

Hi man, I tried to set my ldaps:// and 636 port but I still get the same error. Did you set up something else in Apache or PHP?