Was using ldap://my_ldap_server (port 389) and TLS without an issue until I was told that was only for testing. For production, I now have to use ldaps://my_ldap_server (port 636) and SSL without TLS. Now, I cannot bind with my service account. I'm able to run ldapsearch on the same system (using ldaps://) that Drupal is running on, and ldapsearch works fine. ldap.conf file is same.
I did a tcpdump trace and found that the drupal ldap module doesn't seem to be sending a SSLv2 "Client Hello," which is the first packet after the TCP handshake using ldapsearch. Drupal seems to send a SSL "Continuation Data" packet, instead of the client hello.
Comments
Comment #1
sammys commented: I've stumbled on this myself. I was also getting the same problem with NSS authentication. Fixing the NSS problem seemed to assist with the LDAP module. My fix was to add 'TLS_REQCERT never' to the /etc/ldap/ldap.conf file (on linux/Debian sarge).
After that I've been having login problems with the bind process failing intermittently. I'm trying to find the source of the problem.
--
Sammy Spets
Synerger
http://synerger.com
Comment #2
sammys commented: Thought it might be useful to add what I mean by intermittent.
I've managed to get the bind working occasionally by playing around with the settings:
Kind of weird I know... but that's how it is!
Comment #3
js1 commented: Just checked... and that's in my ldap.conf file...
Comment #4
js1 commented: Hmm... I'm wondering now if this is a PHP problem. I'm running some test scripts found on the php.net site for the ldap_bind() function, and it doesn't seem to send a SSLv2 "client hello" packet, either. I've tested the sample script on php4 and php5.
Comment #5
ssteinem commented: I'm having to configure my drupal instance with ldap / SSL the same way mentioned above with the only exception that I run drupal on Windows 2003. ldapsearch works fine.
Does anybody know where I have to place the ldap.conf file? Do I need this file? Using SYSINTERNALS-Tools I found no request for such a file.
My error message is:
LDAP Bind failure for user uid=.... . Error 81: Can't contact LDAP server.
Netmon shows about 16 TCP packets being exchanged before it stops. I don't know if php does not find the certificates for the ldap server. Does Windows (or IIS) tell php dll where to look for the cert?
Thanks
Comment #6
js1 commented: Figured it out... under settings->ldapauth->Server Settings, the LDAP Server should be ldaps://your_ldap_server and set LDAP port to be 636. Apparently, to use SSL, you have to explicitly state the ldaps:// protocol. I apologize for my confusion.
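The distinction comment #6 lands on, written out as an added example (not code from the ldapauth module or from anyone in this thread): with PHP's libldap binding, the URI scheme decides whether the socket is TLS from the first byte (ldaps://, port 636) or is upgraded with StartTLS after a plain connect (ldap://, port 389). Hostname, bind DN, password and CA path are placeholders; the example keeps certificate verification on (the equivalent of TLS_REQCERT demand) rather than the "never" setting from comment #1, so the service account password is only ever sent to a server whose certificate chains to the configured CA.

```php
<?php
// Added example, not the ldapauth module's code. Requires PHP >= 7.0.5 for the
// LDAP_OPT_X_TLS_* constants; all names below are placeholders/assumptions.

function ldap_secure_bind(string $uri, string $bind_dn, string $password, string $ca_file): array
{
    // Global TLS options: same knobs as TLS_CACERT / TLS_REQCERT in ldap.conf.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $ca_file);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ds = ldap_connect($uri);            // only parses the URI; no packets are sent yet
    if ($ds === false) {
        return ['ok' => false, 'error' => "bad URI: $uri"];
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    $scheme = parse_url($uri, PHP_URL_SCHEME);
    if ($scheme === 'ldap') {
        // Plain port (389): the client must explicitly upgrade before binding.
        if (!@ldap_start_tls($ds)) {
            return ['ok' => false, 'errno' => ldap_errno($ds), 'error' => 'StartTLS failed: ' . ldap_error($ds)];
        }
    } elseif ($scheme !== 'ldaps') {
        return ['ok' => false, 'error' => "unsupported scheme: $scheme"];
    }
    // With ldaps:// the TLS handshake (Client Hello) happens here, inside the bind.
    // A handshake or certificate failure surfaces as errno 81, "Can't contact LDAP server",
    // the same symptom comment #5 reports.
    if (!@ldap_bind($ds, $bind_dn, $password)) {
        $diag = '';
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        return ['ok' => false, 'errno' => ldap_errno($ds), 'error' => ldap_error($ds), 'diag' => $diag];
    }
    return ['ok' => true, 'ds' => $ds];
}

// Placeholder values: substitute the real directory host, service DN and CA bundle.
$r = ldap_secure_bind('ldaps://my_ldap_server:636',
                      'cn=drupal-svc,ou=services,dc=example,dc=com',
                      'PLACEHOLDER_PASSWORD',
                      '/etc/ssl/certs/ldap-ca.pem');
if (!$r['ok']) {
    fwrite(STDERR, json_encode($r) . "\n");
    exit(1);
}
ldap_unbind($r['ds']);
```

Running the same function with 'ldap://my_ldap_server:389' exercises the StartTLS path, so one script reproduces both the "testing" and "production" setups from the original post.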
Comment #7
ablivio commented: Do not apologize...
Thanks to your post, I have been able to quickly figure out how to cope with the same problem here. :-)
Comment #9
chekolyn@gmail.com commented: Thanks for the post, this seems to have fixed the secure ldap connection problem.
Comment #11
lyricnz commented: Also, if you are using Zend Server, it appears to have broken support for LDAPS. See
http://forums.zend.com/viewtopic.php?f=44&t=7758
http://forums.zend.com/viewtopic.php?f=8&t=113
Possible fix/workaround described at http://taniwhasolutions.com/news/free-beer-not-good-enough
Comment #13
johnbarclay commented: Closing 4.7 issues to clean out issue queue.
Comment #14
xaogeo commented: Hi man, I tried to set my ldaps:// and 636 port but I still get the same error, did you set up something else in apache? or php?