Authldap - StartTLS failed
iteng.jorgerodriguez #1
Member for 3 months · 1 post
Group memberships: Members
Hello everyone, I hope someone can help me. I am trying to set up LDAP authentication for DokuWiki, but I keep getting a StartTLS error and a "could not connect to server" error. I have validated my server settings. I am able to authenticate with LDAP for other apps like Nextcloud. I am able to ping and telnet the LDAP server from the wiki server. I am using Let's Encrypt certs on both the LDAP and wiki server.

LDAP config:
https://www.dropbox.com/s/a4tofbby4inkq7c/2018-10-30_9-25-…

StartTLS Error:
https://www.dropbox.com/s/354yoonw3e67fr6/2018-10-30_9-29-…

Disabling TLS on dokuwiki results in:
https://www.dropbox.com/s/9t0robzn8sjtsxr/2018-10-30_9-28-…


Not sure what to try next. How or where can I get more details on the StartTLS error? What certificate is DokuWiki using for authldap?

Thanks for the help,

Jorge
tikok974 #2
Member for a month · 3 posts
Group memberships: Members
Hi everybody,

I have the same problem as @iteng.jorgerodriguez.
My Dokuwiki release is: Release 2014-05-05a "Ponder Stibbons"

When I try to enable TLS for LDAP authentication,

See my configuration:

<?php
/*
 * Dokuwiki's Main Configuration File - Local Settings
 * Auto-generated by config plugin
 * Run for user: tikok974
 * Date: Thu, 20 Dec 2018 16:45:53 +0100
 */

$conf['title'] = 'Intranet';
$conf['start'] = 'Accueil';
$conf['lang'] = 'fr';
$conf['license'] = 'cc-by-sa';
$conf['useacl'] = 1;
$conf['authtype'] = 'authldap';
$conf['defaultgroup'] = 'mydomain-users';
$conf['superuser'] = '@it-admin, @it-members, it-admin';
$conf['plugin']['database2']['console'] = 1;
$conf['plugin']['database2']['enableallpages'] = 1;
$conf['plugin']['forcessllogin']['actions'] = 'register,login,admin,resendpwd,profile,edit';
$conf['plugin']['authldap']['server'] = 'ldap://myserver';
$conf['plugin']['authldap']['port'] = 686;
$conf['plugin']['authldap']['usertree'] = 'ou=People,dc=mydomain,dc=com';
$conf['plugin']['authldap']['grouptree'] = 'ou=Groups,dc=mydomain,dc=com';
$conf['plugin']['authldap']['userfilter'] = '(&(uid=%{user})(objectClass=posixAccount))';
$conf['plugin']['authldap']['groupfilter'] = '(&(objectClass=posixGroup)(|(gidNumber=%{gid})(memberUID=%{user})))';
$conf['plugin']['authldap']['version'] = 3;
$conf['plugin']['authldap']['starttls'] = 1;
$conf['plugin']['authldap']['binddn'] = 'cn=myadmin,dc=mydomain,dc=com';
$conf['plugin']['authldap']['bindpw'] = 'mypassword';

// end auto-generated content


The message displayed on the login page is as follows:

Starting TLS failed
LDAP: couldn't connect to LDAP server


However, there is a communication with my LDAP server, but it seems to be closed quickly:

..
..
Dec 20 16:30:15 myldap slapd[13177]: conn=1025 fd=18 ACCEPT from IP=192.12.12.26:59366 (IP=0.0.0.0:389)
Dec 20 16:30:15 myldap slapd[13177]: conn=1025 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Dec 20 16:30:15 myldap slapd[13177]: conn=1025 op=0 STARTTLS
Dec 20 16:30:15 myldap slapd[13177]: conn=1025 op=0 RESULT oid= err=0 text=
Dec 20 16:30:15 myldap slapd[13177]: conn=1025 fd=18 TLS established tls_ssf=128 ssf=128
Dec 20 16:30:15 myldap slapd[13177]: conn=1025 fd=18 closed (connection lost)
...
...

I have another server on the network that communicates perfectly in TLS with my LDAP server.

Would someone have a solution, please?

Many thanks
This post was edited 2 times, last on 2018-12-20, 17:08 by tikok974.
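Post #1 asks how to get more detail on the StartTLS error and which certificate DokuWiki uses, and the slapd log in post #2 shows the server completed the handshake before the client dropped the connection, so the answer lies on the PHP side: authldap has no certificate of its own, PHP's ldap extension goes through the system libldap, whose trust settings (TLS_CACERT) come from /etc/ldap/ldap.conf on Debian. The standalone PHP script below is an added diagnostic, not DokuWiki or authldap code; it repeats authldap's connect, StartTLS and bind steps and prints libldap's own error text. It assumes the server URL and bind DN from the config above, a bind password in the LDAP_BINDPW environment variable, and the Debian CA bundle path.

```php
<?php
// Added diagnostic script (not DokuWiki code): replays authldap's
// connect -> StartTLS -> bind sequence and reports libldap's own reason.
$server = 'ldap://myserver';                     // from the posted config
$binddn = 'cn=myadmin,dc=mydomain,dc=com';       // from the posted config
$bindpw = getenv('LDAP_BINDPW') ?: '';           // never hardcode the secret
$cafile = '/etc/ssl/certs/ca-certificates.crt';  // assumed Debian CA bundle

// Ask libldap to log its TLS negotiation details (printed on stderr).
if (defined('LDAP_OPT_DEBUG_LEVEL')) {
    ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);
}

// Print errno, error text and the diagnostic message libldap attaches.
function explain($ds, $step) {
    $diag = '';
    if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    }
    fwrite(STDERR, sprintf("%s failed: [%d] %s %s\n",
        $step, ldap_errno($ds), ldap_error($ds), $diag));
}

// ldap_connect() only parses the URL; the TCP connection opens on StartTLS/bind.
$ds = ldap_connect($server);
if ($ds === false) {
    fwrite(STDERR, "ldap_connect rejected URL '$server'\n");
    exit(1);
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // authldap sets version 3 too
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

// Keep certificate verification on (the secure default) and name the CA
// bundle explicitly; these constants exist only on PHP 7.0.5+/7.1+.
if (defined('LDAP_OPT_X_TLS_REQUIRE_CERT')) {
    ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
}
if (defined('LDAP_OPT_X_TLS_CACERTFILE')) {
    ldap_set_option($ds, LDAP_OPT_X_TLS_CACERTFILE, $cafile);
}

if (!@ldap_start_tls($ds)) { explain($ds, 'StartTLS'); exit(2); }
echo "StartTLS OK\n";
if (!@ldap_bind($ds, $binddn, $bindpw)) { explain($ds, 'Bind'); exit(3); }
echo "Bind OK\n";
```

Run it from the shell as the web server user (for example `sudo -u www-data php ldap_diag.php`) so it uses the same ldap.conf and PHP ldap build as DokuWiki; a certificate or hostname problem shows up as a StartTLS failure with libldap's reason, while a port or firewall problem fails before the handshake.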
schplurtz (Moderator) #3
Member since Nov 2009 · 329 posts · Location: France, Finistère
Group memberships: Global Moderators, Members
Bonjour,

Ponder stibbons has 5 hotfixes, one is LDAP/AD related. Please see https://www.dokuwiki.org/old_changes#release_2014-05-05e_p…

Not sure it will help.

Also:
Dec 20 16:30:15 myldap slapd[13177]: conn=1025 fd=18 TLS established tls_ssf=128 ssf=128
Dec 20 16:30:15 myldap slapd[13177]: conn=1025 fd=18 closed (connection lost)
I don't know the inner details of the SSL/STARTTLS protocol, but this could indicate that your server is using something that is only 128 bits, a cert signature or a cipher protocol. 128-bit things are not so well accepted nowadays. You may have to convince your PHP library to accept 128 bits, or convince your LDAP SSL library to accept 128-bit things. Maybe this OpenLDAP thread would bring light: http://www.openldap.org/lists/openldap-technical/201210/ms…

Just an idea, though.
http://schplurtz.free.fr/wiki/
tikok974 #4
Member for a month · 3 posts
Group memberships: Members
In reply to post #1
Thank you so much @schplurtz

My DokuWiki is the latest version available under Debian Jessie, so I manually applied the hotfix for my version of DokuWiki. Unfortunately, this didn't solve my problem :(
I do agree with you that it may be due to the cipher protocol, which is 128 bits. I looked at the TLS communications from another server that works correctly with my LDAP server, and that one is 256 bits. I don't want to change the configuration of my LDAP server so as not to disturb the other server.

Is it possible to tell the DokuWiki server to establish a communication in 256 bits instead of 128 bits?

Many thanks
schplurtz (Moderator) #5
Member since Nov 2009 · 329 posts · Location: France, Finistère
Group memberships: Global Moderators, Members
OK. Your problem is now how to set up SSL/TLS on the DW side to use 256 bits. If there are some settings to tweak, then I guess it must be an SSL/TLS library config file, or perhaps somewhere in PHP. I just don't know.

Debian forum, stackexchange or other system administration forum are probably your best option now...

Otherwise, you may consider upgrading Debian to 9.x Stretch. Jessie is currently the «old stable» version.
Not sure this would fix anything; I don't use LDAP/SSL, so I can't tell.
http://schplurtz.free.fr/wiki/
tikok974 #6
Member for a month · 3 posts
Group memberships: Members
Thank you so much @schplurtz,

I will do some research at Debian and elsewhere to find an answer.
If I find the solution, I'll put a new post here ;-)

Many thanks