authldap working with LDAP, but when switch to LDAPS it fails
snuffy #1
Hi, I have configured LDAP and it's working great. However, now when I attempt to change the LDAP type (see the commented line below) to ldaps and port 636, it fails to connect: "Can't contact LDAP server [auth.php:592]".

I can telnet to the LDAP server on 389 and 636, so I assume this test means that it's listening on that port. The LDAP server is an Active Directory server.

I have read the docs and examples but I must be overlooking something. Can anyone point me in the right direction please? I'm new to this.


$conf['authtype'] = 'authldap';

#$conf['plugin']['authldap']['server'] = 'ldap://10.0.0.10:389';
$conf['plugin']['authldap']['server'] = 'ldaps://10.0.0.10:636';
$conf['plugin']['authldap']['usertree'] = 'OU=ACMECo,DC=ACMECo,DC=net';
$conf['plugin']['authldap']['grouptree'] = 'OU=ACMECo Groups,OU=ACMECo,DC=ACMECo,DC=net';
$conf['plugin']['authldap']['userfilter'] = '(&(objectClass=user)(sAMAccountName=%{user}))';
$conf['plugin']['authldap']['groupfilter'] = '(&(objectClass=*)(member=%{dn}))';
$conf['plugin']['authldap']['binddn'] = 'CN=Dokuwiki,OU=ACMECo Service Accounts,OU=ACMECo,DC=ACMECo,DC=net';
$conf['plugin']['authldap']['bindpw'] = 'Y7q9iTdfghdfhgdfhgde587cn';

# This is optional but may be required for your server:
$conf['plugin']['authldap']['version']    = 3;

# This is optional and is required to be off when using Active Directory:
$conf['plugin']['authldap']['referrals']  = 0;

$conf['plugin']['authldap']['debug'] = 1;
This post was edited on 2019-05-22, 12:46 by snuffy.
FosseWay #2
Forgive me if I'm stating the obvious, but you say that:
Quote by snuffy:
I can telnet to the LDAP server on 389 and 386, so assume this test means that it's listening on that port.
But in your config, you have:
Quote by snuffy:
$conf['plugin']['authldap']['server'] = 'ldaps://10.0.0.10:636';
What happens if you telnet to port 636? Are other entities using LDAPS successfully with this domain controller, i.e. is LDAPS definitely configured and running on the server?
This post was edited on 2019-05-21, 21:39 by FosseWay.
snuffy #3
Hi, erm, yes... 636, sorry, typo. Telnet connects with the same result as with port 389.

If the settings I provided are the only location of settings required, I'll look to the AD server and other systems that may use the LDAPS service on that server to verify functionality. I will need to speak to colleagues who manage that server.

Thanks FosseWay.
FosseWay #4
Other than local.php, I'm not aware of anywhere else you would need to add settings to get this working.

If you're working on the server directly, you might consider moving your auth settings from local.php to local.protected.php, since that will ensure that only you/someone with server access can modify them, rather than an admin via the web interface. Not directly relevant to your issue, but worth being aware of.

It is certainly worthwhile to verify with colleagues that LDAPS is working for other services talking to this AD server as you suggest. What platform is your web server? Whatever it is, it's also worth getting some LDAP/LDAPS command-line tools on your server and using them to narrow down the issue. Can you query/authenticate LDAPS using a command-line tool on your web server? If not, you'd need to solve that first.
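A command-line walk-through of the diagnosis FosseWay suggests, added here as an example; it is not part of this thread, of DokuWiki or of the authldap plugin. PHP's ldap extension and the OpenLDAP tools (ldapsearch, packaged as ldap-utils on Debian/Ubuntu and openldap-clients on RHEL/CentOS) are both built on libldap, so a bind that fails here fails in the plugin for the same reason. The plugin reports a TCP failure, a TLS handshake failure and a bind failure with the same "Can't contact LDAP server" message; the script tests them one at a time. The server URL, bind DN and user tree are copied from the config in post #1; the script name ldaps_diag.sh and the CAFILE path (the domain's CA certificate exported in PEM form) are assumptions, and the bind password is read from the environment.

```shell
#!/bin/sh
# ldaps_diag.sh: added diagnostic example, not part of DokuWiki or authldap.
# Separates the three failures that authldap reports as one
# "Can't contact LDAP server": TCP connect, TLS handshake, LDAP bind.
# Requires openssl and ldapsearch on the web server.
set -u

# Values copied from the config in post #1; CAFILE is an assumed path to the
# domain CA certificate in PEM form. BINDPW must be set in the environment.
SERVER=${SERVER:-ldaps://10.0.0.10:636}
BINDDN=${BINDDN:-'CN=Dokuwiki,OU=ACMECo Service Accounts,OU=ACMECo,DC=ACMECo,DC=net'}
USERTREE=${USERTREE:-'OU=ACMECo,DC=ACMECo,DC=net'}
CAFILE=${CAFILE:-/usr/local/share/ca-certificates/acmeco-root-ca.pem}
BINDPW=${BINDPW:-}

# Split an ldap:// or ldaps:// URL into "scheme host port" (default ports
# 389 and 636). Bracketed IPv6 literals are not handled.
parse_ldap_url() {
    url=$1
    scheme=${url%%://*}
    hostport=${url#*://}
    hostport=${hostport%%/*}
    case $hostport in
        *:*) host=${hostport%:*}; port=${hostport##*:} ;;
        *)   host=$hostport
             if [ "$scheme" = ldaps ]; then port=636; else port=389; fi ;;
    esac
    printf '%s %s %s\n' "$scheme" "$host" "$port"
}

# Steps 1 and 2: TCP connect and TLS handshake. s_client exits non-zero when
# the connection fails; once connected, its "Verify return code" line says
# whether the server's chain validates against CAFILE (0 = ok). s_client
# does not check the hostname, so 0 here can still fail in libldap (step 3).
check_tls() {
    host=$1; port=$2
    cafile_opt=
    [ -r "$CAFILE" ] && cafile_opt="-CAfile $CAFILE"   # path must not contain spaces
    out=$(openssl s_client -connect "$host:$port" $cafile_opt </dev/null 2>&1)
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "tls: no TLS service reachable on $host:$port"
        echo "$out" | tail -n 3
        return 1
    fi
    echo "$out" | grep -E '^(subject|issuer)='
    echo "$out" | grep 'Verify return code'
}

# Step 3: simple bind as the service account over LDAPS, first with full
# certificate checking (what the plugin does), then with it disabled.
# Success only with "never" means certificate trust or hostname mismatch,
# not the bind DN or password. The password goes in via -y so it never
# appears in the process list.
check_bind() {
    url=$1
    pwfile=$(mktemp) || return 1
    chmod 600 "$pwfile"
    printf '%s' "$BINDPW" > "$pwfile"     # no trailing newline: -y uses the whole file
    for reqcert in demand never; do
        LDAPTLS_REQCERT=$reqcert ldapsearch -LLL -H "$url" -x -D "$BINDDN" \
            -y "$pwfile" -b "$USERTREE" -s base 1.1 >/dev/null 2>&1
        rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "bind: ok with TLS_REQCERT=$reqcert"
        else
            echo "bind: failed with TLS_REQCERT=$reqcert (ldapsearch exit $rc)"
        fi
    done
    rm -f "$pwfile"
}

main() {
    [ -n "$BINDPW" ] || { echo "set BINDPW in the environment first" >&2; return 2; }
    set -- $(parse_ldap_url "$SERVER")
    scheme=$1; host=$2; port=$3
    [ "$scheme" = ldaps ] || { echo "$SERVER is not an ldaps:// URL" >&2; return 2; }
    if [ -r "$CAFILE" ]; then
        export LDAPTLS_CACERT="$CAFILE"
    else
        echo "warning: $CAFILE not readable; chain validation will fail" >&2
    fi
    echo "== TLS handshake with $host:$port"
    check_tls "$host" "$port" || return 1
    echo "== LDAP bind as $BINDDN"
    check_bind "$SERVER"
}

# Run the checks only when executed as a script, not when sourced for its functions.
case ${0##*/} in ldaps_diag.sh) main; exit $? ;; esac
```

Run it on the web server as BINDPW='...' sh ldaps_diag.sh. How to read the result: if the TLS step cannot connect, nothing is serving TLS on 636 even though the port accepts connections; a domain controller keeps 636 open whether or not it holds a usable server-authentication certificate, so a successful telnet proves only that the port is open. A non-zero "Verify return code" means the DC's certificate chain is not trusted by the web server; the fix is to put the domain CA into ldap.conf (/etc/ldap/ldap.conf on Debian/Ubuntu, /etc/openldap/ldap.conf on RHEL/CentOS) as TLS_CACERT, because LDAPTLS_* variables exported in a shell never reach PHP under Apache or php-fpm. A bind that succeeds only with TLS_REQCERT=never points at trust or at a hostname mismatch: libldap checks the server name against the certificate, and a certificate issued to the DC's FQDN will not match the IP address 10.0.0.10 used in the config, so the ldaps:// URL should carry the name in the certificate. Exit status 49 from ldapsearch is invalid credentials (account or password, not TLS); 255 is libldap's -1, the same "Can't contact LDAP server" the plugin prints. TLS_REQCERT=never is a diagnostic setting only: it disables server authentication and leaves the bind password open to interception, so never leave it in a production ldap.conf.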