This repository has been archived by the owner on Apr 11, 2024. It is now read-only.

LDAPS not working #24

Open
manoftheforest opened this issue Dec 8, 2016 · 10 comments

@manoftheforest

Hi,

I recently configured auth_ldap on my tt-rss instance. Authentication works with LDAP via port 389, but I get Wrong Username or Password when using LDAPS with port 636.
So basically changing define('LDAP_AUTH_SERVER_URI', 'ldap://my.org'); to define('LDAP_AUTH_SERVER_URI', 'ldaps://my.org') makes me unable to log in.

I downloaded tt-rss' and auth_ldap's most recent builds from their respective repositories.
I'm running CentOS Linux release 7.2.1511 with php 5.4.
LDAPS Connection to my Active Directory works fine with other applications.

My error log gets flooded with these PHP Notices, it throws a notice for every line in accept-to-gettext.php, but this happens with both LDAP and LDAPS configured (-> tt-rss related most likely):
PHP Notice: Undefined index: in /srv/web/my.org/lib/accept-to-gettext.php on line 150
PHP Notice: Array to string conversion in /srv/web/my.org/include/errorhandler.php on line 24
PHP Notice: Array to string conversion in /srv/web/my.org/include/errorhandler.php on line 24

@hydrian (Owner)

hydrian commented Dec 9, 2016

Sounds like there is an issue with PHP not trusting the certificate that is being offered by the LDAP server.

Make sure you are using the hostname that is displayed in the certificate and make sure PHP trusts the end of the certificate chain offered by the LDAP server. PHP and LDAP treat untrusted certificates very harshly and often give back misleading errors.

The other option is to disable PHP certificate checking. This isn't recommended.

Currently there is no option to disable LDAPS certificate checking in just this module. If you'd like this please file a feature request for this feature.
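A standalone way to check what hydrian describes, as an added example (this is not tt-rss or auth_ldap code): run the same LDAPS bind from the PHP CLI on the tt-rss host with certificate verification enforced, so the libldap error surfaces directly instead of as the web UI's generic "Wrong Username or Password". The URI, bind DN, password and CA bundle path on the command line are placeholders; the option constants and the version notes in the comments are taken from the PHP and libldap documentation, and the PHP 5.4 fallback via environment variables is an assumption about how libldap is configured on the issue reporter's CentOS 7 box.

```php
<?php
// ldaps_check.php: added diagnostic, not part of tt-rss or the auth_ldap plugin.
// Reproduces the plugin's bind from the CLI on the same host, with certificate
// verification enforced, so a trust failure is reported as such instead of
// surfacing as a generic login error in the web UI.
//
//   php ldaps_check.php ldaps://ldap.example.org/ 'cn=svc,dc=example,dc=org' 'secret' [/etc/pki/tls/certs/ca.pem]
//
// URI, DN, password and CA path above are placeholders (assumptions).

function ldaps_check($uri, $bindDn, $bindPw, $caFile = null, $allowUntrusted = false)
{
    if (!function_exists('ldap_connect')) {
        return array('ok' => false, 'stage' => 'setup', 'error' => 'php-ldap extension not loaded');
    }
    $scheme = strtolower((string) parse_url($uri, PHP_URL_SCHEME));
    if ($scheme !== 'ldap' && $scheme !== 'ldaps') {
        return array('ok' => false, 'stage' => 'setup', 'error' => "URI must be ldap:// or ldaps://, got '$uri'");
    }

    // libldap reads its TLS settings once per process, so they must be in place
    // before the first ldap_* call. LDAP_OPT_X_TLS_REQUIRE_CERT / _CACERTFILE exist
    // as PHP constants from PHP 7.0.5 / 7.1; on older PHP (5.4 on CentOS 7, as in
    // this thread) the same knobs come from /etc/openldap/ldap.conf (TLS_CACERT,
    // TLS_REQCERT) or the LDAPTLS_CACERT / LDAPTLS_REQCERT environment variables.
    $reqcert = $allowUntrusted ? 'never' : 'demand'; // demand = verify chain AND hostname
    if (defined('LDAP_OPT_X_TLS_REQUIRE_CERT')) {
        ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT,
            $allowUntrusted ? LDAP_OPT_X_TLS_NEVER : LDAP_OPT_X_TLS_DEMAND);
    } else {
        putenv('LDAPTLS_REQCERT=' . $reqcert);
    }
    if ($caFile !== null) {
        if (defined('LDAP_OPT_X_TLS_CACERTFILE')) {
            ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
        } else {
            putenv('LDAPTLS_CACERT=' . $caFile);
        }
    }

    // No socket is opened here; libldap connects lazily on the first operation,
    // which is why a TLS problem only shows up at bind time.
    $ds = ldap_connect($uri);
    if ($ds === false) {
        return array('ok' => false, 'stage' => 'connect', 'error' => 'ldap_connect() rejected the URI');
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);        // AD hands out referrals; do not chase them
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);

    if (@ldap_bind($ds, $bindDn, $bindPw)) {
        ldap_unbind($ds);
        return array('ok' => true, 'stage' => 'bind', 'error' => '');
    }

    $errno = ldap_errno($ds);
    $diag = '';
    if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    }
    // How to read the result:
    //   -1 "Can't contact LDAP server": TCP or TLS failure (untrusted chain,
    //      hostname mismatch, wrong port); the credentials were never sent.
    //   49 "Invalid credentials": TLS succeeded and the DN/password is wrong.
    return array(
        'ok'         => false,
        'stage'      => $errno === -1 ? 'tls/transport' : 'bind',
        'errno'      => $errno,
        'error'      => ldap_error($ds),
        'diagnostic' => (string) $diag,
    );
}

if (PHP_SAPI === 'cli' && isset($argv[3])) {
    $result = ldaps_check($argv[1], $argv[2], $argv[3], isset($argv[4]) ? $argv[4] : null);
    echo json_encode($result, JSON_PRETTY_PRINT), PHP_EOL;
    exit($result['ok'] ? 0 : 1);
}
```

Run it as the web server's user (for example with `sudo -u apache php ldaps_check.php ...`) so it sees the same ldap.conf, environment and CA store as the plugin. If it succeeds with `$allowUntrusted = true` but fails with the default, the problem is trust or hostname, not the credentials.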

@hydrian (Owner)

hydrian commented Dec 9, 2016

Those accept-to-gettext errors look more like ttrss core issues.

@hydrian hydrian self-assigned this Dec 9, 2016
@hydrian (Owner)

hydrian commented Dec 9, 2016

Added issue #25 for the enhancement

@manoftheforest (Author)

Thanks for the reply and sorry for the long wait, I only recently had time to get back to this issue again.
I'm quite sure that this is not certificate related. I have a similar installation running on an older system (CentOS 6) which works fine with LDAP Auth over LDAPS.
I enabled debug logging and this is what I get when I try to log in with domain credentials and LDAPS enabled:

Failed login attempt for myuser from x.x.x.x

  1. classes/handler/public.php(627): user_error(Failed login attempt for myuser from x.x.x.x, 512)
  2. public.php(50): login()

E_WARNING (2) classes/db/pgsql.php:70 pg_affected_rows() expects parameter 1 to be resource, boolean given

  1. classes/db/pgsql.php(70): pg_affected_rows()
  2. classes/db.php(86): affected_rows()
  3. classes/logger/sql.php(20): affected_rows()
  4. classes/logger.php(28): log_error(256, LDAP bind(): Bind failed ()with DN cn=myorg, , , )
  5. plugins/auth_ldap/init.php(84): log_error(256, LDAP bind(): Bind failed ()with DN cn=myorg, , , )
  6. plugins/auth_ldap/init.php(313): _log(LDAP bind(): Bind failed ()with DN cn=myorg, 256)
  7. include/functions.php(739): authenticate(myuser, mypassword)
  8. classes/handler/public.php(604): authenticate_user(myuser, mypassword)
  9. public.php(50): login()

E_USER_ERROR (256) classes/db/pgsql.php:47 Query INSERT INTO ttrss_error_log (errno, errstr, filename, lineno, context, owner_uid, created_at) VALUES (256, 'LDAP bind(): Bind failed ()with DN cn=myorg', '', '', '', NULL, NOW()) failed: ERROR: invalid input syntax for integer: "" ZEILE 3: mybasedn', '', '', '', NU... ^

  1. classes/db/pgsql.php(47): user_error(Query INSERT INTO ttrss_error_log
    (errno, errstr, filename, lineno, context, owner_uid, created_at) VALUES
    (256, 'LDAP bind(): Bind failed ()with DN cn=myorg', '', '', '', NULL, NOW()) failed: ERROR: invalid input syntax for integer: ""
    ZEILE 3: mybasedn', '', '', '', NU...
    ^, 256)

  2. classes/db.php(66): query(INSERT INTO ttrss_error_log
    (errno, errstr, filename, lineno, context, owner_uid, created_at) VALUES
    (256, 'LDAP bind(): Bind failed ()with DN cn=myorg', '', '', '', NULL, NOW()), 1)

  3. classes/logger/sql.php(18): query(INSERT INTO ttrss_error_log
    (errno, errstr, filename, lineno, context, owner_uid, created_at) VALUES
    (256, 'LDAP bind(): Bind failed ()with DN cn=myorg', '', '', '', NULL, NOW()))

  4. classes/logger.php(28): log_error(256, LDAP bind(): Bind failed ()with DN cn=myorg, , , )

  5. plugins/auth_ldap/init.php(84): log_error(256, LDAP bind(): Bind failed ()with DN cn=myorg, , , )

  6. plugins/auth_ldap/init.php(313): _log(LDAP bind(): Bind failed ()with DN cn=myorg, 256)

  7. include/functions.php(739): authenticate(myuser, mypassword)

  8. classes/handler/public.php(604): authenticate_user(myuser, mypassword)

  9. public.php(50): login()

E_WARNING (2) classes/db/pgsql.php:70 pg_affected_rows() expects parameter 1 to be resource, boolean given

  1. classes/db/pgsql.php(70): pg_affected_rows()

  2. classes/db.php(86): affected_rows()

  3. classes/logger/sql.php(20): affected_rows()

  4. classes/logger.php(28): log_error(1024, Array
    (
    [host] => myhost
    [basedn] => mybasedn
    [port] => 636
    [starttls] =>
    )
    , , , )

  5. plugins/auth_ldap/init.php(84): log_error(1024, Array
    (
    [host] => myhost
    [basedn] => mybasedn
    [port] => 636
    [starttls] =>
    )
    , , , )

  6. plugins/auth_ldap/init.php(284): _log(Array
    (
    [host] => myhost
    [basedn] => mybasedn
    [port] => 636
    [starttls] =>
    )
    , 1024)

  7. include/functions.php(739): authenticate(myuser, mypassword)

  8. classes/handler/public.php(604): authenticate_user(myuser, mypassword)

  9. public.php(50): login()

E_USER_ERROR (256) classes/db/pgsql.php:47 Query INSERT INTO ttrss_error_log (errno, errstr, filename, lineno, context, owner_uid, created_at) VALUES (1024, 'Array ( [host] => myhost [basedn] => mybasedn [port] => 636 [starttls] => ) ', '', '', '', NULL, NOW()) failed: ERROR: invalid input syntax for integer: "" ZEILE 10: ', '', '', '', NULL, NOW()) ^

  1. classes/db/pgsql.php(47): user_error(Query INSERT INTO ttrss_error_log
    (errno, errstr, filename, lineno, context, owner_uid, created_at) VALUES
    (1024, 'Array
    (
    [host] => myhost
    [basedn] => mybasedn
    [port] => 636
    [starttls] =>
    )
    ', '', '', '', NULL, NOW()) failed: ERROR: invalid input syntax for integer: ""
    ZEILE 10: ', '', '', '', NULL, NOW())
    ^, 256)

  2. classes/db.php(66): query(INSERT INTO ttrss_error_log
    (errno, errstr, filename, lineno, context, owner_uid, created_at) VALUES
    (1024, 'Array
    (
    [host] => myhost
    [basedn] => mybasedn
    [port] => 636
    [starttls] =>
    )
    ', '', '', '', NULL, NOW()), 1)

  3. classes/logger/sql.php(18): query(INSERT INTO ttrss_error_log
    (errno, errstr, filename, lineno, context, owner_uid, created_at) VALUES
    (1024, 'Array
    (
    [host] => myhost
    [basedn] => mybasedn
    [port] => 636
    [starttls] =>
    )
    ', '', '', '', NULL, NOW()))

  4. classes/logger.php(28): log_error(1024, Array
    (
    [host] => myhost
    [basedn] => mybasedn
    [port] => 636
    [starttls] =>
    )
    , , , )

  5. plugins/auth_ldap/init.php(84): log_error(1024, Array
    (
    [host] => myhost
    [basedn] => mybasedn
    [port] => 636
    [starttls] =>
    )
    , , , )

  6. plugins/auth_ldap/init.php(284): _log(Array
    (
    [host] => myhost
    [basedn] => mybasedn
    [port] => 636
    [starttls] =>
    )
    , 1024)

  7. include/functions.php(739): authenticate(myuser, mypassword)

  8. classes/handler/public.php(604): authenticate_user(myuser, mypassword)

  9. public.php(50): login()

@Alexconquer (Contributor)

Hello,
I switched my OpenLDAP server to ldaps and I lost TTrss auth.

I found the problem: line 285 in init.php.

In ldap_connect, the scheme of the URI is missing.

And on line 303, the test is wrong: it must test $this->_scheme, not $this->_host.
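The two defects Alexconquer points at, shown as an added example (this is not the plugin's own code and the function names are hypothetical): parse LDAP_AUTH_SERVER_URI, keep its scheme when building the URI handed to ldap_connect(), and decide on StartTLS from the scheme rather than the host. The default ports and the ldap_connect()/ldap_start_tls() behaviour are standard libldap; the explanation of why the scheme-less connect fails against an ldaps:// listener is the expected behaviour, not something the thread's logs confirm.

```php
<?php
// Added example, not the plugin's code: the behaviour the two fixes described
// above need. Function names are hypothetical; the plugin's real ones differ.

// Split LDAP_AUTH_SERVER_URI into scheme, host and port, applying the standard
// defaults (389 for ldap://, 636 for ldaps://). Anything else fails loudly
// instead of silently connecting somewhere unexpected.
function ldap_auth_parse_uri($uri)
{
    $p = parse_url($uri);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        throw new InvalidArgumentException("LDAP_AUTH_SERVER_URI is not a valid URI: $uri");
    }
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'ldap' && $scheme !== 'ldaps') {
        throw new InvalidArgumentException("LDAP_AUTH_SERVER_URI must use ldap:// or ldaps://: $uri");
    }
    $port = isset($p['port']) ? (int) $p['port'] : ($scheme === 'ldaps' ? 636 : 389);
    return array('scheme' => $scheme, 'host' => $p['host'], 'port' => $port);
}

// Defect 1: connecting with host and port only drops the scheme, so ldaps://host
// turns into cleartext LDAP aimed at the TLS port. The server expects a TLS
// handshake, gets a plaintext BindRequest instead, and the bind cannot succeed.
function ldap_auth_connect_uri_broken(array $s)
{
    return sprintf('%s:%d', $s['host'], $s['port']);   // what ldap_connect($host, $port) amounts to
}

// Fix: hand ldap_connect() the full URI so libldap starts TLS immediately.
function ldap_auth_connect_uri(array $s)
{
    return sprintf('%s://%s:%d', $s['scheme'], $s['host'], $s['port']);
}

// Defect 2: StartTLS upgrades a cleartext ldap:// session; on ldaps:// the
// session is already TLS and ldap_start_tls() fails. The decision therefore
// has to look at the scheme, not the host.
function ldap_auth_needs_start_tls(array $s, $useTls)
{
    return $useTls && $s['scheme'] === 'ldap';
}

// Open the session the corrected way. Throws with the libldap error text so
// the caller can log something more useful than "Bind failed ()".
function ldap_auth_open(array $s, $useTls)
{
    $uri = ldap_auth_connect_uri($s);
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("ldap_connect() rejected $uri");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    if (ldap_auth_needs_start_tls($s, $useTls) && !@ldap_start_tls($ds)) {
        throw new RuntimeException('StartTLS failed: ' . ldap_error($ds));
    }
    return $ds;
}

// Offline walk-through of the URI/flag combinations from this thread plus one
// hypothetical one (ldaps:// together with USETLS on, which must not StartTLS).
foreach (array(
    array('ldap://my.org',  true),    // StartTLS on 389
    array('ldaps://my.org', false),   // LDAPS on 636, no StartTLS
    array('ldaps://LDAP/',  false),   // kettbi's config below: trailing slash is harmless
    array('ldaps://my.org', true),    // hypothetical: USETLS must be ignored on ldaps://
) as $case) {
    $s = ldap_auth_parse_uri($case[0]);
    printf("%-16s broken=%-14s fixed=%-22s starttls=%s\n", $case[0],
        ldap_auth_connect_uri_broken($s), ldap_auth_connect_uri($s),
        ldap_auth_needs_start_tls($s, $case[1]) ? 'yes' : 'no');
}
```

ldap_auth_open() is the piece that touches the network and is not exercised by the loop; the loop only shows how each configuration is interpreted.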

@hydrian (Owner)

hydrian commented Jan 19, 2019

I'm doing LDAP over TLS via StartTLS and it is working fine. Have you verified that PHP trusts your LDAP server? PHP treats untrusted LDAP certificate chains very harshly before PHP 7.1.

To test it on a standard Linux box, use the following command:
#> openssl s_client -connect ldap.mydomain.internal:636 -showcerts

If that doesn't verify the whole chain, you'll probably have LDAPS/StartTLS connection problems, but the error will just be "can't connect to server".

@hydrian (Owner)

hydrian commented Jan 19, 2019

Sorry @Alexconquer, I was looking at some older code and I hadn't pulled from master in a while. Another merge broke it. Fixing...

@Alexconquer (Contributor)

This command returns "Verification: OK".

And other programs (Dovecot, PostFix and OpenXchange) have no problem.

To add some context: I closed the ldap port and only opened ldaps.

@kettbi

kettbi commented Mar 13, 2019

Hi,
Same here, this pull request #34 didn't work for me.
I use SSL, not TLS.

Logs:

Failed login attempt for MyUser from x.x.x.x
1. classes/handler/public.php(505): user_error(Failed login attempt for MyUser from x.x.x.x, 512)
2. public.php(50): login()

LDAP bind(): Bind failed ()with DN cn=myadmin,dc=domain,dc=com
Array ( [host] => LDAP [basedn] => ou=users,ou=myou,dc=domain,dc=com [port] => 636 [starttls] => )

Config:

/// append auth_ldap to the list
define('PLUGINS', 'auth_ldap, auth_internal, note');
define('LDAP_AUTH_SERVER_URI', 'ldaps://LDAP/');
define('LDAP_AUTH_USETLS', FALSE); // Enable TLS Support for ldaps://
define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE); // Allows untrusted certificate
define('LDAP_AUTH_BASEDN', 'myBaseDN');
define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
// ??? will be replaced with the entered username (escaped) at login
define('LDAP_AUTH_SEARCHFILTER', '(&(objectClass=posixAccount)(uid=???))');
// Optional configuration
define('LDAP_AUTH_BINDDN', 'adminDN');
define('LDAP_AUTH_BINDPW', 'password');
define('LDAP_AUTH_LOGIN_ATTRIB', 'uid');
define('LDAP_AUTH_LOG_ATTEMPTS', TRUE);
// Enable Debug Logging
define('LDAP_AUTH_DEBUG', TRUE);

Without SSL it works just fine

@eNBeWe

eNBeWe commented Jul 26, 2019

I had the same problem initially.
Manually adding the changes from #34 solved the issue and the Authentication works fine.
