Open warlord0 opened 6 years ago
Hi @warlord0, I think this is an issue inside tinker. Are you running your custom PHP script on the server and then testing Adldap2 in tinker?
Have you tried TLS with your application itself using Adldap2? Nothing is different in the Adldap2 library in regards to your code sample.
Yeah, I tried the developed app to start with and failed to get any authentication, so I decided to try in tinker to get some proper error messages. I got some success adding the option for REQCERT, so I can at least auth over SSL.
As it's a warning, the authentication succeeds, but I suspect that's because it's fallen back to non-STARTTLS and just bound as plain text.
I can't figure out where the warning comes from. I'm guessing straight from ldap_start_tls().
Just because I can, I set this up using the OpenLDAP server on my Synology. I know the certificate won't be trusted, so I have the TLS_REQCERT option set to never in /etc/ldap/ldap.conf.
I figured I could at least try to rule out a problem with our AD server and see if OpenLDAP might be different.
ldapsearch -D "uid=username,cn=users,dc=domain,dc=co,dc=uk" -LLL -x -w secret "(uid=*)" uid -ZZ -u
connects and returns results.
> $ php artisan tinker [±master ●]
Psy Shell v0.8.17 (PHP 7.0.27-0+deb9u1 — cli) by Justin Hileman
>>> Auth::attempt(['name' => 'username', 'password' => 'secret'])
PHP Warning: ldap_start_tls(): Unable to start TLS: Local error in /var/www/flex/vendor/adldap2/adldap2/src/Connections/Ldap.php on line 209
PHP Warning: ldap_start_tls(): Unable to start TLS: Local error in /var/www/flex/vendor/adldap2/adldap2/src/Connections/Ldap.php on line 209
=> true
Tinker still returns a STARTTLS warning.
Description:
Unable to get a connection using STARTTLS.
Steps To Reproduce:
Using the following options in .env
Then using tinker
If I change things to SSL
I get a connection and successfully validate. I did have to add in the custom_options:
But this has no marked effect on STARTTLS.
So I then used a test PHP script to see if I was able to get ldap_start_tls to work.
And this connects with no complaint about starttls.
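The thread's core risk is the one noted above about the tinker session: `ldap_start_tls()` only emits a warning, so code that ignores its return value goes on to bind over plaintext. The script below is an added example, written for this thread rather than taken from the issue author's test script or from Adldap2, showing a STARTTLS connect that fails closed, surfaces the library's diagnostic message instead of a bare "Local error", and sets the certificate policy per connection (the `LDAP_OPT_X_TLS_NEVER` branch corresponds to the `TLS_REQCERT never` line in `/etc/ldap/ldap.conf`). The host, bind DN, and environment variable names are placeholders; it assumes a PHP build with the OpenLDAP-specific `LDAP_OPT_X_TLS_*` constants.

```php
<?php
// Added example (not Adldap2 code and not the issue's test script): open an LDAP
// connection, upgrade it with STARTTLS, and refuse to bind if the upgrade fails.
// Host, DN and environment variable names are placeholders.

declare(strict_types=1);

/**
 * Connect and negotiate STARTTLS. Returns the LDAP connection on success and
 * throws on any TLS failure, so a caller can never fall through to a plaintext bind.
 */
function ldapConnectWithStartTls(string $uri, bool $verifyCert = true)
{
    $conn = ldap_connect($uri);                 // e.g. "ldap://ldap.example.test:389"
    if ($conn === false) {
        throw new RuntimeException("Malformed LDAP URI: $uri");
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Certificate verification policy for this connection only.
    // LDAP_OPT_X_TLS_NEVER is the equivalent of "TLS_REQCERT never" in ldap.conf:
    // it disables server authentication, so use it only against a lab server
    // whose self-signed certificate you cannot install as a trust anchor.
    ldap_set_option(
        $conn,
        LDAP_OPT_X_TLS_REQUIRE_CERT,
        $verifyCert ? LDAP_OPT_X_TLS_DEMAND : LDAP_OPT_X_TLS_NEVER
    );

    // ldap_start_tls() returns false and raises a PHP warning such as
    // "Unable to start TLS: Local error" on failure. Suppress the warning and
    // turn the failure into an exception carrying the real diagnostic text.
    if (@ldap_start_tls($conn) !== true) {
        $diag = '';
        ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        $msg = sprintf(
            'STARTTLS failed: %s (%s)',
            ldap_error($conn),
            $diag !== '' ? $diag : 'no diagnostic message'
        );
        ldap_unbind($conn);
        throw new RuntimeException($msg);
    }
    return $conn;
}

// Usage: bind only after STARTTLS has been negotiated successfully.
$uri = getenv('LDAP_URI') ?: 'ldap://ldap.example.test:389';            // placeholder
$dn  = getenv('LDAP_BIND_DN') ?: 'uid=username,cn=users,dc=example,dc=test'; // placeholder
$pw  = getenv('LDAP_BIND_PW') ?: '';

try {
    // Pass false as the second argument only for a lab server with an untrusted certificate.
    $conn = ldapConnectWithStartTls($uri, true);
    if (!ldap_bind($conn, $dn, $pw)) {
        fwrite(STDERR, 'Bind failed: ' . ldap_error($conn) . PHP_EOL);
        exit(1);
    }
    echo "Bound over STARTTLS as $dn" . PHP_EOL;
    ldap_unbind($conn);
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . PHP_EOL);
    exit(1);
}
```

Running this against the same server as the tinker session reproduces the failure as a hard error with the OpenLDAP diagnostic attached (typically a certificate or CA path problem when the message is "Local error"), which is more useful than a warning that the bind then silently ignores. Keeping the certificate policy on the connection rather than in `/etc/ldap/ldap.conf` also means the relaxed `NEVER` setting cannot leak into every other LDAP client on the host.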