Adldap2 / Adldap2-Laravel

LDAP Authentication & Management for Laravel
MIT License

STARTTLS #513

Open warlord0 opened 6 years ago

warlord0 commented 6 years ago

Description:

Unable to get a connection using STARTTLS.

Steps To Reproduce:

Using the following options in .env

ADLDAP_CONTROLLERS=dc1srvr.domain.local
ADLDAP_PORT=389
ADLDAP_BASEDN="dc=domain,dc=local"
ADLDAP_ADMIN_USERNAME=username
ADLDAP_ADMIN_PASSWORD=password
ADLDAP_USE_SSL=false
ADLDAP_USE_TLS=true
ADLDAP_ADMIN_ACCOUNT_SUFFIX="@domain.local"
ADLDAP_PASSWORD_SYNC=true
ADLDAP_LOGIN_FALLBACK=false

Then using tinker

Psy Shell v0.8.17 (PHP 7.2.3-1 — cli) by Justin Hileman
>>> Auth::attempt(['name' => 'user', 'password' => 'password'])
PHP Warning:  ldap_start_tls(): Unable to start TLS: Local error in /var/www/flex/vendor/adldap2/adldap2/src/Connections/Ldap.php on line 209
PHP Warning:  ldap_start_tls(): Unable to start TLS: Local error in /var/www/flex/vendor/adldap2/adldap2/src/Connections/Ldap.php on line 209
=> true

If I change things to SSL

ADLDAP_PORT=636
ADLDAP_USE_SSL=true
ADLDAP_USE_TLS=false

I get a connection and successfully validate. I did have to add in the custom_options:

   'custom_options' => [
      // See: http://php.net/ldap_set_option
      LDAP_OPT_X_TLS_REQUIRE_CERT => LDAP_OPT_X_TLS_NEVER
   ]

But this has no marked effect on STARTTLS.

So I then used a test php script to see if I were able to get ldap_start_tls to work.

   <?php
   $ldap = "dc1srvr.domain.local";
   $usr  = "username@domain.local";
   $pwd  = "password";

   $ds = ldap_connect($ldap);
   $ldapbind = false;
   if (ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
      if (ldap_set_option($ds, LDAP_OPT_REFERRALS, 0)) {
         // only bind once STARTTLS has been negotiated
         if (ldap_start_tls($ds)) {
            $ldapbind = ldap_bind($ds, $usr, $pwd);
         }
      }
   }
   ldap_close($ds);

   if (!$ldapbind) {
      echo "ERROR";
   } else {
      echo "OK";
   }

And this connects with no complaint about starttls.
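The tinker run above prints the ldap_start_tls() warning and still returns true, which is exactly the case a fail-closed check should catch. The script below is an added example, not the issue author's test script and not part of Adldap2 or Adldap2-Laravel: it negotiates STARTTLS on port 389, refuses to bind at all if that negotiation fails, and pulls libldap's diagnostic message so the "Local error" has a reason attached. It keeps LDAP_OPT_X_TLS_REQUIRE_CERT at LDAP_OPT_X_TLS_DEMAND rather than LDAP_OPT_X_TLS_NEVER, so it assumes the CA that issued the domain controller's certificate is trusted by libldap (via TLS_CACERT in /etc/ldap/ldap.conf or the system store). The hostname, UPN and password are placeholders taken from the issue; the function name and the optional debug flag are this example's own.

```php
<?php
// Added example (not from the original issue or the Adldap2 code base).
// Fail-closed STARTTLS bind: if ldap_start_tls() does not succeed, no
// ldap_bind() is attempted, so the credentials never go over the wire
// in clear text. Requires PHP 7.1+ (LDAP_OPT_DIAGNOSTIC_MESSAGE).

$host = 'dc1srvr.domain.local';   // placeholder taken from the issue
$user = 'username@domain.local';  // placeholder UPN
$pass = 'password';               // placeholder

/**
 * Returns [bool $bound, string $message]. $debug turns on libldap's own
 * trace output (stderr), which is where the cause of "Local error" shows.
 */
function bindWithStartTls(string $host, string $user, string $pass, bool $debug = false): array
{
    if ($debug) {
        // libldap debug level is process-global; 7 covers TLS setup tracing.
        ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);
    }

    $ds = ldap_connect("ldap://{$host}:389");
    if ($ds === false) {
        return [false, 'ldap_connect() rejected the URI'];
    }

    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // DEMAND (the libldap default) makes an untrusted or mismatched server
    // certificate a hard failure. NEVER would accept any certificate and
    // leave the session open to an on-path attacker.
    ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // The @ only suppresses the PHP warning; the boolean result is checked
    // here and the failure is reported with libldap's diagnostic text.
    if (!@ldap_start_tls($ds)) {
        $diag = '';
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        $reason = ldap_error($ds) . ($diag !== '' ? " ({$diag})" : '');
        ldap_close($ds);
        return [false, "STARTTLS failed, refusing plaintext bind: {$reason}"];
    }

    // Only reached once the channel is encrypted.
    $bound = @ldap_bind($ds, $user, $pass);
    $msg = $bound ? 'bound over STARTTLS' : 'bind failed: ' . ldap_error($ds);
    ldap_close($ds);

    return [$bound, $msg];
}

[$bound, $msg] = bindWithStartTls($host, $user, $pass, getenv('LDAP_DEBUG') === '1');
echo ($bound ? 'OK' : 'ERROR') . ": {$msg}\n";
exit($bound ? 0 : 1);
```

Run with `LDAP_DEBUG=1 php starttls-check.php` to see libldap's trace of the TLS handshake; in the situation shown in the issue this script prints ERROR instead of reporting a successful login, which is the behaviour you want from an authentication backend. The same LDAP_OPT_* constant/value pairs can be placed in the `custom_options` array described above; the thing to avoid there is LDAP_OPT_X_TLS_NEVER, which removes certificate verification from both ldaps:// and STARTTLS connections.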

stevebauman commented 6 years ago

Hi @warlord0, I think this is an issue inside tinker. Are you running your custom PHP script on the server and then testing Adldap2 in tinker?

Have you tried TLS with your application itself using Adldap2? Nothing is different in the Adldap2 library in regards to your code sample.

warlord0 commented 6 years ago

Yeah I tried the developed app to start with and failed to get any authentication. So decided to try in tinker to get some proper error messages. Got some success adding the option for REQCERT so I can at least auth over SSL.

As it's a warning, the authentication succeeds, but I suspect that's because it's fallen back to non-STARTTLS and just bound in plain text.

I can't figure out where the warning comes from. I'm guessing straight from ldap_start_tls()

warlord0 commented 6 years ago

Just because I can, I set this up using the OpenLDAP server on my Synology. I know the certificate won't be trusted, so I have the TLS_REQCERT option set to never in /etc/ldap/ldap.conf.

I figured I could at least try to rule out a problem with our AD server and see if OpenLDAP might be different.

ldapsearch -D "uid=username,cn=users,dc=domain,dc=co,dc=uk" -LLL -x -w secret "(uid=*)" uid -ZZ -u

connects and returns results.

$ php artisan tinker
Psy Shell v0.8.17 (PHP 7.0.27-0+deb9u1 — cli) by Justin Hileman
>>> Auth::attempt(['name' => 'username', 'password' => 'secret'])
PHP Warning:  ldap_start_tls(): Unable to start TLS: Local error in /var/www/flex/vendor/adldap2/adldap2/src/Connections/Ldap.php on line 209
PHP Warning:  ldap_start_tls(): Unable to start TLS: Local error in /var/www/flex/vendor/adldap2/adldap2/src/Connections/Ldap.php on line 209
=> true

tinker still returns a start tls warning.