BookStackApp / BookStack

A platform to create documentation/wiki content built with PHP & Laravel
https://www.bookstackapp.com/
MIT License
15.43k stars 1.94k forks

LDAPS not working with ActiveDirectory #5310

Closed gamebird92 closed 2 weeks ago

gamebird92 commented 2 weeks ago

Describe the Bug

Hello everyone, I am running a Microsoft Active Directory (on Windows Server 2016) and BookStack on a non-domain Ubuntu machine.

My setup works with LDAP over port 389. When I enable LDAPS in the .env the login does not work any more. I did add the internal root certificate authority on the Ubuntu server to the trusted ones (as I did in other Linux setups).

I have APP_DEBUG=true but I do not receive more information on the login screen than "Could not start TLS connection. Further details in the application log".

The laravel.log shows me the following:

[2024-11-05 14:06:33] production.INFO: LDAP STARTTLS failure: ldap_start_tls(): Unable to start TLS: Can't contact LDAP server :: Can't contact LDAP server (unknown error code)
[2024-11-05 14:06:33] production.ERROR: Could not start TLS connection. Further details in the application log. {"exception":"[object] (BookStack\\Exceptions\\LdapException(code: 0): Could not start TLS connection. Further details in the application log. at /var/www/bookstack/app/Access/LdapService.php:238)
[stacktrace]

Where can I find the "application log"?

The LDAP section from my .env: (I did replace business information with "xxx", but it works with LDAP so these must be correct). I also tried several combinations of the LDAP_TLS_INSECURE and LDAP_TLS_CA_CERT parameters, but these do not seem to change anything.

#LDAP
AUTH_METHOD=ldap
LDAP_SERVER=ldaps://192.168.73.250:636
LDAP_BASE_DN="xxx"
LDAP_DN="xxx"
LDAP_PASS="xxx"
LDAP_USER_FILTER=(&(sAMAccountName={user}))
LDAP_VERSION=3
LDAP_ID_ATTRIBUTE=BIN;objectGUID
LDAP_EMAIL_ATTRIBUTE=mail
LDAP_DISPLAY_NAME_ATTRIBUTE=sAMAccountName
LDAP_START_TLS=true
#LDAP_TLS_INSECURE=true
#LDAP_TLS_CA_CERT=/usr/local/share/ca-certificates/xxx.crt
LDAP_THUMBNAIL_ATTRIBUTE=thumbnailPhoto

Steps to Reproduce

  1. Go to login page
  2. Try to login via LDAPS

Expected Behaviour

Login does work after enabling LDAPS

Screenshots or Additional Context

[Screenshot: bookstack_LDAPS_error]

Browser Details

No response

Exact BookStack Version

v24.10

ssddanbrown commented 2 weeks ago

Hi @gamebird92,

Do you actually mean to use LDAPS? Or does your system actually use LDAP via STARTTLS? These are two distinct mechanisms that both look to be at play in your configured options, which is probably not desired.

gamebird92 commented 2 weeks ago

@ssddanbrown Thanks for the hint! I do want to use LDAPS and took a deeper look into the differences.

I figured it out:

In your LDAP setup video you mentioned using the name and not the IP address in LDAP_SERVER. It seems like it works with the domain name but not the IP address. Probably because of the certificate verification.

I also did reboot my server (after installing the trusted certificate used for LDAPS on the server) but I am unsure if the reboot was really necessary.
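The two points raised in this thread (an `ldaps://` URL combined with `LDAP_START_TLS=true`, which mixes LDAPS and STARTTLS, and an IP address in `LDAP_SERVER` that cannot match the DNS name in the domain controller's certificate) can be caught by inspecting the .env before restarting the app. The checker below is an added example and is not BookStack's own code. It assumes that `LDAP_START_TLS` is treated as false when unset and that the domain controller certificate carries only a DNS name in its Subject Alternative Name, which is the usual case for Active Directory; the hostnames, certificate paths and .env fragments in it are constructed for the example.

```python
"""Check the LDAP section of a BookStack-style .env for the LDAPS/STARTTLS
mix-up and the IP-literal host problem discussed in the issue.

Added example, not part of BookStack. The .env fragments below are
constructed: the first mirrors the reporter's configuration, the second
shows a consistent LDAPS configuration."""
import ipaddress
from urllib.parse import urlsplit

# Constructed: the reporter's configuration (ldaps:// URL, IP host, STARTTLS on).
REPORTED_ENV = """\
#LDAP
AUTH_METHOD=ldap
LDAP_SERVER=ldaps://192.168.73.250:636
LDAP_BASE_DN="xxx"
LDAP_START_TLS=true
#LDAP_TLS_INSECURE=true
"""

# Constructed: plain LDAPS against the DC's DNS name, no STARTTLS, CA pinned.
CORRECTED_ENV = """\
AUTH_METHOD=ldap
LDAP_SERVER=ldaps://dc01.corp.example:636
LDAP_START_TLS=false
LDAP_TLS_CA_CERT=/usr/local/share/ca-certificates/corp-root.crt
"""


def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and '#' comments; strip matching quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def is_ip_literal(host):
    """True for IPv4/IPv6 literals (urlsplit already strips IPv6 brackets)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def truthy(value):
    return value.strip().lower() in {"1", "true", "yes", "on"}


def check_ldap_env(text):
    """Return a list of (code, message) findings for the LDAP settings in text."""
    env = parse_env(text)
    findings = []
    server = env.get("LDAP_SERVER", "").strip()
    if not server:
        return [("no-server", "LDAP_SERVER is not set")]
    # A bare host[:port] is treated as ldap:// (assumption for this checker).
    url = urlsplit(server if "://" in server else "ldap://" + server)
    scheme = url.scheme.lower()
    host = url.hostname or ""
    start_tls = truthy(env.get("LDAP_START_TLS", "false"))

    if scheme == "ldaps" and start_tls:
        findings.append(("ldaps-with-starttls",
                         "ldaps:// already wraps the connection in TLS; "
                         "STARTTLS is a separate upgrade on a plain ldap:// "
                         "connection. Pick one: ldaps:// with "
                         "LDAP_START_TLS=false, or ldap:// with "
                         "LDAP_START_TLS=true."))
    if scheme == "ldap" and not start_tls:
        findings.append(("plaintext",
                         "credentials will cross the network unencrypted; "
                         "use ldaps:// or set LDAP_START_TLS=true."))
    if (scheme == "ldaps" or start_tls) and is_ip_literal(host):
        findings.append(("ip-literal-host",
                         f"{host} is an IP literal; certificate verification "
                         "compares the URL host against the certificate's "
                         "Subject Alternative Name, which for a domain "
                         "controller is normally its DNS name. Use the DC's "
                         "FQDN."))
    if truthy(env.get("LDAP_TLS_INSECURE", "false")):
        findings.append(("tls-insecure",
                         "LDAP_TLS_INSECURE=true disables certificate "
                         "verification; install the CA and set "
                         "LDAP_TLS_CA_CERT instead."))
    return findings


if __name__ == "__main__":
    for label, env_text in (("reported", REPORTED_ENV), ("corrected", CORRECTED_ENV)):
        print(f"== {label} ==")
        for code, message in check_ldap_env(env_text) or [("ok", "no findings")]:
            print(f"  [{code}] {message}")
```

Running it reports `ldaps-with-starttls` and `ip-literal-host` for the reporter's fragment and nothing for the corrected one. The `plaintext` finding is the flip side of the same distinction: dropping `LDAP_START_TLS=true` while keeping `ldap://` silently returns to the unencrypted port 389 setup the reporter started from.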