DirectoryTree / LdapRecord

A fully-featured LDAP framework.
https://ldaprecord.com
MIT License
509 stars 44 forks

Error Ldap_start_tls(): Unable to start TLS #122

Closed rodrigosegatto closed 4 years ago

rodrigosegatto commented 4 years ago

Good Morning,

Here is the code:

<?php
require __DIR__ . '/vendor/autoload.php';
use LdapRecord\Container;
use LdapRecord\Connection;
//model
use LdapRecord\Models\Model;
use LdapRecord\Models\ActiveDirectory\User;
use LdapRecord\LdapRecordException;

$config = [
    // Mandatory Configuration Options
    'hosts'            => ['192.168.1.11'],
    'base_dn'          => 'dc=empresa,dc=com,dc=br',
    'username'         => 'empresa\administrador',
    'password'         => 'unimed.123',

    // Optional Configuration Options
    'port'             => 389,
    'follow_referrals' => false,
    'use_ssl'          => false,
    'use_tls'          => true,
    'version'          => 3,
    'timeout'          => 5
];

$connection = new Connection($config);

Container::addConnection($connection);

$user = User::find('CN=Jhon Doe,U=Users,DC=empresa,DC=com,DC=br');

$user->unicodepwd = ['oldPass', 'newPass'];
try {
    $user->save();

    echo "User password changed!";
} catch (LdapRecordException $ex) {
    // Failed changing password.
    $connection = $user->getConnection();

    // Get the last LDAP error to determine the cause of failure.
    $error = $connection->getLdapConnection()->getDetailedError();

    echo $error->getErrorCode();
    echo $error->getErrorMessage();
    echo $error->getDiagnosticMessage();
}

I'm trying to connect via TLS to change the user's password, but I get the error below:

PHP Fatal error: Uncaught ErrorException: ldap_start_tls(): Unable to start TLS: Server is unavailable in /var/www/html/activedirectory/vendor/directorytree/ldaprecord/src/Ldap.php:416
Stack trace:
#0 [internal function]: LdapRecord\Ldap->LdapRecord{closure}()
#1 /var/www/html/activedirectory/vendor/directorytree/ldaprecord/src/Ldap.php(416): ldap_start_tls()
#2 /var/www/html/activedirectory/vendor/directorytree/ldaprecord/src/Ldap.php(889): LdapRecord\Ldap->LdapRecord{closure}()
#3 /var/www/html/activedirectory/vendor/directorytree/ldaprecord/src/Ldap.php(417): LdapRecord\Ldap->executeFailableOperation()
#4 /var/www/html/activedirectory/vendor/directorytree/ldaprecord/src/Auth/Guard.php(114): LdapRecord\Ldap->startTLS()
#5 /var/www/html/activedirectory/vendor/directorytree/ldaprecord/src/Auth/Guard.php(142): LdapRecord\Auth\Guard->bind()
#6 /var/www/html/activedirectory/vendor/directorytree/ldaprecord/src/Connection.php(202): LdapRecord\Auth\Guard->bindAsConfiguredUser()
#7 /var/www/html/activedirectory/vendor/directorytre in /var/www/html/activedirectory/vendor/directorytree/ldaprecord/src/Ldap.php on line 416

AlexH-HankIT commented 4 years ago

Can you post the output of

openssl s_client -connect <server>:389 -starttls ldap -showcerts

so we can see if there is a certificate available?

If you already know that there is one available, is it trusted by your client?

rodrigosegatto commented 4 years ago

It returns this:

CONNECTED(00000003)
STARTTLS failed, LDAP Result Code: 52
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 131 bytes and written 31 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

AlexH-HankIT commented 4 years ago

This means there is no certificate available on your server. You will either have to manually create a self-signed certificate or request one from a certificate authority, either your own (e.g. Active Directory Certificate Services) or from a third party.
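Reading the two openssl probes in this thread (the first with result code 52 and no peer certificate, the later one with a full chain) takes some care: the first output still ends in "Verify return code: 0 (ok)" because nothing was verified. The helper below is an added example, not part of LdapRecord or this thread; it classifies `openssl s_client -starttls ldap` output, checking for the STARTTLS failure before trusting the verify line. The probe_ldap_starttls wrapper and the three sample outputs are constructed for illustration.

```shell
# Classify the output of an `openssl s_client -starttls ldap` probe read
# from stdin, printing one verdict line. Added example (hypothetical
# helper, not LdapRecord code).
classify_starttls() {
    out=$(cat)
    # A refused STARTTLS comes first: the trailing "Verify return code"
    # line is 0 (ok) in that case even though no certificate was seen.
    if printf '%s\n' "$out" | grep -qF 'STARTTLS failed'; then
        code=$(printf '%s\n' "$out" | sed -n 's/.*LDAP Result Code: \([0-9]*\).*/\1/p' | head -n1)
        echo "starttls-refused:${code:-unknown}"
    elif printf '%s\n' "$out" | grep -qF 'no peer certificate available'; then
        echo "no-certificate"
    elif printf '%s\n' "$out" | grep -qF 'Verify return code: 0 (ok)'; then
        echo "ok"
    else
        # Certificate offered but not trusted by this client's CA store.
        vc=$(printf '%s\n' "$out" | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n1)
        echo "untrusted:${vc:-unknown}"
    fi
}

# Live probe (assumes openssl is installed): host as $1, port as $2 (default 389).
probe_ldap_starttls() {
    openssl s_client -connect "$1:${2:-389}" -starttls ldap -showcerts </dev/null 2>/dev/null | classify_starttls
}

# Constructed samples shaped like the outputs quoted in this thread.
SAMPLE_NO_CERT='CONNECTED(00000003)
STARTTLS failed, LDAP Result Code: 52
---
no peer certificate available
---
Verify return code: 0 (ok)'

SAMPLE_OK='CONNECTED(00000003)
depth=0 CN = WIN-MENDMGOKJ0B.dobot.cc
verify return:1
---
Server certificate
subject=/CN=WIN-MENDMGOKJ0B.dobot.cc
---
    Verify return code: 0 (ok)'

SAMPLE_UNTRUSTED='CONNECTED(00000003)
depth=0 CN = ldap.example.internal
verify error:num=18:self signed certificate
---
Verify return code: 18 (self signed certificate)'
```

An "ok" verdict only says the client trusts the chain; LdapRecord's `use_tls` still needs the server's certificate to match the host name configured in `hosts`.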

rodrigosegatto commented 4 years ago

How do I create a certificate manually?

AlexH-HankIT commented 4 years ago

You can check out this question on stackoverflow: https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl

Since this problem is not actually related to the library, we should close this issue.

stevebauman commented 4 years ago

Thanks for your help on this @AlexH269!

rodrigosegatto commented 4 years ago

For the command below, should I change anything? Should I run it in a specific location? Is "cert.pem" a file that I need to download?

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

zyqaicyy commented 1 year ago

CONNECTED(00000003)
depth=1 DC = cc, DC = dobot, CN = dobot-WIN-MENDMGOKJ0B-CA
verify return:1
depth=0 CN = WIN-MENDMGOKJ0B.dobot.cc
verify return:1
---
Certificate chain
 0 s:/CN=WIN-MENDMGOKJ0B.dobot.cc
   i:/DC=cc/DC=dobot/CN=dobot-WIN-MENDMGOKJ0B-CA
---
Server certificate
subject=/CN=WIN-MENDMGOKJ0B.dobot.cc
issuer=/DC=cc/DC=dobot/CN=dobot-WIN-MENDMGOKJ0B-CA
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Peer signing digest: SHA1
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2168 bytes and written 514 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 530400004270D1AE89088F3525FCE2A7A127148A16B311242CEA0C8455362253
    Session-ID-ctx: 
    Master-Key: 5715B24B1E575BAAF80A8871B5058124E19D1A9E69AF705D6711BB1F18136DC67CBFB9935518E7DB998B43BE2E934C8B
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1681465036
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---