DirectoryTree / LdapRecord

A fully-featured LDAP framework.
https://ldaprecord.com
MIT License

[Bug] ldap_start_tls(): Unable to start TLS: Local error #669

Closed lastdino closed 5 months ago

lastdino commented 10 months ago

Environment:

Describe the bug:

If you enter the wrong password, an error will occur. If you enter the correct password, you can log in successfully. The TLS/SSL certificate has not expired.

This problem started occurring after updating from version 2 to version 3. Version 2 works fine.

[2023-11-01 03:18:58] local.INFO: LDAP (ldap://xxx.xxx.x.xxx:389) - Operation: Binding - Username: CN=aaa,CN=Users,DC=xxx,DC=local  
[2023-11-01 03:18:58] local.INFO: LDAP (ldap://xxx.xxx.x.xxx:389) - Operation: Bound - Username: CN=aaa,CN=Users,DC=xxx,DC=local  
[2023-11-01 03:18:58] local.INFO: LDAP (ldap://xxx.xxx.x.xxx:389) - Operation: Search - Base DN: DC=xxx,DC=local - Filter: (&(objectclass=\74\6f\70)(objectclass=\70\65\72\73\6f\6e)(objectclass=\6f\72\67\61\6e\69\7a\61\74\69\6f\6e\61\6c\70\65\72\73\6f\6e)(objectclass=\75\73\65\72)(samaccountname=\68\73\6b\65\6e\6f\31)(!(objectclass=\63\6f\6d\70\75\74\65\72))) - Selected: (objectguid,*) - Time Elapsed: 24.79  
[2023-11-01 03:18:58] local.DEBUG: User [AAA] has been successfully discovered for authentication.  
[2023-11-01 03:18:58] local.DEBUG: Object with name [AAA] is being synchronized.  
[2023-11-01 03:18:58] local.DEBUG: Object with name [AAA] has been successfully synchronized.  
[2023-11-01 03:18:58] local.DEBUG: User [AAA] is authenticating.  
[2023-11-01 03:18:58] local.INFO: LDAP (ldap://xxx.xxx.x.xxx:389) - Operation: Attempting - Username: CN=AAA,OU=zzz,DC=xxx,DC=local  
[2023-11-01 03:18:58] local.INFO: LDAP (ldap://xxx.xxx.x.xxx:389) - Operation: Binding - Username: CN=AAA,OU=zzz,DC=xxx,DC=local  
[2023-11-01 03:18:58] local.WARNING: LDAP (ldap://xxx.xxx.x.xxx:389) - Operation: Failed - Username: CN=AAA,OU=zzz,DC=xxx,DC=local - Reason: Invalid credentials  
[2023-11-01 03:18:58] local.INFO: LDAP (ldap://xxx.xxx.x.xxx:389) - Operation: Binding - Username: CN=aaa,CN=Users,DC=xxx,DC=local  
[2023-11-01 03:18:58] local.ERROR: ldap_start_tls(): Unable to start TLS: Local error {"exception":"[object] (LdapRecord\\LdapRecordException(code: 2): ldap_start_tls(): Unable to start TLS: Local error at /volume1/web/test/vendor/directorytree/ldaprecord/src/LdapRecordException.php:19)
[stacktrace]
#0 /volume1/web/test/vendor/directorytree/ldaprecord/src/HandlesConnection.php(174): LdapRecord\\LdapRecordException::withDetailedError(Object(ErrorException), Object(LdapRecord\\DetailedError))
#1 /volume1/web/test/vendor/directorytree/ldaprecord/src/Ldap.php(153): LdapRecord\\Ldap->executeFailableOperation(Object(Closure))
#2 /volume1/web/test/vendor/directorytree/ldaprecord/src/Auth/Guard.php(84): LdapRecord\\Ldap->startTLS()
#3 /volume1/web/test/vendor/directorytree/ldaprecord/src/Auth/Guard.php(125): LdapRecord\\Auth\\Guard->bind('CN=aaa,CN...', 'xxxxxxxxx')
#4 /volume1/web/test/vendor/directorytree/ldaprecord/src/Auth/Guard.php(64): LdapRecord\\Auth\\Guard->bindAsConfiguredUser()
#5 /volume1/web/test/vendor/directorytree/ldaprecord-laravel/src/LdapUserAuthenticator.php(45): LdapRecord\\Auth\\Guard->attempt('CN=AAA,OU=\\xE7...', 'sfaag')
#6 [internal function]: LdapRecord\\Laravel\\LdapUserAuthenticator->LdapRecord\\Laravel\\{closure}(Object(LdapRecord\\Models\\ActiveDirectory\\User), 'sfaag')
#7 /volume1/web/test/vendor/directorytree/ldaprecord-laravel/src/LdapUserAuthenticator.php(75): call_user_func(Object(Closure), Object(LdapRecord\\Models\\ActiveDirectory\\User), 'sfaag')
#8 /volume1/web/test/vendor/directorytree/ldaprecord-laravel/src/Auth/DatabaseUserProvider.php(187): LdapRecord\\Laravel\\LdapUserAuthenticator->attempt(Object(LdapRecord\\Models\\ActiveDirectory\\User), 'sfaag')
#9 /volume1/web/test/vendor/laravel/framework/src/Illuminate/Auth/SessionGuard.php(438): LdapRecord\\Laravel\\Auth\\DatabaseUserProvider->validateCredentials(Object(App\\Models\\User), Array)

[previous exception] [object] (ErrorException(code: 2): ldap_start_tls(): Unable to start TLS: Local error at /volume1/web/test/vendor/directorytree/ldaprecord/src/Ldap.php:154)
[stacktrace]
#0 [internal function]: LdapRecord\\Ldap->LdapRecord\\{closure}(2, 'ldap_start_tls(...', '/volume1/web/Ne...', 154)
#1 /volume1/web/test/vendor/directorytree/ldaprecord/src/Ldap.php(154): ldap_start_tls(Object(LDAP\\Connection))
#2 /volume1/web/test/vendor/directorytree/ldaprecord/src/HandlesConnection.php(161): LdapRecord\\Ldap->LdapRecord\\{closure}()
DirectoryTree/LdapRecord-Laravel#66 /volume1/web/test/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ValidatePostSize.php(27): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
DirectoryTree/LdapRecord-Laravel#67 /volume1/web/test/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(180): Illuminate\\Foundation\\Http\\Middleware\\ValidatePostSize->handle(Object(Illuminate\\Http\\Request), Object(Closure))
DirectoryTree/LdapRecord-Laravel#68 /volume1/web/test/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/PreventRequestsDuringMaintenance.php(99): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
DirectoryTree/LdapRecord-Laravel#69 /volume1/web/test/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(180): Illuminate\\Foundation\\Http\\Middleware\\PreventRequestsDuringMaintenance->handle(Object(Illuminate\\Http\\Request), Object(Closure))
DirectoryTree/LdapRecord-Laravel#70 /volume1/web/test/vendor/laravel/framework/src/Illuminate/Http/Middleware/HandleCors.php(49): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
DirectoryTree/LdapRecord-Laravel#71 /volume1/web/test/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(180): Illuminate\\Http\\Middleware\\HandleCors->handle(Object(Illuminate\\Http\\Request), Object(Closure))
DirectoryTree/LdapRecord-Laravel#72 /volume1/web/test/vendor/laravel/framework/src/Illuminate/Http/Middleware/TrustProxies.php(39): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
DirectoryTree/LdapRecord-Laravel#73 /volume1/web/test/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(180): Illuminate\\Http\\Middleware\\TrustProxies->handle(Object(Illuminate\\Http\\Request), Object(Closure))
DirectoryTree/LdapRecord-Laravel#74 /volume1/web/test/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(116): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
DirectoryTree/LdapRecord-Laravel#75 /volume1/web/test/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(175): Illuminate\\Pipeline\\Pipeline->then(Object(Closure))
DirectoryTree/LdapRecord-Laravel#76 /volume1/web/test/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(144): Illuminate\\Foundation\\Http\\Kernel->sendRequestThroughRouter(Object(Illuminate\\Http\\Request))
DirectoryTree/LdapRecord-Laravel#77 /volume1/web/test/public/index.php(51): Illuminate\\Foundation\\Http\\Kernel->handle(Object(Illuminate\\Http\\Request))
DirectoryTree/LdapRecord-Laravel#78 {main}
"} 
aitzol76 commented 10 months ago

I get exactly the same error, only when entering an incorrect password.

Environment:

stevebauman commented 10 months ago

Hi @lastdino,

Can you please post your LDAP config with sensitive details masked or omitted?

aitzol76 commented 10 months ago

It seems as if LDAP events are mishandled, in this case it is not able to handle the event with errorCode:49 "Invalid credentials" from LDAP server. If it can be useful, this is my configuration:

.env:

LDAP_LOGGING=true
LDAP_CONNECTION=default
LDAP_CONNECTIONS=default

LDAP_DEFAULT_HOSTS=example.com
LDAP_DEFAULT_USERNAME="cn=readonlyuser,dc=example,dc=com"
LDAP_DEFAULT_PASSWORD="????????"
LDAP_DEFAULT_PORT=389
LDAP_DEFAULT_BASE_DN="dc=example,dc=com"
LDAP_DEFAULT_TIMEOUT=5
LDAP_DEFAULT_SSL=false
LDAP_DEFAULT_TLS=true
LDAP_CACHE=true

auth.php:

<?php

return [

    'defaults' => [
        'guard'     => 'web',
        'passwords' => 'users',
    ],

    'guards' => [
        'web' => [
            'driver'   => 'session',
            'provider' => 'users',
        ],

        'api' => [
            'driver'   => 'passport',
            'provider' => 'users',
        ],
    ],

    'providers' => [
        'users' => [
            'driver' => 'ldap',
            'model' => LdapRecord\Models\OpenLDAP\User::class,
            'rules' => [],
            'database' => [
                'model' => App\User::class,
                'sync_passwords' => true,
                'sync_attributes' => [
                    'name' => 'cn',
                    'email' => 'mail',
                ],
            ],
        ],
    ],
    'passwords' => [
        'users' => [
            'provider' => 'users',
            'table'    => 'password_resets',
            'expire'   => 60,
            'throttle' => 60,
        ],
    ],

];

ldap.conf:

<?php

return [

    'default' => env('LDAP_CONNECTION', 'default'),

    'connections' => [

        'default' => [
            'hosts' => [env('LDAP_HOST', '127.0.0.1')],
            'username' => env('LDAP_USERNAME', 'cn=user,dc=local,dc=com'),
            'password' => env('LDAP_PASSWORD', 'secret'),
            'port' => env('LDAP_PORT', 389),
            'base_dn' => env('LDAP_BASE_DN', 'dc=local,dc=com'),
            'timeout' => env('LDAP_TIMEOUT', 5),
            'use_ssl' => env('LDAP_SSL', false),
            'use_tls' => env('LDAP_TLS', false),
        ],

    ],

    'logging' => env('LDAP_LOGGING', true),

    'cache' => [
        'enabled' => env('LDAP_CACHE', false),
        'driver' => env('CACHE_DRIVER', 'file'),
    ],

];
lastdino commented 10 months ago

.env

LDAP_LOGGING=false
LDAP_CONNECTION=default
LDAP_HOST=xxx.xxx.x.xxx
LDAP_USERNAME="CN=aaa,CN=Users,DC=xxx,DC=local"
LDAP_PASSWORD="xxxxxxxxx"
LDAP_PORT=389
LDAP_BASE_DN="DC=xxx,DC=local"
LDAP_TIMEOUT=5
LDAP_SSL=false
LDAP_TLS=true

auth.php

'providers' => [
        'users' => [
            'driver' => 'ldap',
            'model' => LdapRecord\Models\ActiveDirectory\User::class,
            'rules' => [],
            'scopes' => [],
            'database' => [
                'model' => App\Models\User::class,
                'sync_passwords' => true,
                'sync_attributes' => [
                    'name' => 'sn',
                    'Full_name' => 'displayName',
                    'username' => 'samaccountname',
                ],
                'sync_existing' => [
                    'username' => 'samaccountname',
                ],

            ],
        ],
    ],

ldap.php Not changed Default.

stevebauman commented 10 months ago

Thanks for posting those!

Can you both run the below command and post the output?

openssl s_client -connect <server>:389 -starttls ldap -showcerts
stevebauman commented 10 months ago

Also could either of you try the below as well and post the results of the dump of the DetailedError?

use LdapRecord\Container;
use LdapRecord\LdapRecordException;

try {
    Container::getDefaultConnection()->auth()->attempt('cn=foo,dc=local,dc=com', 'invalidpassword');
} catch (LdapRecordException $e) {
    dd($e->getDetailedError()); // <-- Post the results of this
}
mvanbeekum commented 10 months ago

I'm having the same issue coming from adldap2. These are the results of the DetailedError

^ LdapRecord\DetailedError {#1681 ▼
  #errorCode: -11
  #errorMessage: "Connect error"
  #diagnosticMessage: "(unknown error code)"
}
aitzol76 commented 10 months ago

This is the DetailedError I received

LdapRecord\DetailedError {#497 ▼
  #errorCode: 49
  #errorMessage: "Invalid credentials"
  #diagnosticMessage: null
}
aitzol76 commented 10 months ago

> Thanks for posting those!
>
> Can you both run the below command and post the output?
>
> openssl s_client -connect <server>:389 -starttls ldap -showcerts

This is the result of the above command:

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = example.org
verify return:1
---
Certificate chain
 0 s:CN = example.org
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 30 14:23:14 2023 GMT; NotAfter: Jan 28 14:23:13 2024 GMT
-----BEGIN CERTIFICATE-----
MIIGZzCC................................................................................................
..................................................................WpuIv59I7b2UQAgKuSHgkfk
0soFW3Nr473Li34=
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIB..................................................................................................
....................................................................................................VGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIB.................................................................................................
..........................................................................................Bpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----
---
Server certificate
subject=CN = example.org
issuer=C = US, O = Let's Encrypt, CN = R3
---
Acceptable client certificate CA names
CN = example.org
C = US, O = Let's Encrypt, CN = R3
C = US, O = Internet Security Research Group, CN = ISRG Root X1
Requested Signature Algorithms: RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512
Shared Requested Signature Algorithms: RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512
Peer signing digest: SHA384
Peer signature type: RSA-PSS
Server Temp Key: ECDH, secp521r1, 521 bits
---
SSL handshake has read 5322 bytes and written 876 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
mvanbeekum commented 10 months ago

forge@server:~/webapp$ openssl s_client -connect <server>:389 -starttls ldap -showcerts
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 DC = com, DC = mydomain, CN = servername
verify return:1
depth=0 CN = ldap-server
verify return:1
---
Certificate chain
 0 s:CN = <ldap-server>
   i:DC = com, DC = mydomain, CN = servername
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Apr  5 12:23:41 2023 GMT; NotAfter: Apr  4 12:23:41 2024 GMT
-----BEGIN CERTIFICATE-----
MIIGEzCCBPugAwIBAgI...
...J6S4+AzQ=
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap-server
issuer=DC = com, DC = mydomain, CN = servername
---
No client certificate CA names sent
Requested Signature Algorithms: RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Shared Requested Signature Algorithms: RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2132 bytes and written 434 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 0385D5D9CF9C...AC606A214F
    Session-ID-ctx:
    Resumption PSK: 4CEB1693E66D...215739051E07777000547D1D5FC1BDF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 36000 (seconds)
    TLS session ticket:
    0000 - 59 2d 00 00 ...
    Y-.....-E..}-...
    0010 - 36 77 72 41 a2 0d ab ...
    6wrA......[|E'J:

    Start Time: 1699755738
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

read:errno=104
lastdino commented 10 months ago

DetailedError

LdapRecord\DetailedError {#739 ▼
  #errorCode: 49
  #errorMessage: "Invalid credentials"
  #diagnosticMessage: "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1"
}

command

CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = <ldap-server>
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = <ldap-server>
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = <ldap-server>
verify return:1
---
Certificate chain
 0 s:CN = <ldap-server>
   i:CN = <ldap-server>
-----BEGIN CERTIFICATE-----
MIIDUz..........
-----END CERTIFICATE-----
---
Server certificate
subject=CN = <ldap-server>

issuer=CN = <ldap-server>

---
Acceptable client certificate CA names
CN = <ldap-server>
Requested Signature Algorithms: RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:Ed448:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:Ed448:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1550 bytes and written 434 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
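The three `openssl s_client` transcripts above end in two different ways: two verify cleanly (`Verify return code: 0 (ok)`), the last one shows a self-signed leaf (`subject` equals `issuer`) and `Verify return code: 21`. The script below is an added example for scripting that triage; it is not part of this thread or of LdapRecord. It parses the unindented summary lines that `s_client` prints and reports whether the chain verified and whether the leaf is self-signed. The two transcripts embedded in it are constructed to match the shape of the outputs posted above, with hostnames, CA names and certificate bodies replaced by placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class StartTlsCheck:
    subject: str
    issuer: str
    verify_code: int
    verify_text: str
    not_after: Optional[str]   # expiry of the leaf, from its 'v:' line
    certs_sent: int            # certificates the server included in the chain

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer

    @property
    def verified(self) -> bool:
        return self.verify_code == 0

    def findings(self) -> List[str]:
        """Problems worth a look; an empty list means nothing to flag."""
        out = []
        if not self.verified:
            out.append(f"chain not verified against the local trust store: "
                       f"{self.verify_text} (code {self.verify_code})")
        if self.self_signed:
            out.append("leaf certificate is self-signed (subject == issuer); "
                       "clients pass verification only if this exact cert is trusted locally")
        return out


def _first(pattern: str, text: str) -> Optional[str]:
    m = re.search(pattern, text, re.M)
    return m.group(1).strip() if m else None


def parse_s_client(text: str) -> StartTlsCheck:
    """Pull the verification verdict and leaf identity out of s_client output."""
    # Only the unindented line counts; the SSL-Session block repeats it indented.
    m = re.search(r"^Verify return code: (\d+) \((.+?)\)\s*$", text, re.M)
    if m is None:
        raise ValueError("no 'Verify return code' line: the TLS handshake did not complete")
    return StartTlsCheck(
        subject=_first(r"^subject=(.+)$", text) or "",
        issuer=_first(r"^issuer=(.+)$", text) or "",
        verify_code=int(m.group(1)),
        verify_text=m.group(2),
        # s_client lists the leaf first, so the first NotAfter is the leaf's expiry.
        not_after=_first(r"NotAfter: (.+?)\s*$", text),
        certs_sent=len(re.findall(r"^-----BEGIN CERTIFICATE-----", text, re.M)),
    )


# Constructed transcripts shaped like the ones posted above; certificate bodies elided.
SELF_SIGNED = """\
CONNECTED(00000003)
depth=0 CN = ldap.example.test
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = ldap.example.test
   i:CN = ldap.example.test
   v:NotBefore: Jan  1 00:00:00 2023 GMT; NotAfter: Dec 31 23:59:59 2024 GMT
-----BEGIN CERTIFICATE-----
MIID...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap.example.test

issuer=CN = ldap.example.test

---
Verification error: unable to verify the first certificate
---
Verify return code: 21 (unable to verify the first certificate)
---
"""

VERIFIED_CHAIN = """\
CONNECTED(00000003)
depth=1 C = US, O = Example Org, CN = Example Issuing CA
verify return:1
---
Certificate chain
 0 s:CN = ldap.example.test
   i:C = US, O = Example Org, CN = Example Issuing CA
   v:NotBefore: Oct 30 14:23:14 2023 GMT; NotAfter: Jan 28 14:23:13 2024 GMT
-----BEGIN CERTIFICATE-----
MIIG...
-----END CERTIFICATE-----
 1 s:C = US, O = Example Org, CN = Example Issuing CA
   i:C = US, O = Example Org, CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIF...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap.example.test
issuer=C = US, O = Example Org, CN = Example Issuing CA
---
Verification: OK
---
Verify return code: 0 (ok)
---
"""
```

Two caveats when reading the result. `Verify return code: 0` only says the chain validates against the trust store `s_client` used; pass `-CAfile` with the CA the PHP host's libldap is configured with (`TLS_CACERT` in ldap.conf) to test the same trust, and `-verify_hostname <name>` if you also want the hostname checked, since `s_client` does not do that by default. Whether PHP's `ldap_start_tls()` accepts an unverifiable certificate is decided by libldap's `TLS_REQCERT` setting, not by this output, so a self-signed result like the third transcript combined with a StartTLS that succeeds from PHP means that host either trusts that certificate explicitly or has `TLS_REQCERT` relaxed.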
bucari commented 7 months ago

I get the same error with with active directory, any solution?

stevebauman commented 7 months ago

Apologies for the lateness of my replies. Have you all tried the debugging steps here? Want to make sure before proceeding further:

https://ldaprecord.com/docs/core/v3/configuration/#debugging

stevebauman commented 7 months ago

Also, are you sure it's working in v2? Is it possibly failing silently in v2?

I find that really bizarre, as there weren't any changes to the path or logic, just additions of return types:

v3.0:

https://github.com/DirectoryTree/LdapRecord/blob/da3d5dff87d476a7ea9dd72d6a8972cfa907204c/src/Auth/Guard.php#L76-L85

https://github.com/DirectoryTree/LdapRecord/blob/da3d5dff87d476a7ea9dd72d6a8972cfa907204c/src/Ldap.php#L151-L156

v2.0:

https://github.com/DirectoryTree/LdapRecord/blob/5bd0a5a9d257cf1049ae83055dbba4c3479ddf16/src/Auth/Guard.php#L98-L107

https://github.com/DirectoryTree/LdapRecord/blob/5bd0a5a9d257cf1049ae83055dbba4c3479ddf16/src/Ldap.php#L174-L179

bucari commented 7 months ago

Hi @stevebauman Finally i solved inserting my code in a try catch like this

use Illuminate\Support\Facades\Auth;
use Laravel\Fortify\Fortify;

Fortify::authenticateUsing(function ($request) {
    try {
        $validated = Auth::validate([
            'samaccountname' => $request->username,
            'password' => $request->password,
        ]);

        return $validated ? Auth::getLastAttempted() : null;
    } catch (\LdapRecord\LdapRecordException $ex) {
        // Any LDAP-level failure (including the StartTLS error above) is treated as a failed login.
        return null;
    }
});

before, in version 2, i was using a try catch with a generic Throwable exeption

} catch (\Throwable $th) {
    return null;
}
stevebauman commented 7 months ago

Ok thanks for reporting back @bucari 🙏

Closing this for now -- let me know if anyone is still encountering this and has not reached a solution yet and I will re-open.

bakanyaka commented 6 months ago

I'm getting the same error in v3 when I enter invalid credentials. It seems to be caused by attempting to start TLS a second time after the failed auth attempt.

[2024-02-29 10:21:34] local.INFO: LDAP (ldap://srv-dc01.arsenal.plm:389) - Operation: Binding - Username: CN=ad-service-account,OU=Service Accounts,OU=Special Accounts,DC=domain,DC=my
[2024-02-29 10:21:34] local.INFO: LDAP (ldap://srv-dc01.arsenal.plm:389) - Operation: Bound - Username: CN=ad-service-account,OU=Service Accounts,OU=Special Accounts,DC=domain,DC=my
[2024-02-29 10:21:34] local.INFO: LDAP (ldap://srv-dc01.arsenal.plm:389) - Operation: Search - Base DN: DC=domain,DC=my - Filter: (&(objectclass=\74\6f\70)(objectclass=\70\65\72\73\6f\6e)(objectclass=\6f\72\67\61\6e\69\7a\61\74\69\6f\6e\61\6c\70\65\72\73\6f\6e)(objectclass=\75\73\65\72)(samaccountname=\62\64\73\34\37\30\34\39)(!(objectclass=\63\6f\6d\70\75\74\65\72))) - Selected: (objectguid,*) - Time Elapsed: 37.25
[2024-02-29 10:21:34] local.DEBUG: User [Firstname Middlename Lastname] has been successfully discovered for authentication.
[2024-02-29 10:21:34] local.DEBUG: Object with name [Firstname Middlename Lastname] is being imported.
[2024-02-29 10:21:34] local.DEBUG: Object with name [Firstname Middlename Lastname] is being synchronized.
[2024-02-29 10:21:34] local.DEBUG: Object with name [Firstname Middlename Lastname] has been successfully synchronized.
[2024-02-29 10:21:34] local.DEBUG: User [Firstname Middlename Lastname] is authenticating.
[2024-02-29 10:21:34] local.INFO: LDAP (ldap://srv-dc01.arsenal.plm:389) - Operation: Attempting - Username: CN=Firstname Middlename Lastname,OU=Department,OU=Users,OU=Domain Units,DC=domain,DC=my
[2024-02-29 10:21:34] local.INFO: LDAP (ldap://srv-dc01.arsenal.plm:389) - Operation: Binding - Username: CN=Firstname Middlename Lastname,OU=Department,OU=Users,OU=Domain Units,DC=domain,DC=my
[2024-02-29 10:21:34] local.WARNING: LDAP (ldap://srv-dc01.arsenal.plm:389) - Operation: Failed - Username: CN=Firstname Middlename Lastname,OU=Department,OU=Users,OU=Domain Units,DC=domain,DC=my - Reason: Invalid credentials
[2024-02-29 10:21:34] local.INFO: LDAP (ldap://srv-dc01.arsenal.plm:389) - Operation: Binding - Username: CN=ad-service-account,OU=Service Accounts,OU=Special Accounts,DC=domain,DC=my
[2024-02-29 10:21:34] local.ERROR: ldap_start_tls(): Unable to start TLS: Local error {"exception":"[object] (LdapRecord\\LdapRecordException(code: 2): ldap_start_tls(): Unable to start TLS: Local error at /var/www/html/vendor/directorytree/ldaprecord/src/LdapRecordException.php:19) [stacktrace]


stevebauman commented 6 months ago

Thanks for the info @bakanyaka! Going to look at this right now.

bakanyaka commented 6 months ago

I have investigated the problem a bit more and found out that in v3 the `LdapRecord\Ldap::bind` method sets `$this->bound` to `false` when auth fails, which causes an attempt to bind again (that throws the error on startTls), but in v2 it did not set it to false.

v2: [screenshot]

v3: [screenshot]

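The failure path bakanyaka describes can be reproduced without a directory server. libldap's `ldap_start_tls_s` refuses to negotiate TLS on a session that already has TLS in place and returns `LDAP_LOCAL_ERROR`, which PHP surfaces as the `ldap_start_tls(): Unable to start TLS: Local error` message in this thread. If a failed user bind also clears the client's "bound" flag, the next operation re-runs the whole connect sequence, StartTLS included, on that same session. The model below is an added example, not LdapRecord code: the fake libldap, the DNs and the passwords are constructed for it, and the `reset_bound_on_failure` switch stands in for the v2/v3 difference reported above. It also shows the distinction bucari's blanket catch loses: a result code 49 is a wrong password, anything else is an operational error and should propagate.

```python
from dataclasses import dataclass, field
from typing import Dict, List

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49   # server resultCode for a wrong password
LDAP_LOCAL_ERROR = -2           # libldap API error returned when TLS is already in place

# Constructed DNs and passwords for the example.
SERVICE_DN = "CN=svc-ldap,OU=Service Accounts,DC=example,DC=test"
USER_DN = "CN=Some User,OU=Users,DC=example,DC=test"
CREDENTIALS: Dict[str, str] = {SERVICE_DN: "service-secret", USER_DN: "correct-horse"}


class LdapError(Exception):
    def __init__(self, code: int, message: str) -> None:
        super().__init__(f"{message} (code {code})")
        self.code = code


@dataclass
class FakeLibLdap:
    """Stand-in for the ldap_* extension calls: tracks TLS state and checks binds."""
    credentials: Dict[str, str]
    tls_in_place: bool = False
    calls: List[str] = field(default_factory=list)

    def start_tls(self) -> None:
        self.calls.append("start_tls")
        if self.tls_in_place:   # libldap refuses a second StartTLS on the same session
            raise LdapError(LDAP_LOCAL_ERROR, "Unable to start TLS: Local error")
        self.tls_in_place = True

    def bind(self, dn: str, password: str) -> None:
        self.calls.append(f"bind:{dn}")
        if self.credentials.get(dn) != password:
            raise LdapError(LDAP_INVALID_CREDENTIALS, "Invalid credentials")


class Connection:
    """Client wrapper: a service-account bind plus per-user bind attempts."""

    def __init__(self, ldap: FakeLibLdap, reset_bound_on_failure: bool) -> None:
        self.ldap = ldap
        # True:  a failed bind clears the 'bound' flag (the v3 behaviour reported above)
        # False: a failed bind leaves the flag alone (the v2 behaviour reported above)
        self.reset_bound_on_failure = reset_bound_on_failure
        self.bound = False

    def _connect(self) -> None:
        """Full connect sequence: StartTLS, then bind as the service account."""
        self.ldap.start_tls()
        self._bind(SERVICE_DN, CREDENTIALS[SERVICE_DN])

    def _bind(self, dn: str, password: str) -> None:
        try:
            self.ldap.bind(dn, password)
        except LdapError:
            if self.reset_bound_on_failure:
                self.bound = False
            raise
        self.bound = True

    def attempt(self, dn: str, password: str) -> bool:
        """False only for a wrong password; any other LDAP error propagates."""
        if not self.bound:
            self._connect()
        try:
            self._bind(dn, password)
            ok = True
        except LdapError as e:
            if e.code != LDAP_INVALID_CREDENTIALS:
                raise   # TLS/transport problems must not be reported as a bad password
            ok = False
        # Later work (sync, import) needs the service bind back. If the failed user
        # bind also cleared 'bound', the whole connect sequence runs again, StartTLS
        # included, on a session that already has TLS.
        if not self.bound:
            self._connect()
        else:
            self._bind(SERVICE_DN, CREDENTIALS[SERVICE_DN])
        return ok


def simulate(reset_bound_on_failure: bool, password: str = "wrong-password") -> str:
    """Run one login attempt against a fresh fake session and summarise how it ends."""
    conn = Connection(FakeLibLdap(dict(CREDENTIALS)), reset_bound_on_failure)
    try:
        return "authenticated" if conn.attempt(USER_DN, password) else "denied"
    except LdapError as e:
        return "local_error" if e.code == LDAP_LOCAL_ERROR else f"error:{e.code}"


if __name__ == "__main__":
    print("v2-like, wrong password:", simulate(False))                  # denied
    print("v3-like, wrong password:", simulate(True))                   # local_error
    print("v3-like, right password:", simulate(True, "correct-horse"))  # authenticated
```

With the flag set the wrong-password case ends in `local_error` rather than `denied`, which is exactly the log sequence above: service bind, user bind fails with "Invalid credentials", service bind again, StartTLS error. A wrapper that catches every `Throwable` and returns `null` hides that second outcome behind a generic login failure, so distinguishing code 49 from everything else is worth keeping even after the library fix.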
stevebauman commented 5 months ago

Hi guys, this issue should be resolved in the latest update v3.6.0. I appreciate your patience.

Please run composer update and you should be all set.

Let me know if you encounter any issues! 🙏