glpi-project / glpi

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing.
https://glpi-project.org
GNU General Public License v3.0
4.31k stars 1.29k forks

LDAPS issue on Linux & Apache #15950

Closed shiizeen closed 8 months ago

shiizeen commented 1 year ago

Version

10.0.10

Bug description

LDAPS binding is not working when on port 636, but it works on 389.

LDAPS is working when setting "Use Bind" on the "no" option.

My current setup:

CentOS Stream 8 + Apache/2.4.37 and PHP 8.1.25 (I also tried with PHP 7.4) + firewalld with ldap & ldaps open. I tried to disable SELinux for testing.

Relevant log output

[2023-11-06 15:02:01] glpiphplog.WARNING:   *** PHP User Warning (512): Unable to bind to LDAP server `:636` with RDN `CN=myuser,OU=myOU,DC=mydc,DC=local`
error: Can't contact LDAP server (-1) in /var/www/html/glpi/src/AuthLDAP.php at line 3164
  Backtrace :
  src/AuthLDAP.php:3164                              trigger_error()
  src/AuthLDAP.php:3038                              AuthLDAP::connectToServer()
  src/AuthLDAP.php:2862                              AuthLDAP->connect()
  src/AuthLDAP.php:3327                              AuthLDAP::ldapImportUserByServerId()
  front/user.form.php:222                            AuthLDAP::importUserFromServers()
  public/index.php:82                                require()

Page URL

No response

Steps To reproduce

No response

Your GLPI setup information

Informations sur le système, l'installation et la configuration
GLPI 10.0.10 ( => /var/www/html/glpi)
Installation mode: TARBALL
Current language:fr_FR

Server
 
Operating system: Linux 4.18.0-513.el8.x86_64 #1 SMP Fri Aug 25 14:33:28 UTC 2023 x86_64
PHP 8.1.25 fpm-fcgi (Core, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, apcu, bz2, calendar, cgi-fcgi, ctype, curl,
    date, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, intl, json, ldap, libxml, mbstring, mysql, mysqli, mysqlnd,
    openssl, pcre, pdo_mysql, pdo_sqlite, session, sockets, sodium, sqlite3, standard, tokenizer, xml, xmlreader, xmlwriter, xsl,
    zip, zlib)
Setup: max_execution_time="30" memory_limit="128M" post_max_size="8M" safe_mode="" session.save_handler="files"
    upload_max_filesize="2M" 
Software: Apache/2.4.37 (CentOS Stream) OpenSSL/1.1.1k ()
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Server Software: MariaDB Server
    Server Version: 10.5.22-MariaDB
    Server SQL Mode: STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
    Parameters: glpiadmin@127.0.0.1/glpi
    Host info: 127.0.0.1 via TCP/IP

PHP version (8.1.25) is supported.
Sessions configuration is OK.
Allocated memory is sufficient.
mysqli extension is installed.
Following extensions are installed: dom, fileinfo, filter, libxml, json, simplexml, xmlreader, xmlwriter.
curl extension is installed.
gd extension is installed.
intl extension is installed.
zlib extension is installed.
The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present.
Database engine version (10.5.22) is supported.
No files from previous GLPI version detected.
The log file has been created successfully.
Write access to /var/www/html/glpi/files/_cache has been validated.
Write access to /var/www/html/glpi/config has been validated.
Write access to /var/www/html/glpi/files/_cron has been validated.
Write access to /var/www/html/glpi/files has been validated.
Write access to /var/www/html/glpi/files/_dumps has been validated.
Write access to /var/www/html/glpi/files/_graphs has been validated.
Write access to /var/www/html/glpi/files/_lock has been validated.
Write access to /var/www/html/glpi/files/_pictures has been validated.
Write access to /var/www/html/glpi/files/_plugins has been validated.
Write access to /var/www/html/glpi/files/_rss has been validated.
Write access to /var/www/html/glpi/files/_sessions has been validated.
Write access to /var/www/html/glpi/files/_tmp has been validated.
Write access to /var/www/html/glpi/files/_uploads has been validated.
For security reasons, SELinux mode should be Enforcing.

Web server root directory configuration seems safe.
PHP directive "session.cookie_httponly" should be set to "on" to prevent client-side script to access cookie values.
OS and PHP are relying on 64 bits integers.
exif extension is installed.
ldap extension is installed.
openssl extension is installed.
Following extensions are installed: bz2, Phar, zip.
Zend OPcache extension is installed.
Following extensions are installed: ctype, iconv, mbstring, sodium.
Write access to /var/www/html/glpi/marketplace has been validated.
Access to timezone database (mysql) is not allowed.

GLPI constants
 
GLPI_ROOT: "/var/www/html/glpi"
GLPI_CONFIG_DIR: "/var/www/html/glpi/config"
GLPI_VAR_DIR: "/var/www/html/glpi/files"
GLPI_MARKETPLACE_DIR: "/var/www/html/glpi/marketplace"
GLPI_USE_CSRF_CHECK: "1"
GLPI_CSRF_EXPIRES: "7200"
GLPI_CSRF_MAX_TOKENS: "100"
GLPI_USE_IDOR_CHECK: "1"
GLPI_IDOR_EXPIRES: "7200"
GLPI_ALLOW_IFRAME_IN_RICH_TEXT: false
GLPI_SERVERSIDE_URL_ALLOWLIST: ["/^(https?|feed):\\/\\/[^@:]+(\\/.*)?$/"]
GLPI_TELEMETRY_URI: "https://telemetry.glpi-project.org"
GLPI_INSTALL_MODE: "TARBALL"
GLPI_NETWORK_MAIL: "glpi@teclib.com"
GLPI_NETWORK_SERVICES: "https://services.glpi-network.com"
GLPI_MARKETPLACE_ALLOW_OVERRIDE: true
GLPI_MARKETPLACE_MANUAL_DOWNLOADS: true
GLPI_USER_AGENT_EXTRA_COMMENTS: ""
GLPI_DISABLE_ONLY_FULL_GROUP_BY_SQL_MODE: "1"
GLPI_AJAX_DASHBOARD: "1"
GLPI_CALDAV_IMPORT_STATE: 0
GLPI_DEMO_MODE: "0"
GLPI_CENTRAL_WARNINGS: "1"
GLPI_DOC_DIR: "/var/www/html/glpi/files"
GLPI_CACHE_DIR: "/var/www/html/glpi/files/_cache"
GLPI_CRON_DIR: "/var/www/html/glpi/files/_cron"
GLPI_DUMP_DIR: "/var/www/html/glpi/files/_dumps"
GLPI_GRAPH_DIR: "/var/www/html/glpi/files/_graphs"
GLPI_LOCAL_I18N_DIR: "/var/www/html/glpi/files/_locales"
GLPI_LOCK_DIR: "/var/www/html/glpi/files/_lock"
GLPI_LOG_DIR: "/var/www/html/glpi/files/_log"
GLPI_PICTURE_DIR: "/var/www/html/glpi/files/_pictures"
GLPI_PLUGIN_DOC_DIR: "/var/www/html/glpi/files/_plugins"
GLPI_RSS_DIR: "/var/www/html/glpi/files/_rss"
GLPI_SESSION_DIR: "/var/www/html/glpi/files/_sessions"
GLPI_TMP_DIR: "/var/www/html/glpi/files/_tmp"
GLPI_UPLOAD_DIR: "/var/www/html/glpi/files/_uploads"
GLPI_INVENTORY_DIR: "/var/www/html/glpi/files/_inventories"
GLPI_NETWORK_REGISTRATION_API_URL: "https://services.glpi-network.com/api/registration/"
GLPI_MARKETPLACE_PLUGINS_API_URI: "https://services.glpi-network.com/api/marketplace/"
GLPI_I18N_DIR: "/var/www/html/glpi/locales"
GLPI_VERSION: "10.0.10"
GLPI_SCHEMA_VERSION: "10.0.10@05de68add675fb55abaeec10f3a2552085594a16"
GLPI_MARKETPLACE_PRERELEASES: false
GLPI_MIN_PHP: "7.4.0"
GLPI_MAX_PHP: "8.4.0"
GLPI_YEAR: "2023"

Libraries
 
htmlawed/htmlawed version 1.2.14 in (/var/www/html/glpi/vendor/htmlawed/htmlawed)
phpmailer/phpmailer version 6.8.0 in (/var/www/html/glpi/vendor/phpmailer/phpmailer/src)
simplepie/simplepie version 1.5.8 in (/var/www/html/glpi/vendor/simplepie/simplepie/library)
tecnickcom/tcpdf version 6.6.2 in (/var/www/html/glpi/vendor/tecnickcom/tcpdf)
michelf/php-markdown in (/var/www/html/glpi/vendor/michelf/php-markdown/Michelf)
true/punycode in (/var/www/html/glpi/vendor/true/punycode/src)
iamcal/lib_autolink in (/var/www/html/glpi/vendor/iamcal/lib_autolink)
sabre/dav in (/var/www/html/glpi/vendor/sabre/dav/lib/DAV)
sabre/http in (/var/www/html/glpi/vendor/sabre/http/lib)
sabre/uri in (/var/www/html/glpi/vendor/sabre/uri/lib)
sabre/vobject in (/var/www/html/glpi/vendor/sabre/vobject/lib)
laminas/laminas-i18n in (/var/www/html/glpi/vendor/laminas/laminas-i18n/src)
laminas/laminas-servicemanager in (/var/www/html/glpi/vendor/laminas/laminas-servicemanager/src)
monolog/monolog in (/var/www/html/glpi/vendor/monolog/monolog/src/Monolog)
sebastian/diff in (/var/www/html/glpi/vendor/sebastian/diff/src)
donatj/phpuseragentparser in (/var/www/html/glpi/vendor/donatj/phpuseragentparser/src/UserAgent)
elvanto/litemoji in (/var/www/html/glpi/vendor/elvanto/litemoji/src)
symfony/console in (/var/www/html/glpi/vendor/symfony/console)
scssphp/scssphp in (/var/www/html/glpi/vendor/scssphp/scssphp/src)
laminas/laminas-mail in (/var/www/html/glpi/vendor/laminas/laminas-mail/src/Protocol)
laminas/laminas-mime in (/var/www/html/glpi/vendor/laminas/laminas-mime/src)
rlanvin/php-rrule in (/var/www/html/glpi/vendor/rlanvin/php-rrule/src)
ramsey/uuid in (/var/www/html/glpi/vendor/ramsey/uuid/src)
psr/log in (/var/www/html/glpi/vendor/psr/log/Psr/Log)
psr/simple-cache in (/var/www/html/glpi/vendor/psr/simple-cache/src)
psr/cache in (/var/www/html/glpi/vendor/psr/cache/src)
league/csv in (/var/www/html/glpi/vendor/league/csv/src)
mexitek/phpcolors in (/var/www/html/glpi/vendor/mexitek/phpcolors/src/Mexitek/PHPColors)
guzzlehttp/guzzle in (/var/www/html/glpi/vendor/guzzlehttp/guzzle/src)
guzzlehttp/psr7 in (/var/www/html/glpi/vendor/guzzlehttp/psr7/src)
glpi-project/inventory_format in (/var/www/html/glpi/vendor/glpi-project/inventory_format/lib/php)
wapmorgan/unified-archive in (/var/www/html/glpi/vendor/wapmorgan/unified-archive/src)
paragonie/sodium_compat in (/var/www/html/glpi/vendor/paragonie/sodium_compat/src)
symfony/cache in (/var/www/html/glpi/vendor/symfony/cache)
html2text/html2text in (/var/www/html/glpi/vendor/html2text/html2text/src)
symfony/css-selector in (/var/www/html/glpi/vendor/symfony/css-selector)
symfony/dom-crawler in (/var/www/html/glpi/vendor/symfony/dom-crawler)
twig/twig in (/var/www/html/glpi/vendor/twig/twig/src)
twig/string-extra in (/var/www/html/glpi/vendor/twig/string-extra)
symfony/polyfill-ctype not found
symfony/polyfill-iconv not found
symfony/polyfill-mbstring not found
symfony/polyfill-php80 not found
symfony/polyfill-php81 not found
symfony/polyfill-php82 in (/var/www/html/glpi/vendor/symfony/polyfill-php82)
league/oauth2-client in (/var/www/html/glpi/vendor/league/oauth2-client/src/Provider)
league/oauth2-google in (/var/www/html/glpi/vendor/league/oauth2-google/src/Provider)
thenetworg/oauth2-azure in (/var/www/html/glpi/vendor/thenetworg/oauth2-azure/src/Provider)
phpCas version 1.3.8 in (/usr/share/pear)

Anything else?

No response

cedric-anne commented 1 year ago

Hi,

Can you check, from the GLPI server, by executing telnet XXX 636, where XXX is your server host?

shiizeen commented 1 year ago

Hi, I already tried the telnet and it's fully working

thx,

ZAck1387 commented 1 year ago

Hi, I have the same issue in an MS AD DS environment, but thought that this could be an issue with not configuring TLS Certfile and TLS Keyfile under Authentication > Advanced Information.

1nsan33 commented 10 months ago

Hi,

Same issue here. IIS 10, PHP 8.2.13, GLPI 10.0.11.

Setup ldaps://srv.domain.local port 636 with Bind on 'No' & test connection is successful. Setup ldaps://srv.domain.local port 636 with Bind on 'yes' & test connection isn't successful. But when I'm running php bin/console glpi:ldap:synchronize_users it's triggering the following error:

PHP User Warning (512): LDAP search with base DN XXXX and filter XXX failed error: Can't contact LDAP server (-1) extended error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate) err string: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate) in GLPI_ROOT\glpi\src\AuthLDAP.php at line 1948

I've also got those errors in php_error.log.

error: Can't contact LDAP server (-1) extended error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate) err string: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate) in GLPI_ROOT\glpi\src\AuthLDAP.php at line 3186
  Backtrace :
  src\AuthLDAP.php:3186                              trigger_error()
  src\AuthLDAP.php:3050                              AuthLDAP::connectToServer()
  src\AuthLDAP.php:2081                              AuthLDAP->connect()
  src\Console\Ldap\SynchronizeUsersCommand.php:299   AuthLDAP::getAllUsers()
  vendor\symfony\console\Command\Command.php:298     Glpi\Console\Ldap\SynchronizeUsersCommand->execute()
  vendor\symfony\console\Application.php:1040        Symfony\Component\Console\Command\Command->run()
  src\Console\Application.php:286                    Symfony\Component\Console\Application->doRunCommand()
  vendor\symfony\console\Application.php:301         Glpi\Console\Application->doRunCommand()
  vendor\symfony\console\Application.php:171         Symfony\Component\Console\Application->doRun()
  bin\console:122                                    Symfony\Component\Console\Application->run()

and now:

error: Can't contact LDAP server (-1) extended error: error:16000069:STORE routines::unregistered scheme err string: error:16000069:STORE routines::unregistered scheme in GLPI_ROOT\glpi\src\AuthLDAP.php at line 3590
  Backtrace :
  src\AuthLDAP.php:3590                              trigger_error()
  src\Auth.php:271                                   AuthLDAP::searchUserDn()
  src\AuthLDAP.php:3385                              Auth->connection_ldap()
  src\AuthLDAP.php:3481                              AuthLDAP::ldapAuth()
  src\Auth.php:962                                   AuthLDAP::tryLdapAuth()
  front\login.php:94                                 Auth->login()
  public\index.php:82                                require()

I've tried to manually set the curl.cainfo + openssl.cafile location in my php.ini with a .cer / .pem file; it isn't working.

Port 636 is open. Authentication > Advanced Information is left by default.
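The "certificate verify failed (unable to get local issuer certificate)" text in the errors quoted in this comment is OpenSSL's reason for the libldap TLS handshake failing, which GLPI then reports as the generic "Can't contact LDAP server (-1)". The script below is an added diagnostic example, not GLPI code, that walks the connect-then-bind sequence behind the AuthLDAP::connectToServer() frames in the backtraces above, with the CA bundle and certificate-verification policy set explicitly and libldap's diagnostic message surfaced, so that one failure code can be attributed to an unreachable port, an untrusted issuer, or a rejected credential. The LDAP URI, bind DN, CA bundle path and the LDAP_BIND_PASSWORD environment variable are placeholders you substitute for your own environment.

```php
<?php
// Added diagnostic example (not part of GLPI). Reproduces the connect + bind path
// with strict TLS verification so "Can't contact LDAP server (-1)" can be split
// into "port unreachable" vs "TLS chain not trusted" vs "credentials rejected".
declare(strict_types=1);

const LDAP_URI  = 'ldaps://ldap.example.internal:636';                       // placeholder host
const BIND_DN   = 'CN=svc-glpi,OU=Service Accounts,DC=example,DC=internal';  // placeholder DN
const CA_BUNDLE = '/etc/pki/tls/certs/corp-ca.pem';                          // placeholder: PEM chain of the issuing CA

/**
 * Attempt an LDAPS bind with a verified certificate chain.
 * Returns ['ok' => bool, 'stage' => string, 'error' => ?string] instead of
 * printing, so a health check can reuse it.
 */
function probe_ldaps_bind(string $uri, string $bindDn, string $password, string $caBundle): array
{
    if (!is_readable($caBundle)) {
        return ['ok' => false, 'stage' => 'config', 'error' => "CA bundle not readable: $caBundle"];
    }

    // libldap TLS options are process-global and must be set before the handshake,
    // i.e. before the first ldap_bind(). A null link sets them globally.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caBundle);
    // Demand a valid chain; do not "fix" the error by dropping to LDAP_OPT_X_TLS_NEVER.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ds = ldap_connect($uri);   // only parses the URI; no socket is opened yet
    if ($ds === false) {
        return ['ok' => false, 'stage' => 'uri', 'error' => "Malformed LDAP URI: $uri"];
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);        // AD referrals would otherwise stall the client
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);  // fail fast instead of hanging the web worker

    // The TCP connect and TLS handshake actually happen here.
    $bound = @ldap_bind($ds, $bindDn, $password);
    if ($bound) {
        ldap_unbind($ds);
        return ['ok' => true, 'stage' => 'bind', 'error' => null];
    }

    // errno -1 ("Can't contact LDAP server") is the transport/TLS failure; the
    // diagnostic message carries the OpenSSL reason, e.g. "unable to get local issuer certificate".
    // Any other errno (49 = invalid credentials) means TLS succeeded and the bind itself was refused.
    $errno = ldap_errno($ds);
    $diag  = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    $result = [
        'ok'    => false,
        'stage' => $errno === -1 ? 'transport/tls' : 'bind',
        'error' => sprintf('%s (%d)%s', ldap_error($ds), $errno, $diag !== '' ? " extended: $diag" : ''),
    ];
    ldap_unbind($ds);
    return $result;
}

if (PHP_SAPI === 'cli') {
    $password = getenv('LDAP_BIND_PASSWORD') ?: '';   // read from the environment, never hard-coded
    $r = probe_ldaps_bind(LDAP_URI, BIND_DN, $password, CA_BUNDLE);
    printf("%s stage=%s%s\n", $r['ok'] ? 'OK' : 'FAIL', $r['stage'], $r['error'] !== null ? " error={$r['error']}" : '');
    exit($r['ok'] ? 0 : 1);
}
```

Run it on the GLPI host as the same user the web server or php-fpm pool runs under, so it sees the same ldap.conf, SELinux context and file permissions as GLPI itself. On Linux the PHP ldap extension is built on libldap, which reads TLS_CACERT from /etc/openldap/ldap.conf (RHEL/CentOS path); the curl.cainfo and openssl.cafile directives in php.ini only govern PHP's own curl and openssl streams, which is why setting them does not change the result of an ldap_bind().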

dvazart commented 10 months ago

Hello,

Just to give a little UP on this subject, I have the same bug, here is my conf:

wolicape commented 8 months ago

Hi,

I've had the exact same issue.

Followed this https://github.com/glpi-project/glpi/pull/15172 and fixed. Deactivating the bind option worked for me

trasher commented 8 months ago

Disabling the bind option seems to just be the way to go; this issue is fixed