Open luandrea opened 6 days ago
You can take a look at the configuration procedure with docker: https://self-service-password.readthedocs.io/en/stable/installation.html#docker
I have just tested the docker image myself, and I don't get any error:
docker run -p 80:80 \
-v $PWD/conf/config.inc.docker.php:/var/www/conf/config.inc.local.php \
-it ltbproject/self-service-password:latest
You should set at least a local configuration file with the LDAP URL and credentials.
Hi David, thanks for your quick reply.
I have already read all the documentation, but I'm stuck with that error.
Here is my main configuration:
ssp.conf.php
<?php // My SSP configuration
$keyphrase = "mysecret";           // protects reset tokens: replace this placeholder with a long random value
$debug = true;
$ldap_url = "ldaps://ABC.local";
$ldap_login_attribute = "sAMAccountName";
$ldap_fullname_attribute = "cn";
$ldap_base = "OU=Users,OU=Accounts,DC=ABC,DC=local";
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"; // the last clause excludes disabled accounts (ADS_UF_ACCOUNTDISABLE = 2)
$who_change_password = "manager";  // the service identity, not the user, performs the modify
$ldap_binddn = null;               // no simple bind: authenticate with the Kerberos credential cache below (GSSAPI)
$ldap_bindpw = null;
$ldap_krb5ccname = "/tmp/krb5cc_1000";
$ad_mode = true;
$audit_log_file = "/tmp/audit.log";
$show_extended_error = true;
?>
docker-compose.yml
name: self-service-password
services:
  ssp-app:
    image: ltbproject/self-service-password:latest
    container_name: self-service-password-app
    volumes:
      - ./ssp.conf.php:/var/www/conf/config.inc.local.php
      - ./ssl/ABC-CA.pem:/etc/ssl/ca.crt
      - ./ldap.conf:/etc/ldap/ldap.conf
      - /tmp/krb5cc_1000:/tmp/krb5cc_1000
    ports:
      - "80:80"
    extra_hosts:
      - "host.docker.internal:host-gateway"
      - "ABC.local:111.111.111.111"
    restart: always
ldap.conf
TLS_CACERT /etc/ssl/ca.crt
sasl_secprops minssf=0,maxssf=0
I also verified that, with Ldap Admin, I can successfully change the password of an AD user, using the same parameters that I'm trying to use with SSP.
Also I can successfully search with ldapsearch in that AD with those parameters.
I'm not familiar with PHP, but two things are not clear to me.
First this error:
Undefined variable $ldap_krb5ccname in /var/www/vendor/ltb-project/ltb-common/src/Ltb/Ldap.php on line 63, referer: http://localhost/
It is about this line: putenv("KRB5CCNAME=".$ldap_krb5ccname);
Or should it be like that? putenv("KRB5CCNAME=".$this->ldap_krb5ccname);
The second error:
PHP Fatal error: Uncaught Error: Call to undefined function Ltb\ldap_sasl_bind() in /var/www/vendor/ltb-project/ltb-common/src/Ltb/PhpLDAP.php:41\nStack trace:\n#0 /var/www/vendor/ltb-project/ltb-common/src/Ltb/Ldap.php(64): Ltb\PhpLDAP::ldap_sasl_bind()\n#1 /var/www/htdocs/change.php(70): Ltb\Ldap->connect()\n#2 /var/www/htdocs/index.php(229): require_once('...')\n#3 {main}\n thrown in /var/www/vendor/ltb-project/ltb-common/src/Ltb/PhpLDAP.php on line 41, referer: http://localhost/
It is about an undefined function. Am I missing something? Should I install something else on the docker container?
It is about this line:
putenv("KRB5CCNAME=".$ldap_krb5ccname);
Or should it be like that?
putenv("KRB5CCNAME=".$this->ldap_krb5ccname);
Indeed, this is a bug in our code. Could you open an issue at the ltb-common project for this?
PHP Fatal error: Uncaught Error: Call to undefined function Ltb\ldap_sasl_bind() in /var/www/vendor/ltb-project/ltb-common/src/Ltb/PhpLDAP.php:41
This one is weird. Maybe it is a consequence of the first bug. ldap_sasl_bind is a function available in the standard PHP ldap library. It should be available already.
I reproduced this bug on my side:
PHP Fatal error: Uncaught Error: Call to undefined function Ltb\ldap_sasl_bind() in /var/www/vendor/ltb-project/ltb-common/src/Ltb/PhpLDAP.php:41
Also, the variables ldap_binddn and ldap_bindpw, even when empty (""), do not permit using GSSAPI auth. I think the test must be fixed.
I fixed the "Undefined variable $ldap_krb5ccname" on my side and opened the issue as per your request.
The second error still remains.
I checked if any module is missing in the container, but don't know if this is correct.
root@3a1e04260431:/var/www/htdocs# php -m | grep ldap
ldap
This is the output of php -i: php_info.txt
I see in particular: GSSAPI => Yes GSASL => No
Could the missing GSASL be connected to the missing ldap_sasl_bind() method?
Yes, there is indeed a problem with the docker image.
@luandrea could you try building the new docker image using the branch:
https://github.com/ltb-project/self-service-password/tree/1008-fix-ldap-sasl-bind-docker
You can build with this command:
DOCKER_BUILDKIT=1 docker build -t self-service-password -f ./docker/Dockerfile ../
Anyway, thanks for the bug report
Hi @davidcoutadeur, I successfully rebuilt the image and tested it in my environment, and now the previous error has gone!
However, I'm getting another error now: Bind error -6 (Unknown authentication method)
self-service-password-app | ldap_url_parse_ext(ldap://localhost/)
self-service-password-app | ldap_init: trying /etc/ldap/ldap.conf
self-service-password-app | ldap_init: using /etc/ldap/ldap.conf
self-service-password-app | ldap_init: HOME env is NULL
self-service-password-app | ldap_init: trying ldaprc
self-service-password-app | ldap_init: LDAPCONF env is NULL
self-service-password-app | ldap_init: LDAPRC env is NULL
self-service-password-app | ldap_create
self-service-password-app | ldap_url_parse_ext(ldaps://ABC.local)
self-service-password-app | ldap_sasl_interactive_bind: user selected: GSSAPI
self-service-password-app | ldap_int_sasl_bind: GSSAPI
self-service-password-app | ldap_new_connection 1 1 0
self-service-password-app | ldap_int_open_connection
self-service-password-app | ldap_connect_to_host: TCP ABC.local:636
self-service-password-app | ldap_new_socket: 11
self-service-password-app | ldap_prepare_socket: 11
self-service-password-app | ldap_connect_to_host: Trying 1111.111.111.111:636
self-service-password-app | ldap_pvt_connect: fd: 11 tm: 10 async: 0
self-service-password-app | ldap_ndelay_on: 11
self-service-password-app | attempting to connect:
self-service-password-app | connect errno: 115
self-service-password-app | ldap_int_poll: fd: 11 tm: 10
self-service-password-app | ldap_is_sock_ready: 11
self-service-password-app | ldap_ndelay_off: 11
self-service-password-app | ldap_pvt_connect: 0
self-service-password-app | ldap_int_sasl_open: host=ABC.local
self-service-password-app | ldap_msgfree
self-service-password-app | ldap_err2string
self-service-password-app | [Thu Nov 21 14:04:17.661198 2024] [php:warn] [pid 18:tid 18] [client 172.18.0.1:34044] PHP Warning: ldap_sasl_bind(): Unable to bind to server: Unknown authentication method in /var/www/vendor/ltb-project/ltb-common/src/Ltb/PhpLDAP.php on line 41, referer: http://localhost/
self-service-password-app | [Thu Nov 21 14:04:17.661232 2024] [php:notice] [pid 18:tid 18] [client 172.18.0.1:34044] LDAP - GSSAPI Bind failed, referer: http://localhost/
self-service-password-app | ldap_err2string
self-service-password-app | [Thu Nov 21 14:04:17.661395 2024] [php:notice] [pid 18:tid 18] [client 172.18.0.1:34044] LDAP - Bind error -6 (Unknown authentication method), referer: http://localhost/
self-service-password-app | ldap_free_connection 1 1
self-service-password-app | ldap_send_unbind
self-service-password-app | ldap_free_connection: actually freed
I think there was still a missing module for enabling GSSAPI: libsasl2-modules-gssapi-mit. Could you try with my last commit?
Ok, also this error has gone!
I still cannot connect to the AD, this is the stacktrace now:
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: using /etc/ldap/ldap.conf
ldap_init: HOME env is NULL
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
ldap_create
ldap_url_parse_ext(ldaps://ABC.local)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ABC:636
ldap_new_socket: 11
ldap_prepare_socket: 11
ldap_connect_to_host: Trying 111.111.111.111:636
ldap_pvt_connect: fd: 11 tm: 10 async: 0
ldap_ndelay_on: 11
attempting to connect:
connect errno: 115
ldap_int_poll: fd: 11 tm: 10
ldap_is_sock_ready: 11
ldap_ndelay_off: 11
ldap_pvt_connect: 0
ldap_int_sasl_open: host=ABC.local
ldap_msgfree
ldap_err2string
PHP Warning: ldap_sasl_bind(): Unable to bind to server: Local error in /var/www/vendor/ltb-project/ltb-common/src/Ltb/PhpLDAP.php on line 41, referer: http://localhost/
LDAP - GSSAPI Bind failed, referer: http://localhost/
ldap_err2string
LDAP - Bind error -2 (Local error), referer: http://localhost/
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
Now I don't see any useful information in it. Could you help me?
Indeed this error is not quite precise...
Maybe do you have more details in system logs? (especially security logs)
Other possibility: maybe you need a saslauthd daemon to handle this authentication. You could try this by entering the container manually, installing sasl2-bin, and then running saslauthd manually.
Ok, I didn't find any useful log.
BUT I found that I was missing the correct permissions for the Kerberos token cache that I create using kinit and then mount in the container. I do it like this for now because I want to check that everything works before automating it through k5start.
After fixing the permissions, as you can see, I get a successful connection (status: Connected) to the AD server, but, as I understand it, the search does not return what I'm searching for:
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: using /etc/ldap/ldap.conf
ldap_init: HOME env is NULL
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
ldap_create
ldap_url_parse_ext(ldaps://ABC.local)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ABC.local:636
ldap_new_socket: 11
ldap_prepare_socket: 11
ldap_connect_to_host: Trying 111.111.111.111:636
ldap_pvt_connect: fd: 11 tm: 10 async: 0
ldap_ndelay_on: 11
attempting to connect:
connect errno: 115
ldap_int_poll: fd: 11 tm: 10
ldap_is_sock_ready: 11
ldap_ndelay_off: 11
ldap_pvt_connect: 0
ldap_int_sasl_open: host=ABC.local
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_msgfree
ldap_result ld 0x55ac7d36d340 msgid 1
wait4msg ld 0x55ac7d36d340 msgid 1 (infinite timeout)
wait4msg continue ld 0x55ac7d36d340 msgid 1 all 1
** ld 0x55ac7d36d340 Connections:
* host: ABC.local port: 636 (default)
* from: IP=172.18.0.2:48270
refcnt: 2 status: Connected
last used: Thu Nov 21 16:11:25 2024
** ld 0x55ac7d36d340 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x55ac7d36d340 request count 1 (abandoned 0)
** ld 0x55ac7d36d340 Response Queue:
Empty
ld 0x55ac7d36d340 response count 0
ldap_chkResponseList ld 0x55ac7d36d340 msgid 1 all 1
ldap_chkResponseList returns ld 0x55ac7d36d340 NULL
ldap_int_select
read1msg: ld 0x55ac7d36d340 msgid 1 all 1
ldap_find_request_by_msgid: msgid 1, lr 0x55ac7d38a610 lr->lr_refcnt = 1
read1msg: ld 0x55ac7d36d340 msgid 1 message type bind
read1msg: ld 0x55ac7d36d340 0 new referrals
read1msg: mark request completed, ld 0x55ac7d36d340 msgid 1
request done: ld 0x55ac7d36d340 msgid 1
res_errno: 14, res_error: <>, res_matched: <>
ldap_return_request: lrx 0x55ac7d38a610, lr 0x55ac7d38a610
ldap_return_request: lrx->lr_msgid 1, lrx->lr_refcnt is now 0, lr is still present
ldap_free_request (origid 1, msgid 1)
ldap_free_request_int: lr 0x55ac7d38a610 msgid 1 removed
ldap_do_free_request: asked to free lr 0x55ac7d38a610 msgid 1 refcnt 0
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ldap_parse_result
sasl_client_step: 2
sasl_client_step: 1
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_msgfree
ldap_result ld 0x55ac7d36d340 msgid 2
wait4msg ld 0x55ac7d36d340 msgid 2 (infinite timeout)
wait4msg continue ld 0x55ac7d36d340 msgid 2 all 1
** ld 0x55ac7d36d340 Connections:
* host: ABC.local port: 636 (default)
* from: IP=172.18.0.2:48270
refcnt: 2 status: Connected
last used: Thu Nov 21 16:11:25 2024
** ld 0x55ac7d36d340 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x55ac7d36d340 request count 1 (abandoned 0)
** ld 0x55ac7d36d340 Response Queue:
Empty
ld 0x55ac7d36d340 response count 0
ldap_chkResponseList ld 0x55ac7d36d340 msgid 2 all 1
ldap_chkResponseList returns ld 0x55ac7d36d340 NULL
ldap_int_select
read1msg: ld 0x55ac7d36d340 msgid 2 all 1
ldap_find_request_by_msgid: msgid 2, lr 0x55ac7d38a940 lr->lr_refcnt = 1
read1msg: ld 0x55ac7d36d340 msgid 2 message type bind
read1msg: ld 0x55ac7d36d340 0 new referrals
read1msg: mark request completed, ld 0x55ac7d36d340 msgid 2
request done: ld 0x55ac7d36d340 msgid 2
res_errno: 14, res_error: <>, res_matched: <>
ldap_return_request: lrx 0x55ac7d38a940, lr 0x55ac7d38a940
ldap_return_request: lrx->lr_msgid 2, lrx->lr_refcnt is now 0, lr is still present
ldap_free_request (origid 2, msgid 2)
ldap_free_request_int: lr 0x55ac7d38a940 msgid 2 removed
ldap_do_free_request: asked to free lr 0x55ac7d38a940 msgid 2 refcnt 0
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ldap_parse_result
sasl_client_step: 0
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_msgfree
ldap_result ld 0x55ac7d36d340 msgid 3
wait4msg ld 0x55ac7d36d340 msgid 3 (infinite timeout)
wait4msg continue ld 0x55ac7d36d340 msgid 3 all 1
** ld 0x55ac7d36d340 Connections:
* host: ABC.local port: 636 (default)
* from: IP=172.18.0.2:48270
refcnt: 2 status: Connected
last used: Thu Nov 21 16:11:25 2024
** ld 0x55ac7d36d340 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x55ac7d36d340 request count 1 (abandoned 0)
** ld 0x55ac7d36d340 Response Queue:
Empty
ld 0x55ac7d36d340 response count 0
ldap_chkResponseList ld 0x55ac7d36d340 msgid 3 all 1
ldap_chkResponseList returns ld 0x55ac7d36d340 NULL
ldap_int_select
read1msg: ld 0x55ac7d36d340 msgid 3 all 1
ldap_find_request_by_msgid: msgid 3, lr 0x55ac7d38ec90 lr->lr_refcnt = 1
read1msg: ld 0x55ac7d36d340 msgid 3 message type bind
read1msg: ld 0x55ac7d36d340 0 new referrals
read1msg: mark request completed, ld 0x55ac7d36d340 msgid 3
request done: ld 0x55ac7d36d340 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_return_request: lrx 0x55ac7d38ec90, lr 0x55ac7d38ec90
ldap_return_request: lrx->lr_msgid 3, lrx->lr_refcnt is now 0, lr is still present
ldap_free_request (origid 3, msgid 3)
ldap_free_request_int: lr 0x55ac7d38ec90 msgid 3 removed
ldap_do_free_request: asked to free lr 0x55ac7d38ec90 msgid 3 refcnt 0
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ldap_parse_result
ldap_pvt_sasl_generic_install
ldap_msgfree
ldap_search_ext
put_filter: "(&(objectClass=user)(sAMAccountName=x_tandrea)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
put_filter: AND
put_filter_list "(objectClass=user)(sAMAccountName=x_tandrea)(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
put_filter: "(objectClass=user)"
put_filter: simple
put_simple_filter: "objectClass=user"
put_filter: "(sAMAccountName=x_tandrea)"
put_filter: simple
put_simple_filter: "sAMAccountName=x_tandrea"
put_filter: "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
put_filter: NOT
put_filter_list "(userAccountControl:1.2.840.113556.1.4.803:=2)"
put_filter: "(userAccountControl:1.2.840.113556.1.4.803:=2)"
put_filter: simple
put_simple_filter: "userAccountControl:1.2.840.113556.1.4.803:=2"
ldap_build_search_req ATTRS: *
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x55ac7d36d340 msgid 4
wait4msg ld 0x55ac7d36d340 msgid 4 (infinite timeout)
wait4msg continue ld 0x55ac7d36d340 msgid 4 all 1
** ld 0x55ac7d36d340 Connections:
* host: ABC.local port: 636 (default)
* from: IP=172.18.0.2:48270
refcnt: 2 status: Connected
last used: Thu Nov 21 16:11:25 2024
** ld 0x55ac7d36d340 Outstanding Requests:
* msgid 4, origid 4, status InProgress
outstanding referrals 0, parent count 0
ld 0x55ac7d36d340 request count 1 (abandoned 0)
** ld 0x55ac7d36d340 Response Queue:
Empty
ld 0x55ac7d36d340 response count 0
ldap_chkResponseList ld 0x55ac7d36d340 msgid 4 all 1
ldap_chkResponseList returns ld 0x55ac7d36d340 NULL
ldap_int_select
read1msg: ld 0x55ac7d36d340 msgid 4 all 1
ldap_err2string
[Thu Nov 21 16:11:25.649335 2024] [php:warn] [pid 21:tid 21] [client 172.18.0.1:43858] PHP Warning: ldap_search(): Search: Can't contact LDAP server in /var/www/vendor/ltb-project/ltb-common/src/Ltb/PhpLDAP.php on line 56, referer: http://localhost/
ldap_err2string
[Thu Nov 21 16:11:25.649377 2024] [php:notice] [pid 21:tid 21] [client 172.18.0.1:43858] LDAP - Search error -1 (Can't contact LDAP server), referer: http://localhost/
ldap_do_free_request: asked to free lr 0x55ac7d38dc70 msgid 4 refcnt 0
ldap_free_connection 1 1
ldap_free_connection: actually freed
172.18.0.1 - - [21/Nov/2024:16:11:25 +0000] "POST / HTTP/1.1" 200 1460 "http://localhost/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"
172.18.0.1 - - [21/Nov/2024:16:11:25 +0000] "GET /css/self-service-password.css HTTP/1.1" 404 487 "http://localhost/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"
172.18.0.1 - - [21/Nov/2024:16:11:25 +0000] "GET /css/ppolicy.css HTTP/1.1" 404 488 "http://localhost/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"
172.18.0.1 - - [21/Nov/2024:16:11:25 +0000] "GET /images/favicon.ico HTTP/1.1" 200 1450 "http://localhost/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"
If I make the same search using ldapsearch I get the correct result:
ldapsearch -d 1 -Y GSSAPI -H ldaps://ABC.local -b "dc=devops-esl,dc=local" "(&(objectClass=user)(sAMAccountName=x_tandrea)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
Output:
ldap_url_parse_ext(ldaps://ABC.local)
ldap_create
ldap_url_parse_ext(ldaps://ABC.local:636/??base)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ABC.local:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 111.111.111.111:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_int_sasl_open: host=ABC.local
SASL/GSSAPI authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 1590 bytes to sd 3
ldap_msgfree
ldap_result ld 0x5626cde56bc0 msgid 1
wait4msg ld 0x5626cde56bc0 msgid 1 (infinite timeout)
wait4msg continue ld 0x5626cde56bc0 msgid 1 all 1
** ld 0x5626cde56bc0 Connections:
* host: ABC.local port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Nov 21 17:20:44 2024
** ld 0x5626cde56bc0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x5626cde56bc0 request count 1 (abandoned 0)
** ld 0x5626cde56bc0 Response Queue:
Empty
ld 0x5626cde56bc0 response count 0
ldap_chkResponseList ld 0x5626cde56bc0 msgid 1 all 1
ldap_chkResponseList returns ld 0x5626cde56bc0 NULL
ldap_int_select
read1msg: ld 0x5626cde56bc0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 176 contents:
read1msg: ld 0x5626cde56bc0 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x5626cde56bc0 0 new referrals
read1msg: mark request completed, ld 0x5626cde56bc0 msgid 1
request done: ld 0x5626cde56bc0 msgid 1
res_errno: 14, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
sasl_client_step: 1
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 22 bytes to sd 3
ldap_msgfree
ldap_result ld 0x5626cde56bc0 msgid 2
wait4msg ld 0x5626cde56bc0 msgid 2 (infinite timeout)
wait4msg continue ld 0x5626cde56bc0 msgid 2 all 1
** ld 0x5626cde56bc0 Connections:
* host: ABC.local port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Nov 21 17:20:44 2024
** ld 0x5626cde56bc0 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x5626cde56bc0 request count 1 (abandoned 0)
** ld 0x5626cde56bc0 Response Queue:
Empty
ld 0x5626cde56bc0 response count 0
ldap_chkResponseList ld 0x5626cde56bc0 msgid 2 all 1
ldap_chkResponseList returns ld 0x5626cde56bc0 NULL
ldap_int_select
read1msg: ld 0x5626cde56bc0 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 50 contents:
read1msg: ld 0x5626cde56bc0 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x5626cde56bc0 0 new referrals
read1msg: mark request completed, ld 0x5626cde56bc0 msgid 2
request done: ld 0x5626cde56bc0 msgid 2
res_errno: 14, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
sasl_client_step: 0
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 56 bytes to sd 3
ldap_msgfree
ldap_result ld 0x5626cde56bc0 msgid 3
wait4msg ld 0x5626cde56bc0 msgid 3 (infinite timeout)
wait4msg continue ld 0x5626cde56bc0 msgid 3 all 1
** ld 0x5626cde56bc0 Connections:
* host: ABC.local port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Nov 21 17:20:44 2024
** ld 0x5626cde56bc0 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x5626cde56bc0 request count 1 (abandoned 0)
** ld 0x5626cde56bc0 Response Queue:
Empty
ld 0x5626cde56bc0 response count 0
ldap_chkResponseList ld 0x5626cde56bc0 msgid 3 all 1
ldap_chkResponseList returns ld 0x5626cde56bc0 NULL
ldap_int_select
read1msg: ld 0x5626cde56bc0 msgid 3 all 1
ber_get_next
ber_get_next: tag 0x30 len 18 contents:
read1msg: ld 0x5626cde56bc0 msgid 3 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x5626cde56bc0 0 new referrals
read1msg: mark request completed, ld 0x5626cde56bc0 msgid 3
request done: ld 0x5626cde56bc0 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
SASL username: ssp-admin@DEVOPS-ESL.LOCAL
SASL SSF: 0
ldap_msgfree
# extended LDIF
#
# LDAPv3
# base <dc=devops-esl,dc=local> with scope subtree
# filter: (&(objectClass=user)(sAMAccountName=x_tandrea)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
# requesting: ALL
#
ldap_search_ext
put_filter: "(&(objectClass=user)(sAMAccountName=x_tandrea)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
put_filter: AND
put_filter_list "(objectClass=user)(sAMAccountName=x_tandrea)(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
put_filter: "(objectClass=user)"
put_filter: simple
put_simple_filter: "objectClass=user"
put_filter: "(sAMAccountName=x_tandrea)"
put_filter: simple
put_simple_filter: "sAMAccountName=x_tandrea"
put_filter: "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
put_filter: NOT
put_filter_list "(userAccountControl:1.2.840.113556.1.4.803:=2)"
put_filter: "(userAccountControl:1.2.840.113556.1.4.803:=2)"
put_filter: simple
put_simple_filter: "userAccountControl:1.2.840.113556.1.4.803:=2"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 153 bytes to sd 3
ldap_result ld 0x5626cde56bc0 msgid -1
wait4msg ld 0x5626cde56bc0 msgid -1 (infinite timeout)
wait4msg continue ld 0x5626cde56bc0 msgid -1 all 0
** ld 0x5626cde56bc0 Connections:
* host: ABC.local port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Nov 21 17:20:44 2024
** ld 0x5626cde56bc0 Outstanding Requests:
* msgid 4, origid 4, status InProgress
outstanding referrals 0, parent count 0
ld 0x5626cde56bc0 request count 1 (abandoned 0)
** ld 0x5626cde56bc0 Response Queue:
Empty
ld 0x5626cde56bc0 response count 0
ldap_chkResponseList ld 0x5626cde56bc0 msgid -1 all 0
ldap_chkResponseList returns ld 0x5626cde56bc0 NULL
ldap_int_select
read1msg: ld 0x5626cde56bc0 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 1497 contents:
read1msg: ld 0x5626cde56bc0 msgid 4 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
ldap_dn2ufn
ldap_dn_normalize
# TEST Andreatta, Users, Accounts, devops-esl.local
dn: CN=TEST Andreatta,OU=Users,OU=Accounts,DC=devops-esl,DC=local
This one is a connectivity problem:
LDAP - Search error -1 (Can't contact LDAP server)
Either ABC.local is not reachable, or the TLS establishment has problems.
Hi @davidcoutadeur, inside the container telnet connects correctly to that address and port, so the server is reachable.
About TLS, if I remove the cert, I get a specific error, something like this:
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
I added back this row in ldap.conf, which I had removed in previous tests:
sasl_secprops minssf=0,maxssf=0
Now I get a different error:
res_errno: 1, res_error: <000004DC: LdapErr: DSID-0C091048, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839>, res_matched: <>
I will investigate better tomorrow.
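The bind and search are only ever exercised through the SSP code path in this thread, and the two remaining symptoms (search error -1 on a connection that reports status Connected, then operationsError "a successful bind must be completed" once sasl_secprops is back in ldap.conf) are hard to tell apart from the libldap trace alone. The script below is an added example, not code from the ltb-project repositories or from either participant: a stand-alone PHP reproduction of what Ltb\Ldap::connect() does (KRB5CCNAME, SASL/GSSAPI bind, then the configured filter), run inside the container as the web server user, with the credential-cache permission check from the earlier comment and libldap's diagnostic message on each failure. The host, base DN, filter and ccache path are copied from the posted configuration; the web server uid (www-data), the props string and the decision to disable referral chasing are assumptions. Disabling chasing is the usual setting against Active Directory, because libldap follows a referral on a fresh, unbound connection and AD answers anonymous operations with exactly that "successful bind must be completed" error; whether that is what the last log shows is not established by the thread.

```php
<?php
// gssapi_probe.php: stand-alone reproduction of the GSSAPI bind and search that
// Self Service Password performs, meant to be run inside the container as the
// web server user (assumed to be www-data):
//   su -s /bin/sh www-data -c 'php /tmp/gssapi_probe.php x_tandrea'
// Added example, not code from ltb-project or from the thread's participants.
// Host, base DN, filter and ccache path are copied from the posted config.
declare(strict_types=1);

$ldapUrl = 'ldaps://ABC.local';
$ccache  = '/tmp/krb5cc_1000';
$base    = 'OU=Users,OU=Accounts,DC=ABC,DC=local';
$login   = $argv[1] ?? 'x_tandrea';

// Same filter as $ldap_filter in ssp.conf.php with {login} substituted.
// ldap_escape() keeps a crafted login from altering the filter structure.
$filter = sprintf(
    '(&(objectClass=user)(sAMAccountName=%s)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
    ldap_escape($login, '', LDAP_ESCAPE_FILTER)
);

function fail(string $msg): void
{
    fwrite(STDERR, "FAIL: $msg\n");
    exit(1);
}

// libldap's diagnostic message is usually more specific than ldap_error().
function diag($ldap): string
{
    $detail = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
    return sprintf('%s (errno %d)%s', ldap_error($ldap), ldap_errno($ldap),
        $detail !== '' ? ": $detail" : '');
}

// The ccache is created by kinit on the host, so its owner is the host uid,
// while inside the container the reader is the web server uid.
function checkCcache(string $path): void
{
    if (!is_file($path)) {
        fail("$path does not exist; is the volume mounted?");
    }
    $uid = function_exists('posix_geteuid') ? posix_geteuid() : -1;
    if (!is_readable($path)) {
        fail(sprintf('%s is owned by uid %d with mode %o and this process runs as uid %d. '
            . 'Fix with chown to that uid; chmod 644 would hand the TGT to every process in the container.',
            $path, fileowner($path), fileperms($path) & 0777, $uid));
    }
    if ((fileperms($path) & 0004) !== 0) {
        fwrite(STDERR, "warning: $path is world-readable; any process in the container can use this TGT\n");
    }
}

checkCcache($ccache);
// What Ltb\Ldap::connect() does before binding: point libkrb5 at the cache.
putenv("KRB5CCNAME=FILE:$ccache");

$ldap = ldap_connect($ldapUrl);   // TLS trust comes from TLS_CACERT in /etc/ldap/ldap.conf
if ($ldap === false) {
    fail("ldap_connect() rejected $ldapUrl");
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 10);
// libldap chases referrals on a new, unbound connection, and AD rejects anonymous
// operations with "a successful bind must be completed"; do not chase them.
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

// SASL/GSSAPI bind with the default principal from the ccache. The props string
// mirrors sasl_secprops in ldap.conf: maxssf=0 is acceptable only because the
// transport is ldaps:// (TLS already signs and encrypts); over plain ldap:// it
// would strip Kerberos integrity and confidentiality from the session.
if (!ldap_sasl_bind($ldap, null, null, 'GSSAPI', null, null, null, 'minssf=0,maxssf=0')) {
    fail('GSSAPI bind failed: ' . diag($ldap));
}
// Confirm the bound identity before searching (RFC 4532 "Who am I?").
$who = ldap_exop_whoami($ldap);
echo 'bound as: ', $who === false ? '(whoami unsupported)' : $who, PHP_EOL;

$result = ldap_search($ldap, $base, $filter, ['sAMAccountName', 'cn']);
if ($result === false) {
    fail('search failed: ' . diag($ldap));
}
$entries = ldap_get_entries($ldap, $result);
printf("%d entries matched %s\n", $entries['count'], $login);
for ($i = 0; $i < $entries['count']; $i++) {
    echo '  ', $entries[$i]['dn'], PHP_EOL;
}
ldap_unbind($ldap);
```

Run it as the same uid the web server uses, so that is_readable() tests the identity that actually opens the cache. If the bind and search succeed here but fail in SSP, the difference lies in the SSP code path or its environment (KRB5CCNAME not exported, the $ldap_krb5ccname bug discussed above), not in the container's Kerberos or SASL setup; if they fail here too, the diagnostic message printed by diag() is the next thing to read.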
I'm trying to run self-service-password using a docker container (image: ltbproject/self-service-password:latest) to connect to AD, but I'm getting this stacktrace:
Could you help me? Is there something I have to install in the container?
Best regards, Luca