ltb-project / self-service-password

Web interface to change and reset password in an LDAP directory
https://self-service-password.readthedocs.io/en/latest/
GNU General Public License v3.0

Self Service Password Unable to access LDAP server Php7.2 ldap_start_tls(): Unable to start TLS #312

Closed maxr786 closed 3 years ago

maxr786 commented 5 years ago

Not able to connect to the LDAP server using StartTLS. Receiving the error below: "PHP message: PHP Warning: ldap_start_tls(): Unable to start TLS: Connect error"

Self Service Password is running on an RHEL 7.6 Linux instance with PHP 7.2.17 and Nginx 1.12.2. It is trying to connect to an Active Directory server running on Windows Server 2016. The Active Directory server is also a Certificate Authority and the CA certificate is on the Linux server. Any help is appreciated!

LDAP Config in PHP:

# LDAP
$ldap_url = "ldap://hostname.domain.com:389";
$ldap_starttls = true;
$ldap_binddn = "cn=service,ou=Service Accounts,dc=domain,dc=com";
$ldap_bindpw = "password";
$ldap_base = "dc=domain,dc=com";
$ldap_login_attribute = "sAMAccountName";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";

OpenLDAP config in /etc/openldap/ldap.conf:

TLS_CACERT /etc/openldap/certs/rootCA.cer

PHP Function:

if ( $result === "" ) {
    # Connect to LDAP
    $ldap = ldap_connect($ldap_url);
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    if ( $ldap_starttls && !ldap_start_tls($ldap) ) {
        $result = "ldaperror";
        error_log("LDAP - Unable to use StartTLS");
    } else {

        # Bind
        if ( isset($ldap_binddn) && isset($ldap_bindpw) ) {
            $bind = ldap_bind($ldap, $ldap_binddn, $ldap_bindpw);
        } else {
            $bind = ldap_bind($ldap);
        }

        if ( !$bind ) {
            $result = "ldaperror";
            $errno = ldap_errno($ldap);
            if ( $errno ) {
                error_log("LDAP - Bind error $errno  (".ldap_error($ldap).")");
            }
        }
        # (rest of the function not included in the excerpt)
    }
}

I am able to connect to the Active Directory server using the following ldapsearch command:

ldapsearch -h hostname.domain.com -D "cn=service,ou=Service Accounts,dc=domain,dc=com" -b "dc=domain,dc=com" -W -ZZ

coudot commented 5 years ago

Can you set $debug in SSP conf to get full LDAP debug messages?

maxr786 commented 5 years ago

$debug is set to true; however, I don't see the full LDAP debug output in the nginx error.log. Also, I am not sure why it writes logs to the nginx error.log file.

Kaushik-super commented 5 years ago

Hi, I am using Windows Active Directory 2012 and when we are trying to connect with SSL it is not happening...

plewin commented 4 years ago

Hi @maxr786, did you manage to solve your issue?

"Also I am not sure why it writes logs in nginx error.log file." This is a limitation of php-ldap: the underlying library used by PHP for LDAP does not use the same logging functions as the rest of PHP.

NoxInmortus commented 3 years ago

Hello,

I'm using Service-Desk/White-Pages/Self-Service-Password (and they work very well), and am currently migrating the LDAP connection to STARTTLS.

It went without any issue for Service-Desk and White-Pages; I just had to enable starttls in config.inc.php.

But for Self-Service-Password, I have the issue as well.

Here are the OpenLDAP logs:

5fd7b648 conn=1427 fd=18 ACCEPT from IP=172.19.0.7:57958 (IP=0.0.0.0:389)
5fd7b648 conn=1427 op=0 EXT oid=1.3.6.1.4.1.1466.20037
5fd7b648 conn=1427 op=0 STARTTLS
5fd7b648 conn=1427 op=0 RESULT oid= err=0 text=
TLS: gnutls_certificate_verify_peers2 failed -49
5fd7b648 conn=1427 fd=18 TLS established tls_ssf=256 ssf=256
5fd7b648 conn=1427 fd=18 closed (connection lost)

The Apache log:

PHP Warning:  ldap_start_tls(): Unable to start TLS: Connect error in /usr/share/self-service-password/htdocs/change.php on line 74, referer: https://ssp.mydomain.com/
LDAP - Unable to use StartTLS, referer: https://ssp.mydomain.com/
PHP Notice:  Undefined index: msg_changehelpextramessage in /usr/share/self-service-password/templates_c/f6b50b13b91599a6d59a20cb1147ad5af3c8d817_2.file.change.tpl.php on line 42, referer: https://ssp.mydomain.com/
PHP Notice:  Trying to get property 'value' of non-object in /usr/share/self-service-password/templates_c/f6b50b13b91599a6d59a20cb1147ad5af3c8d817_2.file.change.tpl.php on line 42, referer: https://ssp.mydomain.com/

I'm afraid there is a bug.

coudot commented 3 years ago

The code to use start_tls is the same in SSP, WP and SD:

    $ldap = ldap_connect($ldap_url);
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    if ( $ldap_starttls && !ldap_start_tls($ldap) ) {
        $result = "ldaperror";
        error_log("LDAP - Unable to use StartTLS");
    }

Are you running all the software on the same server?

NoxInmortus commented 3 years ago

Hello @coudot, I'm running all the different applications in Docker containers, but each image is almost the same, the only difference being the application being hosted: https://github.com/NoxInmortus/docker-ldap-tool-box

The image is pretty simple: it installs some packages, the PHP packages being php7.4 php7.4-ldap php7.4-mbstring php7.4-curl.

Here is the relevant config.inc.php for SSP (as you can see, nothing unusual):

$ldap_url = "ldap://ldap.mydom.com";
$ldap_starttls = true;
$ldap_binddn = "cn=ldap_user,ou=users,dc=mydom";
$ldap_bindpw = "pwd";
$ldap_base = "dc=mydom";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";
$ldap_use_exop_passwd = false;

My OpenLDAP already has the required configuration:

TLS_CACERT /path/to/my/ca.cert
TLS_REQCERT allow

I also tried to enable the debug mode, but it doesn't offer anything useful...

coudot commented 3 years ago

I don't see why it is failing with SSP and not other products.

NoxInmortus commented 3 years ago

Is there anything I can provide that would be useful to you, @coudot?

coudot commented 3 years ago

You can provide the logs of the StartTLS operation done with WP or SD, on the PHP side and on the OpenLDAP side, and a tcpdump of the request with WP or SD, and another with SSP, so we can track the differences.

NoxInmortus commented 3 years ago

Here are the White-Pages Apache logs when submitting a request:

172.20.0.8 - firstname.name [15/Dec/2020:16:34:57 +0100] "POST /index.php?page=search HTTP/1.1" 200 2691 "https://wp.mydom.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0" 2491 389298 0 22 wp.mydom.com:80
vhost_combined
172.20.0.8 - firstname.name [15/Dec/2020:16:34:58 +0100] "GET /vendor/bootstrap-datepicker/css/bootstrap-datepicker3.standalone.min.css HTTP/1.1" 200 2898 "https://wp.mydom.com/index.php?page=search" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0" 2613 2027 0 19 wp.mydom.com:80
vhost_combined
[Tue Dec 15 16:34:58.459197 2020] [php7:notice] [pid 21] [client 172.20.0.8:59374] PHP Notice:  Undefined variable: ldap_network_timeout in /usr/share/white-pages/htdocs/photo.php on line 29, referer: https://wp.mydom.com/index.php?page=search
[Tue Dec 15 16:34:58.621414 2020] [php7:notice] [pid 21] [client 172.20.0.8:59374] PHP Notice:  Undefined variable: photo_local_ldap_attribute in /usr/share/white-pages/htdocs/photo.php on line 60, referer: https://wp.mydom.com/index.php?page=search
[Tue Dec 15 16:34:58.621535 2020] [php7:error] [pid 21] [client 172.20.0.8:59374] PHP Fatal error:  Uncaught Error: Call to undefined function imagecreatefromjpeg() in /usr/share/white-pages/htdocs/photo.php:77\nStack trace:\n#0 {main}\n  thrown in /usr/share/white-pages/htdocs/photo.php on line 77, referer: https://wp.mydom.com/index.php?page=search
172.20.0.8 - firstname.name [15/Dec/2020:16:34:58 +0100] "GET /photo.php?dn=cn%3Dfirstname%20name%2Cou%3Dusers%2Cdc%3Dmydom HTTP/1.1" 500 169 "https://wp.mydom.com/index.php?page=search" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0" - 165582 0 21 wp.mydom.com:80
vhost_combined

OpenLDAP logs for the White-Pages request:

5fd8d88f conn=1860 fd=19 ACCEPT from IP=172.19.0.2:52322 (IP=0.0.0.0:389)
5fd8d88f conn=1860 op=0 EXT oid=1.3.6.1.4.1.1466.20037
5fd8d88f conn=1860 op=0 STARTTLS
5fd8d88f conn=1860 op=0 RESULT oid= err=0 text=
TLS: gnutls_certificate_verify_peers2 failed -49
5fd8d88f conn=1860 fd=19 TLS established tls_ssf=256 ssf=256
5fd8d88f conn=1860 op=1 BIND dn="cn=readonly,dc=mydom" method=128
5fd8d88f conn=1860 op=1 BIND dn="cn=readonly,dc=mydom" mech=SIMPLE ssf=0
5fd8d88f conn=1860 op=1 RESULT tag=97 err=0 text=
5fd8d88f get_ssa: conn 1860 unknown attribute type=organization (17)
5fd8d88f conn=1860 op=2 SRCH base="ou=users,dc=mydom" scope=2 deref=0 filter="(&(objectClass=inetOrgPerson)(|(uid=*firstname*)(cn=*firstname*)(mail=*firstname*)(postalCode=*firstname*)(?organization=*firstname*)))"
5fd8d88f conn=1860 op=2 SRCH attr=mail o postalcode cn sn
5fd8d88f <= mdb_substring_candidates: (uid) not indexed
5fd8d88f <= mdb_substring_candidates: (cn) not indexed
5fd8d88f <= mdb_substring_candidates: (mail) not indexed
5fd8d88f <= mdb_substring_candidates: (postalCode) not indexed
5fd8d88f conn=1860 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
5fd8d88f conn=1861 fd=20 ACCEPT from IP=172.19.0.2:52324 (IP=0.0.0.0:389)
5fd8d88f conn=1861 op=0 EXT oid=1.3.6.1.4.1.1466.20037
5fd8d88f conn=1861 op=0 STARTTLS
5fd8d88f conn=1861 op=0 RESULT oid= err=0 text=
TLS: gnutls_certificate_verify_peers2 failed -49
5fd8d88f conn=1861 fd=20 TLS established tls_ssf=256 ssf=256
5fd8d88f conn=1861 op=1 BIND dn="cn=readonly,dc=mydom" method=128
5fd8d88f conn=1861 op=1 BIND dn="cn=readonly,dc=mydom" mech=SIMPLE ssf=0
5fd8d88f conn=1861 op=1 RESULT tag=97 err=0 text=
5fd8d88f conn=1860 op=3 UNBIND
5fd8d88f conn=1860 fd=19 closed
5fd8d88f conn=1861 op=2 SRCH base="cn=firstname name,ou=users,dc=mydom" scope=0 deref=0 filter="(objectClass=inetOrgPerson)"
5fd8d88f conn=1861 op=2 SRCH attr=givenname sn title businesscategory employeenumber employeetype mail gosamailquota telephonenumber mobile facsimiletelephonenumber postaladdress street postalcode l st manager secretary ou o description memberof cn
5fd8d88f conn=1861 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
5fd8d88f conn=1861 op=3 UNBIND
5fd8d88f conn=1861 fd=20 closed
5fd8d890 conn=1862 fd=19 ACCEPT from IP=172.19.0.2:52330 (IP=0.0.0.0:389)
5fd8d890 conn=1862 op=0 EXT oid=1.3.6.1.4.1.1466.20037
5fd8d890 conn=1862 op=0 STARTTLS
5fd8d890 conn=1862 op=0 RESULT oid= err=0 text=
TLS: gnutls_certificate_verify_peers2 failed -49
5fd8d890 conn=1862 fd=19 TLS established tls_ssf=256 ssf=256
5fd8d890 conn=1862 op=1 BIND dn="cn=readonly,dc=mydom" method=128
5fd8d890 conn=1862 op=1 BIND dn="cn=readonly,dc=mydom" mech=SIMPLE ssf=0
5fd8d890 conn=1862 op=1 RESULT tag=97 err=0 text=
5fd8d890 conn=1862 op=2 SRCH base="cn=firstname name,ou=users,dc=mydom" scope=0 deref=0 filter="(objectClass=inetOrgPerson)"
5fd8d890 conn=1862 op=2 SRCH attr=jpegPhoto
5fd8d890 conn=1862 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
5fd8d890 conn=1862 op=3 UNBIND
5fd8d890 conn=1862 fd=19 closed

Service-Desk Apache logs when submitting a request:

[Tue Dec 15 16:41:19.198506 2020] [php7:notice] [pid 24] [client 172.20.0.8:40538] PHP Notice:  Undefined variable: smarty_compile_dir in /usr/share/service-desk/htdocs/index.php on line 38, referer: https://sd.mydom.com/
[Tue Dec 15 16:41:19.198831 2020] [php7:notice] [pid 24] [client 172.20.0.8:40538] PHP Notice:  Undefined variable: smarty_cache_dir in /usr/share/service-desk/htdocs/index.php on line 39, referer: https://sd.mydom.com/
172.20.0.8 - firstname.name [15/Dec/2020:16:41:19 +0100] "POST /index.php?page=search HTTP/1.1" 200 2953 "https://sd.mydom.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0" 2753 518912 0 24 sd.mydom.com:80
vhost_combined
172.20.0.8 - firstname.name [15/Dec/2020:16:41:20 +0100] "GET /vendor/datatables/datatables.min.js HTTP/1.1" 200 45098 "https://sd.mydom.com/index.php?page=search" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0" 44797 27018 0 20 sd.mydom.com:80
vhost_combined

OpenLDAP logs when submitting a request:

5fd8d93d conn=1867 fd=19 ACCEPT from IP=172.19.0.6:42606 (IP=0.0.0.0:389)
5fd8d93d conn=1867 op=0 EXT oid=1.3.6.1.4.1.1466.20037
5fd8d93d conn=1867 op=0 STARTTLS
5fd8d93d conn=1867 op=0 RESULT oid= err=0 text=
TLS: gnutls_certificate_verify_peers2 failed -49
5fd8d93d conn=1867 fd=19 TLS established tls_ssf=256 ssf=256
5fd8d93d conn=1867 op=1 BIND dn="cn=bot ldap,ou=users,dc=mydom" method=128
5fd8d93d conn=1867 op=1 BIND dn="cn=bot ldap,ou=users,dc=mydom" mech=SIMPLE ssf=0
5fd8d93d conn=1867 op=1 RESULT tag=97 err=0 text=
5fd8d93d conn=1867 op=2 SRCH base="ou=users,dc=mydom" scope=2 deref=0 filter="(&(objectClass=inetOrgPerson)(|(uid=*firstname*)(cn=*firstname*)(mail=*firstname*)))"
5fd8d93d conn=1867 op=2 SRCH attr=uid mail telephonenumber cn sn
5fd8d93d <= mdb_substring_candidates: (uid) not indexed
5fd8d93d <= mdb_substring_candidates: (cn) not indexed
5fd8d93d <= mdb_substring_candidates: (mail) not indexed
5fd8d93d conn=1867 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
5fd8d93d conn=1868 fd=20 ACCEPT from IP=172.19.0.6:42608 (IP=0.0.0.0:389)
5fd8d93d conn=1868 op=0 EXT oid=1.3.6.1.4.1.1466.20037
5fd8d93d conn=1868 op=0 STARTTLS
5fd8d93d conn=1868 op=0 RESULT oid= err=0 text=
TLS: gnutls_certificate_verify_peers2 failed -49
5fd8d93d conn=1868 fd=20 TLS established tls_ssf=256 ssf=256
5fd8d93d conn=1868 op=1 BIND dn="cn=bot ldap,ou=users,dc=mydom" method=128
5fd8d93d conn=1868 op=1 BIND dn="cn=bot ldap,ou=users,dc=mydom" mech=SIMPLE ssf=0
5fd8d93d conn=1868 op=1 RESULT tag=97 err=0 text=
5fd8d93d conn=1867 op=3 UNBIND
5fd8d93d conn=1867 fd=19 closed
5fd8d93d conn=1868 op=2 SRCH base="cn=firstname name,ou=users,dc=mydom" scope=0 deref=0 filter="(objectClass=inetOrgPerson)"
5fd8d93d conn=1868 op=2 SRCH attr=uid givenname sn title businesscategory employeenumber employeetype mail gosamailquota telephonenumber mobile facsimiletelephonenumber postaladdress street postalcode l st ou o pwdchangedtime pwdreset pwdaccountlockedtime pwdfailuretime 1.1 authtimestamp createtimestamp modifytimestamp cn pwdPolicySubentry
5fd8d93d conn=1868 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
5fd8d93d conn=1868 op=3 SRCH base="cn=default,ou=ppolicies,dc=mydom" scope=0 deref=0 filter="(objectClass=pwdPolicy)"
5fd8d93d conn=1868 op=3 SRCH attr=pwdMaxAge pwdLockoutDuration
5fd8d93d conn=1868 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
5fd8d93d conn=1868 op=4 UNBIND
5fd8d93d conn=1868 fd=20 closed

SSP logs when submitting a request (the log format is slightly different, but that's not relevant here):

[Tue Dec 15 16:44:59.606621 2020] [php7:warn] [pid 24] [client 192.168.5.52:0] PHP Warning:  ldap_start_tls(): Unable to start TLS: Connect error in /usr/share/self-service-password/htdocs/change.php on line 74, referer: https://ssp.mydom.com/
[Tue Dec 15 16:44:59.606667 2020] [php7:notice] [pid 24] [client 192.168.5.52:0] LDAP - Unable to use StartTLS, referer: https://ssp.mydom.com/
[Tue Dec 15 16:44:59.613930 2020] [php7:notice] [pid 24] [client 192.168.5.52:0] PHP Notice:  Undefined index: msg_changehelpextramessage in /usr/share/self-service-password/templates_c/f6b50b13b91599a6d59a20cb1147ad5af3c8d817_2.file.change.tpl.php on line 42, referer: https://ssp.mydom.com/
[Tue Dec 15 16:44:59.613967 2020] [php7:notice] [pid 24] [client 192.168.5.52:0] PHP Notice:  Trying to get property 'value' of non-object in /usr/share/self-service-password/templates_c/f6b50b13b91599a6d59a20cb1147ad5af3c8d817_2.file.change.tpl.php on line 42, referer: https://ssp.mydom.com/
192.168.5.52 - - [15/Dec/2020:16:44:59 +0100] "POST / HTTP/1.1" 200 1747 "https://ssp.mydom.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0" 1547 212883 0 24 ssp.mydom.com:80
vhost_combined

OpenLDAP logs for the SSP request:

5fd8d9fb conn=1873 fd=19 ACCEPT from IP=172.19.0.7:52364 (IP=0.0.0.0:389)
5fd8d9fb conn=1873 op=0 EXT oid=1.3.6.1.4.1.1466.20037
5fd8d9fb conn=1873 op=0 STARTTLS
5fd8d9fb conn=1873 op=0 RESULT oid= err=0 text=
TLS: gnutls_certificate_verify_peers2 failed -49
5fd8d9fb conn=1873 fd=19 TLS established tls_ssf=256 ssf=256
5fd8d9fb conn=1873 fd=19 closed (connection lost)

I'm only noticing that the "TLS: gnutls_certificate_verify_peers2 failed -49" error seems to be everywhere, so it was not relevant of me to point it out previously; sorry about that.

I will try to send the tcpdump ASAP.

coudot commented 3 years ago

The OpenLDAP logs indeed seem the same for all, so the difference should be on the SSP side. Do you use the same LDAP URL in all applications?

NoxInmortus commented 3 years ago

Yes indeed, here are the different configurations:

I'm using a different user for White-Pages as it does not require write permissions.

White-pages:

$ldap_url = "ldap://ldap.mydom.com";
$ldap_starttls = true;
$ldap_binddn = "cn=readonly,dc=mydom";
$ldap_bindpw = "readonlyPwd";
$ldap_base = "dc=mydom";
$ldap_user_base = "ou=users,".$ldap_base;
$ldap_user_filter = "(objectClass=inetOrgPerson)";
$ldap_group_base = "ou=groups,".$ldap_base;
$ldap_group_filter = "(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))";
$ldap_size_limit = 100;

Service-Desk:

$ldap_url = "ldap://ldap.mydom.com";
$ldap_starttls = true;
$ldap_binddn = "cn=ldap_user,ou=users,dc=mydom";
$ldap_bindpw = "userPwd";
$ldap_base = "dc=mydom";
$ldap_user_base = "ou=users,".$ldap_base;
$ldap_user_filter = "(objectClass=inetOrgPerson)";
$ldap_group_filter = 
$ldap_size_limit = 100;
$ldap_default_ppolicy = "cn=default,ou=ppolicies,dc=mydom";

SSP:

$ldap_url = "ldap://ldap.mydom.com";
$ldap_starttls = true;
$ldap_binddn = "cn=ldap_user,ou=users,dc=mydom";
$ldap_bindpw = "userPwd";
$ldap_base = "dc=mydom";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";
$ldap_use_exop_passwd = false;

coudot commented 3 years ago

Could you try to add this before calling ldap_start_tls in the SSP source code?

ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
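
A stand-alone diagnostic in the spirit of this suggestion, added here as an example and not code from SSP, WP or SD: it mirrors the connect/StartTLS/bind sequence the three tools share, pins the CA file and certificate policy through libldap's global options so the result does not depend on which ldap.conf libldap picked up, and reports libldap's diagnostic message when StartTLS or the bind fails. The URL, bind DN, password source and CA path are assumptions to replace with your own values.

```php
<?php
// ssp_starttls_check.php: stand-alone StartTLS diagnostic (added example, not SSP code).
// Run from the same container/host as SSP: php ssp_starttls_check.php
// The libldap trace (LDAP_OPT_DEBUG_LEVEL 7) goes to stderr, as in the thread.

// Assumed values: replace with your own (same names as in SSP's config.inc.php).
$ldap_url      = "ldap://ldap.example.com";
$ldap_starttls = true;
$ldap_binddn   = "cn=ldap_user,ou=users,dc=example,dc=com";
$ldap_bindpw   = getenv("LDAP_BINDPW") ?: "";        // assumed: password from the environment
$ca_file       = "/etc/openldap/certs/rootCA.cer";   // assumed path to the CA certificate (PEM)

// Collect errno, error string and libldap's extended diagnostic for one failed stage.
function ldap_diag(string $stage, $ldap): string
{
    $extra = "";
    if (ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $msg) && $msg !== null && $msg !== "") {
        $extra = " / " . $msg;
    }
    return sprintf("%s failed: errno=%d (%s)%s", $stage, ldap_errno($ldap), ldap_error($ldap), $extra);
}

// Returns [bool ok, string detail].
function starttls_check(string $url, bool $starttls, string $binddn, string $bindpw, string $cafile): array
{
    // A null handle sets process-wide libldap defaults, applied to connections created
    // afterwards; this is the same mechanism as the debug one-liner suggested above.
    ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);
    // Pin the trust anchor and demand a valid server certificate, independent of ldap.conf.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $cafile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ldap = ldap_connect($url);
    if ($ldap === false) {
        return [false, "ldap_connect rejected URL " . $url];
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    if ($starttls) {
        // "Unable to start TLS: Connect error" here, together with
        // "TLS: peer cert untrusted or revoked" in the trace, means the server
        // certificate did not chain to $cafile or its name did not match $url.
        if (!ldap_start_tls($ldap)) {
            return [false, ldap_diag("StartTLS", $ldap)];
        }
    }

    // Same bind choice as the SSP excerpt: authenticated if a DN is configured, else anonymous.
    $bind = ($binddn !== "") ? ldap_bind($ldap, $binddn, $bindpw) : ldap_bind($ldap);
    if (!$bind) {
        return [false, ldap_diag("Bind", $ldap)];
    }
    ldap_unbind($ldap);
    return [true, "StartTLS and bind OK against " . $url];
}

[$ok, $detail] = starttls_check($ldap_url, $ldap_starttls, $ldap_binddn, $ldap_bindpw, $ca_file);
fwrite(STDERR, $detail . PHP_EOL);
exit($ok ? 0 : 1);
```

A failure here with "TLS: peer cert untrusted or revoked" in the trace points at the CA file or the server certificate's name, which is what to fix; lowering the policy to LDAP_OPT_X_TLS_NEVER (TLS_REQCERT never) only hides the verification failure.
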

NoxInmortus commented 3 years ago

Here it is:

ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: using /etc/ldap/ldap.conf
ldap_init: HOME env is NULL
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
ldap_create
ldap_url_parse_ext(ldap://ldap.mydom.com)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.mydom.com:389
ldap_new_socket: 11
ldap_prepare_socket: 11
ldap_connect_to_host: Trying 172.19.0.5:389
ldap_pvt_connect: fd: 11 tm: -1 async: 0
attempting to connect: 
connect success
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x201d7b0 msgid 1
wait4msg ld 0x201d7b0 msgid 1 (infinite timeout)
wait4msg continue ld 0x201d7b0 msgid 1 all 1
** ld 0x201d7b0 Connections:
* host: ldap.mydom.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Dec 15 17:42:53 2020

** ld 0x201d7b0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x201d7b0 request count 1 (abandoned 0)
** ld 0x201d7b0 Response Queue:
   Empty
  ld 0x201d7b0 response count 0
ldap_chkResponseList ld 0x201d7b0 msgid 1 all 1
ldap_chkResponseList returns ld 0x201d7b0 NULL
ldap_int_select
read1msg: ld 0x201d7b0 msgid 1 all 1
read1msg: ld 0x201d7b0 msgid 1 message type extended-result
read1msg: ld 0x201d7b0 0 new referrals
read1msg:  mark request completed, ld 0x201d7b0 msgid 1
request done: ld 0x201d7b0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
[Tue Dec 15 17:42:53.723014 2020] [php7:warn] [pid 21] [client 192.168.5.52:0] PHP Warning:  ldap_start_tls(): Unable to start TLS: Connect error in /usr/share/self-service-password/htdocs/change.php on line 74, referer: https://ssp.mydom.com/
[Tue Dec 15 17:42:53.723090 2020] [php7:notice] [pid 21] [client 192.168.5.52:0] LDAP - Unable to use StartTLS, referer: https://ssp.mydom.com/
[Tue Dec 15 17:42:53.725596 2020] [php7:notice] [pid 21] [client 192.168.5.52:0] PHP Notice:  Undefined index: msg_changehelpextramessage in /usr/share/self-service-password/templates_c/f6b50b13b91599a6d59a20cb1147ad5af3c8d817_2.file.change.tpl.php on line 42, referer: https://ssp.mydom.com/
[Tue Dec 15 17:42:53.725634 2020] [php7:notice] [pid 21] [client 192.168.5.52:0] PHP Notice:  Trying to get property 'value' of non-object in /usr/share/self-service-password/templates_c/f6b50b13b91599a6d59a20cb1147ad5af3c8d817_2.file.change.tpl.php on line 42, referer: https://ssp.mydom.com/
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
192.168.5.52 - - [15/Dec/2020:17:42:53 +0100] "POST / HTTP/1.1" 200 1747 "https://ssp.mydom.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0" 1547 217808 0 21 ssp.mydom.com:80
vhost_combined
192.168.5.52 - - [15/Dec/2020:17:42:54 +0100] "GET /vendor/bootstrap/css/bootstrap-theme.min.css HTTP/1.1" 200 2515 "https://ssp.mydom.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0" 2230 1505 0 22 ssp.mydom.com:80
vhost_combined
192.168.5.52 - - [15/Dec/2020:17:42:54 +0100] "GET /vendor/font-awesome/css/font-awesome.min.css HTTP/1.1" 200 7338 "https://ssp.mydom.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0" 7053 4118 0 20 ssp.mydom.com:80
vhost_combined
192.168.5.52 - - [15/Dec/2020:17:42:54 +0100] "GET /vendor/bootstrap/js/bootstrap.min.js HTTP/1.1" 200 8834 "https://ssp.mydom.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0" 8535 4120 0 24 ssp.mydom.com:80
vhost_combined
192.168.5.52 - - [15/Dec/2020:17:42:54 +0100] "GET /js/self-service-password.js HTTP/1.1" 200 486 "https://ssp.mydom.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0" 190 739 0 24 ssp.mydom.com:80
vhost_combined
192.168.5.52 - - [15/Dec/2020:17:42:54 +0100] "GET /images/ltb-logo.png HTTP/1.1" 304 129 "https://ssp.mydom.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0" - 521 0 21 ssp.mydom.com:80
vhost_combined
192.168.5.52 - - [15/Dec/2020:17:42:54 +0100] "GET /vendor/bootstrap/css/bootstrap.min.css HTTP/1.1" 200 18428 "https://ssp.mydom.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0" 18141 11822 0 23 ssp.mydom.com:80
vhost_combined
192.168.5.52 - - [15/Dec/2020:17:42:54 +0100] "GET /css/self-service-password.css HTTP/1.1" 200 731 "https://ssp.mydom.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0" 448 1739 0 20 ssp.mydom.com:80
vhost_combined
192.168.5.52 - - [15/Dec/2020:17:42:54 +0100] "GET /vendor/jquery/js/jquery-3.5.1.min.js HTTP/1.1" 200 31211 "https://ssp.mydom.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0" 30910 20150 0 22 ssp.mydom.com:80
vhost_combined
192.168.5.52 - - [15/Dec/2020:17:42:54 +0100] "GET /images/unsplash-space.jpeg HTTP/1.1" 304 130 "https://ssp.mydom.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0" - 1075 0 31 ssp.mydom.com:80
vhost_combined

Interesting:

TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).

To compare, here is the same from White-Pages:

ldap_create
ldap_url_parse_ext(ldap://ldap.mydom.com)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.mydom.com:389
ldap_new_socket: 12
ldap_prepare_socket: 12
ldap_connect_to_host: Trying 172.19.0.5:389
ldap_pvt_connect: fd: 12 tm: -1 async: 0
attempting to connect: 
connect success
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0xb16a70 msgid 1
wait4msg ld 0xb16a70 msgid 1 (infinite timeout)
wait4msg continue ld 0xb16a70 msgid 1 all 1
** ld 0xb16a70 Connections:
* host: ldap.mydom.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Dec 15 17:49:01 2020

** ld 0xb16a70 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0xb16a70 request count 1 (abandoned 0)
** ld 0xb16a70 Response Queue:
   Empty
  ld 0xb16a70 response count 0
ldap_chkResponseList ld 0xb16a70 msgid 1 all 1
ldap_chkResponseList returns ld 0xb16a70 NULL
ldap_int_select
read1msg: ld 0xb16a70 msgid 1 all 1
read1msg: ld 0xb16a70 msgid 1 message type extended-result
read1msg: ld 0xb16a70 0 new referrals
read1msg:  mark request completed, ld 0xb16a70 msgid 1
request done: ld 0xb16a70 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0xb16a70 msgid 2
wait4msg ld 0xb16a70 msgid 2 (infinite timeout)
wait4msg continue ld 0xb16a70 msgid 2 all 1
** ld 0xb16a70 Connections:
* host: ldap.mydom.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Dec 15 17:49:01 2020

** ld 0xb16a70 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0xb16a70 request count 1 (abandoned 0)
** ld 0xb16a70 Response Queue:
   Empty
  ld 0xb16a70 response count 0
ldap_chkResponseList ld 0xb16a70 msgid 2 all 1
ldap_chkResponseList returns ld 0xb16a70 NULL
ldap_int_select
read1msg: ld 0xb16a70 msgid 2 all 1
read1msg: ld 0xb16a70 msgid 2 message type bind
read1msg: ld 0xb16a70 0 new referrals
read1msg:  mark request completed, ld 0xb16a70 msgid 2
request done: ld 0xb16a70 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ldap_msgfree
ldap_search_ext
put_filter: "(&(objectClass=inetOrgPerson)(|(uid=*firstname*)(cn=*firstname*)(mail=*firstname*)(postalcode=*firstname*)(organization=*firstname*)))"
put_filter: AND
put_filter_list "(objectClass=inetOrgPerson)(|(uid=*firstname*)(cn=*firstname*)(mail=*firstname*)(postalcode=*firstname*)(organization=*firstname*))"
put_filter: "(objectClass=inetOrgPerson)"
put_filter: simple
put_simple_filter: "objectClass=inetOrgPerson"
put_filter: "(|(uid=*firstname*)(cn=*firstname*)(mail=*firstname*)(postalcode=*firstname*)(organization=*firstname*))"
put_filter: OR
put_filter_list "(uid=*firstname*)(cn=*firstname*)(mail=*firstname*)(postalcode=*firstname*)(organization=*firstname*)"
put_filter: "(uid=*firstname*)"
put_filter: simple
put_simple_filter: "uid=*firstname*"
put_substring_filter "uid=*firstname*"
put_filter: "(cn=*firstname*)"
put_filter: simple
put_simple_filter: "cn=*firstname*"
put_substring_filter "cn=*firstname*"
put_filter: "(mail=*firstname*)"
put_filter: simple
put_simple_filter: "mail=*firstname*"
put_substring_filter "mail=*firstname*"
put_filter: "(postalcode=*firstname*)"
put_filter: simple
put_simple_filter: "postalcode=*firstname*"
put_substring_filter "postalcode=*firstname*"
put_filter: "(organization=*firstname*)"
put_filter: simple
put_simple_filter: "organization=*firstname*"
put_substring_filter "organization=*firstname*"
ldap_build_search_req ATTRS: mail o postalcode cn sn
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0xb16a70 msgid 3
wait4msg ld 0xb16a70 msgid 3 (infinite timeout)
wait4msg continue ld 0xb16a70 msgid 3 all 1
** ld 0xb16a70 Connections:
* host: ldap.mydom.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Dec 15 17:49:01 2020

** ld 0xb16a70 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0xb16a70 request count 1 (abandoned 0)
** ld 0xb16a70 Response Queue:
   Empty
  ld 0xb16a70 response count 0
ldap_chkResponseList ld 0xb16a70 msgid 3 all 1
ldap_chkResponseList returns ld 0xb16a70 NULL
ldap_int_select
read1msg: ld 0xb16a70 msgid 3 all 1
read1msg: ld 0xb16a70 msgid 3 message type search-entry
wait4msg continue ld 0xb16a70 msgid 3 all 1
** ld 0xb16a70 Connections:
* host: ldap.mydom.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Dec 15 17:49:01 2020

** ld 0xb16a70 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0xb16a70 request count 1 (abandoned 0)
** ld 0xb16a70 Response Queue:
 * msgid 3,  type 100
  ld 0xb16a70 response count 1
ldap_chkResponseList ld 0xb16a70 msgid 3 all 1
ldap_chkResponseList returns ld 0xb16a70 NULL
ldap_int_select
read1msg: ld 0xb16a70 msgid 3 all 1
read1msg: ld 0xb16a70 msgid 3 message type search-result
read1msg: ld 0xb16a70 0 new referrals
read1msg:  mark request completed, ld 0xb16a70 msgid 3
request done: ld 0xb16a70 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
adding response ld 0xb16a70 msgid 3 type 101:
ldap_parse_result
ldap_first_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_dn
ldap_create
ldap_url_parse_ext(ldap://ldap.mydom.com)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.mydom.com:389
ldap_new_socket: 13
ldap_prepare_socket: 13
ldap_connect_to_host: Trying 172.19.0.5:389
ldap_pvt_connect: fd: 13 tm: -1 async: 0
attempting to connect: 
connect success
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0xb146a0 msgid 1
wait4msg ld 0xb146a0 msgid 1 (infinite timeout)
wait4msg continue ld 0xb146a0 msgid 1 all 1
** ld 0xb146a0 Connections:
* host: ldap.mydom.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Dec 15 17:49:01 2020

** ld 0xb146a0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0xb146a0 request count 1 (abandoned 0)
** ld 0xb146a0 Response Queue:
   Empty
  ld 0xb146a0 response count 0
ldap_chkResponseList ld 0xb146a0 msgid 1 all 1
ldap_chkResponseList returns ld 0xb146a0 NULL
ldap_int_select
read1msg: ld 0xb146a0 msgid 1 all 1
read1msg: ld 0xb146a0 msgid 1 message type extended-result
read1msg: ld 0xb146a0 0 new referrals
read1msg:  mark request completed, ld 0xb146a0 msgid 1
request done: ld 0xb146a0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0xb146a0 msgid 2
wait4msg ld 0xb146a0 msgid 2 (infinite timeout)
wait4msg continue ld 0xb146a0 msgid 2 all 1
** ld 0xb146a0 Connections:
* host: ldap.mydom.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Dec 15 17:49:02 2020

** ld 0xb146a0 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0xb146a0 request count 1 (abandoned 0)
** ld 0xb146a0 Response Queue:
   Empty
  ld 0xb146a0 response count 0
ldap_chkResponseList ld 0xb146a0 msgid 2 all 1
ldap_chkResponseList returns ld 0xb146a0 NULL
ldap_int_select
read1msg: ld 0xb146a0 msgid 2 all 1
read1msg: ld 0xb146a0 msgid 2 message type bind
read1msg: ld 0xb146a0 0 new referrals
read1msg:  mark request completed, ld 0xb146a0 msgid 2
request done: ld 0xb146a0 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
ldap_search_ext
put_filter: "(objectClass=inetOrgPerson)"
put_filter: simple
put_simple_filter: "objectClass=inetOrgPerson"
ldap_build_search_req ATTRS: givenname sn title businesscategory employeenumber employeetype mail gosamailquota telephonenumber mobile facsimiletelephonenumber postaladdress street postalcode l st manager secretary ou o description memberof cn
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0xb146a0 msgid 3
wait4msg ld 0xb146a0 msgid 3 (infinite timeout)
wait4msg continue ld 0xb146a0 msgid 3 all 1
** ld 0xb146a0 Connections:
* host: ldap.mydom.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Dec 15 17:49:02 2020

** ld 0xb146a0 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0xb146a0 request count 1 (abandoned 0)
** ld 0xb146a0 Response Queue:
   Empty
  ld 0xb146a0 response count 0
ldap_chkResponseList ld 0xb146a0 msgid 3 all 1
ldap_chkResponseList returns ld 0xb146a0 NULL
ldap_int_select
read1msg: ld 0xb146a0 msgid 3 all 1
read1msg: ld 0xb146a0 msgid 3 message type search-entry
wait4msg continue ld 0xb146a0 msgid 3 all 1
** ld 0xb146a0 Connections:
* host: ldap.mydom.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Dec 15 17:49:02 2020

** ld 0xb146a0 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0xb146a0 request count 1 (abandoned 0)
** ld 0xb146a0 Response Queue:
 * msgid 3,  type 100
  ld 0xb146a0 response count 1
ldap_chkResponseList ld 0xb146a0 msgid 3 all 1
ldap_chkResponseList returns ld 0xb146a0 NULL
ldap_int_select
read1msg: ld 0xb146a0 msgid 3 all 1
read1msg: ld 0xb146a0 msgid 3 message type search-result
read1msg: ld 0xb146a0 0 new referrals
read1msg:  mark request completed, ld 0xb146a0 msgid 3
request done: ld 0xb146a0 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
adding response ld 0xb146a0 msgid 3 type 101:
ldap_parse_result
ldap_msgfree
ldap_first_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_dn
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
172.20.0.8 - firstname.name [15/Dec/2020:17:49:01 +0100] "POST /index.php?page=search HTTP/1.1" 200 2691 "https://wp.mydom.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0" 2491 412043 0 20 wp.mydom.com:80
vhost_combined
[Tue Dec 15 17:49:02.558496 2020] [php7:notice] [pid 24] [client 172.20.0.8:32830] PHP Notice:  Undefined variable: ldap_network_timeout in /usr/share/white-pages/htdocs/photo.php on line 29, referer: https://wp.mydom.com/index.php?page=search
[Tue Dec 15 17:49:02.741109 2020] [php7:notice] [pid 24] [client 172.20.0.8:32830] PHP Notice:  Undefined variable: photo_local_ldap_attribute in /usr/share/white-pages/htdocs/photo.php on line 60, referer: https://wp.mydom.com/index.php?page=search
[Tue Dec 15 17:49:02.741209 2020] [php7:error] [pid 24] [client 172.20.0.8:32830] PHP Fatal error:  Uncaught Error: Call to undefined function imagecreatefromjpeg() in /usr/share/white-pages/htdocs/photo.php:77\nStack trace:\n#0 {main}\n  thrown in /usr/share/white-pages/htdocs/photo.php on line 77, referer: https://wp.mydom.com/index.php?page=search
172.20.0.8 - firstname.name [15/Dec/2020:17:49:02 +0100] "GET /photo.php?dn=cn%3Dfirstname%20name%2Cou%3Dusers%2Cdc%3Dmydom HTTP/1.1" 500 169 "https://wp.mydom.com/index.php?page=search" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0" - 198904 0 24 wp.mydom.com:80
vhost_combined

I don't see any `TLS: peer cert untrusted or revoked (0x42)` for WP; it looks like SSP does not receive/use the CA cert provided by OpenLDAP from the `TLS_CACERT /path/to/my/ca.cert` parameter.

coudot commented 3 years ago

Indeed, I get the same conclusion, but cannot explain it. We use the same PHP LDAP operations in all products. I don't understand the issue.

NoxInmortus commented 3 years ago

I just tried to mount the ca cert in the docker volume and add TLS_CACERT /path/to/my/ca.cert in /etc/ldap/ldap.conf on the client side.

The generated logs seem to be different, but I can't grasp anything from them; maybe you can:

ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: using /etc/ldap/ldap.conf
ldap_init: HOME env is NULL
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
ldap_create
ldap_url_parse_ext(ldap://ldap.mydom.com)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.mydom.com:389
ldap_new_socket: 11
ldap_prepare_socket: 11
ldap_connect_to_host: Trying 172.19.0.5:389
ldap_pvt_connect: fd: 11 tm: -1 async: 0
attempting to connect: 
connect success
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x841878 msgid 1
wait4msg ld 0x841878 msgid 1 (infinite timeout)
wait4msg continue ld 0x841878 msgid 1 all 1
** ld 0x841878 Connections:
* host: ldap.mydom.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Dec 15 18:34:38 2020

** ld 0x841878 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x841878 request count 1 (abandoned 0)
** ld 0x841878 Response Queue:
   Empty
  ld 0x841878 response count 0
ldap_chkResponseList ld 0x841878 msgid 1 all 1
ldap_chkResponseList returns ld 0x841878 NULL
ldap_int_select
read1msg: ld 0x841878 msgid 1 all 1
read1msg: ld 0x841878 msgid 1 message type extended-result
read1msg: ld 0x841878 0 new referrals
read1msg:  mark request completed, ld 0x841878 msgid 1
request done: ld 0x841878 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x841878 msgid 2
wait4msg ld 0x841878 msgid 2 (infinite timeout)
wait4msg continue ld 0x841878 msgid 2 all 1
** ld 0x841878 Connections:
* host: ldap.mydom.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Dec 15 18:34:38 2020

** ld 0x841878 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x841878 request count 1 (abandoned 0)
** ld 0x841878 Response Queue:
   Empty
  ld 0x841878 response count 0
ldap_chkResponseList ld 0x841878 msgid 2 all 1
ldap_chkResponseList returns ld 0x841878 NULL
ldap_int_select
read1msg: ld 0x841878 msgid 2 all 1
read1msg: ld 0x841878 msgid 2 message type bind
read1msg: ld 0x841878 0 new referrals
read1msg:  mark request completed, ld 0x841878 msgid 2
request done: ld 0x841878 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ldap_msgfree
ldap_search_ext
put_filter: "(&(objectClass=person)(uid=firstname.name))"
put_filter: AND
put_filter_list "(objectClass=person)(uid=firstname.name)"
put_filter: "(objectClass=person)"
put_filter: simple
put_simple_filter: "objectClass=person"
put_filter: "(uid=firstname.name)"
put_filter: simple
put_simple_filter: "uid=firstname.name"
ldap_build_search_req ATTRS: *
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x841878 msgid 3
wait4msg ld 0x841878 msgid 3 (infinite timeout)
wait4msg continue ld 0x841878 msgid 3 all 1
** ld 0x841878 Connections:
* host: ldap.mydom.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Dec 15 18:34:38 2020

** ld 0x841878 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x841878 request count 1 (abandoned 0)
** ld 0x841878 Response Queue:
   Empty
  ld 0x841878 response count 0
ldap_chkResponseList ld 0x841878 msgid 3 all 1
ldap_chkResponseList returns ld 0x841878 NULL
ldap_int_select
read1msg: ld 0x841878 msgid 3 all 1
read1msg: ld 0x841878 msgid 3 message type search-result
read1msg: ld 0x841878 0 new referrals
read1msg:  mark request completed, ld 0x841878 msgid 3
request done: ld 0x841878 msgid 3
res_errno: 32, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
ldap_parse_result
ldap_msgfree
ldap_err2string
[Tue Dec 15 18:34:38.873821 2020] [php7:warn] [pid 20] [client 192.168.5.52:0] PHP Warning:  ldap_search(): Search: No such object in /usr/share/self-service-password/htdocs/change.php on line 96, referer: https://ssp.mydom.com/
ldap_err2string
[Tue Dec 15 18:34:38.874628 2020] [php7:notice] [pid 20] [client 192.168.5.52:0] LDAP - Search error 32  (No such object), referer: https://ssp.mydom.com/
[Tue Dec 15 18:34:38.899602 2020] [php7:notice] [pid 20] [client 192.168.5.52:0] PHP Notice:  Undefined index: msg_changehelpextramessage in /usr/share/self-service-password/templates_c/f6b50b13b91599a6d59a20cb1147ad5af3c8d817_2.file.change.tpl.php on line 42, referer: https://ssp.mydom.com/
[Tue Dec 15 18:34:38.899643 2020] [php7:notice] [pid 20] [client 192.168.5.52:0] PHP Notice:  Trying to get property 'value' of non-object in /usr/share/self-service-password/templates_c/f6b50b13b91599a6d59a20cb1147ad5af3c8d817_2.file.change.tpl.php on line 42, referer: https://ssp.mydom.com/
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed

coudot commented 3 years ago

There is no more StartTLS error, but a simple LDAP error:

LDAP - Search error 32  (No such object)

Check OpenLDAP ACL for the bind user.

NoxInmortus commented 3 years ago

Indeed, my service user was not privileged enough; I may have switched from cn=admin to the service user without testing SSP, only Service-Desk >:(

I replaced my BINDDN with my cn=admin, and it did work.

I removed TLS_CACERT from /etc/ldap/ldap.conf (client side), and it's not working anymore.

I still don't understand why I should need TLS_CACERT client side for SSP; I'm missing something.

coudot commented 3 years ago

You need the CA certificate so your client can validate the server certificate. The question would be why it works without the CA certificate on other images.

NoxInmortus commented 3 years ago

The image is exactly the same, https://github.com/NoxInmortus/docker-ldap-tool-box

I just build 3 different tags (service-desk, white-pages, self-service-password), and I git clone the corresponding app into /usr/share.

From a sysadmin point of view I don't see how the issue would come from the image itself. I can't dig any deeper into the app code as I'm not competent enough.

Things working with the CA on the client side is sufficient for my needs, but it bothers me not to understand the root cause.

coudot commented 3 years ago

I would also like to understand :)

NoxInmortus commented 3 years ago

Hello @maxr786, maybe you could better analyse your case with all of what we previously wrote.

Do you reproduce the same kind of issue that I described?

A 2nd case may help us understand.

NoxInmortus commented 3 years ago

Hello back @coudot, I have some news.

I dug for the past two days, and I may have found the answer.

For the context, my OpenLDAP uses a certificate signed by my own Intermediate CA, itself issued by my own root CA (root_ca > intermediate_ca > openldap_cert).

On the OpenLDAP server, the TLS_CACERT parameter in ldap.conf uses the intermediate CA. And in the ldap.conf of the client (SSP host), I told TLS_CACERT to use the root CA (and then it worked).

What I did not realize, as I was too dumb/too sure of myself, is that my host needed the full chain (intermediate CA sent by the OpenLDAP, and something to authenticate this intermediate CA > the root CA). And the worst of it, I was making things work unconsciously by using the root CA on the client side, but I did not get the spark of understanding at the time.

That was a first issue that led me somewhere else. Indeed, my WP and SD hosts were working fine, but why?

The ONLY difference and detail that I never mentioned here is that I have an authentication managed by apache2 in front of WP and SD (in the docker image), and the thing is using LDAPTrustedGlobalCert with the root CA!! And this configuration is disabled for SSP.

And I just tried to enable this configuration, and after I authenticated... it worked. Incredibly, it worked.

And that's because I never caught the fact that LDAPTrustedGlobalCert is exactly the same thing as TLS_CACERT in ldap.conf, but managed differently!!

I feel dumb. But I clearly learnt a lot of things in those last few days. My deepest apologies for making you lose some of your time @coudot, thank you for trying to help me debug this; once again, I was too sure of myself.
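The root cause described in the comment above (the server certificate is signed by an intermediate CA, and the client only validates it when its trust store holds the root CA) can be reproduced offline. The script below is an added example, not code from the issue thread or from the LTB project: it builds a throwaway root CA > intermediate CA > server certificate chain with `openssl`, then checks which local trust store lets a client accept the server certificate. All names and file paths (`ldap.example.test`, `root.crt`, `inter.crt`, `ldap.crt`, the scratch directory) are invented for the demonstration; the `-CAfile` argument plays the role of the client's `TLS_CACERT` (ldap.conf) or Apache's `LDAPTrustedGlobalCert`, and `-untrusted` plays the intermediate certificate the LDAP server sends during the StartTLS handshake.

```shell
#!/bin/sh
# Added example (not from the thread or the project): reproduce the chain
# validation problem with a locally built root > intermediate > server chain.
# Every name and path below is constructed for the demonstration.
set -u

WORK="$(mktemp -d "${TMPDIR:-/tmp}/ldapchain.XXXXXX")"
trap 'rm -rf "$WORK"' EXIT

# Build the three-level chain: root_ca > intermediate_ca > server certificate.
build_chain() {
  # Root CA: a CSR self-signed with explicit CA extensions.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" \
    -subj "/CN=Example Root CA" >/dev/null 2>&1 || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1 || return 1

  # Intermediate CA: signed by the root, itself allowed to sign leaf certificates.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
    -subj "/CN=Example Intermediate CA" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 2 -in "$WORK/inter.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" >/dev/null 2>&1 || return 1

  # Server (LDAP) certificate: signed by the intermediate, NOT by the root.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" \
    -subj "/CN=ldap.example.test" >/dev/null 2>&1 || return 1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.example.test\n' \
    > "$WORK/leaf.ext"
  openssl x509 -req -days 2 -in "$WORK/ldap.csr" \
    -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/ldap.crt" >/dev/null 2>&1 || return 1
}

# client_validates TRUST_STORE [SENT_BY_SERVER]
#   TRUST_STORE    what the client has locally: TLS_CACERT / LDAPTrustedGlobalCert
#   SENT_BY_SERVER the intermediate the server includes in the handshake; it is
#                  passed as -untrusted, so it can extend the chain but is not an anchor
# Returns 0 when the client would accept the server certificate, non-zero otherwise.
client_validates() {
  trust="$1"; sent="${2:-}"
  if [ -n "$sent" ]; then
    openssl verify -CAfile "$trust" -untrusted "$sent" "$WORK/ldap.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$trust" "$WORK/ldap.crt" >/dev/null 2>&1
  fi
}

# report LABEL TRUST_STORE [SENT_BY_SERVER]: print the verdict for one scenario.
report() {
  label="$1"; shift
  if client_validates "$@"; then echo "$label: accepted"; else echo "$label: REJECTED"; fi
}

build_chain || { echo "could not build the test chain (openssl 1.1.1 or newer expected)"; exit 1; }
# The only scenario that works is the one the thread ended up with: root CA in the
# client trust store, intermediate delivered by the server.
report "root CA trusted, server sends intermediate   " "$WORK/root.crt" "$WORK/inter.crt"
report "only intermediate CA trusted                  " "$WORK/inter.crt"
report "root CA trusted, server sends no intermediate " "$WORK/root.crt"
```

The second scenario is the one the comment describes on the server side (an intermediate alone is not a trust anchor, so the chain cannot be completed), and the third is what a client sees when the server is not configured to send its intermediate. Against a live directory the equivalent check is `openssl s_client -starttls ldap -connect ldap.mydom.com:389 -CAfile /path/to/my/ca.cert`, whose output should end with `Verify return code: 0 (ok)` once the trust store and the chain sent by the server fit together.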