osTicket / osTicket-plugins

Core plugins for osTicket (v1.8+)
GNU General Public License v2.0

ERROR 500 when saving LDAP CONF #273

Open GamerClassN7 opened 1 year ago

GamerClassN7 commented 1 year ago

[screenshot]

Can anybody help me with this issue?

GamerClassN7 commented 1 year ago

I tracked it to this line https://github.com/osTicket/osTicket-plugins/blob/develop/lib/pear-pear.php.net/net_ldap2/Net/LDAP2.php#L701. Maybe @JediKev can shed some light :)

GamerClassN7 commented 1 year ago

Can anyone provide some idea why this is happening?

GamerClassN7 commented 1 year ago

@protich sorry for the mention, but we are really desperate to get it working, and you already managed to fix one of the bad downsides of OST, the OAuth, when basic authentication was dropped on the MS side.

Would you please be able to take a look at this issue?

JediKev commented 1 year ago

@GamerClassN7

Have you tried using this build of the plugin?

Cheers.

GamerClassN7 commented 1 year ago

Hi, I already tried that :( Unfortunately, in the test environment when I try LDAP over the standard port everything is correct, but in production with LDAPS each time I try to save the settings I get a 500 error.

JediKev commented 1 year ago

@GamerClassN7

Then it sounds like it truly can’t connect. Have you checked your firewall, ports, SSL cert, etc.? Have you tried an LDAPS connection from the webserver to see if it can connect properly?

Cheers.

GamerClassN7 commented 1 year ago

Yes, I tried an LDAPS connection over PowerShell and the native Windows Server app; both are working. I even wrote a simple PHP test using the same library and it also worked.

JediKev commented 1 year ago

@GamerClassN7

Post a screenshot of Admin Panel > Dashboard > Information.

Cheers.

GamerClassN7 commented 1 year ago

@JediKev [screenshot]

JediKev commented 1 year ago

@GamerClassN7

The only thing out of place here is the message about no longer being supported. Looks like you are having some DNS issues for that. However, I don't think that has any effect on this issue.

At this point the best course of action will be to track your connection logs and see at what point it fails. We'd just be guessing without more detailed errors/information.

Cheers.

GamerClassN7 commented 1 year ago

Yes, you are right, the server is deployed in the same ENV as my dev server; both are high sec. environments. If you can guide me through it I can get you logs if you want :).

GamerClassN7 commented 1 year ago

But I guess from what I see an incorrect variable is pushed into the ldap_close() function, as I posted in the initial message. Perhaps it is some edge case when plugin configuration validation fails? Just guessing, since if validation fails nothing can be closed if the connection is not established, right?

JediKev commented 1 year ago

@GamerClassN7

I am not a windows/IIS guy so I'm not going to be too helpful here. I did some quick googling and saw that the Windows Event Viewer can log LDAP/LDAPS connections/authentication attempts. You may need to go in and enable it though.

It basically can't close a connection as the connection is false meaning it didn't connect properly.

Cheers.

GamerClassN7 commented 1 year ago

@JediKev I checked the EVENT LOG already, nothing suspicious there. PHP log and IIS log are also empty, unfortunately.

I even ran tests over PowerShell and telnet to the server over port 636 and it gets through :(

GamerClassN7 commented 1 year ago

If anyone is interested, there is a simple PS LDAP and LDAPS tester: https://evotec.xyz/testing-ldap-and-ldaps-connectivity-with-powershell/

JediKev commented 1 year ago

@GamerClassN7

I was able to replicate this exact error when enabling TLS in the plugin config when I don't have TLS configured on the LDAP server. It does seem like the LDAPS connection is failing so ldap_close() is failing as a result (as there was no successful connection). You need to figure out why it's not able to connect to LDAPS but can to LDAP. In my case I simply don't have TLS configured.

Also, what port are you using in your plugin config for LDAPS? Also, did you enable the TLS option in the plugin config?

Cheers.

GamerClassN7 commented 1 year ago

@JediKev I use the standard port 636 and tried it with TLS enabled and disabled, same outcome. However, the weird thing is that from PowerShell and telnet from the same server I am able to use LDAPS.

JediKev commented 1 year ago

@GamerClassN7

I believe here is where the _link is being set to false if the TLS connection fails:

This seems to be happening in your case. Let's set up an unpacked plugin so you can add debug statements.

First, simply unpack the plugin:

cd /path/to/osTicket/include/plugins/
php -r '$phar = new Phar("auth-ldap.phar"); $phar->extractTo("./auth-ldap");'

Now you must update the database:

Once you do this you may need to restart the webserver. Now, you can edit the raw plugin files and add debug statements.

From here you can edit the /path/to/osticket/include/plugins/auth-ldap/include/Net2/LDAP2.php file, go to line 446, and add var_dump($current_error);die; making the entire statement look like:

            // If we're supposed to use TLS, do so before we try to bind,
            // as some strict servers only allow binding via secure connections
            if ($this->_config["starttls"] === true) {
                if (self::isError($msg = $this->startTLS())) {
                    $current_error           = $msg;
                    var_dump($current_error);die;
                    $this->_link             = false;
                    $this->_down_host_list[] = $host;
                    continue;
                }    
            }

Now when you go to save it should hopefully dump the full PEAR error which should be more detailed.

Cheers.

GamerClassN7 commented 1 year ago

Hmm, I am getting some weird error [screenshot]

JediKev commented 1 year ago

@GamerClassN7

Windows is horrible for this kind of thing lol. Try switching the quotes around (i.e. replace single with double and double with single).

Cheers.

GamerClassN7 commented 1 year ago

You were right, the correct syntax is [screenshot]

However, now I get this [screenshot]

JediKev commented 1 year ago

@GamerClassN7

Continue on to my other steps.

Cheers.

GamerClassN7 commented 1 year ago

I did them already.

GamerClassN7 commented 1 year ago

Oh, stupid, my SQL client had changes pending.

Still getting the same error [screenshot], so that means the error happens before the dump.

GamerClassN7 commented 1 year ago

Oh, /path/to/osticket/include/plugins/auth-ldap/include/Net/LDAP2.php is loaded, not Net2.

GamerClassN7 commented 1 year ago

Now I get a big chunk of data, mostly a dump of the configuration in the DB.

GamerClassN7 commented 1 year ago

However, at the start of the string there is something interesting indeed [screenshot]

GamerClassN7 commented 1 year ago

I think, maybe are we able to check which TLS version PHP is using? We have mandatory 1.2 and up.

GamerClassN7 commented 1 year ago

I am done today; if you have any suggestions let me know :), I will test them tomorrow :)

GamerClassN7 commented 1 year ago

Hi @JediKev, I was just thinking, isn't a bad version of the library included in the plugin? Shouldn't there be the version from the folder Net2? I verified everything else, and tested LDAPS from the server itself and it is working correctly.

So I am guessing a bad version of TLS is used.

GamerClassN7 commented 1 year ago

Also I noticed that the underlying code in the plugin is always prefixing the URL with ldap:// not ldaps:// if you input an LDAPS connection.

GamerClassN7 commented 1 year ago

An additional test with ldp.exe is also working with the same values, so I guess something bad is within the underlying library :(

GamerClassN7 commented 1 year ago

Hi, any idea what can be done next?

GamerClassN7 commented 1 year ago

Hello, any news? @JediKev

Thanks for any info

JediKev commented 1 year ago

@GamerClassN7

Upgrade to v1.17.4 or v1.18, install the latest build of the LDAP plugin (relevant to the osTicket version you will be upgrading to), and retest.

Cheers.

GamerClassN7 commented 1 year ago

Hello @JediKev, after updating to the latest version of both OST and plugins I am getting this error instead of 500

[screenshot]

I tried addresses in both IP and DNS name formats, with and without ldaps://. Normal LDAP is working properly.

But it will be deprecated. When I try to test LDAPS straight from the server where IIS is hosted with the testing utility it works like a charm, just not from OST.

Any suggested next steps?

JediKev commented 1 year ago

@GamerClassN7

People have reported issues with LDAPS protocol specifically. For now, use normal LDAP and enable TLS.

Cheers.

GamerClassN7 commented 1 year ago

@JediKev as I described previously this is not possible; LDAP will be switched off by our Sec. Department on all domain controllers :(

JediKev commented 1 year ago

@GamerClassN7

You can always review your AD logs to see why LDAPS is failing. We do not have the time to look into this at the moment but the code is open source allowing you to review the code and make any needed changes to get it working.

Cheers.

GamerClassN7 commented 1 year ago

Hello @JediKev, that is the problem: the LDAPS request from OST never arrives at AD, so there is nothing to analyze. And since OST is persistently stripping ldaps:// from the address, that could cause the issue; I saw it in some discussion regarding the underlying lib... Never mind, it should be mentioned somewhere that AD LDAPS is not supported on Windows AD even though OST supports the MS AD schema, to save someone wasting their time :)

JediKev commented 1 year ago

@GamerClassN7

I think I do see an issue with the regex. It seems it does have potential to strip the prepended ldaps from the hostname. I will add this to the list to look into.

Cheers.
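Two things come up repeatedly in this thread: the 500 is ldap_close() being handed a false link after the TLS/LDAPS connection never came up, and the hostname handling rewrites an ldaps:// address to ldap://. The stand-alone PHP probe below is an added example, not code from osTicket, the auth-ldap plugin or Net_LDAP2; it uses PHP's own ext/ldap directly rather than the PEAR library. The function names (buildLdapUri, probeLdap), the sample host, bind DN and password are assumptions, and it is an assumption that the bundled LDAP client library honours the per-handle TLS minimum-version and certificate options (they are guarded with defined() so the probe still runs where they are absent).

```php
<?php
// Added example: stand-alone LDAP/LDAPS probe with PHP's ext/ldap.
// Not osTicket, auth-ldap plugin or Net_LDAP2 code. Host, DN, password
// and helper names are assumptions.

declare(strict_types=1);

/**
 * Build the connection URI without discarding a scheme the admin typed.
 * An explicit ldap:// or ldaps:// prefix is kept verbatim; otherwise the
 * scheme comes from $useLdaps and the default port (389 / 636) is filled in.
 */
function buildLdapUri(string $host, bool $useLdaps, ?int $port = null): string
{
    $host = trim($host);
    if (preg_match('~^ldaps?://~i', $host)) {
        return $host; // keep what was entered instead of re-prefixing ldap://
    }
    $scheme = $useLdaps ? 'ldaps' : 'ldap';
    $port   = $port ?? ($useLdaps ? 636 : 389);
    return sprintf('%s://%s:%d', $scheme, $host, $port);
}

/**
 * Open, optionally StartTLS, and bind. Returns [bool $ok, string $detail].
 * ldap_connect() does not open a socket; a TCP or TLS failure only surfaces
 * at ldap_start_tls() or ldap_bind(), which is why a dead LDAPS endpoint can
 * look fine right up to bind time.
 */
function probeLdap(string $uri, string $bindDn, string $password, bool $startTls): array
{
    $link = @ldap_connect($uri);
    if ($link === false) {
        return [false, "ldap_connect rejected URI: $uri"];
    }
    ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($link, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($link, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // Defender-side hardening: require TLS 1.2+ and a verifiable server cert.
    // Assumption: the client library applies these per handle.
    if (defined('LDAP_OPT_X_TLS_PROTOCOL_MIN')) {
        ldap_set_option($link, LDAP_OPT_X_TLS_PROTOCOL_MIN, LDAP_OPT_X_TLS_PROTOCOL_TLS1_2);
    }
    if (defined('LDAP_OPT_X_TLS_REQUIRE_CERT')) {
        ldap_set_option($link, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    }

    $ok = true;
    if ($startTls && !@ldap_start_tls($link)) {
        $ok     = false;
        $detail = 'start_tls failed: ' . ldap_error($link);
    } elseif (!@ldap_bind($link, $bindDn, $password)) {
        $ok     = false;
        $detail = 'bind failed: ' . ldap_error($link);
        // The server-side diagnostic (e.g. AD's data/code hints) is more useful
        // than the generic "Can't contact LDAP server" text.
        if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')
            && ldap_get_option($link, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag) && $diag) {
            $detail .= " ($diag)";
        }
    } else {
        $detail = "bound as $bindDn via $uri";
    }

    // Close only a real handle. ldap_close(false) is a TypeError on PHP 8,
    // i.e. exactly the kind of uncaught error that becomes an HTTP 500.
    if ($link !== false) {
        ldap_close($link);
    }
    return [$ok, $detail];
}

// Constructed sample values; point them at your own lab directory.
$uri  = buildLdapUri('dc01.example.internal', true);               // ldaps://dc01.example.internal:636
$kept = buildLdapUri('ldaps://dc01.example.internal:636', false);  // scheme preserved, not rewritten
[$ok, $detail] = probeLdap(
    $uri,
    'CN=svc-osticket,OU=Service,DC=example,DC=internal',
    'bind-password-placeholder',
    false // set true to test StartTLS over plain ldap:// on 389 instead
);
fwrite($ok ? STDOUT : STDERR, "$detail\n");
exit($ok ? 0 : 1);
```

Run it with the same PHP binary IIS uses (the php-cgi.exe in the FastCGI handler, not a separately installed CLI), because "works from PowerShell but not from osTicket" usually means the web server's PHP is loading a different ldap extension, TLS library or CA store than the tools you tested with. A non-zero exit with "start_tls failed" or "bind failed: Can't contact LDAP server" from that binary reproduces the plugin's failure outside osTicket and gives you the diagnostic string to search for; a successful bind narrows the problem to how the plugin assembles the URI.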

JediKev commented 11 months ago

@GamerClassN7

I have a pull that fixes the REGEX and should allow ldap:// and ldaps:// to be type-hinted in the hostname string.

Cheers.

GamerClassN7 commented 11 months ago

Thanks, any ETA on it?

JediKev commented 11 months ago

@GamerClassN7

Like always, there is no set date, however we do plan on making a release relatively soon. So please stay tuned!

Cheers.

GamerClassN7 commented 10 months ago

Related: https://github.com/osTicket/osTicket-plugins/issues/276

GamerClassN7 commented 10 months ago

Any estimated ETA? @JediKev

JediKev commented 10 months ago

@GamerClassN7

Look at the pull, it has been merged and is included in the latest build of the plugin.

Cheers.