LDAPS auth against AD not working
We recently switched from OpenLDAP to a Samba Active Directory. Samba AD requires TLS encryption by default when doing a simple LDAP bind, but that doesn't work with piler when setting the server to ldaps://... as suggested in another issue.
These settings in config-site.php:
$config['ENABLE_LDAP_AUTH'] = 1;
$config['LDAP_HOST'] = 'ldaps://dc2.my.lan';
$config['LDAP_HELPER_DN'] = 'cn=ldapbind,cn=Users,dc=my,dc=lan';
$config['LDAP_HELPER_PASSWORD'] = 'secret';
$config['LDAP_MAIL_ATTR'] = 'mail';
$config['LDAP_BASE_DN'] = 'CN=Users,DC=my,DC=lan';
$config['LDAP_ACCOUNT_OBJECTCLASS'] = 'user';
lead to this error in mail.log:
cannot bind to 'ldaps://dc2.my.lan' as 'cn=ldapbind,cn=Users,dc=my,dc=lan'
Same when using ldaps://dc2.my.lan:636.
However, I found out that forcing Samba to allow an unencrypted simple bind using
ldap server require strong auth = no
in /etc/samba/smb.conf on the DC and setting
$config['LDAP_HOST'] = 'dc2.my.lan';
in config-site.php does work.
As using an unencrypted simple bind is highly discouraged, it would be nice if LDAPS were supported.
Comments (5)
repo owner I believe that it's a php/ldap configuration issue. Assuming that it works properly without encryption, please check if /etc/ldap/ldap.conf has
TLS_REQCERT never
reporter You're right. This was it, thank you very much.
reporter - changed status to resolved
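The bind failure above is the OpenLDAP client refusing the DC's certificate, which is why TLS_REQCERT never makes it go away; that setting also disables server certificate verification, so the helper DN's password is sent over a TLS session whose peer is never checked. The following is an added diagnostic (not part of this issue or of piler's own code) that performs the same LDAPS simple bind from PHP with verification kept on, pointing libldap at the Samba DC's CA certificate instead. The host and helper DN are taken from the issue; the password, the CA file path and the function name are assumptions.

```php
<?php
// Added example: test an LDAPS simple bind against a Samba AD DC from PHP
// with server certificate verification kept ON. Password and CA path are
// constructed placeholders; host and DN come from the issue text.
declare(strict_types=1);

const LDAP_URI        = 'ldaps://dc2.my.lan:636';
const HELPER_DN       = 'cn=ldapbind,cn=Users,dc=my,dc=lan';
const HELPER_PASSWORD = 'secret';                          // placeholder
const CA_CERT_FILE    = '/etc/ssl/certs/samba-ad-ca.pem';  // assumed path: copy of the DC's CA cert

/**
 * Attempt a verified LDAPS bind and return ['ok' => bool, 'error' => ?string].
 * Hypothetical helper name; not a piler function.
 */
function ldapsBindCheck(string $uri, string $dn, string $pw, string $caFile): array
{
    if (!is_readable($caFile)) {
        return ['ok' => false, 'error' => "CA file not readable: $caFile"];
    }
    // Global TLS options go on the null link and must be set before ldap_connect()
    // (PHP >= 7.1). DEMAND means: verify the server certificate and abort the
    // handshake if it does not chain to the CA, the opposite of TLS_REQCERT never.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ds = ldap_connect($uri);
    if ($ds === false) {
        return ['ok' => false, 'error' => 'ldap_connect() rejected the URI'];
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);        // AD returns referrals; do not chase them
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);

    if (@ldap_bind($ds, $dn, $pw)) {
        ldap_unbind($ds);
        return ['ok' => true, 'error' => null];
    }

    // Read libldap's diagnostic so a TLS/certificate failure can be told apart
    // from plain bad credentials (error 49, invalid credentials).
    $diag = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    $msg = sprintf('%s (errno %d)%s', ldap_error($ds), ldap_errno($ds),
                   $diag !== '' ? ": $diag" : '');
    ldap_unbind($ds);
    return ['ok' => false, 'error' => $msg];
}

$r = ldapsBindCheck(LDAP_URI, HELPER_DN, HELPER_PASSWORD, CA_CERT_FILE);
echo $r['ok']
    ? "bind OK over LDAPS with certificate verification\n"
    : "bind FAILED: {$r['error']}\n";
```

Run it from the piler host with the same PHP that serves the web UI, since that is the libldap and ldap.conf that piler's bind goes through. If the bind succeeds here but still fails in piler, the equivalent system-wide fix is TLS_CACERT pointing at the same CA file in /etc/ldap/ldap.conf, which keeps verification enabled rather than switching it off with TLS_REQCERT never. A Samba AD DC provisioned with its own self-signed CA keeps that certificate as tls/ca.pem under its private directory; exporting it to the piler host is what the assumed CA_CERT_FILE path stands in for.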