LDAPS auth against AD not working

Issue #930 resolved
Henry Jensen created an issue

We recently switched from OpenLDAP to a Samba Active Directory. Samba AD requires TLS encryption per default when doing simple LDAP bind, but that doesn't work with piler, when setting the server to ldaps://... as suggested in another issue.

These settings in config-site.php:

$config['ENABLE_LDAP_AUTH'] = 1;
$config['LDAP_HOST'] = 'ldaps://dc2.my.lan';
$config['LDAP_HELPER_DN'] = 'cn=ldapbind,cn=Users,dc=my,dc=lan';
$config['LDAP_HELPER_PASSWORD'] = 'secret';
$config['LDAP_MAIL_ATTR'] = 'mail';
$config['LDAP_BASE_DN'] = 'CN=Users,DC=my,DC=lan';
$config['LDAP_ACCOUNT_OBJECTCLASS'] = 'user';

are leading to this error in mail.log

cannot bind to 'ldaps://dc2.my.lan' as 'cn=ldapbind,cn=Users,dc=my,dc=lan'

Same when using ldaps://dc2.my.lan:636

However, I found out that forcing samba to allow unencrypted simple bind using

 ldap server require strong auth = no

in /etc/samba/smb.conf on the DC and setting

$config['LDAP_HOST'] = 'dc2.my.lan';

in config-site.php DO work.

As using unencrypted simple bind is highly discouraged it would be nice, if LDAPS would be supported.

Comments (5)

  1. Janos SUTO repo owner

    I believe that it's a php/ldap configuration issue. Assuming that it works properly without encryption, please check if /etc/ldap/ldap.conf has

    TLS_REQCERT never
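An added example, not piler's code and not part of the comment above: a standalone PHP check that binds to the DC over LDAPS with certificate verification kept on (the CA file path and the sample address are assumptions), then runs the mail-attribute lookup piler's settings imply, so a failing bind reports the TLS or server diagnostic instead of only "cannot bind".

```php
<?php
// Added diagnostic, not part of piler. Values mirror the issue's config-site.php;
// the CA file path is an assumption: export the Samba AD CA certificate (PEM) to it.
$host    = 'ldaps://dc2.my.lan:636';
$bindDn  = 'cn=ldapbind,cn=Users,dc=my,dc=lan';
$bindPw  = 'secret';
$baseDn  = 'CN=Users,DC=my,DC=lan';
$caFile  = '/etc/ssl/certs/samba-ad-ca.pem'; // assumed path
$lookup  = 'user@my.lan';                    // constructed sample address

// TLS options are global in PHP's ldap extension: set them before ldap_connect().
// DEMAND verifies the server certificate against $caFile (the opposite of TLS_REQCERT never).
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

$ldap = ldap_connect($host);
if ($ldap === false) {
    fwrite(STDERR, "ldap_connect() rejected the URI $host\n");
    exit(1);
}
// AD needs LDAPv3; referral chasing off avoids follow-up binds to other DCs.
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

// The TLS handshake happens on bind, so a bad chain surfaces here, not at connect.
if (!@ldap_bind($ldap, $bindDn, $bindPw)) {
    $diag = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    fwrite(STDERR, sprintf("bind failed: [%d] %s %s\n",
        ldap_errno($ldap), ldap_error($ldap), $diag));
    exit(1);
}
echo "bind OK over LDAPS with certificate verification\n";

// Same lookup that LDAP_MAIL_ATTR=mail and LDAP_ACCOUNT_OBJECTCLASS=user imply.
$filter = sprintf('(&(objectClass=user)(mail=%s))',
    ldap_escape($lookup, '', LDAP_ESCAPE_FILTER));
$res = ldap_search($ldap, $baseDn, $filter, ['dn', 'mail', 'sAMAccountName']);
$entries = $res ? ldap_get_entries($ldap, $res) : ['count' => 0];
printf("%d account(s) matched %s\n", $entries['count'], $lookup);
for ($i = 0; $i < $entries['count']; $i++) {
    printf("  %s\n", $entries[$i]['dn']);
}
ldap_unbind($ldap);
```

Run it on the piler host; if the bind fails with a certificate or hostname error, the diagnostic names the chain problem, and pointing $caFile at the DC's issuing CA fixes it while keeping verification, whereas TLS_REQCERT never makes the bind pass by skipping that check.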
    