The LDAP server settings are exactly the same as what we have in use on our production environment (which works), currently hosted by MoodleRooms. The development environment is internal to us and hence it is within the firewall and can ping/connect to our LDAP server.
What's strange is that I can connect to the LDAP server outside of the Moodle application from this very box/environment. By that I mean I used OpenLDAP's "ldapsearch" utility from the development box and supplied the exact same settings (as in -
ldapsearch -D "CN=ldap User,OU=***,OU=***,OU=***,DC=***,DC=***,DC=***" -b "DC=***,DC=***,DC=***" -h ***.***.*** -p 389 -W -). The command returns information. So it's not that the bind information is wrong, nor is the server information.
I have been debugging the process and it seems like "ldap_bind" function returns FALSE in <moodle_source>/lib/ldaplib.php script in the ldap_connect_moodle function.
$bindresult = ldap_bind($connresult, $bind_dn, $bind_pw);
Given that $bind_dn and $bind_pw are both accurate (on account of the test I conducted outside of Moodle via ldapsearch), it must be because of the value/state of $connresult (which I understand is a resource of type 'ldap link' returned by ldap_connect() earlier on). Based on the PHP documentation, ldap_connect()
Returns a positive LDAP link identifier when the provided hostname/port combination or LDAP URI seems plausible. It's a syntactic check of the provided parameters but the server(s) will not be contacted! If the syntactic check fails it returns FALSE. When OpenLDAP 2.x.x is used, ldap_connect() will always return a resource as it does not actually connect but just initializes the connecting parameters. The actual connect happens with the next calls to ldap_* funcs, usually with ldap_bind().
There is really not much to that host name - and since it connects outside of moodle application I am at a loss as to what is causing this failure. Is there something underlying?
Here's some information about my env ..
. LDAP - Microsoft Active Directory on a windows environment
. Development environment is a CentOS7 with PHP Version 7.1.19 (ldap and ldaps) enabled. Moodle version is 3.4.2 (Build 20180515)
. Moodle is served over https so we have SSL certificates configured on this box .. Additionally I have verified some of the things on this posting/page http://php.net/manual/en/function.ldap-connect.php mentioned in the second comment by user Andrew (a.whyte at cqu.edu.au).
Appreciate any help/pointers anyone can provide - I have been at this for quite a while and a fresh perspective would be great. Let me know if you need any more information.
I figured out what was causing this issue.
I used Wireshark to determine if a call to the LDAP server was even going out in the first place, and it turned out that it wasn't. It was if I was using OpenLDAP's ldapsearch utility, which indicated that Moodle's call to the LDAP server wasn't going through.
I then checked any outgoing firewall rules on this box (using firewall-cmd) and that indicated there were none that would block it.
The last thing left to check was SELinux, and sure enough it was running and it had a restriction that prevented the outgoing LDAP request. I proved it by temporarily disabling SELinux (setenforce Permissive). The LDAP request went through and authentication worked!
I am in the process of determining the exact SELinux rule to open up for such requests to go through.
Hopefully this helps others.
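As an added example (not part of the thread above, and not Moodle or OpenLDAP code): a small POSIX shell helper that reads an SELinux AVC denial of the kind this thread describes (httpd_t blocked from connecting to the LDAP port), extracts the fields that matter, and points at the targeted-policy boolean that grants just that access, so the web server can be left in Enforcing mode instead of running permissive. The audit line is constructed for this example; httpd_can_connect_ldap is a real boolean in the CentOS targeted policy, and the live_check function only runs when the SELinux tools are installed.

```shell
#!/bin/sh
# Added example: triage an SELinux AVC denial for an outbound LDAP connection
# from the web server and suggest the least-privilege fix.

# CONSTRUCTED audit record (illustrative values, not from a real system):
# httpd (PHP's ldap_bind) was denied name_connect to TCP port 389.
SAMPLE_AVC='type=AVC msg=audit(1528900000.123:4567): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0'

# parse_avc LINE
# Prints four fields: "<permission> <source type> <target type> <dest port>",
# e.g. "name_connect httpd_t ldap_port_t 389".
parse_avc() {
    line="$1"
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied  { \([a-z_]*\) }.*/\1/p')
    # the type is the third colon-separated field of an SELinux context
    sdom=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    dest=$(printf '%s\n' "$line" | sed -n 's/.*dest=\([0-9]*\).*/\1/p')
    printf '%s %s %s %s\n' "$perm" "$sdom" "$ttype" "$dest"
}

# suggest_fix LINE
# Maps the web-server-to-LDAP denial onto the boolean that opens exactly
# that path. Anything else is reported as unknown rather than guessed at.
suggest_fix() {
    set -- $(parse_avc "$1")   # $1=perm $2=source type $3=target type $4=port
    if [ "$1" = "name_connect" ] && [ "$2" = "httpd_t" ] && [ "$3" = "ldap_port_t" ]; then
        echo "setsebool -P httpd_can_connect_ldap on"
    else
        echo "unknown denial: $1 from $2 to $3 (port $4); inspect with ausearch/audit2allow"
    fi
}

# live_check
# On a real CentOS box: current mode, current boolean state, and the most
# recent httpd AVC denials. Skipped where the SELinux tools are absent.
live_check() {
    if command -v getsebool >/dev/null 2>&1; then
        getenforce || true
        getsebool httpd_can_connect_ldap || true
        ausearch -m AVC -c httpd -ts recent 2>/dev/null | tail -n 5
    else
        echo "SELinux tools not installed here; skipping live check"
    fi
}

echo "parsed:     $(parse_avc "$SAMPLE_AVC")"
echo "suggestion: $(suggest_fix "$SAMPLE_AVC")"
live_check
```

The point of mapping the denial to a boolean is that `setsebool -P httpd_can_connect_ldap on` allows only httpd_t to connect to ldap_port_t, whereas `setenforce Permissive` switches off enforcement for every domain on the box; the former is the change to keep, the latter is only a diagnostic.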