Issue with setting up LDAPS


by Luka Vrbancic -
Number of replies: 13

Hi, 

I am met with an issue where Moodle authentication doesn't work via STARTTLS. The same connection works via LDAP, but I have to set up secure connection.

In /etc/openldap/ldap.conf I have put the required info about TLS_CACERT, and the value of TLS_REQCERT is set to always. (I also tried never, but that didn't help).

TLS_REQCERT always
TLS_CACERT path/ldap.crt

I have set the following settings:
HOST URL: ldap://szgdc3.biz.dom
Version: 3
Use TLS: Yes

I am connecting to MS ActiveDirectory server which by what I read on forums should work on port 389. However when I try to test the connection I get the following response: 

Warning: ldap_start_tls(): Unable to start TLS: Connect error in /var/www/html/moodle/lib/ldaplib.php on line 211
LDAP-module cannot connect to any servers: Server: 'ldap://szgdc3.biz.dom', Connection: 'Resource id #621', STARTTLS failed.

I tried testing it with ldapsearch and connection is successful.

ldapsearch  -x -ZZ -h "servername" -p 389 -D user -w 'password' -b 'BASE' -s sub "(objectclass=*)"


It could be the issue where the certificate doesn't have a subject name, which violates RFC5280 - https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6


- Certificate[0] info: - no subject,issuer

Can someone assist me with the following as I can't find what would be the issue that prevents me from making the connection. I have anonymized all of the information as much as I could.

In reply to Luka Vrbancic

Re: Issue with setting up LDAPS

by Leon Stringer -

Is TLS_REQCERT always a valid setting? On my system the manpage says TLS_REQCERT can be never, allow, try, or demand (or hard). I always set this to allow because the certificate that AD uses won't be signed by public CA.

LDAP with StartTLS is not the same as LDAPS. They both add security but as I understand it LDAPS is deprecated in favour of StartTLS. One key difference is that LDAPS uses port 636, whereas StartTLS uses the standard LDAP port.

Moodle uses PHP's LDAP extension, and this uses the server's OpenLDAP installation. So using ldapsearch is a good test of whether OpenLDAP is able to connect. The next thing I normally do is write a small PHP script to see if that can connect to the LDAP server. ldap_test.php is such a script, you can use the settings from Moodle by adding these to the define()s in lines 44 to 49, for example:

define('HOST_URL', 'szgdc3.biz.dom'); 
define('BIND_DN', 'user@szgdc3.biz.dom');
define('BIND_PW', 'password');
define('CONTEXTS', 'cn=Users,dc=szgdc3,dc=biz,dc=dom');
define('FILTERS', '(objectClass=user)');
define('ATTRIBUTES', 'sAMAccountName, givenName, sn, mail');

You may just get the same error but maybe it may help determine why Moodle is failing to connect. If the PHP script won't connect then Moodle won't be able to either.

In reply to Leon Stringer

Re: Issue with setting up LDAPS

by Luka Vrbancic -
Hi,

Thanks for prompt response.

I created ldap_test.php with following information:

define('HOST_URL', 'szgdc3.biz.dom');
define('BIND_DN', 'user'); - one that works on LDAP connection
define('BIND_PW', 'password'); - one that works on LDAP connection
define('CONTEXTS', 'Context'); - one that works on LDAP connection
// define('FILTERS', '(objectClass=person)'); - this is set empty
define('ATTRIBUTES', 'sAMAccountName');

Your ldap_test.php script gives me the following response: Error calling ldap_start_tls()
In reply to Luka Vrbancic

Re: Issue with setting up LDAPS

by Leon Stringer -

Try passing -d error_reporting=E_ALL to PHP when running the script:

$ php -d error_reporting=E_ALL ldap_test.php

Does that provide any additional details?

In reply to Leon Stringer

Re: Issue with setting up LDAPS

by Luka Vrbancic -
Hi,

I got an error which actually said that I should use 'FILTERS'.

So I uncommented define('FILTERS', '(objectClass=user)'); and when I run the following command, I got the output.

php -d error_reporting=E_ALL ldap_test.php
PHP Warning: ldap_search(): Partial search results returned: Sizelimit exceeded in ldap_test.php on line 86
samaccountname: user1
samaccountname: user2
etc.

Other than that, it listed out 2000 users.

When accessing through browser on moodle/admin/ldap_test.php it still gives out the same message: 'Error calling ldap_start_tls()'
In reply to Luka Vrbancic

Re: Issue with setting up LDAPS

by Leon Stringer -

If ldap_test.php can connect using StartTLS but Moodle cannot that suggests that there's either 1) something the web server user account cannot access, or 2) something the web server process cannot access.

For 1) this can be easily tested by running ldap_test.php as the web server user. You need to know the user account the web server software runs Moodle's PHP as. On Linux this is typically either apache, www-data or php-fpm. Once you've determined the correct user, run the script, for example if it's www-data then run the following as root:

sudo -u www-data php -d error_reporting=E_ALL ldap_test.php

And see if it works. If you're having trouble identifying the correct user, the ownership of files in moodledata/filedir may reveal this.

For 2) this is normally something like SELinux or a chroot jail restricting access. I think both of these are unlikely if Moodle can connect to the LDAP server without StartTLS.

In reply to Leon Stringer

Re: Issue with setting up LDAPS

by Luka Vrbancic -
Hi,

I am a bit confused. All of the files in moodledata/filedir have privileges of apache user.

Also when I run ps aux I see apache running Moodle's PHP:
apache 900 0.0 2.0 477080 77228 ? S Sep01 0:03 php-fpm: pool

However, when I run the following command I get the following answer:
[root@moodle html]# sudo -u apache php -d error_reporting=E_ALL ldap_test.php
PHP Warning: ldap_start_tls(): Unable to start TLS: Connect error in ldap_test.php on line 75
Error calling ldap_start_tls()

However, when I run it as root it works.
In reply to Luka Vrbancic

Re: Issue with setting up LDAPS

by Leon Stringer -

Have you still got TLS_CACERT path/ldap.crt in ldap.conf? Can user apache read file path/ldap.crt (for example sudo -u apache cat path/ldap.crt)? Because if apache cannot connect but root can, then it could be a file permission issue. I have used strace (for example sudo -u apache strace php ldap_test.php) to find which file-open call was being blocked by filesystem permissions. strace produces a lot of output, but unless you can work out what apache cannot access (but that root can) then you might need to use this.

In reply to Leon Stringer

Re: Issue with setting up LDAPS

by Iñaki Arenaza -

Also, in addition to what Leon said about file permissions, if this is a Linux distribution that enables SELinux and configures it in enforcing mode (RHEL, CentOS, Fedora, and some others), make sure the SELinux policies allow the apache user to connect to LDAPS. If the Linux distribution is using AppArmor instead of SELinux, you need to check its policies instead.

Saludos.

Iñaki.
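The checks the last two replies describe (is the TLS_CACERT from ldap.conf readable by the web server user and not only by root, does StartTLS work as that user, is SELinux or AppArmor active) can be scripted so they are run in one go from a root shell on the Moodle host. The script below is an added example written for this thread; it is not Leon's, Iñaki's or Moodle's code. It assumes sudo is available and the script runs as root, that ldap.conf lives at /etc/openldap/ldap.conf, that the web server user is apache (www-data or php-fpm on other distributions), that ldapsearch, getenforce and aa-enabled are the tools available for their respective checks, and that the LDAP URI is passed in as the third argument (the hostname from the thread is used only in the usage comment).

```sh
#!/bin/sh
# Added diagnostic helper (not from the thread). From a root shell it checks:
#   1. whether ldap.conf names a TLS_CACERT and whether TLS_REQCERT is a
#      value ldap.conf(5) documents ("always" is not one of them);
#   2. whether the web server user, not just root, can read that certificate;
#   3. whether StartTLS succeeds for that user via ldapsearch -ZZ;
#   4. whether SELinux is enforcing or AppArmor is enabled.
# Assumptions: sudo present, run as root, web server user defaults to "apache".

# Print the TLS_CACERT value from an ldap.conf (first non-comment match).
tls_cacert_path() {
    awk '$1 == "TLS_CACERT" { print $2; exit }' "$1"
}

# Print the TLS_REQCERT value, lower-cased, or nothing if it is unset.
tls_reqcert_value() {
    awk '$1 == "TLS_REQCERT" { print tolower($2); exit }' "$1"
}

# The values ldap.conf(5) lists for TLS_REQCERT (hard is an alias of demand).
reqcert_is_valid() {
    case "$1" in
        never|allow|try|demand|hard) return 0 ;;
        *) return 1 ;;
    esac
}

# True if the given user can read the file. This also requires search (x)
# permission on every parent directory, which is the usual thing that breaks.
cert_readable_by() {
    sudo -u "$1" test -r "$2"
}

# StartTLS probe as the given user. -ZZ makes ldapsearch fail unless the TLS
# handshake succeeds; a base-scope read of the root DSE usually needs no bind.
starttls_probe_as() {
    sudo -u "$1" ldapsearch -x -ZZ -H "$2" -s base -b '' '(objectclass=*)' >/dev/null 2>&1
}

# Report which mandatory access control system is active, if any.
mac_status() {
    if command -v getenforce >/dev/null 2>&1; then
        echo "SELinux: $(getenforce)"
    elif command -v aa-enabled >/dev/null 2>&1; then
        if aa-enabled >/dev/null 2>&1; then
            echo "AppArmor: enabled"
        else
            echo "AppArmor: not enabled"
        fi
    else
        echo "No SELinux/AppArmor tooling found"
    fi
}

main() {
    conf="${1:-/etc/openldap/ldap.conf}"
    user="${2:-apache}"
    uri="${3:-}"

    cert=$(tls_cacert_path "$conf")
    req=$(tls_reqcert_value "$conf")

    if reqcert_is_valid "$req"; then
        echo "TLS_REQCERT=$req (documented value)"
    else
        echo "TLS_REQCERT='$req' is not a documented value (never/allow/try/demand/hard)"
    fi

    if [ -z "$cert" ]; then
        echo "No TLS_CACERT in $conf"
        return 1
    fi
    if cert_readable_by "$user" "$cert"; then
        echo "$cert is readable by $user"
    else
        echo "$cert is NOT readable by $user; check the file and its parent directory:"
        ls -ld "$cert" "$(dirname "$cert")"
    fi

    if [ -n "$uri" ]; then
        if starttls_probe_as "$user" "$uri"; then
            echo "StartTLS to $uri works as $user"
        else
            echo "StartTLS to $uri FAILED as $user (compare with the same command as root)"
        fi
    fi
    mac_status
}

# Run the checks only when invoked with arguments, e.g.
#   sh check_ldap_tls.sh /etc/openldap/ldap.conf apache ldap://szgdc3.biz.dom
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

If the certificate check fails as apache but passes as root, fix the ownership or mode of the file and its directories (or move the certificate, as was done in this thread) and then restart Apache and PHP-FPM so the running workers pick up the change.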

In reply to Leon Stringer

Re: Issue with setting up LDAPS

by Luka Vrbancic -
Hi,

I moved the certificate to a folder that can be read by apache and now sudo -u apache php -d error_reporting=E_ALL ldap_test.php is giving me successful connection.

However, when I try to connect via the GUI (after setting the value of Use TLS to "Yes"), the response that I get is the following:
Warning: ldap_start_tls(): Unable to start TLS: Connect error in path/moodle/lib/ldaplib.php on line 211
LDAP-module cannot connect to any servers: Server: 'ldap://szgdc3.biz.dom:389', Connection: 'Resource id #621', STARTTLS failed.

Should I try and produce the output with strace? I did but I don't know which part out of it would be useful to help with troubleshooting.
In reply to Luka Vrbancic

Re: Issue with setting up LDAPS

by Leon Stringer -

Try restarting the Apache and PHP-FPM services in case there's some change they haven't picked up.

As Iñaki asks: is SELinux enforcing or AppArmor enabled on this server? Because it's starting to sound like that kind of issue.

In reply to Leon Stringer

Re: Issue with setting up LDAPS

by Luka Vrbancic -
Hi,

I restarted the apache and php-fpm services.

Afterwards I successfully connected to LDAP on port 389 with TLS enabled.

So ultimately it was due to certificate permissions and had to restart services.

Thank you for your help.
In reply to Luka Vrbancic

Re: Issue with setting up LDAPS

by Emma Richardson -
Did you update the address to ldaps? Above reads ldap not ldaps...
In reply to Emma Richardson

Re: Issue with setting up LDAPS

by Luka Vrbancic -
Hi,

Yes, I named the thread incorrectly. I was setting up LDAP via TLS. The issue was due to certificate permissions.