ldaps ssl and shared hosting environments
-
Hello,
I’m having a hard time configuring the Active Directory Integration plugin via SSL or TLS. Unsecured LDAP works fine. LDAPS either via SSL or TLS will not work.
According to documentation (which seems to stop abruptly after “have in mind, that”)
“Can I use LDAPS instead of TLS?
Yes, you can. Just put “ldaps://” in front of the server in the option labeled “Domain Controller” (e.g. “ldaps://dc.domain.tld”), enter 636 as port and deactivate the option “Use TLS”. But have in mind, that”I have done the following:
-
*configured my plugin this way, with ldaps://mydomaincontroller.fqdn.here,
*I’ve opened 636,
*I’ve configured the port on the connector to 636
*I’ve confirmed internal LDAPS is working by using the ldp command and connecting to 636 and confirming that it sees the user I’m logged in as.
*I’ve also applied a valid 3rd party SSL certificate and imported it into the certificates store on the DC.
*Viewing the cert on the DC shows it has a valid SSL certificate chain, and it enabled for “Server Authentication”.Upon using the test tool from my WP instance, I get the following, with identifiable text redacted:
openLDAP installed
[INFO] method authenticate() called
[INFO] ——————————————
PHP version: 5.3.2-1
WP version: 4.0.1
ADI version: 1.1.5dev
OS Info : Linux pod-3188 3.0.18 #2 SMP Sun Jan 29 15:38:02 UTC 2012 i686
Web Server : apache2handler
adLDAP ver.: 3.3.2 EXTENDED (201302271401)
——————————————
[INFO] LDAP paging: not available
[NOTICE] username: xxx
[NOTICE] password: **not shown**
[INFO] Options for adLDAP connection:
– account_suffix: @domain.name.here
– base_dn: xxx
– domain_controllers: xxx;
– ad_port: 636
– use_tls: 0
– network timeout: 30
[NOTICE] adLDAP object created.
[INFO] max_login_attempts: 500
[INFO] users failed logins: 0
[NOTICE] trying account suffix “@xxx”
[ERROR] Authentication failed
[WARN] storing failed login for user “xxx”This link from 2014 had the same problem: https://www.ads-software.com/support/topic/ldaps-failed?replies=6
The recommended fix was to add “ldap_set_option($this->_conn, LDAP_OPT_REFERRALS, 0);” to the ad_ldap\adLDAP.php file.
I checked there and it seems the author has already added that line of code
// Set some ldap options for talking to AD ldap_set_option($this->_conn, LDAP_OPT_PROTOCOL_VERSION, 3); ldap_set_option($this->_conn, LDAP_OPT_REFERRALS, 0);
Another reply in that thread mentions to:
“just edit /etc/openldap/ldap.conf and add
TLS_REQCERT never
to the bottom and restart apache.
Which I guess is the first FAQ so, uh, you probably already know that…”However in some shared hosting environments this is not possible.
So my question is, how can I get LDAPS to work in this situation? I’ve tried injecting putenv(‘LDAPTLS_REQCERT=never’); and putenv(“TLS_REQCERT=never”); into the adLDAP.php file, but that did not work either.
Am I up the creek with this on a hosted environment where we are not allowed to modify ldap.conf?
https://www.ads-software.com/plugins/active-directory-integration/
- The topic ‘ldaps ssl and shared hosting environments’ is closed to new replies.