• Resolved pullmanj

    (@pullmanj)


    Good day,

    I am working on a migration from a standalone (VPS) Linux environment to a hosted WP Engine one. We use Authorizer to log our users in, with a backing LDAP service via OpenLDAP/slapd.

    Both the standalone Linux and the WP Engine are not local to the LDAP server, so TLS is in place on the LDAP. The certificate is valid and signed by a well known public authority.

    On the standalone Linux environment it is configured via an ldaps:// URL, and everything works.

    On the WP Engine environment it does not. It fails at the connect stage, and I am reasonably confident it is a TLS issue specific to the WP Engine environment. I have gone back and forth for weeks with them with no forward motion, and now they are asking me to open this ticket.

    I have added extra diagnostic logging, per other tickets on this forum, but the only error at the PHP level is:

    “Can’t contact LDAP server”

    Unfortunately this does not reveal the ‘why’ – what the actual underlying error is.

    TCP / firewall is not the issue. I can see logs on the slapd side for the connection. The slapd logs show the connection immediately terminates, before the ‘bind’ step.

    On the standalone environment I see the connection and then the ‘bind’ and then the lookup.

    I believe the plugin itself to be working because I have tested with TLS disabled in the WP Engine environment.

    I believe the slapd server to be working because I have tested with TLS enabled from multiple non-WP Engine environments, as well as using other tools like openssl s_client and Apache Directory Studio.

    Do you have any suggestions that could provide more diagnostic logging at the connection level?

    Thank you

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Paul Ryan

    (@figureone)

    Thanks for the detailed investigation. Normally I would assume a firewall (or selinux) blocking ports, but since you saw the connection attempt in slapd, I’m not sure.

    https://stackoverflow.com/questions/5309372/php-warning-ldap-bind-unable-to-bind-to-server-cant-contact-ldap-server

    I’m not sure what type of shell access WP Engine provides, but if you can try to do a verbose ldapsearch from the WP Engine server directly via ssh, that may give us more to go on. Example:

    ldapsearch -v -H 'ldaps://ldap.example.com' -x -D 'cn=your-bind-user,dc=example,dc=com' -y /your/bind/user/password.txt -b 'ou=people,dc=example,dc=com' '(uid=validuserid)' cn

    In Debian/Ubuntu, ldapsearch is provided by the ldap-utils apt package. Not sure on other distros.

    You can also check if there’s more details provided in Authorizer Settings > External Service > LDAP test connection (it attempts the LDAP auth as that user and gives notes on each step). But based on your notes you may have done this already.

    If still no progress we can try to get WP Engine to set up a test server for me, or give me access to yours and I can help test. But let’s start with the above and see what we can find!
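
One way to get the connection-level detail the original question asks for, as an added illustration and not code from Authorizer or from Paul's reply: the same PHP LDAP calls the plugin makes, with the OpenLDAP client library's trace output enabled and its diagnostic message read back after the failed bind, which is where a TLS handshake or certificate reason usually appears instead of the bare "Can't contact LDAP server". Host, bind DN, password and the `ldap_tls_probe` name are placeholders.

```php
<?php
// Added diagnostic snippet (hypothetical, not part of the Authorizer plugin).
// Drop it into a mu-plugin or a test page on the affected host, then read the
// PHP-FPM / web-server error log, which is where libldap's trace output goes.
declare(strict_types=1);

const LDAP_URI     = 'ldaps://ldap.example.com:636';          // placeholder
const LDAP_BIND_DN = 'cn=your-bind-user,dc=example,dc=com';   // placeholder
const LDAP_BIND_PW = 'replace-me';                             // placeholder

function ldap_tls_probe(string $uri, string $dn, string $pw): array
{
    $report = ['uri' => $uri];

    // Global libldap tracing (-1 = all categories). Written to the process's
    // stderr, not to the HTTP response, so check the server's error log.
    ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, -1);
    // Optional CA bundle override; otherwise the library follows TLS_CACERT /
    // TLS_REQCERT from the system ldap.conf (e.g. /etc/ldap/ldap.conf on Debian).
    // putenv('LDAPTLS_CACERT=/path/to/ca-bundle.pem');

    $ds = ldap_connect($uri);   // only parses the URI; no socket is opened yet
    if ($ds === false) {
        return $report + ['stage' => 'connect', 'error' => 'URI rejected by ldap_connect()'];
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 10);

    // TCP connect and the TLS handshake happen here, on the first operation.
    $bound = @ldap_bind($ds, $dn, $pw);
    $report['stage'] = $bound ? 'bound' : 'bind';
    $report['errno'] = ldap_errno($ds);
    $report['error'] = ldap_error($ds);   // e.g. "Can't contact LDAP server"

    // Library/server-supplied detail; on a TLS failure libldap places the
    // handshake or certificate-verification reason here.
    $diag = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    $report['diagnostic'] = $diag;

    return $report;
}

error_log('LDAP TLS probe: ' . json_encode(ldap_tls_probe(LDAP_URI, LDAP_BIND_DN, LDAP_BIND_PW)));
```

A `diagnostic` value naming a certificate or handshake error points at the client-side trust store or TLS configuration on that host rather than at the plugin or slapd.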

    Thread Starter pullmanj

    (@pullmanj)

    Hello Paul and thank you so much for the prompt reply.

    WP Engine does not provide direct shell access to the “true” environment where the instance runs.

    They do provide a containerized shell with a PHP CLI environment, and some kind of storage access to the individual WordPress instance to the file system of that shell environment.

    The good news there is that this means I can tweak the plugin code easily through a shell environment. That’s how I was able to do the extra logging, by adding extra bits to the running plugin. The extra logging and the “Test” both provide the same error message:

    “Can’t contact LDAP server”

    Unfortunately, this CLI environment is missing the LDAP PHP library, so I can’t actually run bespoke LDAP PHP troubleshooting code from the CLI. This also unfortunately confirms that the actual executing environment of the “live” application is not the same environment as this shell backend.

    I have been able to confirm TCP connectivity from the WP Engine shell, and I have been able to confirm TLS negotiation on that same shell via openssl s_client.

    Given that the shell environment is able to TLS to the slapd server, that should mean the Linux environment itself is happy with the TLS.

    I will provide this dialog to WP Engine and see if they will take you up on the testing instance.

    Thank you!

    Plugin Author pkarjala

    (@pkarjala)

    Hi, following up if you received any response from WP Engine? Please let us know!

    Plugin Author pkarjala

    (@pkarjala)

    Hi, we have not received any follow up on this issue, so we are marking it resolved. If you still need assistance, please either respond to this thread, or create a new support thread and reference this one.

  • The topic ‘WP Engine + ldaps Failures’ is closed to new replies.