AD LDAPS


DanielMalmgren
Posts: 167
Joined: Fri Oct 28, 2011 6:24 pm
Location: Kisa, Sweden

AD LDAPS

Postby DanielMalmgren » Tue Dec 03, 2013 8:39 am

Hi.
I'm trying to get our GroupOffice to talk ldaps with our active directory without any success, hope anyone here can tell me what I'm doing wrong. I've been reading at https://www.group-office.com/wiki/IMAP_ ... entication and I've changed config.ini accordingly (with ldap_port 636 and ldap_tls true). I've also created a ldapauth.config.php and put 'username' => 'samaccountname' in it. I know that I can reach the active directory on ldaps on port 636 from the web host. Still when I try to log in I get the following in my error log. Any clues what could be wrong?

[20131203 08:20:18] PHP Warning: ldap_start_tls(): Unable to start TLS: Can't contact LDAP server in /san/www5_0_25/go/base/ldap/Connection.php on line 62
User: notloggedin Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 IP: x.x.x.x
Query: r=auth/login&security_token=GOP7I2eXW6uCmqF1svRK
Backtrace:
global::ldap_start_tls in file /san/www5_0_25/go/base/ldap/Connection.php on line 62
GO_Base_Ldap_Connection::connect in file /san/www5_0_25/go/base/ldap/Connection.php on line 88
GO_Base_Ldap_Connection::bind in file /san/www5_0_25/go/base/ldap/Connection.php on line 37
GO_Base_Ldap_Connection::getDefault in file /san/www5_0_25/modules/ldapauth/Authenticator.php on line 80
GO_Ldapauth_Authenticator::authenticate in file /san/www5_0_25/modules/ldapauth/LdapauthModule.php on line 14
GO_Ldapauth_LdapauthModule::beforeLogin in file unknown on line unknown
global::call_user_func_array in file /san/www5_0_25/go/base/Observable.php on line 155
GO_Base_Observable::fireEvent in file /san/www5_0_25/go/base/Session.php on line 229
GO_Base_Session::login in file /san/www5_0_25/controller/AuthController.php on line 143
GO_Core_Controller_Auth::actionLogin in file /san/www5_0_25/go/base/controller/AbstractController.php on line 509
GO_Base_Controller_AbstractController::callActionMethod in file /san/www5_0_25/go/base/controller/AbstractController.php on line 418
GO_Base_Controller_AbstractController::run in file /san/www5_0_25/go/base/Router.php on line 153
GO_Base_Router::runController in file /san/www5_0_25/index.php on line 73
One suspicion that I have is that this could have to do with our internal PKI, that our root certificate needs to be imported somewhere. I don't really know where to do that, though?

/Daniel

edit: I've now fiddled around with the ldapsearch command. At first I got "TLS: peer cert untrusted or revoked (0x42)" but I got it to work by putting "TLS_REQCERT NEVER" into my ldap.conf, which kinda reinforces my suspicion that this has to do with GO not trusting our PKI. So now I only need to know how to fix that...

edit2: Got it kinda working. Changed ldap_tls to false and instead added ldaps:// to ldap_host. Seems I have to read up on the difference between ldaps and ldap with starttls. Anyway, now GO actually talks to my active directory and finds the correct user. Problem now is that it says "User xxx is disabled" no matter which account I use. Struggling on...
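The two findings in the edits above, in PHP terms, as an added example that is not GroupOffice's own code: LDAPS (ldaps://, port 636) and LDAP with StartTLS (port 389) are alternatives, not a combination, and the certificate error is cured by trusting the internal root CA rather than with TLS_REQCERT NEVER. The host name, CA file path, domain and base DN are assumed placeholders.

```php
<?php
// Added example, not GroupOffice's code: the two ways PHP's ldap extension can
// protect a link to Active Directory. Assumed placeholders: $host, $caFile, $baseDn.
/**
 * 'ldaps'    -> TLS from the first byte on port 636, URI "ldaps://host"
 * 'starttls' -> plaintext LDAP on port 389, upgraded with ldap_start_tls()
 * Sending StartTLS to a port that already speaks TLS (636) is what produced
 * "Unable to start TLS: Can't contact LDAP server" in the thread.
 */
function ad_connect(string $host, string $mode, string $caFile)
{
    // Trust the internal root CA instead of switching verification off
    // (TLS_REQCERT never). Global TLS options go before ldap_connect(); the same
    // can be done system-wide with TLS_CACERT in ldap.conf (assumes PHP >= 7.1 for a null link).
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    $uri = $mode === 'ldaps' ? "ldaps://$host:636" : "ldap://$host:389";
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("malformed LDAP URI: $uri");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); // AD emits referrals; do not chase them
    if ($mode === 'starttls' && !ldap_start_tls($ds)) {
        throw new RuntimeException('StartTLS failed: ' . ldap_error($ds));
    }
    return $ds;
}

// Bind with the user's own credentials (DOMAIN\sAMAccountName), then fetch the entry.
function ad_authenticate($ds, string $domain, string $sam, string $password, string $baseDn): ?array
{
    // AD treats an empty password as an anonymous bind that "succeeds": refuse it first.
    if ($password === '') {
        return null;
    }
    if (!@ldap_bind($ds, "$domain\\$sam", $password)) {
        return null;
    }
    $filter = '(sAMAccountName=' . ldap_escape($sam, '', LDAP_ESCAPE_FILTER) . ')';
    $res = ldap_search($ds, $baseDn, $filter, ['sAMAccountName', 'mail', 'userAccountControl']);
    $entries = ldap_get_entries($ds, $res);
    return $entries['count'] === 1 ? $entries[0] : null;
}
```

With a browser-facing login, the returned entry's userAccountControl is what tells you whether AD itself has the account disabled, as opposed to the application flagging it.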
DanielMalmgren
Posts: 167
Joined: Fri Oct 28, 2011 6:24 pm
Location: Kisa, Sweden

Re: AD LDAPS

Postby DanielMalmgren » Wed Dec 04, 2013 11:12 am

DanielMalmgren wrote: Hi.
I'm trying to get our GroupOffice to talk ldaps with our active directory without any success, hope anyone here can tell me what I'm doing wrong. I've been reading at https://www.group-office.com/wiki/IMAP_ ... entication and I've changed config.ini accordingly (with ldap_port 636 and ldap_tls true). I've also created a ldapauth.config.php and put 'username' => 'samaccountname' in it. I know that I can reach the active directory on ldaps on port 636 from the web host. Still when I try to log in I get the following in my error log. Any clues what could be wrong?

[20131203 08:20:18] PHP Warning: ldap_start_tls(): Unable to start TLS: Can't contact LDAP server in /san/www5_0_25/go/base/ldap/Connection.php on line 62
User: notloggedin Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 IP: x.x.x.x
Query: r=auth/login&security_token=GOP7I2eXW6uCmqF1svRK
Backtrace:
global::ldap_start_tls in file /san/www5_0_25/go/base/ldap/Connection.php on line 62
GO_Base_Ldap_Connection::connect in file /san/www5_0_25/go/base/ldap/Connection.php on line 88
GO_Base_Ldap_Connection::bind in file /san/www5_0_25/go/base/ldap/Connection.php on line 37
GO_Base_Ldap_Connection::getDefault in file /san/www5_0_25/modules/ldapauth/Authenticator.php on line 80
GO_Ldapauth_Authenticator::authenticate in file /san/www5_0_25/modules/ldapauth/LdapauthModule.php on line 14
GO_Ldapauth_LdapauthModule::beforeLogin in file unknown on line unknown
global::call_user_func_array in file /san/www5_0_25/go/base/Observable.php on line 155
GO_Base_Observable::fireEvent in file /san/www5_0_25/go/base/Session.php on line 229
GO_Base_Session::login in file /san/www5_0_25/controller/AuthController.php on line 143
GO_Core_Controller_Auth::actionLogin in file /san/www5_0_25/go/base/controller/AbstractController.php on line 509
GO_Base_Controller_AbstractController::callActionMethod in file /san/www5_0_25/go/base/controller/AbstractController.php on line 418
GO_Base_Controller_AbstractController::run in file /san/www5_0_25/go/base/Router.php on line 153
GO_Base_Router::runController in file /san/www5_0_25/index.php on line 73
One suspicion that I have is that this could have to do with our internal PKI, that our root certificate needs to be imported somewhere. I don't really know where to do that, though?

/Daniel

edit: I've now fiddled around with the ldapsearch command. At first I got "TLS: peer cert untrusted or revoked (0x42)" but I got it to work by putting "TLS_REQCERT NEVER" into my ldap.conf, which kinda reinforces my suspicion that this has to do with GO not trusting our PKI. So now I only need to know how to fix that...

edit2: Got it kinda working. Changed ldap_tls to false and instead added ldaps:// to ldap_host. Seems I have to read up on the difference between ldaps and ldap with starttls. Anyway, now GO actually talks to my active directory and finds the correct user. Problem now is that it says "User xxx is disabled" no matter which account I use. Struggling on...
edit3: Ok. What it does is that it simply deactivates the GO user. The user is active, then the user tries to log in and GO deactivates it. Why would it do that?

edit4: It works! I can log in! Last problem was caused by me just copying and pasting from the wiki, apparently there is no custom function named custom_ldap_mapping_function_enabled :D
mschering
Site Admin
Posts: 8354
Joined: Tue Apr 20, 2004 1:06 pm
Location: The Netherlands - Den Bosch

Re: AD LDAPS

Postby mschering » Wed Dec 04, 2013 4:15 pm

Am I right that you solved all your own problems now ;) ?
Best regards,

Merijn Schering
Intermesh
DanielMalmgren
Posts: 167
Joined: Fri Oct 28, 2011 6:24 pm
Location: Kisa, Sweden

Re: AD LDAPS

Postby DanielMalmgren » Wed Dec 04, 2013 4:33 pm

mschering wrote: Am I right that you solved all your own problems now ;) ?
Yep. It works now.

I hope that my little monologue above will help others stumbling on the same problems as me :wink:

/Daniel
