Debug LDAP via TLS

Yesterday I had to do some debugging to find out why an LDAPS connection didn’t work.

The main trouble was that the authLdap plugin for WordPress didn’t work for someone. After a bit of back and forth we figured out that it worked for other applications but not for PHPs LDAP-extension.

The error they got was the usual cryptic Can't contact LDAP server which says nothing at all as that can mean so many different things.

The usual first check was whether the LDAP-servers port was actually reachable. To test that we used netcat to check whether a connection to the other side is possible

Make sure to execute that on the environment that has the issues. So when php is running within docker, make sure to run that – and all other commands I’ll be talking about – from within your docker container to make sure that no networkstack in between causes trouble.

That was not the issue. The port was open and we could connect to it.

SO the next step was to actually try to connect to the port with some other tool to eliminate that PHP is the actual problem. My first choice is always to use ldapsearch (which is part of the ldap-utils package on ubuntu/debian based systems). Worst case is you will need to install that into the container to then be able to run

The cool thing with that command is that it uses the same functionality that the LDAP-extension uses and the -s "base" -b "" -LLL "+" should allow retrieval of information from the LDAP-Server without any authentication. The -d1 adds some basic debugging information to the output so that we get a bit more info than the default ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

So the above command returned this output:

Ah! Here we go! TLS: peer cert untrusted or revoked

So it seems to be a certificate issue. Let’s have a look at that certificate and it’s chain.

So the chain looks OKish and it’s signed by Let’s Encrypt so that should work out of the box. No self signed certificate so that is already a good one. But why is it failing?

Let’s check the installed CA authorities:

Odd. There is no certificate available. Which seems to be why the verification doesn’t work.

The easiest way to solve this now was to download the ISRG certificate that Let’s encrypt uses for their Chain of trust and add that as our main CA-Cert. The file can be downloaded from https://letsencrypt.org/certificates/ (The location will differ for other CAs) via

and can then be added to our LDAP-config like this:

Let’s test again whether everything works:

And suddenly we get a lot more of output which means we are ready to go. And now also the ldap-extension in PHP works and so we can use the authLdap plugin for wordpress with a certificate chain that somehow didn’t work before.

šŸŽ‰