Yesterday I had to do some debugging to find out why an LDAPS connection didn’t work.
The main trouble was that the authLdap plugin for WordPress didn’t work for someone. After a bit of back and forth we figured out that it worked for other applications but not for PHPs LDAP-extension.
The error they got was the usual cryptic Can't contact LDAP server which says nothing at all as that can mean so many different things.
The usual first check was whether the LDAP-servers port was actually reachable. To test that we used netcat to check whether a connection to the other side is possible
nc -zv ldap.example.org 636Make sure to execute that on the environment that has the issues. So when php is running within docker, make sure to run that – and all other commands I’ll be talking about – from within your docker container to make sure that no networkstack in between causes trouble.
That was not the issue. The port was open and we could connect to it.
SO the next step was to actually try to connect to the port with some other tool to eliminate that PHP is the actual problem. My first choice is always to use ldapsearch (which is part of the ldap-utils package on ubuntu/debian based systems). Worst case is you will need to install that into the container to then be able to run
ldapsearch -H ldaps://ldap.example.org/ -x -s "base" -b "" -LLL "+" -d1The cool thing with that command is that it uses the same functionality that the LDAP-extension uses and the -s "base" -b "" -LLL "+" should allow retrieval of information from the LDAP-Server without any authentication. The -d1 adds some basic debugging information to the output so that we get a bit more info than the default ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
So the above command returned this output:
ldap_url_parse_ext(ldaps://ldap.example.org/)
ldap_create
ldap_url_parse_ext(ldaps://ldap.example.org:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.example.org.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 93.184.216.34:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)Ah! Here we go! TLS: peer cert untrusted or revoked
So it seems to be a certificate issue. Let’s have a look at that certificate and it’s chain.
openssl s_client -connect ldap.example.com:636
...
---
Certificate chain
0 s:CN = example.org
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
...So the chain looks OKish and it’s signed by Let’s Encrypt so that should work out of the box. No self signed certificate so that is already a good one. But why is it failing?
Let’s check the installed CA authorities:
openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt | openssl pkcs7 -print_certs -noouz | grep -i DSTOdd. There is no certificate available. Which seems to be why the verification doesn’t work.
The easiest way to solve this now was to download the ISRG certificate that Let’s encrypt uses for their Chain of trust and add that as our main CA-Cert. The file can be downloaded from https://letsencrypt.org/certificates/ (The location will differ for other CAs) via
curl -o /path/to/ca-cert.pem https://letsencrypt.org/certs/isrgrootx1.pemand can then be added to our LDAP-config like this:
echo "TLS_CACERT /path/to/ca-cert.pem" > /etc/ldap/ldap.confLet’s test again whether everything works:
# ldapsearch -H ldaps://ldap.example.org/ -x -s "base" -b "" -LLL "+" -d1And suddenly we get a lot more of output which means we are ready to go. And now also the ldap-extension in PHP works and so we can use the authLdap plugin for wordpress with a certificate chain that somehow didn’t work before.
🎉