Hi,

I have a new installation of Drupal 6 and am trying to configure it to work with our agency's Active Directory. In reviewing the existing threads, it appears that I have LDAP support in my PHP configuration - my php.ini file includes:

[PHP_LDAP]
extension=php_ldap.dll

Since it is AD, I have configured a limited-access account to do non-anonymous searches. Running the test script (when TLS is not turned on) works fine. However, with TLS off, I cannot log in to AD, so I've turned on 'Start-TLS' and I get the following errors when running the test:

warning: ldap_get_option(): supplied argument is not a valid ldap link resource in E:\drupal\wwwroot\sites\all\modules\ldap_integration\includes\LDAPInterface.inc on line 82.

warning: ldap_errno(): supplied argument is not a valid ldap link resource in E:\drupal\wwwroot\sites\all\modules\ldap_integration\includes\LDAPInterface.inc on line 167.

warning: ldap_error(): supplied argument is not a valid ldap link resource in E:\drupal\wwwroot\sites\all\modules\ldap_integration\includes\LDAPInterface.inc on line 167.

Authentication with the LDAP server for the dn xxxxx\xxxxxxxxxxxxxxx and saved password failed.

My Drupal installation is on a Windows XP 64-bit server and is running IIS 6. I've not configured the Group or Data modules of LDAP. Since the test option works when TLS is not enabled, I'm wondering if this is a limitation of the module or if I missed something when configuring this.

Comments

stowawayi’s picture

I am experiencing the same problem with the developmental version

but I can get the Start-TLS to work with the 6.x-1.0-alpha2 version

As a side note, which may or may not be related, I cannot connect purely secure (i.e. port 636, Start-TLS unchecked) in the alpha2 or the development version.

Also, I cannot connect to our university load balancer for the 5 LDAP servers we have, but I will work this issue out with our IT department. I think it has to do with certificates.

my setup
OS: Redhat 5.2
Web server: Apache2
PHP ver: 5.1.6
drupal ver: 6.13 very clean install (only module loaded is this one and the defaults)

LDAP servers: 5x MS Active Directory running on windows 2003 RC2
the same errors/successes apply to all 5 servers.

auberdjinn’s picture

Attachment: status new, size 814 bytes

I had the same problem and found the source of it in LDAPInterface.inc

The section of code that starts TLS (lines 140 to 158) checks that the installed LDAP protocol version supports TLS and exits if it does not. This calls LDAPInterface::getOption('version'), which uses $this->connection to check the version. However, at this point $this->connection is still null because $con is assigned to it after the TLS section (line 159).

This accounts for the error on line 82, which is where it attempts to get the LDAP version using $this->connection.

Then the error on 167 is due to $this->connection not having been set since initConnection() returned before assigning the connection.

I changed the TLS section to check for LDAP version using $con rather than calling getOption('version'). That worked for me. Moving '$this->connection = $con' up before the TLS block also worked, but it didn't seem right to assign the connection before TLS had been successfully initiated.

Patch attached - hope it's OK - my first one :-)

auberdjinn’s picture

Category: support » bug
Status: Active » Needs review

Oops, just changing the issue status for the patch - hope I'm doing the right thing here!

auberdjinn’s picture

There was an error in the above patch, here is the corrected version.

Hitmrrr’s picture

Hi, after applying patch 4

Message:
* warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error in Z:\home\portal\www\modules\!Others\ldap_integration-6.x-1.x-dev\includes\LDAPInterface.inc on line 155.
* warning: ldap_errno(): supplied argument is not a valid ldap link resource in Z:\home\portal\www\modules\!Others\ldap_integration-6.x-1.x-dev\includes\LDAPInterface.inc on line 168.
* warning: ldap_error(): supplied argument is not a valid ldap link resource in Z:\home\portal\www\modules\!Others\ldap_integration-6.x-1.x-dev\includes\LDAPInterface.inc on line 168.

auberdjinn’s picture

I think this means there is a problem with the TLS connection itself. You might need to configure a certificate or something like that. Have you tried directly querying AD over TLS with another client? That might give you more information on the error.

Hitmrrr’s picture

tnx) will try

francoud’s picture

Same problem for me: I tried the -dev version and I had the error; replaced it with the 6.x-1.0-beta2 version, and it works perfectly. Indeed: in the -dev version there is an old version of LDAPInterface.inc (1.6 in the 1-beta2 version, v 1.1.2.3 in the -dev one).

jlea9378’s picture

Is this going to get fixed in the dev releases?

johnbarclay’s picture

Assigned: Unassigned » johnbarclay

I committed this to head. It does fix the start tls issue I had. I'm leaving as needs review.

jlea9378’s picture

I installed the latest dev version and am not able to connect at all via Start-TLS. The connection test fails on the ldap connection config screen and trying to log into the site fails. Here's what gets logged during the connection test:

-------
ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error in /var/www/html/drupal/sites/all/modules/ldap_integration/includes/LDAPInterface.inc on line 153.

Could not start TLS. (Error -11: Connect error).

ldap_errno() expects parameter 1 to be resource, null given in /var/www/html/drupal/sites/all/modules/ldap_integration/includes/LDAPInterface.inc on line 166.

ldap_error() expects parameter 1 to be resource, null given in /var/www/html/drupal/sites/all/modules/ldap_integration/includes/LDAPInterface.inc on line 166.

LDAP Bind failure for user LDAPStaff@snf.example.local. Error :

-------

If I uncheck the Start-TLS box and just use regular ol' LDAP by itself, I am able to log into the site fine with no errors logged and going back and running the connection test succeeds. Checking the Start-TLS box and attempting to log in and do the test again both fail. So I've temporarily left it unchecked...

johnbarclay’s picture

Status: Needs review » Closed (fixed)
Attachment: status new, size 2.38 KB

The bad error messages are fixed in head. So these should go away. The patch is attached.

I believe the TLS error (below) is correct.

See http://drupal.org/node/1065900
and http://drupal.org/node/118092

ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error in /var/www/html/drupal/sites/all/modules/ldap_integration/includes/LDAPInterface.inc on line 153.

Could not start TLS. (Error -11: Connect error).

is correct. I'm closing this because the bug part is fixed. Open a new support issue to continue if you need additional help.

jlea9378’s picture

Status: Closed (fixed) » Needs work

I deleted my ldap_integration module and updated it to the latest dev release. The patch appears to already be present in the latest dev release. However, I am still getting the exact same results so it doesn't seem to me that the bugs are worked out yet (thus why reopening issue)?

With Start-TLS enabled, when I click to do a connection test I get all of this logged:
------------------------------------------------
ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error in /var/www/html/drupal_test/sites/all/modules/ldap_integration/includes/LDAPInterface.inc on line 153.

ldap_errno() expects parameter 1 to be resource, null given in /var/www/html/drupal_test/sites/all/modules/ldap_integration/includes/LDAPInterface.inc on line 154.

ldap_error() expects parameter 1 to be resource, null given in /var/www/html/drupal_test/sites/all/modules/ldap_integration/includes/LDAPInterface.inc on line 154.

Could not start TLS. (Error : ).

LDAP Bind failure for user LDAPStaff@snf.example.local. Error -1: Can't contact LDAP server
------------------------------------------------
Yet it all works perfectly fine when Start-TLS is unchecked.

johnbarclay’s picture

Status: Needs work » Needs review

I see the problem. I've fixed this in head. Here is the diff:

http://drupalcode.org/project/ldap_integration.git/commitdiff/19d0778b82...

It was using the wrong connection variable to produce the error.

You should get a better error message now.
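
The ordering problem auberdjinn describes and the wrong-variable error reporting fixed above, sketched as an added PHP example (not the module's LDAPInterface.inc code; the function name `ldap_open_with_starttls` and the host name are hypothetical). The protocol check and the error lookup both use the local handle, and a handle is returned only after StartTLS has succeeded, so a caller cannot bind over a cleartext connection by accident.

```php
<?php
// Hypothetical helper, not taken from ldap_integration.
// Returns [connection|null, error message|null].
function ldap_open_with_starttls(string $host, int $port = 389): array
{
    if (!function_exists('ldap_start_tls')) {
        return [null, 'PHP ldap extension is not loaded'];
    }

    // ldap_connect() only prepares a handle; nothing is sent to the server yet.
    $con = ldap_connect("ldap://{$host}:{$port}");
    if ($con === false) {
        return [null, "Invalid LDAP URI for {$host}:{$port}"];
    }

    // StartTLS is an LDAPv3 extended operation. Set and verify the version
    // on the local handle, not on a member that has not been assigned yet.
    ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_get_option($con, LDAP_OPT_PROTOCOL_VERSION, $version);
    if ((int) $version < 3) {
        ldap_unbind($con);
        return [null, 'StartTLS requires LDAPv3'];
    }

    // @ hides the PHP warning; the error is read back explicitly from the
    // same handle that failed, so ldap_errno()/ldap_error() get a valid link.
    if (!@ldap_start_tls($con)) {
        $msg = sprintf('Could not start TLS. (Error %d: %s)',
            ldap_errno($con), ldap_error($con));
        ldap_unbind($con);
        return [null, $msg];
    }

    return [$con, null];
}

// Constructed placeholder host: .invalid never resolves, so this call
// exercises the failure path without needing a directory server.
[$con, $err] = ldap_open_with_starttls('dc.example.invalid');
if ($con === null) {
    // Fail closed: no retry without TLS, and the bind password is never sent.
    echo $err, PHP_EOL;
} else {
    // Only at this point would ldap_bind($con, $dn, $password) be called.
    ldap_unbind($con);
}
```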

jlea9378’s picture

Status: Needs review » Closed (fixed)

Thanks, making the changes that are in your diff made the extra errors go away.