I'm receiving the following error when attempting to test my LDAP server using StartTLS:
Warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error in LdapServer->connect() (line 179 of /var/www/html/drupal_test/sites/all/modules/ldap/ldap_servers/LdapServer.class.php).
Connection Info
Binding with DN for non-anonymous search (cn=ldapstaff,cn=Users,dc=snf,dc=clatsopcc,dc=local). Using password stored in configuration
Binding with DN for non-anonymous search (cn=ldapstaff,cn=Users,dc=snf,dc=clatsopcc,dc=local). Using password stored in configuration
Failed to connect to LDAP server. See watchdog error logs for details.

In watchdog:
Could not start TLS. (Error -11: Connect error).
Warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error in LdapServer->connect() (line 179 of /var/www/html/drupal_test/sites/all/modules/ldap/ldap_servers/LdapServer.class.php).

When Start-TLS is unchecked, I am able to connect perfectly fine with the test option. So I know my credentials are correct. Attached is the Issue Report information.

Attachment: Issue Reporting.html_.txt (8.57 KB, jlea9378)

Comments

geste:

Some time ago I opened a ticket on the same issue. Thread here:

http://drupal.org/node/1292786

John didn't find a bug and I didn't find a workaround other than to forego TLS on this one (localhost for the time being) config.

It would be interesting to know the details of your setup. LDAP-wise. You might also adapt the test script in the earlier thread to see if it succeeds or fails. And maybe these threads can be merged??

Jim

jlea9378:

Your setup is quite different, so I didn't think they were the same. I'm using Active Directory (2003).

jlea9378:

Anyone know how to get TLS working?

jlea9378:

Anyone?

Homotechsual:

I'll post a guide on this later today. I'll link it when I'm done!

Homotechsual:

Assigned: Unassigned » Homotechsual
Homotechsual:

This guide applies to a Windows 2003/2008 based Active Directory domain with a Debian-style Linux webserver.

Okay, here goes nothing:

Export Your Certificate
If you don't know how to do this, there is a guide here: http://support.microsoft.com/kb/555252
Export your certificate to a file named: CACert.cer for ease of reference.

Copy The Certificate
Copy the certificate created above to your webserver. (Assuming Debian based Linux for this guide; use Google to find steps for your OS.)

You'll want to place the certificate in the /etc/ssl/certs/ directory.

Run "c_rehash"

Edit Your LDAP.conf
The most common location for this file on linux is here: /etc/ldap/ldap.conf

Add the following under the "Certificates" section:

TLS_CACERT /etc/ssl/certs/CACert.cer
TLS_CACERTDIR /etc/ssl/certs
#TLS_REQCERT never

I make no guarantees that this will fix your issues, but it fixed mine! You can uncomment the last line in the section above if you still have issues.
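As an added, defender-side check that is not part of the guide above or of the ldap module: the Windows export wizard writes DER by default while OpenLDAP's TLS_CACERT expects PEM, and a DER file at that path yields the same -11 "Connect error". This script detects the format, converts if needed, emits the ldap.conf stanza from the guide, and verifies the StartTLS handshake with OpenSSL alone (no Drupal, no bind). Host names and paths are placeholders; "-starttls ldap" assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not the ldap module's code. Validates the exported CA file
# before pointing /etc/ldap/ldap.conf at it, then tests StartTLS directly.

# Print "pem" if the file carries a PEM certificate header, else "der".
detect_cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo pem
    else
        echo der
    fi
}

# Convert a DER-encoded Windows export to PEM (requires openssl).
der_to_pem() {
    openssl x509 -inform DER -in "$1" -out "$2"
}

# Emit the ldap.conf "Certificates" stanza from the guide for a CA file and dir.
ldap_conf_stanza() {
    printf 'TLS_CACERT %s\nTLS_CACERTDIR %s\n#TLS_REQCERT never\n' "$1" "$2"
}

# Verify the StartTLS handshake and chain against the domain controller.
# Exit status 0 means OpenSSL validated the server certificate with our CA.
check_starttls() {
    host="$1"; cafile="$2"
    openssl s_client -connect "$host:389" -starttls ldap \
        -CAfile "$cafile" -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage: sh check_ldap_tls.sh CACert.cer dc01.example.local   (placeholders)
if [ "$#" -eq 2 ]; then
    cert="$1"; host="$2"
    if [ "$(detect_cert_format "$cert")" = der ]; then
        der_to_pem "$cert" /etc/ssl/certs/CACert.pem
        cert=/etc/ssl/certs/CACert.pem
    fi
    ldap_conf_stanza "$cert" /etc/ssl/certs
    if check_starttls "$host" "$cert"; then
        echo "StartTLS OK"
    else
        echo "StartTLS FAILED: check CA file, hostname match and clock skew"
    fi
fi
```

If the handshake fails here, Drupal cannot succeed either, so fix the chain at this layer before touching the module settings.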

jlea9378:

Version: 7.x-1.x-dev » 7.x-1.0-beta9
Status: Active » Closed (fixed)

Fix in #7 worked for me, except I couldn't run that command you mentioned, and I didn't comment out that TLS_REQCERT never line.

Homotechsual:

The "c_rehash" command isn't necessary on all setups, and using the TLS_REQCERT never line again makes a difference on some configs and not on others. Glad it's fixed though!

johnbarclay:

Version: 7.x-1.0-beta9 » 7.x-1.x-dev
Component: Code » Documentation
Assigned: Homotechsual » Unassigned
Category: support » task
Status: Closed (fixed) » Needs work

I'm opening this back up. This question comes up over and over and appears to have an element of suffering and pain associated with it. I'm leaving this open and changing it to documentation until someone integrates this into the documentation at http://drupal.org/node/1065900 with a reference to it from http://drupal.org/node/1023900.

Homotechsual:

I'll take a look at integrating this into the documentation tomorrow.

johnbarclay:

Version: 7.x-1.x-dev » 7.x-2.x-dev
pipepiper:

Priority: Normal » Major

Build 7.x-2.0-beta4.
I am getting this warning even with TLS unchecked (local machine, XAMPP) :
Warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Can't contact LDAP server in LdapServer->connect() (line 270 of <snip>\modules\ldap\ldap_servers\LdapServer.class.php). .

It's positively a bug as it should never get inside the routine if TLS is unchecked.

Please suggest a remedy. Thanks.

UPDATE:

Problem stopped after disabling "AD Common Use Cases" module.

johnbarclay:

Priority: Major » Normal

All the documentation tasks should be normal, though I understand the lack of people stepping up to do documentation overall is a major problem with this module. Can you give me the url of the AD Common Use Cases module? I'd like to see how it affects TLS.

pipepiper:

Title: LDAP Help: Example features interfere with configuration of actual ldaps. » Unable to start TLS: Connect error in LdapServer->connect()
Status: Fixed » Needs work

I don't have a URL as the module was installed with the default ldap module. I spent nearly the entire day sorting out the TLS issue and posted when I was pretty flustered.

Anyway, this is what seems to be happening:

I was testing with blog.stuartlewis.com/2008/07/07/test-ldap-service/ which provides a test ldap with no tls support. I had disabled tls and got it to work after a few attempts but the warning msg wouldn't disappear. The site doesn't provide groups so I started exploring the AD Common Use Cases module, which was no help so I disabled it and the tls issue disappeared!

On enabling the module, it sets up some "hogwarts" server with TLS enabled. I went back to the settings and checked that I had stuartlewis as the default and not hogwarts. It looks like the routine still checks hogwarts despite the fact that it is not supposed to be checked at all.

I am not sure as of now what the issue is, but would like to say that the core ldap module works well and is reasonably fast. With the hogwarts setting enabled, it was taking 3~4 minutes to authenticate and had the TLS issue. With the module disabled, it authenticates in under a couple of seconds. Btw, the AD Common Use Cases module installs the hogwarts server with TLS enabled, which causes the problem. With the module still in place, I disabled TLS and, logically, the TLS warning stopped.

Do let me know if you need any further info.

johnbarclay:

Title: Unable to start TLS: Connect error in LdapServer->connect() » LDAP Help: Example features interfere with configuration of actual ldaps.
Status: Needs work » Fixed

Ok. I removed the example Feature's module features. Thanks for pointing out the reference LDAP; I've been looking for one for some time. If you have a basic setup without groups that works against it, can you export it as a feature so I can add it to the ldap help module? That would save people a lot of pain/time setting up authentication.

pipepiper:

Title: Unable to start TLS: Connect error in LdapServer->connect() » LDAP Help: Example features interfere with configuration of actual ldaps.
Status: Needs work » Fixed

Apologies, as I have been busy and couldn't respond.

I am happy to export the settings. I guess I will need to install the Features module?

I can also upload a basic PHP file to test settings before launching the module. It would ensure a user can track down issues. Could you suggest the best place (or relevant thread) to post it?

johnbarclay:

The best issue is #1856688: Reference LDAP Implementations for testing, user debugging, and documentation. The settings export is best done with the Features module, but if you just want to outline them I can put them into a Feature. Both the exported feature and the basic PHP file are probably best as child pages of http://drupal.org/node/1141764

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.