
Comments (4)

cedric-anne commented on June 16, 2024

Enterprise policy does not allow Anonymous Logon so choosing 'No' to Use Bind is not working in my case.

Did you try to set this option to No? It will still trigger a certificate binding, so it may not be considered as anonymous logon.


github-actions commented on June 16, 2024

This issue has been closed as we only track bugs here.

You can get community support on forums or you can consider taking a subscription to get professional support.
You can also contact GLPI editor team directly.


s0p4L1n3 commented on June 16, 2024

Enterprise policy does not allow Anonymous Logon so choosing 'No' to Use Bind is not working in my case.

Did you try to set this option to No? It will still trigger a certificate binding, so it may not be considered as anonymous logon.

@cedric-anne If I try to set it to No, the Test menu returns Success Test but I don't see any traffic in Wireshark; I wonder what the test is?

To my knowledge, LDAP binding, for most solutions, is used to authenticate against AD.
The S in LDAPS means it encrypts the channel so it will not send the password in plain text. It is independent of binding.
If I use No for Binding, it will just try to bind/authenticate without any credentials, meaning Anonymous logon/binding.

I will use LDAP with StartTLS... as I can bind with credentials.

Another thing: I just tested (on the GLPI server) with the basic PHP function and it is working. Why does GLPI's PHP return failed when I choose Bind Yes?

In my opinion, it looks like AuthLDAP needs a review because LDAPS + binding (user+password) is not working.

```php
<?php

// using ldap bind
$ldaprdn  = 'ro_glpi';     // ldap rdn or dn
$ldappass = 'password';  // associated password

// connect to ldap server
$ldapconn = ldap_connect("ldaps://srvad.enterprise.it.paris.lan")
    or die("Could not connect to LDAP server.");

if ($ldapconn) {

    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...";
    } else {
        echo "LDAP bind failed...";
    }

}

?>
```

```
php test.php
LDAP Bind successful
```


s0p4L1n3 commented on June 16, 2024

@cedric-anne Hello, I found the problem.

  • Not working LDAPS configuration: [image]
  • Working LDAPS configuration: [image]

It was written from the start in the GLPI documentation, but my eyes did not see it:

GLPI can connect to an LDAP directory through an LDAPS connection. To enable this, prefix your server field with ldaps:// and change the port to the LDAPS one of your LDAP directory (default 636).

Why do we have to specify the protocol ldaps:// in the server field when we are already setting the port field to 636?
Then why don't we need to specify ldap:// when the port is 389 by default?

I propose different fixes:

  • Add a condition in the code that checks if the user configures port 636 but did not write ldaps:// in the server field, then a detailed error log informs the user.

  • Change the field description Server to something like this: [image]
  • Edit LDAP configuration interface:
    • replace the port field with an LDAP / LDAPS selection button
    • (depending on the choice, it will pre-fill the server field with ldaps:// and port 636 or the default ldap and 389)

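The first fix proposed in the last comment (warn when port 636 is configured without ldaps:// in the server field) could be implemented along these lines. This is an added example, not GLPI code and not written by anyone in the thread; the function name, its parameters and the sample hosts are hypothetical, and it goes slightly further by also flagging the unencrypted-bind case discussed earlier in the thread.

```php
<?php
// Added example, not GLPI code. Function and parameter names are hypothetical.

/**
 * Check an LDAP "server" + "port" pair for the mismatch described in the thread.
 * Returns a list of messages; an empty list means nothing suspicious was found.
 */
function ldap_endpoint_problems(string $server, int $port, bool $startTls = false): array
{
    $problems = [];

    // Extract an optional URI scheme (ldap:// or ldaps://) from the server field.
    $scheme = null;
    if (preg_match('#^([a-z][a-z0-9+.-]*)://#i', trim($server), $m)) {
        $scheme = strtolower($m[1]);
        if ($scheme !== 'ldap' && $scheme !== 'ldaps') {
            return ["Unsupported scheme '{$scheme}://': expected ldap:// or ldaps://."];
        }
    }

    if ($scheme === 'ldaps') {
        if ($port === 389) {
            $problems[] = 'ldaps:// is set but port 389 is the default plain LDAP port (LDAPS default is 636).';
        }
        if ($startTls) {
            $problems[] = 'StartTLS is for plain ldap:// connections; do not combine it with ldaps://.';
        }
    } elseif ($port === 636) {
        // The case from the thread: LDAPS port, but no ldaps:// prefix.
        $problems[] = 'Port 636 is the default LDAPS port, but the server field does not start with ldaps://.';
    } elseif (!$startTls) {
        $problems[] = 'Neither ldaps:// nor StartTLS is enabled: bind credentials would cross the network unencrypted.';
    }

    return $problems;
}

// Constructed sample configurations: [server, port, StartTLS].
$samples = [
    ['ldap.example.test', 636, false],          // the mismatch from the thread
    ['ldaps://ldap.example.test', 636, false],  // documented LDAPS setup
    ['ldap.example.test', 389, true],           // LDAP upgraded with StartTLS
    ['ldap.example.test', 389, false],          // cleartext bind
];
foreach ($samples as [$server, $port, $startTls]) {
    $problems = ldap_endpoint_problems($server, $port, $startTls);
    printf("%-28s port %-4d %s\n", $server, $port, $problems ? implode(' ', $problems) : 'OK');
}
```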
