Reputation: 11
We have been struggling for months trying to enable the LDAPS connection with our LAMP application. It's an internal server and we don't need any special cipher, just access to the LDAPS port.
lampstack-7.2.26-0
Apache/2.4.6 (CentOS)
PHP 5.4.16
OpenSSL 1.0.2k-fips
Current .htaccess config that works OK with LDAP:

```apache
AuthType Basic
AuthName "Login with your Company ID"
AuthBasicProvider ldap
AuthLDAPURL "ldap://xxx/DC=xx,DC=x,DC=grp?sAMAccountName"
AuthLDAPBindDN "svc-apache-ldap-auth"
AuthLDAPBindPassword "<password>"
AuthLDAPCompareAsUser on
LDAPReferrals off
Require ldap-group CN=sxx,OU=xx,OU=Services,OU=Groups,OU=Enterprise,DC=xx,DC=x,DC=xx
```
From the client we can successfully do the ldapsearch test as the root user with both LDAP and LDAPS:

As root user:

```
ldapsearch -ZZ          --> OK
ldapsearch (unsecured)  --> OK
```

With a domain user:

```
ldapsearch -ZZ          --> ldap_start_tls: Connect error (-11)
ldapsearch (unsecured)  --> OK
```
One possible issue could be a permissions one? LAMP uses the special "daemon" user to run the services.
We have tried many things. The most obvious is to add the "s" to

```apache
AuthLDAPURL "ldap://xxx/DC=xx,DC=x,DC=grp?sAMAccountName"
```

like this:

```apache
AuthLDAPURL "ldaps://xxx/DC=xx,DC=x,DC=grp?sAMAccountName"
```
When we try that, we get a 500 error on the webpage and this message in the logs:

```
AH01695: auth_ldap authenticate: user XXX authentication failed; URI / [LDAP: ldap_set_option failed.Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD][Can't contact LDAP server]
```
We also tried adding

```
TLS_CRLCHECK none
TLS_REQCERT never
```

to the ldap.conf file, but the same error appears.
Other things have been tried, but I have just put the most relevant ones. Not sure what else to try to get LDAPS working.
Thanks for the help
Upvotes: 0
Views: 220
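The question above asks whether the root-vs-domain-user difference is a permissions problem. The following diagnostic script is an added example (not from the original post): it parses the TLS settings out of an ldap.conf-style file, checks whether the CA material it names is readable by the user Apache runs as, and tries a plain LDAPS handshake as that user. It assumes the OpenLDAP client config lives at /etc/openldap/ldap.conf, that the service user is "daemon", and that the caller supplies the LDAP host, port and CA file (placeholders in the final comment).

```shell
#!/bin/sh
# Added diagnostic helper, not code from the original post.
# Assumptions: ldap.conf at /etc/openldap/ldap.conf, service user "daemon",
# LDAP host/port and CA file supplied by the caller (placeholders below).

# Print "KEY VALUE" for the TLS-related keys of an ldap.conf-style file,
# skipping comments and blank lines; keys are matched case-insensitively.
ldap_tls_settings() {
    awk '!/^[ \t]*#/ && NF >= 2 {
            k = toupper($1)
            if (k ~ /^TLS_(CACERT|CACERTDIR|REQCERT|CRLCHECK)$/) print k, $2
         }' "$1"
}

# Return 0 when every TLS_CACERT / TLS_CACERTDIR path in CONF is readable by
# USER (empty USER = the current user), 1 when at least one is not.
# Running the check via su reflects the web server's privileges, not root's,
# which is the root-vs-domain-user difference seen with "ldapsearch -ZZ".
tls_paths_readable_by() {
    conf=$1; user=$2; rc=0
    for p in $(ldap_tls_settings "$conf" | awk '$1 ~ /^TLS_CACERT(DIR)?$/ {print $2}'); do
        if [ -n "$user" ]; then
            su -s /bin/sh "$user" -c "test -r '$p'" 2>/dev/null && ok=0 || ok=1
        else
            test -r "$p" && ok=0 || ok=1
        fi
        if [ "$ok" -ne 0 ]; then
            echo "NOT readable by ${user:-$(id -un)}: $p" >&2
            rc=1
        fi
    done
    return $rc
}

# Attempt a plain LDAPS handshake (TLS from the start, no StartTLS) as USER
# against HOST:PORT, verifying the server chain with CAFILE. The exit status
# is openssl's: 0 only when the connection and certificate verification succeed.
ldaps_handshake_as() {
    user=$1; host=$2; port=${3:-636}; cafile=$4
    su -s /bin/sh "$user" -c \
        "openssl s_client -connect '$host:$port' -CAfile '$cafile' -verify_return_error </dev/null >/dev/null 2>&1"
}

# Example run (placeholders: replace LDAP_HOST and the CA file path):
# tls_paths_readable_by /etc/openldap/ldap.conf daemon && \
#     ldaps_handshake_as daemon LDAP_HOST 636 /etc/openldap/certs/ca.pem
```

A path reported as not readable by the service user while root succeeds points at file or directory permissions on the CA material rather than at the LDAP server itself.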
Reputation: 11
SOLVED: It was finally fixed by using a different LAMP Stack version, 7.4.30-1. It seems that version 7.2.26-0 had this bug that LDAPS was not working.
Upvotes: 1