[Ltb-users] Self Service Password - Can't contact LDAP server
Nicolas Pecheux
2016-07-24 14:03:34 UTC
Hi Clement,

I've been trying to use SSP (version 0.9) on a CentOS Linux release
7.2.1511 (Core), without success.
I've read the forums and done some troubleshooting on my install but I
can't figure out what is wrong. Many values have been tested out, but here
is the current config (the AD credentials are right; they work with other
servers/software):

*config.inc.php*

# LDAP
$ldap_url = "ldap://192.168.60.60:389";
$ldap_starttls = false;
$ldap_binddn = "CN=Administrator,CN=Users,DC=obs,DC=lab";
$ldap_bindpw = "XXXXX";
$ldap_base = "DC=obs,DC=lab";
$ldap_login_attribute = "sAMAccountName";
#$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";
#$ldap_filter = "(&(objectClass=person)(uid={login}))";

# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
$ad_mode = true;
# Force account unlock when password is changed
$ad_options['force_unlock'] = true;
# Force user change password at next login
$ad_options['force_pwd_change'] = false;
# Allow user with expired password to change password
$ad_options['change_expired_password'] = true;


*cat /var/log/apache2/ssp_error.log*

[Sun Jul 24 14:41:46.459734 2016] [:error] [pid 2590] [client
192.168.101.100:20497] PHP Warning: ldap_bind(): Unable to bind to server:
Can't contact LDAP server in
/usr/local/self-service-password/ltb-project-self-service-password-0.9/pages/change.php
on line 93, referer: http://192.168.60.62/index.php
[Sun Jul 24 14:41:46.459848 2016] [:error] [pid 2590] [client
192.168.101.100:20497] LDAP - Bind error -1 (Can't contact LDAP server),
referer: http://192.168.60.62/index.php

*change.php*

# Check old password
#==============================================================================
if ( $result === "" ) {

    # Connect to LDAP
    $ldap = ldap_connect($ldap_url);
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    if ( $ldap_starttls && !ldap_start_tls($ldap) ) {
        $result = "ldaperror";
        error_log("LDAP - Unable to use StartTLS");
    } else {

        # Bind
        if ( isset($ldap_binddn) && isset($ldap_bindpw) ) {
            $bind = ldap_bind($ldap, $ldap_binddn, $ldap_bindpw);   # line 93, referenced in the log above
        } else {
            $bind = ldap_bind($ldap);
        }
        # ... (rest of change.php not shown)

Any idea what I am doing wrong? If you could help that'd be great!

Many thanks,
Nicolas.
Clément OUDOT
2016-07-24 17:34:15 UTC
Post by Nicolas Pecheux
Hi Clement,
Hi Nicolas,

First, your mail was moderated because you did not register for the
list. Please register here:
http://lists.ltb-project.org/listinfo/ltb-users
First, be sure you don't have any firewall rule between your server
and AD. Try to connect with ldapsearch, for example. Then check that
SELinux is not preventing Apache from contacting the LDAP server.


Clément.
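As an added example (not part of this thread or of the LTB project), a small shell script that walks the checklist above in order on the SSP host: TCP reachability of the host and port taken from $ldap_url, an anonymous ldapsearch against the rootDSE, then the SELinux httpd_can_network_connect boolean. It also classifies the numeric code SSP logs as "Bind error N", since -1 is a transport failure and says nothing about the bind DN or password. It assumes bash (for /dev/tcp), coreutils timeout, and uses ldapsearch and getsebool only if they are installed; the default URL is the one from the thread.

```shell
#!/bin/sh
# Constructed diagnostic for "LDAP - Bind error -1 (Can't contact LDAP server)".
# Not LTB Self Service Password code. Assumes bash + timeout; ldapsearch
# (openldap-clients) and getsebool (policycoreutils) are optional.
# Split $ldap_url from config.inc.php into "host port" (defaults 389 / 636).
parse_ldap_url() {
    url=$1
    scheme=${url%%://*}
    hostport=${url#*://}; hostport=${hostport%%/*}
    host=${hostport%%:*}
    if [ "$host" = "$hostport" ]; then
        port=389; [ "$scheme" = "ldaps" ] && port=636
    else
        port=${hostport##*:}
    fi
    echo "$host $port"
}
# Read the code SSP logs as "Bind error N". -1 (LDAP_SERVER_DOWN) means the
# TCP/LDAP transport failed, so the bind DN and password were never
# evaluated; 49 (invalidCredentials) is the code that actually blames them.
classify_bind_error() {
    case $1 in
        -1) echo transport ;;
        49) echo credentials ;;
        *)  echo other ;;
    esac
}
# Layer 1: is the port reachable from this host at all (firewall, routing)?
tcp_check() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}
# Layer 2: does the directory answer an anonymous rootDSE query?
ldap_check() {
    command -v ldapsearch >/dev/null 2>&1 || return 2
    ldapsearch -x -H "ldap://$1:$2" -s base -b "" namingContexts >/dev/null 2>&1
}
# Layer 3: SELinux denies httpd outbound sockets unless this boolean is on.
selinux_check() {
    command -v getsebool >/dev/null 2>&1 || return 0   # no SELinux tools here
    getsebool httpd_can_network_connect | grep -q ' on$'
}
main() {
    set -- $(parse_ldap_url "${1:-ldap://192.168.60.60:389}")
    tcp_check "$1" "$2" && echo "TCP $1:$2 reachable" || echo "TCP $1:$2 unreachable: check firewall/routing"
    ldap_check "$1" "$2" && echo "ldapsearch against $1:$2 OK" || echo "ldapsearch failed or not installed"
    selinux_check && echo "SELinux: httpd may open network sockets" || echo "SELinux: run setsebool -P httpd_can_network_connect on"
}
main "$@"
```

Run it on the web server as `sh diagnose.sh "$ldap_url"`; the first layer that fails is where the -1 comes from.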
