Ldap authentication error #199

Open
s31t0n opened this issue Jul 13, 2017 · 2 comments

s31t0n commented Jul 13, 2017

Hi,
I managed to install and configure Kloudspeaker on my Mac:
macOS 10.12.3
LDAPv3
Kloudspeaker latest version
based on the information from this link:
BackEnd Configuration

I tried to configure the LDAP authentication; my configuration.php file follows:

        "authentication_methods" => ["pw", "ldap"],
        "ldap_use_starttls" => true,
        "ldap_server" => "ad-test.lab.local",
        "ldap_conn_string" => "@ad-test.lab.local",

The error I'm getting follows:
class:KloudspeakerBackend, type:->, args:{0:Request}}}RESPONSE error {0:107, 1:Authentication failed, 2:403}
Could you please check this out and tell me how I can fix it?
I guess I'm missing some configuration.
And the error is not related to the credentials, as I can log in to the LDAP server with other utilities.

Thanks in advance.

@sjarvela (Owner)

First, your authentication methods indicate password is the default, so have you explicitly changed the user auth method to LDAP?

Then, based on your LDAP configuration, you are using authenticated binding, is this correct? I.e., your user should be able to authenticate with his own credentials to the LDAP server?

aplum commented Oct 4, 2017

Hi @s31t0n, I'm assuming this is related to what we were discussing regarding certificates over at #187. Now that I've replicated my setup on macOS, maybe I can help you out. Are you using the built-in version of apache/php/etc.? I'm using AMPPS, so the location of my configuration files may be different than yours.

Relevant files in AMPPS:
/Applications/AMPPS/php-7.1/etc/php.ini
/Applications/AMPPS/extra/etc/openldap/ldap.conf
/Applications/AMPPS/extra/etc/openssl/certs/my-cacert.pem (this file doesn't exist by default; I created it using the steps given below.)

In php.ini:

  • Ensure you have extension=openssl.so uncommented (or add this line if necessary, assuming you have that openssl.so file in the directory configured by extension_dir in php.ini)
  • Add the following two lines at the bottom of php.ini, and change the path to point to wherever you're going to store your my-cacert.pem file:
[openssl]
openssl.cafile=/Applications/AMPPS/extra/etc/openssl/certs/my-cacert.pem

In ldap.conf, add the following two lines (again, update the path):

TLS_REQCERT demand
TLS_CACERT /Applications/AMPPS/extra/etc/openssl/certs/my-cacert.pem

To create the my-cacert.pem file:
(Note that including the System Roots certificates here is not necessary to just get it working with your AD server, but will allow you to use php to connect to other servers with certs issued by these Certificate Authorities.)

  1. Open "Keychain Access.app"
  2. On the left, click on "System Roots" at the top, and "Certificates" at the bottom.
  3. Select all the certificates displayed, right-click, export.
  4. Ensure you have .pem selected for "File Format", save as my-cacert.pem
  5. Now, find the certificate that was either used to sign your AD server's cert (i.e. your AD CA's certificate), or maybe you can just use the certificate your server is using for LDAP (I haven't tested using this, I've only used the CA cert).
    • If you don't have this certificate in Keychain Access, find it and import it so that we can export it in the correct format. You can delete it from Keychain Access afterwards if you'd like.
  6. Export the AD cert as adcert.pem
  7. Navigate to the folder with your .pem files in Terminal, then execute cat adcert.pem >> my-cacert.pem (this appends adcert.pem to my-cacert.pem).
  8. Delete adcert.pem
  9. Move your my-cacert.pem file to the appropriate folder, then restart apache.

Hopefully this works for you. Let me know if you need any more help or clarification.
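The steps above wire the CA bundle into php.ini and ldap.conf, but a generic "Authentication failed, 403" from Kloudspeaker does not say whether STARTTLS negotiation failed (untrusted certificate), the bind itself failed (wrong DN or password), or the application-side auth method was never switched to LDAP. The following standalone PHP script is an added example (not Kloudspeaker's code and not aplum's) that performs the same STARTTLS-then-bind sequence outside the application and reports which step fails. It assumes PHP 7.1 or newer with the ldap extension built against the OpenLDAP client library (so the LDAP_OPT_X_TLS_* options are available); the hostname and CA path are taken from this issue, while the bind user and password are placeholders to replace.

```php
<?php
// Added example, not Kloudspeaker code: exercise STARTTLS + simple bind
// against the AD server so a failure can be attributed to the CA file,
// the TLS handshake, or the bind (credentials/DN) rather than to the app.

const LDAP_HOST = 'ad-test.lab.local';                                        // from the issue
const LDAP_PORT = 389;                                                        // plain port; STARTTLS upgrades it
const CA_FILE   = '/Applications/AMPPS/extra/etc/openssl/certs/my-cacert.pem'; // path from the comment above
const BIND_USER = 'testuser@lab.local';                                       // assumed UPN, replace
const BIND_PASS = 'changeme';                                                 // assumed, replace

/**
 * Returns an ordered map of step => 'ok' | 'failed: <reason>'.
 * Steps: ca_file, starttls, bind. Later steps are skipped once one fails.
 */
function ldapTlsBindCheck(string $host, int $port, string $caFile, string $user, string $pass): array
{
    $steps = [];

    if (!is_readable($caFile)) {
        $steps['ca_file'] = "failed: not readable: $caFile";
        return $steps;
    }
    $steps['ca_file'] = 'ok';

    // ldap_connect() only prepares the handle; network errors surface in start_tls/bind.
    $ds = ldap_connect("ldap://$host:$port");
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // AD returns referrals; do not chase them on a bind

    // Same effect as TLS_CACERT / TLS_REQCERT demand in ldap.conf, but explicit
    // for this connection so the script does not depend on which ldap.conf is read.
    ldap_set_option($ds, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    if (!@ldap_start_tls($ds)) {
        $steps['starttls'] = 'failed: ' . describeLdapError($ds);
        ldap_unbind($ds);
        return $steps;
    }
    $steps['starttls'] = 'ok';

    if (!@ldap_bind($ds, $user, $pass)) {
        $steps['bind'] = 'failed: ' . describeLdapError($ds);
    } else {
        $steps['bind'] = 'ok';
    }
    ldap_unbind($ds);
    return $steps;
}

/** ldap_error() plus the server's diagnostic message (AD puts the LDAP error sub-code there). */
function describeLdapError($ds): string
{
    $diag = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    return ldap_error($ds) . ($diag !== '' ? " ($diag)" : '');
}

foreach (ldapTlsBindCheck(LDAP_HOST, LDAP_PORT, CA_FILE, BIND_USER, BIND_PASS) as $step => $result) {
    echo str_pad($step, 10), $result, PHP_EOL;
}
```

Run it with the same PHP binary Apache uses (for AMPPS, the one under /Applications/AMPPS/php-7.1/bin); `php --ini` shows which php.ini the CLI loaded, and if that differs from Apache's php.ini the openssl.cafile setting you added may not be in effect for this test. A failure at `starttls` with a certificate verification message points at the CA bundle or the server certificate chain; a failure at `bind` with `Invalid credentials` means TLS is fine and the DN/password or the account is the problem; all three `ok` with Kloudspeaker still failing points back at the application configuration (the user's auth method still being password, as sjarvela asked).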
