LDAP setup fails / Invalid Credentials

Infos:

  • Used Zammad version: 3.5.x
  • Used Zammad installation source: production docker
  • Operating system: Debian 10
  • Browser + version: Any

Expected behavior:

  • Adding a valid LDAP url starts “Wizard” where i can enter LDAP credentials

Actual behavior:

  • Enable LDAP integration. Add your LDAP Server
  • Wizard does not appear. Zammad complains (rightfully so) about wrong credentials, which i never had the chance to enter.
  • Error messages pops up: “Can’t connect to ‘ldap.example.com’ on port ‘636’, Can’t bind to ‘ldap.example.com’, 49, Invalid Credentials”

Steps to reproduce the behavior:

  • Enable LDAP integration. Add your LDAP Server
  • Can’t connect to ‘ldap.example.com’ on port ‘636’, Can’t bind to ‘ldap.example.com’, 49, Invalid Credentials

There are several apps authenticating to the same LDAP server. Also i confirmed its working and reachable using ldapsearch from the CLI.

LOG from zammad railsserver docker

` E, [2020-11-10T07:26:29.106421 #1-47062671263960] ERROR -- : Can't connect to 'ldap.example.com' on port '636', Can't bind to 'ldap.example.com', 49, Invalid Credentials (Exceptions::UnprocessableEntity) /opt/zammad/lib/ldap.rb:142:in `rescue in binded_connection' /opt/zammad/lib/ldap.rb:127:in `binded_connection' /opt/zammad/lib/ldap.rb:121:in `connection' /opt/zammad/lib/ldap.rb:39:in `initialize' /opt/zammad/app/controllers/integration/ldap_controller.rb:14:in `new' /opt/zammad/app/controllers/integration/ldap_controller.rb:14:in `block in discover' /opt/zammad/app/controllers/concerns/integration/import_job_base.rb:43:in `answer_with' /opt/zammad/app/controllers/integration/ldap_controller.rb:12:in `discover' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal/basic_implicit_render.rb:6:in `send_action' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/abstract_controller/base.rb:194:in `process_action' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal/rendering.rb:30:in `process_action' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/abstract_controller/callbacks.rb:42:in `block in process_action' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:109:in `block in run_callbacks' /opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:18:in `block (4 levels) in ' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/notifications.rb:180:in `subscribed' /opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:17:in `block (3 levels) in ' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/notifications.rb:180:in `subscribed' /opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:16:in `block (2 levels) in ' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:118:in `instance_exec' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:118:in `block in run_callbacks' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:136:in `run_callbacks' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/abstract_controller/callbacks.rb:41:in `process_action' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal/rescue.rb:22:in `process_action' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal/instrumentation.rb:34:in `block in process_action' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/notifications.rb:168:in `block in instrument' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/notifications/instrumenter.rb:23:in `instrument' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/notifications.rb:168:in `instrument' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal/instrumentation.rb:32:in `process_action' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal/params_wrapper.rb:256:in `process_action' /usr/local/bundle/gems/activerecord-5.2.4.4/lib/active_record/railties/controller_runtime.rb:24:in `process_action' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/abstract_controller/base.rb:134:in `process' /usr/local/bundle/gems/actionview-5.2.4.4/lib/action_view/rendering.rb:32:in `process' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal.rb:191:in `dispatch' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal.rb:252:in `dispatch' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/route_set.rb:52:in `dispatch' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/route_set.rb:34:in `serve' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/journey/router.rb:52:in `block in serve' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/journey/router.rb:35:in `each' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/journey/router.rb:35:in `serve' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/route_set.rb:840:in `call' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:420:in `call_app!' /usr/local/bundle/gems/omniauth-saml-1.10.1/lib/omniauth/strategies/saml.rb:89:in `other_phase' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:190:in `call!' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:169:in `call' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:192:in `call!' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:169:in `call' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:192:in `call!' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:169:in `call' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:192:in `call!' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:169:in `call' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:192:in `call!' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:169:in `call' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:192:in `call!' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:169:in `call' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:192:in `call!' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:169:in `call' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:192:in `call!' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:169:in `call' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:192:in `call!' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:169:in `call' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:192:in `call!' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:169:in `call' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/builder.rb:64:in `call' /usr/local/bundle/gems/rack-2.2.3/lib/rack/tempfile_reaper.rb:15:in `call' /usr/local/bundle/gems/rack-2.2.3/lib/rack/etag.rb:27:in `call' /usr/local/bundle/gems/rack-2.2.3/lib/rack/conditional_get.rb:40:in `call' /usr/local/bundle/gems/rack-2.2.3/lib/rack/head.rb:12:in `call' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/http/content_security_policy.rb:18:in `call' /usr/local/bundle/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:266:in `context' /usr/local/bundle/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:260:in `call' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/cookies.rb:670:in `call' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/callbacks.rb:28:in `block in call' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:98:in `run_callbacks' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/callbacks.rb:26:in `call' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/debug_exceptions.rb:61:in `call' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/show_exceptions.rb:33:in `call' /usr/local/bundle/gems/railties-5.2.4.4/lib/rails/rack/logger.rb:38:in `call_app' /usr/local/bundle/gems/railties-5.2.4.4/lib/rails/rack/logger.rb:28:in `call' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/remote_ip.rb:81:in `call' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/request_id.rb:27:in `call' /usr/local/bundle/gems/rack-2.2.3/lib/rack/method_override.rb:24:in `call' /usr/local/bundle/gems/rack-2.2.3/lib/rack/runtime.rb:22:in `call' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/executor.rb:14:in `call' /usr/local/bundle/gems/rack-2.2.3/lib/rack/sendfile.rb:110:in `call' /usr/local/bundle/gems/railties-5.2.4.4/lib/rails/engine.rb:524:in `call' /usr/local/bundle/gems/puma-3.12.6/lib/puma/configuration.rb:227:in `call' /usr/local/bundle/gems/puma-3.12.6/lib/puma/server.rb:706:in `handle_request' /usr/local/bundle/gems/puma-3.12.6/lib/puma/server.rb:476:in `process_client' /usr/local/bundle/gems/puma-3.12.6/lib/puma/server.rb:334:in `block in run' /usr/local/bundle/gems/puma-3.12.6/lib/puma/thread_pool.rb:135:in `block in spawn_thread' /usr/local/bundle/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context' I, [2020-11-10T07:26:29.109096 #1-47062671263960] INFO -- : Completed 200 OK in 128ms (Views: 0.2ms | ActiveRecord: 13.6ms) I, [2020-11-10T07:26:29.735038 #1-47062671264440] INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1604964372325" for 192.168.1.1 at 2020-11-10 07:26:29 +0000 I, [2020-11-10T07:26:29.742125 #1-47062671264440] INFO -- : Processing by Integration::LdapController#job_start_index as JSON I, [2020-11-10T07:26:29.742220 #1-47062671264440] INFO -- : Parameters: {"_"=>"1604964372325"} I, [2020-11-10T07:26:29.757503 #1-47062671264440] INFO -- : Completed 200 OK in 15ms (Views: 0.2ms | ActiveRecord: 6.2ms) I, [2020-11-10T07:26:34.664872 #1-47062671263740] INFO -- : Started GET "/api/v1/http_logs/ldap?limit=50&_=1604964372326" for 192.168.1.1 at 2020-11-10 07:26:34 +0000 I, [2020-11-10T07:26:34.672842 #1-47062671263740] INFO -- : Processing by HttpLogsController#index as JSON I, [2020-11-10T07:26:34.672950 #1-47062671263740] INFO -- : Parameters: {"limit"=>"50", "_"=>"1604964372326", "facility"=>"ldap"} I, [2020-11-10T07:26:34.688943 #1-47062671263740] INFO -- : Completed 200 OK in 16ms (Views: 0.8ms | ActiveRecord: 5.3ms) I, [2020-11-10T07:26:34.772524 #1-47062671264180] INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1604964372327" for 192.168.1.1 at 2020-11-10 07:26:34 +0000 I, [2020-11-10T07:26:34.776558 #1-47062671264180] INFO -- : Processing by Integration::LdapController#job_start_index as JSON I, [2020-11-10T07:26:34.776625 #1-47062671264180] INFO -- : Parameters: {"_"=>"1604964372327"} I, [2020-11-10T07:26:34.807953 #1-47062671264180] INFO -- : Completed 200 OK in 31ms (Views: 0.3ms | ActiveRecord: 3.7ms) I, [2020-11-10T07:26:39.821579 #1-47062671264660] INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1604964372328" for 192.168.1.1 at 2020-11-10 07:26:39 +0000 I, [2020-11-10T07:26:39.825712 #1-47062671264660] INFO -- : Processing by Integration::LdapController#job_start_index as JSON I, [2020-11-10T07:26:39.825768 #1-47062671264660] INFO -- : Parameters: {"_"=>"1604964372328"} I, [2020-11-10T07:26:39.836942 #1-47062671264660] INFO -- : Completed 200 OK in 11ms (Views: 0.2ms | ActiveRecord: 3.7ms) I, [2020-11-10T07:26:44.858579 #1-47062671263960] INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1604964372329" for 192.168.1.1 at 2020-11-10 07:26:44 +0000 I, [2020-11-10T07:26:44.865180 #1-47062671263960] INFO -- : Processing by Integration::LdapController#job_start_index as JSON I, [2020-11-10T07:26:44.865258 #1-47062671263960] INFO -- : Parameters: {"_"=>"1604964372329"} I, [2020-11-10T07:26:44.879850 #1-47062671263960] INFO -- : Completed 200 OK in 14ms (Views: 0.3ms | ActiveRecord: 3.8ms) I, [2020-11-10T07:26:45.223471 #1-47062671264440] INFO -- : Started GET "/api/v1/cti/log?_=1604964372330" for 192.168.1.1 at 2020-11-10 07:26:45 +0000 I, [2020-11-10T07:26:45.230530 #1-47062671264440] INFO -- : Processing by CtiController#index as JSON I, [2020-11-10T07:26:45.230800 #1-47062671264440] INFO -- : Parameters: {"_"=>"1604964372330"} I, [2020-11-10T07:26:45.236979 #1-47062671263740] INFO -- : Started GET "/api/v1/tickets/21?all=true&_=1604964372331" for 192.168.1.1 at 2020-11-10 07:26:45 +0000 I, [2020-11-10T07:26:45.239919 #1-47062671264180] INFO -- : Started GET "/api/v1/tickets/20?all=true&_=1604964372332" for 192.168.1.1 at 2020-11-10 07:26:45 +0000 I, [2020-11-10T07:26:45.243890 #1-47062671263740] INFO -- : Processing by TicketsController#show as JSON I, [2020-11-10T07:26:45.243983 #1-47062671263740] INFO -- : Parameters: {"all"=>"true", "_"=>"1604964372331", "id"=>"21"} I, [2020-11-10T07:26:45.247236 #1-47062671264180] INFO -- : Processing by TicketsController#show as JSON I, [2020-11-10T07:26:45.248319 #1-47062671264180] INFO -- : Parameters: {"all"=>"true", "_"=>"1604964372332", "id"=>"20"} I, [2020-11-10T07:26:45.270973 #1-47062671264440] INFO -- : Completed 200 OK in 40ms (Views: 4.0ms | ActiveRecord: 17.2ms) I, [2020-11-10T07:26:45.426648 #1-47062671264180] INFO -- : Completed 200 OK in 177ms (Views: 4.2ms | ActiveRecord: 42.8ms) I, [2020-11-10T07:26:45.436901 #1-47062671263740] INFO -- : Completed 200 OK in 193ms (Views: 4.1ms | ActiveRecord: 78.8ms) I, [2020-11-10T07:26:48.415848 #1-47062671264660] INFO -- : Started GET "/api/v1/online_notifications/?full=true&_=1604964372333" for 192.168.1.1 at 2020-11-10 07:26:48 +0000 I, [2020-11-10T07:26:48.424311 #1-47062671264660] INFO -- : Processing by OnlineNotificationsController#index as JSON I, [2020-11-10T07:26:48.424422 #1-47062671264660] INFO -- : Parameters: {"full"=>"true", "_"=>"1604964372333"} I, [2020-11-10T07:26:48.453718 #1-47062671264660] INFO -- : Completed 200 OK in 29ms (Views: 5.2ms | ActiveRecord: 3.2ms) I, [2020-11-10T07:26:49.902921 #1-47062671263960] INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1604964372334" for 192.168.1.1 at 2020-11-10 07:26:49 +0000 I, [2020-11-10T07:26:49.910724 #1-47062671263960] INFO -- : Processing by Integration::LdapController#job_start_index as JSON I, [2020-11-10T07:26:49.910817 #1-47062671263960] INFO -- : Parameters: {"_"=>"1604964372334"} I, [2020-11-10T07:26:49.924187 #1-47062671263960] INFO -- : Completed 200 OK in 13ms (Views: 0.3ms | ActiveRecord: 5.0ms) I, [2020-11-10T07:26:54.711817 #1-47062671264440] INFO -- : Started GET "/api/v1/http_logs/ldap?limit=50&_=1604964372335" for 192.168.1.1 at 2020-11-10 07:26:54 +0000 I, [2020-11-10T07:26:54.719288 #1-47062671264440] INFO -- : Processing by HttpLogsController#index as JSON I, [2020-11-10T07:26:54.719395 #1-47062671264440] INFO -- : Parameters: {"limit"=>"50", "_"=>"1604964372335", "facility"=>"ldap"} I, [2020-11-10T07:26:54.732130 #1-47062671264440] INFO -- : Completed 200 OK in 13ms (Views: 0.4ms | ActiveRecord: 4.7ms) I, [2020-11-10T07:26:54.945950 #1-47062671264180] INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1604964372336" for 192.168.1.1 at 2020-11-10 07:26:54 +0000 I, [2020-11-10T07:26:54.950197 #1-47062671264180] INFO -- : Processing by Integration::LdapController#job_start_index as JSON I, [2020-11-10T07:26:54.950258 #1-47062671264180] INFO -- : Parameters: {"_"=>"1604964372336"} I, [2020-11-10T07:26:54.960146 #1-47062671264180] INFO -- : Completed 200 OK in 10ms (Views: 0.3ms | ActiveRecord: 2.7ms) I, [2020-11-10T07:26:59.975791 #1-47062671263740] INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1604964372337" for 192.168.1.1 at 2020-11-10 07:26:59 +0000 I, [2020-11-10T07:26:59.983301 #1-47062671263740] INFO -- : Processing by Integration::LdapController#job_start_index as JSON I, [2020-11-10T07:26:59.983442 #1-47062671263740] INFO -- : Parameters: {"_"=>"1604964372337"} I, [2020-11-10T07:26:59.996624 #1-47062671263740] INFO -- : Completed 200 OK in 13ms (Views: 0.2ms | ActiveRecord: 3.1ms) I, [2020-11-10T07:27:05.017519 #1-47062671264660] INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1604964372338" for 192.168.1.1 at 2020-11-10 07:27:05 +0000 I, [2020-11-10T07:27:05.025083 #1-47062671264660] INFO -- : Processing by Integration::LdapController#job_start_index as JSON I, [2020-11-10T07:27:05.025179 #1-47062671264660] INFO -- : Parameters: {"_"=>"1604964372338"} I, [2020-11-10T07:27:05.039206 #1-47062671264660] INFO -- : Completed 200 OK in 14ms (Views: 0.2ms | ActiveRecord: 4.4ms) I, [2020-11-10T07:27:10.058358 #1-47062671263960] INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1604964372339" for 192.168.1.1 at 2020-11-10 07:27:10 +0000 I, [2020-11-10T07:27:10.064926 #1-47062671263960] INFO -- : Processing by Integration::LdapController#job_start_index as JSON I, [2020-11-10T07:27:10.065004 #1-47062671263960] INFO -- : Parameters: {"_"=>"1604964372339"} I, [2020-11-10T07:27:10.083627 #1-47062671263960] INFO -- : Completed 200 OK in 19ms (Views: 0.3ms | ActiveRecord: 8.8ms) I, [2020-11-10T07:27:14.757515 #1-47062671264440] INFO -- : Started GET "/api/v1/http_logs/ldap?limit=50&_=1604964372340" for 192.168.1.1 at 2020-11-10 07:27:14 +0000 I, [2020-11-10T07:27:14.764395 #1-47062671264440] INFO -- : Processing by HttpLogsController#index as JSON I, [2020-11-10T07:27:14.764479 #1-47062671264440] INFO -- : Parameters: {"limit"=>"50", "_"=>"1604964372340", "facility"=>"ldap"} I, [2020-11-10T07:27:14.777137 #1-47062671264440] INFO -- : Completed 200 OK in 13ms (Views: 0.5ms | ActiveRecord: 3.1ms) I, [2020-11-10T07:27:15.100115 #1-47062671264180] INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1604964372341" for 192.168.1.1 at 2020-11-10 07:27:15 +0000 I, [2020-11-10T07:27:15.104148 #1-47062671264180] INFO -- : Processing by Integration::LdapController#job_start_index as JSON I, [2020-11-10T07:27:15.104207 #1-47062671264180] INFO -- : Parameters: {"_"=>"1604964372341"} I, [2020-11-10T07:27:15.114061 #1-47062671264180] INFO -- : Completed 200 OK in 10ms (Views: 0.3ms | ActiveRecord: 2.8ms) I, [2020-11-10T07:27:20.130546 #1-47062671263740] INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1604964372342" for 192.168.1.1 at 2020-11-10 07:27:20 +0000 I, [2020-11-10T07:27:20.136704 #1-47062671263740] INFO -- : Processing by Integration::LdapController#job_start_index as JSON I, [2020-11-10T07:27:20.136788 #1-47062671263740] INFO -- : Parameters: {"_"=>"1604964372342"} I, [2020-11-10T07:27:20.152003 #1-47062671263740] INFO -- : Completed 200 OK in 15ms (Views: 0.5ms | ActiveRecord: 4.4ms) `

Hi there!

this does not seem like a Zammad problem but a network problem…
Your Zammad server cannot reach your LDAP server.
Are there any firewalls inbetween? If so, please check your rules…
After Zammad checks that the LDAP server is reachable, it will ask you for LDAP credentials to bind th the server.
LDAP integration works flawlessly, believe me.

Best,
Martin

Hi there,

This really does seem like a server-related issue.

Please try the following:

Replace ldap.example.com with your own LDAP server and run openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect ldap.example.com:636

Also, try to run nc -vz ldap.example.com 636.

Please let me know the results.

openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect ldap.mydomain.de:636
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = ldap.mydomain.de
verify return:1
---
Certificate chain
 0 s:CN = ldap.mydomain.de
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFTzCCBDegAwIBAgISBFyAtEAX/yHRAYnQmvGsqJ3VOrfSOhGBYJO5TEJfQ9Fx
NQYSrkLIcUt1Nd5mhbc6BsEg3kwLaieO++POyRktqk9DU+e9m2XLM9sTV5oZ/CI/
4EuYG+FuVi1SsimIloO1aCKW8A==
-----END CERTIFICATE-----
subject=CN = ldap.mydomain.de

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3051 bytes and written 430 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 6D6361F90E59D2C851DCE27FCADC833F9FEA36581ADB9EC7100A638187FF1F9F
    Session-ID-ctx:
    Master-Key: 9910F2B659AE0D0F4F910C5E5DAE55053B0A71B7D5CCDA22723F62DE27F522D7532840E6CF8BC8B365322C613FC801A4
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1605127027
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

nc -vz ldap.mydomain.de 636
Connection to ldap.mydomain.de 636 port [tcp/ldaps] succeeded!

Like i wrote, i have several other services successfully authenticating to that LDAP server.

So, i reconfigured the docker containers to be in the same user defined network so i can reach the LDAP docker locally from the zammad docker, the result is the same, no wizard.

Can’t connect to ‘ldap_ldap_1’ on port ‘389’, Can’t bind to ‘ldap_ldap_1’, 49, Invalid Credentials

Just to be absolutely sure, i moved my Nextcloud docker into the same user defined Network, and configured NC to use the local alias for the LDAP docker: Works perfectly.

Its just Zammad that says that it cannot connect to the LDAP server, but is also quite vague about whats the problem. i mean it should be either / or “Can’t connect to ‘ldap_ldap_1’ on port ‘389’, Can’t bind to ‘ldap_ldap_1’, 49, Invalid Credentials” either it cant connect or it has incorrect credentials.

A friend pointed me to this github issue:

and although from 2017, it still seems to be a valid catch22: i cannot enter LDAP authentication data in the Wizard unless i enable “Anonymous Bind” in my LDAP server. It should be the other way around though: If Anonymouse Bind is disabled, the Wizard should ask me for credentials, i cannot believe that all the LDAP users here run their servers with anonymous bind enabled??

Our LDAP server most certainly doesn’t accept Anonymous Bind and I don’t experience any issues. Maybe the impact is limited to Docker, but honestly, I don’t think that this is a bug - I believe there would have been more reports about that.

Could you try to temporarily enable Anonymous Bind on your LDAP server and then try to add it to Zammad?

After spending almost two days debugging this issue, including installing ldap-utils in the docker, running ldapsearch to my ldap server from the zammad docker bash etc. pp. i am very sure that this is either a bug in zammad OR an lets phrase it friendly “unusual” design, thats not very well documented.

You will not experience or find out about this behaviour unless you try to first setup the LDAP integration, you wont encounter problems with exisiting configs, since you have your credentials already saved. The behaviour is this:

  1. Connect to a LDAP server with anonymous bind disabled: error message, no chance to manually enter credentials
  2. Connect to a LDAP server with anonymous bind enabled: the wizard pops up and you CAN enter credentials.

I did try it with both scenarios and i even asked a friend to double check this, he had the same results.
My guess is that this is either a regression to a bug that existed in ~2017 (there you WILL find people reporting the same errors), or it is a Docker related issue, thus so little reports.

What i am very sure of, is that it exists. Try it yourself, spin up the Zammad Docker stack and try to connect from a scratch install to your LDAP server that has anonymous bind disabled. I strongly doubt it will work.

Yeah, that really seems like a bug. I suppose it’s related to docker then, because like I said, it works for me.

I think it may be version specific. Maybe it was just (re-) introduced in 3.5 and people that had better luck already setup their LDAP credentials with an earlier version.