LDAP setup fails / Invalid Credentials

tilllt · November 10, 2020, 7:24am

Infos:

Used Zammad version: 3.5.x
Used Zammad installation source: production docker
Operating system: Debian 10
Browser + version: Any

Expected behavior:

Adding a valid LDAP url starts “Wizard” where i can enter LDAP credentials

Actual behavior:

Enable LDAP integration. Add your LDAP Server
Wizard does not appear. Zammad complains (rightfully so) about wrong credentials, which i never had the chance to enter.
Error messages pops up: “Can’t connect to ‘ldap.example.com’ on port ‘636’, Can’t bind to ‘ldap.example.com’, 49, Invalid Credentials”

Steps to reproduce the behavior:

Enable LDAP integration. Add your LDAP Server
Can’t connect to ‘ldap.example.com’ on port ‘636’, Can’t bind to ‘ldap.example.com’, 49, Invalid Credentials

There are several apps authenticating to the same LDAP server. Also i confirmed its working and reachable using ldapsearch from the CLI.

LOG from zammad railsserver docker

` E, [2020-11-10T07:26:29.106421 #1-47062671263960] ERROR -- : Can't connect to 'ldap.example.com' on port '636', Can't bind to 'ldap.example.com', 49, Invalid Credentials (Exceptions::UnprocessableEntity) /opt/zammad/lib/ldap.rb:142:in `rescue in binded_connection' /opt/zammad/lib/ldap.rb:127:in `binded_connection' /opt/zammad/lib/ldap.rb:121:in `connection' /opt/zammad/lib/ldap.rb:39:in `initialize' /opt/zammad/app/controllers/integration/ldap_controller.rb:14:in `new' /opt/zammad/app/controllers/integration/ldap_controller.rb:14:in `block in discover' /opt/zammad/app/controllers/concerns/integration/import_job_base.rb:43:in `answer_with' /opt/zammad/app/controllers/integration/ldap_controller.rb:12:in `discover' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal/basic_implicit_render.rb:6:in `send_action' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/abstract_controller/base.rb:194:in `process_action' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal/rendering.rb:30:in `process_action' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/abstract_controller/callbacks.rb:42:in `block in process_action' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:109:in `block in run_callbacks' /opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:18:in `block (4 levels) in ' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/notifications.rb:180:in `subscribed' /opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:17:in `block (3 levels) in ' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/notifications.rb:180:in `subscribed' /opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:16:in `block (2 levels) in ' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:118:in `instance_exec' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:118:in `block in run_callbacks' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:136:in `run_callbacks' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/abstract_controller/callbacks.rb:41:in `process_action' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal/rescue.rb:22:in `process_action' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal/instrumentation.rb:34:in `block in process_action' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/notifications.rb:168:in `block in instrument' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/notifications/instrumenter.rb:23:in `instrument' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/notifications.rb:168:in `instrument' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal/instrumentation.rb:32:in `process_action' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal/params_wrapper.rb:256:in `process_action' /usr/local/bundle/gems/activerecord-5.2.4.4/lib/active_record/railties/controller_runtime.rb:24:in `process_action' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/abstract_controller/base.rb:134:in `process' /usr/local/bundle/gems/actionview-5.2.4.4/lib/action_view/rendering.rb:32:in `process' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal.rb:191:in `dispatch' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal.rb:252:in `dispatch' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/route_set.rb:52:in `dispatch' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/route_set.rb:34:in `serve' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/journey/router.rb:52:in `block in serve' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/journey/router.rb:35:in `each' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/journey/router.rb:35:in `serve' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/route_set.rb:840:in `call' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:420:in `call_app!' /usr/local/bundle/gems/omniauth-saml-1.10.1/lib/omniauth/strategies/saml.rb:89:in `other_phase' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:190:in `call!' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:169:in `call' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:192:in `call!' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:169:in `call' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:192:in `call!' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:169:in `call' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:192:in `call!' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:169:in `call' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:192:in `call!' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:169:in `call' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:192:in `call!' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:169:in `call' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:192:in `call!' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:169:in `call' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:192:in `call!' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:169:in `call' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:192:in `call!' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:169:in `call' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:192:in `call!' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:169:in `call' /usr/local/bundle/gems/omniauth-1.9.0/lib/omniauth/builder.rb:64:in `call' /usr/local/bundle/gems/rack-2.2.3/lib/rack/tempfile_reaper.rb:15:in `call' /usr/local/bundle/gems/rack-2.2.3/lib/rack/etag.rb:27:in `call' /usr/local/bundle/gems/rack-2.2.3/lib/rack/conditional_get.rb:40:in `call' /usr/local/bundle/gems/rack-2.2.3/lib/rack/head.rb:12:in `call' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/http/content_security_policy.rb:18:in `call' /usr/local/bundle/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:266:in `context' /usr/local/bundle/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:260:in `call' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/cookies.rb:670:in `call' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/callbacks.rb:28:in `block in call' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:98:in `run_callbacks' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/callbacks.rb:26:in `call' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/debug_exceptions.rb:61:in `call' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/show_exceptions.rb:33:in `call' /usr/local/bundle/gems/railties-5.2.4.4/lib/rails/rack/logger.rb:38:in `call_app' /usr/local/bundle/gems/railties-5.2.4.4/lib/rails/rack/logger.rb:28:in `call' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/remote_ip.rb:81:in `call' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/request_id.rb:27:in `call' /usr/local/bundle/gems/rack-2.2.3/lib/rack/method_override.rb:24:in `call' /usr/local/bundle/gems/rack-2.2.3/lib/rack/runtime.rb:22:in `call' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/executor.rb:14:in `call' /usr/local/bundle/gems/rack-2.2.3/lib/rack/sendfile.rb:110:in `call' /usr/local/bundle/gems/railties-5.2.4.4/lib/rails/engine.rb:524:in `call' /usr/local/bundle/gems/puma-3.12.6/lib/puma/configuration.rb:227:in `call' /usr/local/bundle/gems/puma-3.12.6/lib/puma/server.rb:706:in `handle_request' /usr/local/bundle/gems/puma-3.12.6/lib/puma/server.rb:476:in `process_client' /usr/local/bundle/gems/puma-3.12.6/lib/puma/server.rb:334:in `block in run' /usr/local/bundle/gems/puma-3.12.6/lib/puma/thread_pool.rb:135:in `block in spawn_thread' /usr/local/bundle/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context' I, [2020-11-10T07:26:29.109096 #1-47062671263960] INFO -- : Completed 200 OK in 128ms (Views: 0.2ms | ActiveRecord: 13.6ms) I, [2020-11-10T07:26:29.735038 #1-47062671264440] INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1604964372325" for 192.168.1.1 at 2020-11-10 07:26:29 +0000 I, [2020-11-10T07:26:29.742125 #1-47062671264440] INFO -- : Processing by Integration::LdapController#job_start_index as JSON I, [2020-11-10T07:26:29.742220 #1-47062671264440] INFO -- : Parameters: {"_"=>"1604964372325"} I, [2020-11-10T07:26:29.757503 #1-47062671264440] INFO -- : Completed 200 OK in 15ms (Views: 0.2ms | ActiveRecord: 6.2ms) I, [2020-11-10T07:26:34.664872 #1-47062671263740] INFO -- : Started GET "/api/v1/http_logs/ldap?limit=50&_=1604964372326" for 192.168.1.1 at 2020-11-10 07:26:34 +0000 I, [2020-11-10T07:26:34.672842 #1-47062671263740] INFO -- : Processing by HttpLogsController#index as JSON I, [2020-11-10T07:26:34.672950 #1-47062671263740] INFO -- : Parameters: {"limit"=>"50", "_"=>"1604964372326", "facility"=>"ldap"} I, [2020-11-10T07:26:34.688943 #1-47062671263740] INFO -- : Completed 200 OK in 16ms (Views: 0.8ms | ActiveRecord: 5.3ms) I, [2020-11-10T07:26:34.772524 #1-47062671264180] INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1604964372327" for 192.168.1.1 at 2020-11-10 07:26:34 +0000 I, [2020-11-10T07:26:34.776558 #1-47062671264180] INFO -- : Processing by Integration::LdapController#job_start_index as JSON I, [2020-11-10T07:26:34.776625 #1-47062671264180] INFO -- : Parameters: {"_"=>"1604964372327"} I, [2020-11-10T07:26:34.807953 #1-47062671264180] INFO -- : Completed 200 OK in 31ms (Views: 0.3ms | ActiveRecord: 3.7ms) I, [2020-11-10T07:26:39.821579 #1-47062671264660] INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1604964372328" for 192.168.1.1 at 2020-11-10 07:26:39 +0000 I, [2020-11-10T07:26:39.825712 #1-47062671264660] INFO -- : Processing by Integration::LdapController#job_start_index as JSON I, [2020-11-10T07:26:39.825768 #1-47062671264660] INFO -- : Parameters: {"_"=>"1604964372328"} I, [2020-11-10T07:26:39.836942 #1-47062671264660] INFO -- : Completed 200 OK in 11ms (Views: 0.2ms | ActiveRecord: 3.7ms) I, [2020-11-10T07:26:44.858579 #1-47062671263960] INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1604964372329" for 192.168.1.1 at 2020-11-10 07:26:44 +0000 I, [2020-11-10T07:26:44.865180 #1-47062671263960] INFO -- : Processing by Integration::LdapController#job_start_index as JSON I, [2020-11-10T07:26:44.865258 #1-47062671263960] INFO -- : Parameters: {"_"=>"1604964372329"} I, [2020-11-10T07:26:44.879850 #1-47062671263960] INFO -- : Completed 200 OK in 14ms (Views: 0.3ms | ActiveRecord: 3.8ms) I, [2020-11-10T07:26:45.223471 #1-47062671264440] INFO -- : Started GET "/api/v1/cti/log?_=1604964372330" for 192.168.1.1 at 2020-11-10 07:26:45 +0000 I, [2020-11-10T07:26:45.230530 #1-47062671264440] INFO -- : Processing by CtiController#index as JSON I, [2020-11-10T07:26:45.230800 #1-47062671264440] INFO -- : Parameters: {"_"=>"1604964372330"} I, [2020-11-10T07:26:45.236979 #1-47062671263740] INFO -- : Started GET "/api/v1/tickets/21?all=true&_=1604964372331" for 192.168.1.1 at 2020-11-10 07:26:45 +0000 I, [2020-11-10T07:26:45.239919 #1-47062671264180] INFO -- : Started GET "/api/v1/tickets/20?all=true&_=1604964372332" for 192.168.1.1 at 2020-11-10 07:26:45 +0000 I, [2020-11-10T07:26:45.243890 #1-47062671263740] INFO -- : Processing by TicketsController#show as JSON I, [2020-11-10T07:26:45.243983 #1-47062671263740] INFO -- : Parameters: {"all"=>"true", "_"=>"1604964372331", "id"=>"21"} I, [2020-11-10T07:26:45.247236 #1-47062671264180] INFO -- : Processing by TicketsController#show as JSON I, [2020-11-10T07:26:45.248319 #1-47062671264180] INFO -- : Parameters: {"all"=>"true", "_"=>"1604964372332", "id"=>"20"} I, [2020-11-10T07:26:45.270973 #1-47062671264440] INFO -- : Completed 200 OK in 40ms (Views: 4.0ms | ActiveRecord: 17.2ms) I, [2020-11-10T07:26:45.426648 #1-47062671264180] INFO -- : Completed 200 OK in 177ms (Views: 4.2ms | ActiveRecord: 42.8ms) I, [2020-11-10T07:26:45.436901 #1-47062671263740] INFO -- : Completed 200 OK in 193ms (Views: 4.1ms | ActiveRecord: 78.8ms) I, [2020-11-10T07:26:48.415848 #1-47062671264660] INFO -- : Started GET "/api/v1/online_notifications/?full=true&_=1604964372333" for 192.168.1.1 at 2020-11-10 07:26:48 +0000 I, [2020-11-10T07:26:48.424311 #1-47062671264660] INFO -- : Processing by OnlineNotificationsController#index as JSON I, [2020-11-10T07:26:48.424422 #1-47062671264660] INFO -- : Parameters: {"full"=>"true", "_"=>"1604964372333"} I, [2020-11-10T07:26:48.453718 #1-47062671264660] INFO -- : Completed 200 OK in 29ms (Views: 5.2ms | ActiveRecord: 3.2ms) I, [2020-11-10T07:26:49.902921 #1-47062671263960] INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1604964372334" for 192.168.1.1 at 2020-11-10 07:26:49 +0000 I, [2020-11-10T07:26:49.910724 #1-47062671263960] INFO -- : Processing by Integration::LdapController#job_start_index as JSON I, [2020-11-10T07:26:49.910817 #1-47062671263960] INFO -- : Parameters: {"_"=>"1604964372334"} I, [2020-11-10T07:26:49.924187 #1-47062671263960] INFO -- : Completed 200 OK in 13ms (Views: 0.3ms | ActiveRecord: 5.0ms) I, [2020-11-10T07:26:54.711817 #1-47062671264440] INFO -- : Started GET "/api/v1/http_logs/ldap?limit=50&_=1604964372335" for 192.168.1.1 at 2020-11-10 07:26:54 +0000 I, [2020-11-10T07:26:54.719288 #1-47062671264440] INFO -- : Processing by HttpLogsController#index as JSON I, [2020-11-10T07:26:54.719395 #1-47062671264440] INFO -- : Parameters: {"limit"=>"50", "_"=>"1604964372335", "facility"=>"ldap"} I, [2020-11-10T07:26:54.732130 #1-47062671264440] INFO -- : Completed 200 OK in 13ms (Views: 0.4ms | ActiveRecord: 4.7ms) I, [2020-11-10T07:26:54.945950 #1-47062671264180] INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1604964372336" for 192.168.1.1 at 2020-11-10 07:26:54 +0000 I, [2020-11-10T07:26:54.950197 #1-47062671264180] INFO -- : Processing by Integration::LdapController#job_start_index as JSON I, [2020-11-10T07:26:54.950258 #1-47062671264180] INFO -- : Parameters: {"_"=>"1604964372336"} I, [2020-11-10T07:26:54.960146 #1-47062671264180] INFO -- : Completed 200 OK in 10ms (Views: 0.3ms | ActiveRecord: 2.7ms) I, [2020-11-10T07:26:59.975791 #1-47062671263740] INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1604964372337" for 192.168.1.1 at 2020-11-10 07:26:59 +0000 I, [2020-11-10T07:26:59.983301 #1-47062671263740] INFO -- : Processing by Integration::LdapController#job_start_index as JSON I, [2020-11-10T07:26:59.983442 #1-47062671263740] INFO -- : Parameters: {"_"=>"1604964372337"} I, [2020-11-10T07:26:59.996624 #1-47062671263740] INFO -- : Completed 200 OK in 13ms (Views: 0.2ms | ActiveRecord: 3.1ms) I, [2020-11-10T07:27:05.017519 #1-47062671264660] INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1604964372338" for 192.168.1.1 at 2020-11-10 07:27:05 +0000 I, [2020-11-10T07:27:05.025083 #1-47062671264660] INFO -- : Processing by Integration::LdapController#job_start_index as JSON I, [2020-11-10T07:27:05.025179 #1-47062671264660] INFO -- : Parameters: {"_"=>"1604964372338"} I, [2020-11-10T07:27:05.039206 #1-47062671264660] INFO -- : Completed 200 OK in 14ms (Views: 0.2ms | ActiveRecord: 4.4ms) I, [2020-11-10T07:27:10.058358 #1-47062671263960] INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1604964372339" for 192.168.1.1 at 2020-11-10 07:27:10 +0000 I, [2020-11-10T07:27:10.064926 #1-47062671263960] INFO -- : Processing by Integration::LdapController#job_start_index as JSON I, [2020-11-10T07:27:10.065004 #1-47062671263960] INFO -- : Parameters: {"_"=>"1604964372339"} I, [2020-11-10T07:27:10.083627 #1-47062671263960] INFO -- : Completed 200 OK in 19ms (Views: 0.3ms | ActiveRecord: 8.8ms) I, [2020-11-10T07:27:14.757515 #1-47062671264440] INFO -- : Started GET "/api/v1/http_logs/ldap?limit=50&_=1604964372340" for 192.168.1.1 at 2020-11-10 07:27:14 +0000 I, [2020-11-10T07:27:14.764395 #1-47062671264440] INFO -- : Processing by HttpLogsController#index as JSON I, [2020-11-10T07:27:14.764479 #1-47062671264440] INFO -- : Parameters: {"limit"=>"50", "_"=>"1604964372340", "facility"=>"ldap"} I, [2020-11-10T07:27:14.777137 #1-47062671264440] INFO -- : Completed 200 OK in 13ms (Views: 0.5ms | ActiveRecord: 3.1ms) I, [2020-11-10T07:27:15.100115 #1-47062671264180] INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1604964372341" for 192.168.1.1 at 2020-11-10 07:27:15 +0000 I, [2020-11-10T07:27:15.104148 #1-47062671264180] INFO -- : Processing by Integration::LdapController#job_start_index as JSON I, [2020-11-10T07:27:15.104207 #1-47062671264180] INFO -- : Parameters: {"_"=>"1604964372341"} I, [2020-11-10T07:27:15.114061 #1-47062671264180] INFO -- : Completed 200 OK in 10ms (Views: 0.3ms | ActiveRecord: 2.8ms) I, [2020-11-10T07:27:20.130546 #1-47062671263740] INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1604964372342" for 192.168.1.1 at 2020-11-10 07:27:20 +0000 I, [2020-11-10T07:27:20.136704 #1-47062671263740] INFO -- : Processing by Integration::LdapController#job_start_index as JSON I, [2020-11-10T07:27:20.136788 #1-47062671263740] INFO -- : Parameters: {"_"=>"1604964372342"} I, [2020-11-10T07:27:20.152003 #1-47062671263740] INFO -- : Completed 200 OK in 15ms (Views: 0.5ms | ActiveRecord: 4.4ms) `

rsysadmin · November 11, 2020, 6:18pm

Hi there!

this does not seem like a Zammad problem but a network problem…
Your Zammad server cannot reach your LDAP server.
Are there any firewalls inbetween? If so, please check your rules…
After Zammad checks that the LDAP server is reachable, it will ask you for LDAP credentials to bind th the server.
LDAP integration works flawlessly, believe me.

Best,
Martin

benmo · November 11, 2020, 7:21pm

Hi there,

This really does seem like a server-related issue.

Please try the following:

Replace ldap.example.com with your own LDAP server and run openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect ldap.example.com:636

Also, try to run nc -vz ldap.example.com 636.

Please let me know the results.

tilllt · November 11, 2020, 8:38pm

openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect ldap.mydomain.de:636
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = ldap.mydomain.de
verify return:1
---
Certificate chain
 0 s:CN = ldap.mydomain.de
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFTzCCBDegAwIBAgISBFyAtEAX/yHRAYnQmvGsqJ3VOrfSOhGBYJO5TEJfQ9Fx
NQYSrkLIcUt1Nd5mhbc6BsEg3kwLaieO++POyRktqk9DU+e9m2XLM9sTV5oZ/CI/
4EuYG+FuVi1SsimIloO1aCKW8A==
-----END CERTIFICATE-----
subject=CN = ldap.mydomain.de

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3051 bytes and written 430 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 6D6361F90E59D2C851DCE27FCADC833F9FEA36581ADB9EC7100A638187FF1F9F
    Session-ID-ctx:
    Master-Key: 9910F2B659AE0D0F4F910C5E5DAE55053B0A71B7D5CCDA22723F62DE27F522D7532840E6CF8BC8B365322C613FC801A4
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1605127027
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

nc -vz ldap.mydomain.de 636
Connection to ldap.mydomain.de 636 port [tcp/ldaps] succeeded!

tilllt · November 11, 2020, 8:40pm

Like i wrote, i have several other services successfully authenticating to that LDAP server.

tilllt · November 11, 2020, 8:44pm

So, i reconfigured the docker containers to be in the same user defined network so i can reach the LDAP docker locally from the zammad docker, the result is the same, no wizard.

Can’t connect to ‘ldap_ldap_1’ on port ‘389’, Can’t bind to ‘ldap_ldap_1’, 49, Invalid Credentials

tilllt · November 11, 2020, 9:10pm

Just to be absolutely sure, i moved my Nextcloud docker into the same user defined Network, and configured NC to use the local alias for the LDAP docker: Works perfectly.

Its just Zammad that says that it cannot connect to the LDAP server, but is also quite vague about whats the problem. i mean it should be either / or “Can’t connect to ‘ldap_ldap_1’ on port ‘389’, Can’t bind to ‘ldap_ldap_1’, 49, Invalid Credentials” either it cant connect or it has incorrect credentials.

tilllt · November 18, 2020, 11:08am

A friend pointed me to this github issue:

github.com/zammad/zammad

Configuration of LDAP with disabled anonymous bind fails

opened 08:44AM - 18 May 17 UTC

closed 03:49PM - 01 Jun 17 UTC

nilsrb

bug

### Infos: * Used Zammad version: zammad-1.5.0-1494013569.412fbc4.centos7.x86_64 * Used Zammad installation source: rpm * Operating system: CentOS Linux release 7.3.1611 (Core) * Browser + version: Chrome (current version) ### Expected behavior: Enabling LDAP and being able to use with anonymous binding turned off. ### Actual behavior: Can't connect to 'ldapservername' on port '636', Can't bind to 'ldapservername', 48, Inappropriate Authentication On our ldap-servers we turned off anonymous bind and now i am looking for a way to connect to our servers. I can't get to the next page because the initial bind failed with the error above. On the ldap-server-log i can see the request failing with error: "text=anonymous bind disallowed"

and although from 2017, it still seems to be a valid catch22: i cannot enter LDAP authentication data in the Wizard unless i enable “Anonymous Bind” in my LDAP server. It should be the other way around though: If Anonymouse Bind is disabled, the Wizard should ask me for credentials, i cannot believe that all the LDAP users here run their servers with anonymous bind enabled??

tilllt · November 18, 2020, 12:28pm

github.com/zammad/zammad

LDAP without anonymous bind is not possible

opened 11:20AM - 18 Nov 20 UTC

closed 06:31PM - 02 May 23 UTC

rmalchow

duplicate

### Infos: * Used Zammad version: "latest" as of today (should be zammad-3.6.…0-1) * Installation method (source, package, ..): docker compose * Operating system: host is on fedora, docker 19.03 * Database + version: pgsql, as per docker compose /w version "-latest" * Elasticsearch version: as per docker compose /w version "-latest" * Browser + version: as per docker compose /w version "-latest" this has been reported before, but i still consider this a bug. i am trying to set up LDAP in zammad with anonymous bind disabled on the ldap server. my reasoning is that it is simply a matter of asking for bind user credentials one step earlier - but the result is that it breaks the entire LDAP integration. expection LDAP servers to allow anonymous binds is also not a reasonable assumption. ### Expected behavior: * if anonymous bind fails with authentication exception (>>>error 49), ask for credentials ### Actual behavior: * error message "cannot bind, error 49", wizard essentially breaks ### Steps to reproduce the behavior: * set up zammad as per docker compose instructions, then go to integrations -> LDAP -> configure and enter URL of an LDAP server that does not allow anonymous bind.

benmo · November 18, 2020, 7:55pm

Our LDAP server most certainly doesn’t accept Anonymous Bind and I don’t experience any issues. Maybe the impact is limited to Docker, but honestly, I don’t think that this is a bug - I believe there would have been more reports about that.

Could you try to temporarily enable Anonymous Bind on your LDAP server and then try to add it to Zammad?

tilllt · November 18, 2020, 8:18pm

After spending almost two days debugging this issue, including installing ldap-utils in the docker, running ldapsearch to my ldap server from the zammad docker bash etc. pp. i am very sure that this is either a bug in zammad OR an lets phrase it friendly “unusual” design, thats not very well documented.

You will not experience or find out about this behaviour unless you try to first setup the LDAP integration, you wont encounter problems with exisiting configs, since you have your credentials already saved. The behaviour is this:

Connect to a LDAP server with anonymous bind disabled: error message, no chance to manually enter credentials
Connect to a LDAP server with anonymous bind enabled: the wizard pops up and you CAN enter credentials.

I did try it with both scenarios and i even asked a friend to double check this, he had the same results.
My guess is that this is either a regression to a bug that existed in ~2017 (there you WILL find people reporting the same errors), or it is a Docker related issue, thus so little reports.

What i am very sure of, is that it exists. Try it yourself, spin up the Zammad Docker stack and try to connect from a scratch install to your LDAP server that has anonymous bind disabled. I strongly doubt it will work.

benmo · November 18, 2020, 8:31pm

Yeah, that really seems like a bug. I suppose it’s related to docker then, because like I said, it works for me.

tilllt · November 18, 2020, 8:33pm

I think it may be version specific. Maybe it was just (re-) introduced in 3.5 and people that had better luck already setup their LDAP credentials with an earlier version.

system · March 18, 2021, 8:34pm

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.