[horde] LDAP with TLS not working

Jeff Tipton jeff.t at mail.com
Thu Sep 15 15:46:18 UTC 2011


Hi,

I have Horde 4.0.9 installed via pear, and I'm using LDAP for authentication and for Turba. Horde itself is on a FreeBSD 7.4 jail, and it connects to an OpenLDAP 2.4 server which is on the host. LDAP communication in Horde is working as long as I don't try to enable TLS. ldapsearch with "-ZZ" parameter also works from the jail Horde is in. Paths to OpenSSL binary and CAcert file are registered in Horde's configuration. The certificate is self-signed.

When I try to enable TLS for LDAP, the page displays an error:

A fatal error has occurred

TLS not started: Connect error

 1. Horde_Registry::appInit() /usr/local/www/horde/admin/config/index.php:15
 2. Horde_Registry->pushApp() /usr/local/share/pear/Horde/Registry.php:245
 3. Horde_Registry->checkExistingAuth() /usr/local/share/pear/Horde/Registry.php:1297
 4. Horde_Core_Factory_Auth->create() /usr/local/share/pear/Horde/Registry.php:2250
 5. Horde_Core_Factory_Auth->_create() /usr/local/share/pear/Horde/Core/Factory/Auth.php:61
 6. Horde_Core_Factory_Ldap->create() /usr/local/share/pear/Horde/Core/Factory/Auth.php:171
 7. Horde_Ldap->__construct() /usr/local/share/pear/Horde/Core/Factory/Ldap.php:71
 8. Horde_Ldap->bind() /usr/local/share/pear/Horde/Ldap.php:138
 9. Horde_Ldap->_connect() /usr/local/share/pear/Horde/Ldap.php:226
10. Horde_Ldap->startTLS() /usr/local/share/pear/Horde/Ldap.php:319
[...]

The OpenLDAP server's log shows several successful binds without TLS, and then two unsuccessful tries at the end (here's one):

[...]
Sep 15 12:18:26 myserverhost slapd[7526]: conn=1069 fd=14 ACCEPT from IP=192.168.1.12:50630 (IP=0.0.0.0:389)
Sep 15 12:18:26 myserverhost slapd[7526]: conn=1069 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Sep 15 12:18:26 myserverhost slapd[7526]: conn=1069 op=0 SRCH attr=vendorName vendorVersion namingContexts altServer supportedExtension supportedControl supportedSASLMechanisms supportedLDAPVersion subschemaSubentry
Sep 15 12:18:26 myserverhost slapd[7526]: conn=1069 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 15 12:18:26 myserverhost slapd[7526]: conn=1069 op=1 EXT oid=1.3.6.1.4.1.1466.20037
Sep 15 12:18:26 myserverhost slapd[7526]: conn=1069 op=1 STARTTLS
Sep 15 12:18:26 myserverhost slapd[7526]: conn=1069 op=1 RESULT oid= err=0 text=
Sep 15 12:18:26 myserverhost slapd[7526]: conn=1069 fd=14 closed (TLS negotiation failure)

The portion of Horde's log that mentions TLS:

Sep 15 12:02:32 myserverjail HORDE: TLS not started: Connect error [pid 85606 on line 510 of "/usr/local/share/pear/Horde/Ldap.php"]
Sep 15 12:02:32 myserverjail HORDE:  1. Horde_Registry::appInit() /usr/local/www/horde/admin/config/index.php:15  2. Horde_Registry->pushApp() /usr/local/share/pear/Horde/Registry.php:245  3. Horde_Registry->checkExistingAuth() /usr/local/share/pear/Horde/Registry.php:1297  4. Horde_Core_Factory_Auth->create() /usr/local/share/pear/Horde/Registry.php:2250  5. Horde_Core_Factory_Auth->_create() /usr/local/share/pear/Horde/Core/Factory/Auth.php:61  6. Horde_Core_Factory_Ldap->create() /usr/local/share/pear/Horde/Core/Factory/Auth.php:171  7. Horde_Ldap->__construct() /usr/local/share/pear/Horde/Core/Factory/Ldap.php:71  8. Horde_Ldap->bind() /usr/local/share/pear/Horde/Ldap.php:138  9. Horde_Ldap->_connect() /usr/local/share/pear/Horde/Ldap.php:226 10. Horde_Ldap->startTLS() /usr/local/share/pear/Horde/Ldap.php:319
Sep 15 12:02:32 myserverjail HORDE: Max memory usage: 8388608 bytes [pid 85606 on line 474 of "/usr/local/share/pear/Horde/Registry.php"]
 

Here's a part of my Horde's main conf.php:

$conf['vhosts'] = false;
$conf['debug_level'] = E_ALL & ~E_NOTICE;
$conf['max_exec_time'] = 0;
$conf['compress_pages'] = true;
$conf['secret_key'] = '4e55fbdf-348c-4b51-aad0-2c01c0a8070c';
$conf['umask'] = 077;
$conf['testdisable'] = true;
$conf['use_ssl'] = 1;
$conf['server']['name'] = $_SERVER['SERVER_NAME'];
$conf['urls']['token_lifetime'] = 30;
$conf['urls']['hmac_lifetime'] = 30;
$conf['urls']['pretty'] = false;
$conf['safe_ips'] = array();
$conf['session']['name'] = 'Horde';
$conf['session']['use_only_cookies'] = true;
$conf['session']['cache_limiter'] = 'nocache';
$conf['session']['timeout'] = 0;
$conf['cookie']['domain'] = $_SERVER['SERVER_NAME'];
$conf['cookie']['path'] = '/';
$conf['sql']['username'] = 'hordeuser';
$conf['sql']['password'] = 'hordesecret';
$conf['sql']['hostspec'] = 'localhost';
$conf['sql']['port'] = 3306;
$conf['sql']['protocol'] = 'tcp';
$conf['sql']['database'] = 'horde_db';
$conf['sql']['charset'] = 'utf-8';
$conf['sql']['ssl'] = false;
$conf['sql']['splitread'] = false;
$conf['sql']['phptype'] = 'mysqli';
$conf['ldap']['hostspec'] = '192.168.1.10';
$conf['ldap']['tls'] = true;
$conf['ldap']['version'] = 3;
$conf['ldap']['binddn'] = 'cn=horde,ou=DSA,dc=mycompany,dc=tld';
$conf['ldap']['bindpw'] = 'hordesecret';
$conf['ldap']['bindas'] = 'admin';
$conf['ldap']['useldap'] = true;
$conf['auth']['admins'] = array('Administrator', 'admin');
$conf['auth']['checkip'] = false;
$conf['auth']['checkbrowser'] = false;
$conf['auth']['alternate_login'] = false;
$conf['auth']['redirect_on_logout'] = false;
$conf['auth']['list_users'] = 'input';
$conf['auth']['params']['basedn'] = 'ou=users,ou=horde,dc=mycompany,dc=tld';
$conf['auth']['params']['scope'] = 'sub';
$conf['auth']['params']['ad'] = false;
$conf['auth']['params']['uid'] = 'uid';
$conf['auth']['params']['encryption'] = 'ssha';
$conf['auth']['params']['newuser_objectclass'] = array('shadowAccount', 'inetOrgPerson');
$conf['auth']['params']['filter'] = '(objectclass=shadowAccount)';
$conf['auth']['params']['password_expiration'] = 'no';
$conf['auth']['params']['driverconfig'] = 'horde';
$conf['auth']['driver'] = 'ldap';
$conf['auth']['params']['count_bad_logins'] = false;
$conf['auth']['params']['login_block'] = false;
$conf['auth']['params']['login_block_count'] = 5;
$conf['auth']['params']['login_block_time'] = 5;
$conf['signup']['allow'] = false;
$conf['log']['priority'] = 'DEBUG';
$conf['log']['ident'] = 'HORDE';
$conf['log']['name'] = LOG_USER;
$conf['log']['type'] = 'syslog';
$conf['log']['enabled'] = true;
$conf['log_accesskeys'] = true;
[...]

I also tried to google but didn't find a similar case.

Does anyone know how to trace or solve this?

Thanks
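The slapd log above shows the STARTTLS extended operation being accepted (op=1 RESULT err=0) and the connection then closing with "TLS negotiation failure", so the LDAP layer is fine and the handshake itself fails. On the client side, PHP's ldap extension does not take its CA settings from Horde's conf.php; it uses libldap, which reads TLS_CACERT from ldap.conf, the user's .ldaprc, or the LDAPTLS_* environment, and the web server user (www on FreeBSD) may not see the same files or environment as the shell in which ldapsearch -ZZ succeeded. The script below is an added example, not code from the post or from Horde, that reproduces the STARTTLS step with the same extension Horde uses and prints libldap's diagnostic message; the host is the one from the posted conf.php, and the CA file path is an assumption to be adjusted.

```php
<?php
// Added example (not part of the original post): minimal STARTTLS check
// using PHP's ldap extension, i.e. the same libldap path Horde_Ldap uses.

$host   = '192.168.1.10';                        // from the posted conf.php
$cacert = '/usr/local/etc/openldap/cacert.pem';  // ASSUMPTION: adjust to your CA file

// libldap honours this environment variable in addition to ldap.conf/.ldaprc.
// Setting it here makes the test independent of which ldap.conf the
// web-server user can actually read.
putenv("LDAPTLS_CACERT=$cacert");

// Diagnostic switch only: if STARTTLS succeeds with this line enabled,
// the failure is certificate verification. Never leave it on in production,
// as it disables server authentication entirely.
// putenv('LDAPTLS_REQCERT=never');

$ds = ldap_connect("ldap://$host:389");
if ($ds === false) {
    fwrite(STDERR, "ldap_connect(): malformed URI\n");
    exit(1);
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

if (!@ldap_start_tls($ds)) {
    // "Connect error" is all Horde reports; libldap's diagnostic message
    // usually carries the underlying OpenSSL reason (e.g. verify failure).
    $diag = '';
    if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    }
    fwrite(STDERR, sprintf("STARTTLS failed: %s (errno %d) %s\n",
        ldap_error($ds), ldap_errno($ds), $diag));
    exit(2);
}

echo "STARTTLS OK with CA file $cacert\n";
ldap_unbind($ds);
```

Run it once from your own shell and once as the web-server user (for example `su -m www -c 'php /tmp/starttls-check.php'` on FreeBSD): if the first succeeds and the second fails, the difference is in what libldap can read as that user (TLS_CACERT path, file permissions in the jail, or a missing ldap.conf), not in Horde. If both fail even with LDAPTLS_REQCERT=never, the handshake problem is on the server side (key/certificate files or TLS settings in slapd.conf) rather than in certificate verification.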

