[horde] LDAP with TLS not working

Craig White craigwhite at azapple.com
Fri Sep 16 04:37:56 UTC 2011


On Thu, 2011-09-15 at 11:46 -0400, Jeff Tipton wrote:
> Hi,
> 
> I have Horde 4.0.9 installed via pear, and I'm using LDAP for authentication and for Turba. Horde itself is on a FreeBSD 7.4 jail, and it connects to an OpenLDAP 2.4 server which is on the host. LDAP communication in Horde is working as long as I don't try to enable TLS. ldapsearch with "-ZZ" parameter also works from the jail Horde is in. Paths to OpenSSL binary and CAcert file are registered in Horde's configuration. The certificate is self-signed.
> 
> When I try to enable TLS for LDAP, the page displays an error:
> 
> A fatal error has occurred
> 
> TLS not started: Connect error
> 
>  1. Horde_Registry::appInit() /usr/local/www/horde/admin/config/index.php:15
>  2. Horde_Registry->pushApp() /usr/local/share/pear/Horde/Registry.php:245
>  3. Horde_Registry->checkExistingAuth() /usr/local/share/pear/Horde/Registry.php:1297
>  4. Horde_Core_Factory_Auth->create() /usr/local/share/pear/Horde/Registry.php:2250
>  5. Horde_Core_Factory_Auth->_create() /usr/local/share/pear/Horde/Core/Factory/Auth.php:61
>  6. Horde_Core_Factory_Ldap->create() /usr/local/share/pear/Horde/Core/Factory/Auth.php:171
>  7. Horde_Ldap->__construct() /usr/local/share/pear/Horde/Core/Factory/Ldap.php:71
>  8. Horde_Ldap->bind() /usr/local/share/pear/Horde/Ldap.php:138
>  9. Horde_Ldap->_connect() /usr/local/share/pear/Horde/Ldap.php:226
> 10. Horde_Ldap->startTLS() /usr/local/share/pear/Horde/Ldap.php:319
> [...]
> 
> The OpenLDAP server's log shows several successful binds without TLS, and then two unsuccessful tries at the end (here's one):
> 
> [...]
> Sep 15 12:18:26 myserverhost slapd[7526]: conn=1069 fd=14 ACCEPT from IP=192.168.1.12:50630 (IP=0.0.0.0:389)
> Sep 15 12:18:26 myserverhost slapd[7526]: conn=1069 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
> Sep 15 12:18:26 myserverhost slapd[7526]: conn=1069 op=0 SRCH attr=vendorName vendorVersion namingContexts altServer supportedExtension supportedControl supportedSASLMechanisms supportedLDAPVersion subschemaSubentry
> Sep 15 12:18:26 myserverhost slapd[7526]: conn=1069 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Sep 15 12:18:26 myserverhost slapd[7526]: conn=1069 op=1 EXT oid=1.3.6.1.4.1.1466.20037
> Sep 15 12:18:26 myserverhost slapd[7526]: conn=1069 op=1 STARTTLS
> Sep 15 12:18:26 myserverhost slapd[7526]: conn=1069 op=1 RESULT oid= err=0 text=
> Sep 15 12:18:26 myserverhost slapd[7526]: conn=1069 fd=14 closed (TLS negotiation failure)
> 
> The portion of Horde's log that mentions TLS:
> 
> Sep 15 12:02:32 myserverjail HORDE: TLS not started: Connect error [pid 85606 on line 510 of "/usr/local/share/pear/Horde/Ldap.php"]
> Sep 15 12:02:32 myserverjail HORDE:  1. Horde_Registry::appInit() /usr/local/www/horde/admin/config/index.php:15  2. Horde_Registry->pushApp() /usr/local/share/pear/Horde/Registry.php:245  3. Horde_Registry->checkExistingAuth() /usr/local/share/pear/Horde/Registry.php:1297  4. Horde_Core_Factory_Auth->create() /usr/local/share/pear/Horde/Registry.php:2250  5. Horde_Core_Factory_Auth->_create() /usr/local/share/pear/Horde/Core/Factory/Auth.php:61  6. Horde_Core_Factory_Ldap->create() /usr/local/share/pear/Horde/Core/Factory/Auth.php:171  7. Horde_Ldap->__construct() /usr/local/share/pear/Horde/Core/Factory/Ldap.php:71  8. Horde_Ldap->bind() /usr/local/share/pear/Horde/Ldap.php:138  9. Horde_Ldap->_connect() /usr/local/share/pear/Horde/Ldap.php:226 10. Horde_Ldap->startTLS() /usr/local/share/pear/Horde/Ldap.php:319
> Sep 15 12:02:32 myserverjail HORDE: Max memory usage: 8388608 bytes [pid 85606 on line 474 of "/usr/local/share/pear/Horde/Registry.php"]
>  
> 
> Here's a part of my Horde's main conf.php:
> 
> $conf['vhosts'] = false;
> $conf['debug_level'] = E_ALL & ~E_NOTICE;
> $conf['max_exec_time'] = 0;
> $conf['compress_pages'] = true;
> $conf['secret_key'] = '4e55fbdf-348c-4b51-aad0-2c01c0a8070c';
> $conf['umask'] = 077;
> $conf['testdisable'] = true;
> $conf['use_ssl'] = 1;
> $conf['server']['name'] = $_SERVER['SERVER_NAME'];
> $conf['urls']['token_lifetime'] = 30;
> $conf['urls']['hmac_lifetime'] = 30;
> $conf['urls']['pretty'] = false;
> $conf['safe_ips'] = array();
> $conf['session']['name'] = 'Horde';
> $conf['session']['use_only_cookies'] = true;
> $conf['session']['cache_limiter'] = 'nocache';
> $conf['session']['timeout'] = 0;
> $conf['cookie']['domain'] = $_SERVER['SERVER_NAME'];
> $conf['cookie']['path'] = '/';
> $conf['sql']['username'] = 'hordeuser';
> $conf['sql']['password'] = 'hordesecret';
> $conf['sql']['hostspec'] = 'localhost';
> $conf['sql']['port'] = 3306;
> $conf['sql']['protocol'] = 'tcp';
> $conf['sql']['database'] = 'horde_db';
> $conf['sql']['charset'] = 'utf-8';
> $conf['sql']['ssl'] = false;
> $conf['sql']['splitread'] = false;
> $conf['sql']['phptype'] = 'mysqli';
> $conf['ldap']['hostspec'] = '192.168.1.10';
> $conf['ldap']['tls'] = true;
> $conf['ldap']['version'] = 3;
> $conf['ldap']['binddn'] = 'cn=horde,ou=DSA,dc=mycompany,dc=tld';
> $conf['ldap']['bindpw'] = 'hordesecret';
> $conf['ldap']['bindas'] = 'admin';
> $conf['ldap']['useldap'] = true;
> $conf['auth']['admins'] = array('Administrator', 'admin');
> $conf['auth']['checkip'] = false;
> $conf['auth']['checkbrowser'] = false;
> $conf['auth']['alternate_login'] = false;
> $conf['auth']['redirect_on_logout'] = false;
> $conf['auth']['list_users'] = 'input';
> $conf['auth']['params']['basedn'] = 'ou=users,ou=horde,dc=mycompany,dc=tld';
> $conf['auth']['params']['scope'] = 'sub';
> $conf['auth']['params']['ad'] = false;
> $conf['auth']['params']['uid'] = 'uid';
> $conf['auth']['params']['encryption'] = 'ssha';
> $conf['auth']['params']['newuser_objectclass'] = array('shadowAccount', 'inetOrgPerson');
> $conf['auth']['params']['filter'] = '(objectclass=shadowAccount)';
> $conf['auth']['params']['password_expiration'] = 'no';
> $conf['auth']['params']['driverconfig'] = 'horde';
> $conf['auth']['driver'] = 'ldap';
> $conf['auth']['params']['count_bad_logins'] = false;
> $conf['auth']['params']['login_block'] = false;
> $conf['auth']['params']['login_block_count'] = 5;
> $conf['auth']['params']['login_block_time'] = 5;
> $conf['signup']['allow'] = false;
> $conf['log']['priority'] = 'DEBUG';
> $conf['log']['ident'] = 'HORDE';
> $conf['log']['name'] = LOG_USER;
> $conf['log']['type'] = 'syslog';
> $conf['log']['enabled'] = true;
> $conf['log_accesskeys'] = true;
> [...]
> 
> I also tried to google but didn't find a similar case.
> 
> Does anyone know how to trace or solve this?
----
I had my setup using TLS and it worked for a week but I got a couple of
infrequent TLS errors so I disabled it for the time being because I
didn't have time to troubleshoot. It did work however - but I got the
feeling not reliably.

bindas 'admin' ?

Craig
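A small defender-side triage script, added here and not part of the thread or of Horde, that walks slapd connection logs like the ones quoted above and reports, per client IP, which connections requested StartTLS and then died with "TLS negotiation failure" versus which ones bound in cleartext. The sample log lines are constructed (modelled on the quoted ones; conn numbers, the `TLS established` line and the bind DN are assumptions).

```python
import re
from collections import defaultdict

# Constructed sample slapd log, modelled on the lines quoted in the thread.
# conn=1069: StartTLS requested, handshake fails (the reported symptom).
# conn=1070: StartTLS succeeds, bind happens inside TLS.
# conn=1071: no StartTLS at all, bind credentials go over cleartext.
SAMPLE_LOG = """\
Sep 15 12:18:26 myserverhost slapd[7526]: conn=1069 fd=14 ACCEPT from IP=192.168.1.12:50630 (IP=0.0.0.0:389)
Sep 15 12:18:26 myserverhost slapd[7526]: conn=1069 op=1 EXT oid=1.3.6.1.4.1.1466.20037
Sep 15 12:18:26 myserverhost slapd[7526]: conn=1069 op=1 STARTTLS
Sep 15 12:18:26 myserverhost slapd[7526]: conn=1069 op=1 RESULT oid= err=0 text=
Sep 15 12:18:26 myserverhost slapd[7526]: conn=1069 fd=14 closed (TLS negotiation failure)
Sep 15 12:18:27 myserverhost slapd[7526]: conn=1070 fd=15 ACCEPT from IP=192.168.1.12:50631 (IP=0.0.0.0:389)
Sep 15 12:18:27 myserverhost slapd[7526]: conn=1070 op=0 STARTTLS
Sep 15 12:18:27 myserverhost slapd[7526]: conn=1070 op=0 RESULT oid= err=0 text=
Sep 15 12:18:27 myserverhost slapd[7526]: conn=1070 fd=15 TLS established tls_ssf=256 ssf=256
Sep 15 12:18:27 myserverhost slapd[7526]: conn=1070 op=1 BIND dn="cn=horde,ou=DSA,dc=mycompany,dc=tld" method=128
Sep 15 12:18:27 myserverhost slapd[7526]: conn=1070 fd=15 closed
Sep 15 12:18:28 myserverhost slapd[7526]: conn=1071 fd=16 ACCEPT from IP=192.168.1.12:50632 (IP=0.0.0.0:389)
Sep 15 12:18:28 myserverhost slapd[7526]: conn=1071 op=0 BIND dn="cn=horde,ou=DSA,dc=mycompany,dc=tld" method=128
Sep 15 12:18:28 myserverhost slapd[7526]: conn=1071 fd=16 closed
"""

CONN_RE = re.compile(r"conn=(\d+) (.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=([\d.]+):\d+")
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation

def classify_connections(log_text):
    """Fold per-line slapd events into one state record per conn=N."""
    conns = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        cid, rest = m.group(1), m.group(2)
        c = conns.setdefault(cid, {"ip": None, "starttls": False, "tls_ok": False,
                                   "tls_failed": False, "plain_bind": False})
        accept = ACCEPT_RE.search(rest)
        if accept:
            c["ip"] = accept.group(1)
        elif " STARTTLS" in rest or STARTTLS_OID in rest:
            c["starttls"] = True
        elif "TLS established" in rest:
            c["tls_ok"] = True
        elif "TLS negotiation failure" in rest:
            c["tls_failed"] = True
        elif " BIND dn=" in rest and not c["tls_ok"]:
            c["plain_bind"] = True  # credentials sent before TLS was up
    return conns

def tls_findings(log_text):
    """Per client IP: count failed StartTLS handshakes and cleartext binds."""
    failed, plain = defaultdict(int), defaultdict(int)
    for c in classify_connections(log_text).values():
        if c["starttls"] and c["tls_failed"]:
            failed[c["ip"]] += 1
        if c["plain_bind"]:
            plain[c["ip"]] += 1
    return {"tls_failures": dict(failed), "cleartext_binds": dict(plain)}
```

Feed it `cat /var/log/slapd.log` output via `tls_findings(open(path).read())`; a client that shows up under both keys is one that falls back to cleartext binds when StartTLS fails, which is worth knowing before deciding whether to leave TLS disabled.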

