
I currently have a setup where users log in to a website using LDAP credentials. It's all internal so I don't really care a ton about certificates. So, in my /etc/openldap/ldap.conf file I have TLS_REQCERT never. Before adding that to the file I was always getting the error Error Binding to LDAP: TLS: hostname does not match CN in peer certificate. After adding that everything seemed to work fine. However now I'm finding that after some time, maybe a few hours to a day, the logins will fail again, and I'll start getting that error. If I restart apache everything works fine again for a while. Then the error pops up again. What could be causing this to keep happening? The server is a CentOS 6.5.

LoneWolfPR

2 Answers

You must check the certificate validity; maybe the problem is related to this bug:

Summary: TLS_REQCERT=never ignored when the issuer certificate is expired

Description of problem:

Setting TLS_REQCERT=never is ignored when the server certificate is outside its validity period. In that case the connection fails.

Version-Release number of selected component (if applicable):

openldap-2.4.23-15.el6
openldap-2.4.24-3.fc15

How reproducible:

Set up certificates in slapd to allow TLS/SSL. The certificate can be invalid (invalid issuer, invalid server name, etc.).

Run: LDAPTLS_REQCERT=never ldapsearch -x -ZZ ...

The execution will be successful, TLS will be used.

Change your system time out of the validity period of the certificate. Run the same command again. The command will fail this time.


Update:
You have disabled certificate checking in the OpenLDAP ldap.conf (which should apply to php-ldap too). In your PHP code, before the ldap_connect, put the following:

putenv('LDAPTLS_REQCERT=never');

Need help ignoring server certificate while binding to LDAP server using PHP

How do I solve ldap_start_tls() “Unable to start TLS: Connect error” in PHP?


Update 2:

Another problem may be that the Apache server is not reading the ldap.conf configuration file correctly; take a look at this link, where the problem is described:

http://php.net/manual/en/function.ldap-connect.php#36156

I hope this helps.

Federico Sierra
  • I thought that might be the problem. However the certificate isn't expired. It is a self-signed certificate. However I have two other servers running the same versions of everything and the same configuration settings in ldap.conf and they don't have this trouble. – LoneWolfPR Oct 13 '14 at 14:27
  • I've tried running an ldapsearch directly from commandline and it works just fine. It just seems to be an issue when connecting through PHP/Apache – LoneWolfPR Oct 13 '14 at 14:51
  • @LoneWolfPR I updated the answer, check if it helps you. – Federico Sierra Oct 13 '14 at 16:23
  • That last thing you added is only for PHP on Windows machines it appears. Mine are running on CentOS while trying to connect to Windows Active Directory. There are some other suggestions in those articles though. I'll look into them. – LoneWolfPR Oct 13 '14 at 17:05
  • @LoneWolfPR you can use `LDAPTLS_REQCERT=never` also on linux , for client side connection – Federico Sierra Oct 13 '14 at 18:46
  • @LoneWolfPR look this http://php.net/manual/en/function.ldap-connect.php#36156 – Federico Sierra Oct 13 '14 at 19:11
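The answer above shows how to push `LDAPTLS_REQCERT=never` into the PHP process. That setting turns off certificate checking entirely, so anyone who can sit between the web server and the domain controller can present their own certificate and read every password that the login form sends over the "TLS" bind. The following is an added example, not code from the original post or from php-ldap: it does the same STARTTLS bind from PHP against Active Directory but keeps verification on by trusting the AD issuing CA, and keeps the weak `never` form beside it only to show the difference. The host name, CA file path, domain and the requirement of PHP 7.1 or later (for the `LDAP_OPT_X_TLS_*` options) are assumptions; on the CentOS 6-era PHP in the question those constants do not exist and the only route is `putenv('LDAPTLS_CACERT=/path/to/ca.pem')` before `ldap_connect()`.

```php
<?php
// Added example, not code from the original post or from php-ldap itself.
// Binds to an Active Directory domain controller over STARTTLS from PHP with
// certificate verification left ON, instead of TLS_REQCERT never.
// Assumptions (not from the page): the DC name, the CA file path, the UPN
// domain, and PHP >= 7.1 for the LDAP_OPT_X_TLS_* constants.

const AD_HOST    = 'dc1.corp.example';                  // assumed; must match the CN/SAN in the DC certificate
const AD_CA_FILE = '/etc/pki/tls/certs/corp-ad-ca.pem'; // assumed; PEM bundle of the AD issuing CA chain
const AD_DOMAIN  = 'corp.example';                      // assumed; UPN suffix used for the bind

/**
 * Connect, upgrade to TLS and bind as $user. Returns the connection handle
 * on success and throws on any failure with libldap's diagnostic text.
 *
 * $verifyCert = false reproduces the weak TLS_REQCERT never setting from the
 * question and is kept only for comparison: with it, any certificate is
 * accepted, so an on-path attacker can terminate the TLS session and read
 * the user's password.
 */
function ad_bind(string $user, string $password, bool $verifyCert = true)
{
    if ($user === '' || $password === '') {
        // AD treats an empty password as an anonymous bind, which "succeeds".
        throw new RuntimeException('empty username or password refused');
    }

    $ld = ldap_connect('ldap://' . AD_HOST . ':389');
    if ($ld === false) {
        throw new RuntimeException('malformed LDAP URI');
    }
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);     // AD returns referrals that would stall the bind
    ldap_set_option($ld, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // TLS options must be set on the handle before ldap_start_tls(), which is
    // when libldap builds the TLS context for this connection.
    if ($verifyCert) {
        // Hardened form: trust only the AD CA and demand a valid, matching cert.
        ldap_set_option($ld, LDAP_OPT_X_TLS_CACERTFILE, AD_CA_FILE);
        ldap_set_option($ld, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    } else {
        // Weak form, equivalent to TLS_REQCERT never in ldap.conf.
        ldap_set_option($ld, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
    }

    if (!ldap_start_tls($ld)) {
        throw new RuntimeException('STARTTLS failed: ' . ad_diag($ld));
    }

    // user@domain is AD's UPN form, so no DN lookup is needed for the bind.
    if (!@ldap_bind($ld, $user . '@' . AD_DOMAIN, $password)) {
        throw new RuntimeException('bind failed: ' . ad_diag($ld));
    }
    return $ld;
}

/** libldap error text plus its extended diagnostic (e.g. the hostname-mismatch message). */
function ad_diag($ld): string
{
    $extra = null;
    ldap_get_option($ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extra);
    return ldap_error($ld) . (is_string($extra) && $extra !== '' ? ' (' . $extra . ')' : '');
}

if (PHP_SAPI === 'cli') {
    // Usage: php ad_bind.php <user> <password>
    $u = $argv[1] ?? '';
    $p = $argv[2] ?? '';
    try {
        $ld = ad_bind($u, $p);
        echo "bind OK\n";
        ldap_unbind($ld);
    } catch (RuntimeException $e) {
        fwrite(STDERR, $e->getMessage() . "\n");
        exit(1);
    }
}
```

With verification on, the error from the question ("hostname does not match CN in peer certificate") is a real finding rather than something to silence: it means the name in the `ldap://` URI is not the name in the DC certificate's CN or subjectAltName, so connect by the DC's FQDN as issued, or reissue the certificate, and export the issuing CA (not the DC certificate itself) into the PEM file named above. Under Apache the same code runs in each worker process, so the CA file must be readable by the Apache user.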

This is a wild shot in the dark, so if it's wrong, I apologize for leading you in the wrong direction. Maybe your ldap service is running out of available file descriptors (each network connection consumes one FD). On my ldap servers, I upped the default limits:

OVZ-CentOS65[root@ldap1 ~]# more /etc/security/limits.d/ldap.conf 
@ldap           soft    nofile          100000
@ldap           hard    nofile          200000

Try adding this (or adjusting whatever file might currently be there controlling user, group, or process limits for ldap) and restart your ldap service. See if the symptoms with apache persist.

Todd Lyons
  • I'm not sure how to go about this. It's not a regular LDAP server. The client machine trying to make the connection is a CentOS box, but the machine it's connecting to for log in purposes is a Windows Active Directory box. So I don't know how that all works with that. – LoneWolfPR Oct 17 '14 at 14:04
  • OK, no application to you at all. It would be worth mentioning in your original post that you're authenticating against a Windows AD server. I'm going to delete this answer because it has no bearing on your particular issue. – Todd Lyons Oct 17 '14 at 15:16