Hello
@hbouma
Crazy how things like this happen: one minute it is working and the next tweak breaks it. If only we could figure out what changed.
Looking at line 641 in 'src/adLDAP.php', I see the following:
if ($this->useTLS) {
641 ldap_start_tls($this->ldapConnection);
642 }
Looking back through the support forum posts, I see that we flipped and flopped configs in '/etc/ldap/ldap.conf' to the point that I am not sure what worked. In the previous post you stated that you had things functioning, with the following quote:
@hbouma said: Ok, got it fixed. The issue appears to be entirely related to some FIPS fun and a new version of openldap on RHEL 8 vs RHEL 7.
These are the steps I had to run to fix it.
edit the /etc/openldap/ldap.conf to uncomment the following line:
Looking at others that had similar issues they referenced permissions:
workaround: try editing /etc/ldap/ldap.conf and/or /etc/openldap/ldap.conf and add the line:
Also
I changed the owner of the directory "/etc/openldap/certs" from root:root to apache:nagios. After this change, when I add the root certificate of our CA through the Web-GUI, two new files were generated in the directory "/etc/openldap/certs", one pem file and one crt file. These new files are owned by "apache", so user "apache" needs write access to the directory "/etc/openldap/certs". I removed the workaround "TLS_REQCERT never" from /etc/openldap/ldap.conf to test the change. Our AD users can now log in as expected with no errors.
/etc/openldap/cacerts. Check the permissions:
and set:
chown apache:nagios /etc/openldap/cacerts
chmod 775 /etc/openldap/cacerts
#TLS_CACERTDIR /etc/openldap/certs
TLS_CACERTDIR /cacerts
Also in a previous post we had you uncomment the following:
/etc/openldap/ldap.conf adding:
We also updated the TLS_CACERT line, which means we need to confirm the cert.pem path is correct in your /etc/openldap/ldap.conf:
#TLS_CACERT /etc/pki/tls/cert.pem
So it looks like this:
TLS_CACERT /etc/pki/tls/cert.pem
Then restart apache/php-fpm and test again to see if that resolves the issue:
systemctl restart httpd php-fpm
You made a comment in the previous post regarding FIPS, and circling back we looked at the following:
Previously we had you pull the crypto-policies, and the result showed FIPS; we want to disable that with the following (requires a reboot when you get a chance):
fips-mode-setup --disable && reboot
Then:
update-crypto-policies --set LEGACY && reboot
After reboot verify:
update-crypto-policies --show
Please take the time to run through what we did and compare it to what is set now, as something changed when the update was applied.
Thanks,
Perry
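The post above juggles three settings in /etc/openldap/ldap.conf (TLS_CACERT, TLS_CACERTDIR, TLS_REQCERT) plus the crypto policy, and the reader is left to work out which state is the fix and which is the workaround. The added script below is not from the thread or from Nagios; it is an audit helper that parses an ldap.conf the way the library does (comments skipped, keys case-insensitive, last occurrence wins) and reports whether the client will actually verify the AD server's certificate. Two points it makes explicit: "TLS_REQCERT never" (and "allow") turns off certificate verification for the StartTLS session that ldap_start_tls() opens, so it is a diagnostic step, not a fix; and on RHEL 8, where OpenLDAP is built against OpenSSL rather than NSS, a TLS_CACERTDIR pointing at the old NSS database in /etc/openldap/certs no longer supplies a CA, so TLS_CACERT must name a readable PEM bundle. The sample configs, the placeholder cert.pem and the temp directory are constructed for the example; the live StartTLS check is optional and only runs if ldapsearch is installed.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): audit the TLS section of an
# OpenLDAP client config and separate the real fix from the insecure workaround.
set -u

# Print the effective value of a key in ldap.conf: comments are skipped,
# keys are case-insensitive, the last occurrence wins. Values are taken as a
# single token, which is how every TLS_* setting in ldap.conf(5) is written.
ldap_conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && toupper($1) == toupper(key) { val = $2 }
        END { print val }
    ' "$1"
}

# Audit one ldap.conf. Prints one line per finding.
# Returns 0 when the client will verify the server certificate against a
# configured, readable CA source; returns 1 otherwise.
ldap_tls_audit() {
    local conf="$1" rc=0 reqcert cacert cacertdir shown
    reqcert=$(ldap_conf_get "$conf" TLS_REQCERT)
    cacert=$(ldap_conf_get "$conf" TLS_CACERT)
    cacertdir=$(ldap_conf_get "$conf" TLS_CACERTDIR)

    # The ldap.conf(5) default is "demand". "never" and "allow" both accept a
    # bad or missing server certificate, so the StartTLS session is MITM-able.
    shown="${reqcert:-demand}"
    case "$(printf '%s' "$shown" | tr '[:upper:]' '[:lower:]')" in
        never|allow) echo "FAIL $conf: TLS_REQCERT $shown disables server certificate verification"; rc=1 ;;
        *)           echo "ok   $conf: TLS_REQCERT $shown" ;;
    esac

    # With no CA source, "demand" can never succeed; that failure is what
    # tempts people into "TLS_REQCERT never" in the first place.
    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "FAIL $conf: neither TLS_CACERT nor TLS_CACERTDIR is set"; rc=1
    fi
    # The web server user, not root, is the one opening the LDAP connection,
    # so run this audit as that user (e.g. sudo -u apache) to catch permission issues.
    if [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
        echo "FAIL $conf: TLS_CACERT $cacert is not readable by $(id -un)"; rc=1
    fi
    if [ -n "$cacertdir" ] && [ ! -d "$cacertdir" ]; then
        echo "FAIL $conf: TLS_CACERTDIR $cacertdir does not exist"; rc=1
    fi
    return "$rc"
}

# Optional live check: -ZZ forces StartTLS and fails if it cannot be
# established, mirroring ldap_start_tls() in adLDAP.php. LDAPTLS_REQCERT=demand
# overrides any "never" left in ldap.conf so the verification result is the real one.
ldap_tls_live_test() {
    command -v ldapsearch >/dev/null 2>&1 || { echo "ldapsearch not installed"; return 2; }
    LDAPTLS_REQCERT=demand ldapsearch -ZZ -H "$1" -x -b '' -s base '(objectClass=*)' >/dev/null
}

# --- constructed sample inputs (not real files from the thread) ---
SAMPLE_DIR=$(mktemp -d)
# Placeholder PEM so the readability check has something to look at.
printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n' > "$SAMPLE_DIR/cert.pem"

# State the workaround leaves behind: verification off, CA line still commented out.
WORKAROUND_CONF="$SAMPLE_DIR/ldap.conf.workaround"
cat > "$WORKAROUND_CONF" <<EOF
#TLS_CACERT /etc/pki/tls/cert.pem
TLS_REQCERT never
EOF

# The intended fix: CA bundle configured, TLS_REQCERT left at its default.
FIXED_CONF="$SAMPLE_DIR/ldap.conf.fixed"
cat > "$FIXED_CONF" <<EOF
# CA bundle that contains the AD issuing CA
TLS_CACERT $SAMPLE_DIR/cert.pem
EOF

ldap_tls_audit "$WORKAROUND_CONF" || echo "-> fix the CA settings before removing the workaround"
ldap_tls_audit "$FIXED_CONF"
```

Run it as the web server user against the real file (sudo -u apache bash audit.sh, then ldap_tls_audit /etc/openldap/ldap.conf) and only after it passes try ldap_tls_live_test ldap://dc.example.com from the same account. If the live test still fails while the audit passes, the remaining variable is the crypto policy: update-crypto-policies --show tells you whether FIPS or DEFAULT is rejecting the domain controller's cipher or certificate, and dropping to LEGACY or disabling FIPS trades that protection away host-wide, so treat it as a last resort rather than a first step.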