
PHP Fatal error: Uncaught Error: Call to undefined function Ltb\\ldap_sasl_bind() #1008

Open
luandrea opened this issue Nov 20, 2024 · 14 comments · May be fixed by #1009
Comments

@luandrea

luandrea commented Nov 20, 2024

I'm trying to run self-service-password using the docker container (image: ltbproject/self-service-password:latest) to connect to AD, but I'm getting this stack trace:

self-service-password-app | ldap_url_parse_ext(ldap://localhost/)
self-service-password-app | ldap_init: trying /etc/ldap/ldap.conf
self-service-password-app | ldap_init: using /etc/ldap/ldap.conf
self-service-password-app | ldap_init: HOME env is NULL
self-service-password-app | ldap_init: trying ldaprc
self-service-password-app | ldap_init: LDAPCONF env is NULL
self-service-password-app | ldap_init: LDAPRC env is NULL
self-service-password-app | ldap_create
self-service-password-app | ldap_url_parse_ext(ldaps://ABC.local)
self-service-password-app | [Wed Nov 20 16:51:27.399481 2024] [php:warn] [pid 20:tid 20] [client 172.18.0.1:53104] PHP Warning: Undefined variable $ldap_krb5ccname in /var/www/vendor/ltb-project/ltb-common/src/Ltb/Ldap.php on line 63, referer: http://localhost/
self-service-password-app | [Wed Nov 20 16:51:27.399585 2024] [php:error] [pid 20:tid 20] [client 172.18.0.1:53104] PHP Fatal error: Uncaught Error: Call to undefined function Ltb\ldap_sasl_bind() in /var/www/vendor/ltb-project/ltb-common/src/Ltb/PhpLDAP.php:41\nStack trace:\n#0 /var/www/vendor/ltb-project/ltb-common/src/Ltb/Ldap.php(64): Ltb\PhpLDAP::ldap_sasl_bind()\n#1 /var/www/htdocs/change.php(70): Ltb\Ldap->connect()\n#2 /var/www/htdocs/index.php(229): require_once('...')\n#3 {main}\n thrown in /var/www/vendor/ltb-project/ltb-common/src/Ltb/PhpLDAP.php on line 41, referer: http://localhost/

Could you help me?
Is there something I have to install to the container?

Best regards,
Luca

@davidcoutadeur

You can take a look at the configuration procedure with docker: https://self-service-password.readthedocs.io/en/stable/installation.html#docker

I have just tested the docker image myself, but I don't get any error:

docker run -p 80:80 \
    -v $PWD/conf/config.inc.docker.php:/var/www/conf/config.inc.local.php \
    -it ltbproject/self-service-password:latest

You should set at least a local configuration file with the LDAP URL and credentials.

@luandrea
Author

Hi David,
thanks for your quick reply.

I have already read all the documentation, but I'm stuck with that error.

Here is my main configuration:

ssp.conf.php

<?php // My SSP configuration
$keyphrase = "mysecret";
$debug = true;
$ldap_url = "ldaps://ABC.local";

$ldap_login_attribute = "sAMAccountName";
$ldap_fullname_attribute = "cn";

$ldap_base = "OU=Users,OU=Accounts,DC=ABC,DC=local";

$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
$who_change_password = "manager";

$ldap_binddn = null;
$ldap_bindpw = null;
$ldap_krb5ccname = "/tmp/krb5cc_1000";

$ad_mode = true;
$audit_log_file = "/tmp/audit.log";
$show_extended_error = true;
?>

docker-compose.yml

name: self-service-password

services:
  ssp-app:
    image: ltbproject/self-service-password:latest
    container_name: self-service-password-app
    volumes:
      - ./ssp.conf.php:/var/www/conf/config.inc.local.php
      - ./ssl/ABC-CA.pem:/etc/ssl/ca.crt
      - ./ldap.conf:/etc/ldap/ldap.conf
      - /tmp/krb5cc_1000:/tmp/krb5cc_1000
    ports:
      - "80:80"
    extra_hosts:
      - "host.docker.internal:host-gateway"
      - "ABC.local:111.111.111.111"
    restart: always

ldap.conf

TLS_CACERT /etc/ssl/ca.crt
sasl_secprops minssf=0,maxssf=0

I also verified that, with Ldap Admin, I can successfully change the password of an AD user, using the same parameters that I'm trying to use with SSP.

Also, I can successfully search that AD with ldapsearch using those parameters.

I'm not familiar with PHP, but two things are not clear to me.

First this error:

Undefined variable $ldap_krb5ccname in /var/www/vendor/ltb-project/ltb-common/src/Ltb/Ldap.php on line 63, referer: http://localhost/

It is about this line:
putenv("KRB5CCNAME=".$ldap_krb5ccname);

Or should it be like that?
putenv("KRB5CCNAME=".$this->ldap_krb5ccname);

The second error:

PHP Fatal error: Uncaught Error: Call to undefined function Ltb\ldap_sasl_bind() in /var/www/vendor/ltb-project/ltb-common/src/Ltb/PhpLDAP.php:41\nStack trace:\n#0 /var/www/vendor/ltb-project/ltb-common/src/Ltb/Ldap.php(64): Ltb\PhpLDAP::ldap_sasl_bind()\n#1 /var/www/htdocs/change.php(70): Ltb\Ldap->connect()\n#2 /var/www/htdocs/index.php(229): require_once('...')\n#3 {main}\n thrown in /var/www/vendor/ltb-project/ltb-common/src/Ltb/PhpLDAP.php on line 41, referer: http://localhost/

It is about an undefined function. Am I missing something? Should I install something else on the docker container?

@davidcoutadeur

It is about this line:
putenv("KRB5CCNAME=".$ldap_krb5ccname);

Or should it be like that?
putenv("KRB5CCNAME=".$this->ldap_krb5ccname);

Indeed, this is a bug in our code. Could you open an issue at the ltb-common project for this?

PHP Fatal error: Uncaught Error: Call to undefined function Ltb\ldap_sasl_bind() in /var/www/vendor/ltb-project/ltb-common/src/Ltb/PhpLDAP.php:41

This one is weird. Maybe it is a consequence of the first bug. ldap_sasl_bind is a function available in the standard PHP ldap library. It should be available already.

@davidcoutadeur

I reproduce this bug on my side:

PHP Fatal error: Uncaught Error: Call to undefined function Ltb\ldap_sasl_bind() in /var/www/vendor/ltb-project/ltb-common/src/Ltb/PhpLDAP.php:41

Also, the variables ldap_binddn and ldap_bindpw, even when empty (""), do not permit using GSSAPI auth. I think the test must be fixed.
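The two defects named in the comments above (a global `$ldap_krb5ccname` read where the object's property was meant, and an empty-string bind DN/password being taken as "do a simple bind") are easiest to see side by side in code. The following is an added illustration, not ltb-common's actual `Ltb\Ldap` class: the class name `LdapConnector` and its property layout are assumptions, while the configuration variable names mirror the ones posted in this issue. It selects a simple bind only when both DN and password are non-empty, and otherwise performs a GSSAPI SASL bind from the credential cache, failing with a readable message when the PHP ldap extension was built without SASL instead of dying on an undefined function.

```php
<?php
// Added illustration (not ltb-common's own code). Shows a connect() that
// avoids the two problems raised in this thread:
//   1. reading an undefined global ($ldap_krb5ccname) instead of the
//      object's own property ($this->ldap_krb5ccname);
//   2. treating an empty-string $ldap_binddn / $ldap_bindpw as "use a
//      simple bind", which makes the GSSAPI path unreachable.
// Class and property names are assumptions for this example.

declare(strict_types=1);

final class LdapConnector
{
    public function __construct(
        private string $ldap_url,
        private ?string $ldap_binddn,
        private ?string $ldap_bindpw,
        private ?string $ldap_krb5ccname,
    ) {}

    /** Simple bind only when both DN and password are non-empty strings. */
    private function useSimpleBind(): bool
    {
        return $this->ldap_binddn !== null && $this->ldap_binddn !== ''
            && $this->ldap_bindpw !== null && $this->ldap_bindpw !== '';
    }

    /** @return array{0: \LDAP\Connection|false, 1: int, 2: string} */
    public function connect(): array
    {
        $ldap = ldap_connect($this->ldap_url);
        if ($ldap === false) {
            return [false, -1, 'invalid LDAP URL'];
        }
        ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

        if ($this->useSimpleBind()) {
            $ok = ldap_bind($ldap, $this->ldap_binddn, $this->ldap_bindpw);
        } else {
            // GSSAPI path: fail early with a clear message instead of a fatal
            // "Call to undefined function" when php-ldap lacks SASL support.
            if (!function_exists('ldap_sasl_bind')) {
                return [false, -1, 'php-ldap was built without SASL support'];
            }
            // Point libkrb5 at the credential cache from the configuration
            // (the object's property, not an undefined global).
            if ($this->ldap_krb5ccname !== null && $this->ldap_krb5ccname !== '') {
                putenv('KRB5CCNAME=' . $this->ldap_krb5ccname);
            }
            // Only the mechanism name is needed; the identity comes from the
            // ticket in KRB5CCNAME.
            $ok = ldap_sasl_bind($ldap, null, null, 'GSSAPI');
        }

        if (!$ok) {
            return [false, ldap_errno($ldap), ldap_error($ldap)];
        }
        return [$ldap, 0, 'OK'];
    }
}

// Usage with values mirroring the configuration posted in this issue.
$c = new LdapConnector('ldaps://ABC.local', null, null, '/tmp/krb5cc_1000');
[$conn, $errno, $msg] = $c->connect();
echo $conn !== false ? "bind OK\n" : "bind failed: $errno $msg\n";
```

Passing `null` for the bind DN and password, as the posted config does, takes the GSSAPI branch; so does `""`, which is the case the comment above says the current test gets wrong.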

@luandrea
Author

I fixed the "Undefined variable $ldap_krb5ccname" on my side and opened the issue as per your request.

The second error still remains.

I checked if any module is missing in the container, but don't know if this is correct.

root@3a1e04260431:/var/www/htdocs# php -m | grep ldap
ldap

This is the output of php -i:
php_info.txt

I see in particular:
GSSAPI => Yes
GSASL => No

Could the GSASL entry be connected to the missing ldap_sasl_bind() method?

@davidcoutadeur

Yes, there is indeed a problem with the docker image.

@davidcoutadeur

@luandrea could you try building the new docker image using the branch:

https://github.com/ltb-project/self-service-password/tree/1008-fix-ldap-sasl-bind-docker

You can build with this command:

DOCKER_BUILDKIT=1 docker build -t self-service-password -f ./docker/Dockerfile ../

Anyway, thanks for the bug report

@davidcoutadeur davidcoutadeur self-assigned this Nov 21, 2024
@davidcoutadeur davidcoutadeur added this to the 1.7.2 milestone Nov 21, 2024
@davidcoutadeur davidcoutadeur linked a pull request Nov 21, 2024 that will close this issue
@luandrea
Author

Hi @davidcoutadeur ,
I successfully rebuilt the image and tested it in my environment; now the previous error has gone!

However, I'm getting another error now: Bind error -6 (Unknown authentication method)

self-service-password-app  | ldap_url_parse_ext(ldap://localhost/)
self-service-password-app  | ldap_init: trying /etc/ldap/ldap.conf
self-service-password-app  | ldap_init: using /etc/ldap/ldap.conf
self-service-password-app  | ldap_init: HOME env is NULL
self-service-password-app  | ldap_init: trying ldaprc
self-service-password-app  | ldap_init: LDAPCONF env is NULL
self-service-password-app  | ldap_init: LDAPRC env is NULL
self-service-password-app  | ldap_create
self-service-password-app  | ldap_url_parse_ext(ldaps://ABC.local)
self-service-password-app  | ldap_sasl_interactive_bind: user selected: GSSAPI
self-service-password-app  | ldap_int_sasl_bind: GSSAPI
self-service-password-app  | ldap_new_connection 1 1 0
self-service-password-app  | ldap_int_open_connection
self-service-password-app  | ldap_connect_to_host: TCP ABC.local:636
self-service-password-app  | ldap_new_socket: 11
self-service-password-app  | ldap_prepare_socket: 11
self-service-password-app  | ldap_connect_to_host: Trying 1111.111.111.111:636
self-service-password-app  | ldap_pvt_connect: fd: 11 tm: 10 async: 0
self-service-password-app  | ldap_ndelay_on: 11
self-service-password-app  | attempting to connect:
self-service-password-app  | connect errno: 115
self-service-password-app  | ldap_int_poll: fd: 11 tm: 10
self-service-password-app  | ldap_is_sock_ready: 11
self-service-password-app  | ldap_ndelay_off: 11
self-service-password-app  | ldap_pvt_connect: 0
self-service-password-app  | ldap_int_sasl_open: host=ABC.local
self-service-password-app  | ldap_msgfree
self-service-password-app  | ldap_err2string
self-service-password-app  | [Thu Nov 21 14:04:17.661198 2024] [php:warn] [pid 18:tid 18] [client 172.18.0.1:34044] PHP Warning:  ldap_sasl_bind(): Unable to bind to server: Unknown authentication method in /var/www/vendor/ltb-project/ltb-common/src/Ltb/PhpLDAP.php on line 41, referer: http://localhost/
self-service-password-app  | [Thu Nov 21 14:04:17.661232 2024] [php:notice] [pid 18:tid 18] [client 172.18.0.1:34044] LDAP - GSSAPI Bind failed, referer: http://localhost/
self-service-password-app  | ldap_err2string
self-service-password-app  | [Thu Nov 21 14:04:17.661395 2024] [php:notice] [pid 18:tid 18] [client 172.18.0.1:34044] LDAP - Bind error -6  (Unknown authentication method), referer: http://localhost/
self-service-password-app  | ldap_free_connection 1 1
self-service-password-app  | ldap_send_unbind
self-service-password-app  | ldap_free_connection: actually freed

@davidcoutadeur

I think there was still a missing module for enabling GSSAPI: libsasl2-modules-gssapi-mit
Could you try with my last commit?
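Three separate environment gaps surface in this thread (php-ldap without SASL, hence no `ldap_sasl_bind`; no Cyrus SASL GSSAPI plugin, hence "Unknown authentication method"; and a credential cache mounted into the container from the posted docker-compose file). The script below is an added pre-flight check, not part of self-service-password or ltb-common, meant to be run once inside the container before starting the app. The plugin paths are the usual Debian/Ubuntu locations and are an assumption; the default cache path is the one from the configuration posted above.

```php
<?php
// Added pre-flight check (not part of self-service-password or ltb-common).
// Run inside the container, e.g. `php preflight.php`, to confirm the pieces
// a GSSAPI bind needs. Plugin paths are typical Debian/Ubuntu locations and
// are assumptions; adjust for other base images.

declare(strict_types=1);

/** @return array<string, array{bool, string}> check name => [passed, detail] */
function gssapiPreflight(string $ccache): array
{
    $r = [];

    // 1. php-ldap is loaded and was built with SASL (that is what provides
    //    ldap_sasl_bind; its absence is the first error in this issue).
    $r['ext_ldap'] = [extension_loaded('ldap'), 'php -m should list "ldap"'];
    $r['ldap_sasl_bind'] = [
        function_exists('ldap_sasl_bind'),
        'missing => php-ldap compiled without SASL support',
    ];

    // 2. Cyrus SASL has the GSSAPI plugin (package libsasl2-modules-gssapi-mit
    //    on Debian); without it the bind fails with "Unknown authentication method".
    $plugins = array_merge(
        glob('/usr/lib/*/sasl2/libgssapiv2.so') ?: [],
        glob('/usr/lib/sasl2/libgssapiv2.so') ?: []
    );
    $r['sasl_gssapi_plugin'] = [
        $plugins !== [],
        $plugins !== [] ? implode(',', $plugins) : 'libgssapiv2.so not found',
    ];

    // 3. The Kerberos credential cache exists and is readable by the user PHP
    //    runs as (a cache created by another UID and bind-mounted in is a
    //    common reason for an unexplained "Local error").
    $readable = is_file($ccache) && is_readable($ccache);
    $owner = is_file($ccache) ? (string) fileowner($ccache) : '-';
    $r['ccache_readable'] = [
        $readable,
        "$ccache owner uid=$owner, PHP running as uid=" . getmyuid(),
    ];

    return $r;
}

// Honour KRB5CCNAME if set (strip an optional FILE: prefix), else fall back
// to the path used in the configuration posted in this issue.
$env = getenv('KRB5CCNAME');
$ccache = $env !== false && $env !== ''
    ? preg_replace('/^FILE:/', '', $env)
    : '/tmp/krb5cc_1000';

$allOk = true;
foreach (gssapiPreflight($ccache) as $name => [$ok, $detail]) {
    printf("[%s] %-20s %s\n", $ok ? 'OK ' : 'FAIL', $name, $detail);
    $allOk = $allOk && $ok;
}
exit($allOk ? 0 : 1);
```

The exit status makes it usable as a container health or startup gate: a non-zero status means at least one of the three prerequisites is missing, and the printed line says which one.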

@luandrea
Author

Ok, also this error has gone!

I still cannot connect to the AD; this is the stack trace now:

ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: using /etc/ldap/ldap.conf
ldap_init: HOME env is NULL
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
ldap_create
ldap_url_parse_ext(ldaps://ABC.local)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ABC:636
ldap_new_socket: 11
ldap_prepare_socket: 11
ldap_connect_to_host: Trying 111.111.111.111:636
ldap_pvt_connect: fd: 11 tm: 10 async: 0
ldap_ndelay_on: 11
attempting to connect:
connect errno: 115
ldap_int_poll: fd: 11 tm: 10
ldap_is_sock_ready: 11
ldap_ndelay_off: 11
ldap_pvt_connect: 0
ldap_int_sasl_open: host=ABC.local
ldap_msgfree
ldap_err2string
PHP Warning:  ldap_sasl_bind(): Unable to bind to server: Local error in /var/www/vendor/ltb-project/ltb-common/src/Ltb/PhpLDAP.php on line 41, referer: http://localhost/
LDAP - GSSAPI Bind failed, referer: http://localhost/
ldap_err2string
LDAP - Bind error -2  (Local error), referer: http://localhost/
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed

Now I don't see any useful information in it. Could you help me?

@davidcoutadeur

Indeed this error is not quite precise...

Maybe you have more details in the system logs (especially security logs)?

Another possibility: maybe you need a saslauthd daemon to handle this authentication. You could try this by entering the container manually, installing sasl2-bin, and then running saslauthd manually.

@luandrea
Author

Ok, I didn't find any useful log.

BUT I found that I was missing the correct permissions for the Kerberos token cache that I create using kinit and then mount in the container. I do it like this for now because I want to check that everything works before automating it through k5start.

After fixing the permissions, as you can see, I get a successful connection (status: Connected) to the AD server, but, as I understand, the search does not return what I'm searching:

ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: using /etc/ldap/ldap.conf
ldap_init: HOME env is NULL
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
ldap_create
ldap_url_parse_ext(ldaps://ABC.local)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ABC.local:636
ldap_new_socket: 11
ldap_prepare_socket: 11
ldap_connect_to_host: Trying 111.111.111.111:636
ldap_pvt_connect: fd: 11 tm: 10 async: 0
ldap_ndelay_on: 11
attempting to connect:
connect errno: 115
ldap_int_poll: fd: 11 tm: 10
ldap_is_sock_ready: 11
ldap_ndelay_off: 11
ldap_pvt_connect: 0
ldap_int_sasl_open: host=ABC.local
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_msgfree
ldap_result ld 0x55ac7d36d340 msgid 1
wait4msg ld 0x55ac7d36d340 msgid 1 (infinite timeout)
wait4msg continue ld 0x55ac7d36d340 msgid 1 all 1
** ld 0x55ac7d36d340 Connections:
* host: ABC.local  port: 636  (default)
* from: IP=172.18.0.2:48270
  refcnt: 2  status: Connected
  last used: Thu Nov 21 16:11:25 2024


** ld 0x55ac7d36d340 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55ac7d36d340 request count 1 (abandoned 0)
** ld 0x55ac7d36d340 Response Queue:
   Empty
  ld 0x55ac7d36d340 response count 0
ldap_chkResponseList ld 0x55ac7d36d340 msgid 1 all 1
ldap_chkResponseList returns ld 0x55ac7d36d340 NULL
ldap_int_select
read1msg: ld 0x55ac7d36d340 msgid 1 all 1
ldap_find_request_by_msgid: msgid 1, lr 0x55ac7d38a610 lr->lr_refcnt = 1
read1msg: ld 0x55ac7d36d340 msgid 1 message type bind
read1msg: ld 0x55ac7d36d340 0 new referrals
read1msg:  mark request completed, ld 0x55ac7d36d340 msgid 1
request done: ld 0x55ac7d36d340 msgid 1
res_errno: 14, res_error: <>, res_matched: <>
ldap_return_request: lrx 0x55ac7d38a610, lr 0x55ac7d38a610
ldap_return_request: lrx->lr_msgid 1, lrx->lr_refcnt is now 0, lr is still present
ldap_free_request (origid 1, msgid 1)
ldap_free_request_int: lr 0x55ac7d38a610 msgid 1 removed
ldap_do_free_request: asked to free lr 0x55ac7d38a610 msgid 1 refcnt 0
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ldap_parse_result
sasl_client_step: 2
sasl_client_step: 1
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_msgfree
ldap_result ld 0x55ac7d36d340 msgid 2
wait4msg ld 0x55ac7d36d340 msgid 2 (infinite timeout)
wait4msg continue ld 0x55ac7d36d340 msgid 2 all 1
** ld 0x55ac7d36d340 Connections:
* host: ABC.local  port: 636  (default)
* from: IP=172.18.0.2:48270
  refcnt: 2  status: Connected
  last used: Thu Nov 21 16:11:25 2024


** ld 0x55ac7d36d340 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55ac7d36d340 request count 1 (abandoned 0)
** ld 0x55ac7d36d340 Response Queue:
   Empty
  ld 0x55ac7d36d340 response count 0
ldap_chkResponseList ld 0x55ac7d36d340 msgid 2 all 1
ldap_chkResponseList returns ld 0x55ac7d36d340 NULL
ldap_int_select
read1msg: ld 0x55ac7d36d340 msgid 2 all 1
ldap_find_request_by_msgid: msgid 2, lr 0x55ac7d38a940 lr->lr_refcnt = 1
read1msg: ld 0x55ac7d36d340 msgid 2 message type bind
read1msg: ld 0x55ac7d36d340 0 new referrals
read1msg:  mark request completed, ld 0x55ac7d36d340 msgid 2
request done: ld 0x55ac7d36d340 msgid 2
res_errno: 14, res_error: <>, res_matched: <>
ldap_return_request: lrx 0x55ac7d38a940, lr 0x55ac7d38a940
ldap_return_request: lrx->lr_msgid 2, lrx->lr_refcnt is now 0, lr is still present
ldap_free_request (origid 2, msgid 2)
ldap_free_request_int: lr 0x55ac7d38a940 msgid 2 removed
ldap_do_free_request: asked to free lr 0x55ac7d38a940 msgid 2 refcnt 0
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ldap_parse_result
sasl_client_step: 0
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_msgfree
ldap_result ld 0x55ac7d36d340 msgid 3
wait4msg ld 0x55ac7d36d340 msgid 3 (infinite timeout)
wait4msg continue ld 0x55ac7d36d340 msgid 3 all 1
** ld 0x55ac7d36d340 Connections:
* host: ABC.local  port: 636  (default)
* from: IP=172.18.0.2:48270
  refcnt: 2  status: Connected
  last used: Thu Nov 21 16:11:25 2024


** ld 0x55ac7d36d340 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55ac7d36d340 request count 1 (abandoned 0)
** ld 0x55ac7d36d340 Response Queue:
   Empty
  ld 0x55ac7d36d340 response count 0
ldap_chkResponseList ld 0x55ac7d36d340 msgid 3 all 1
ldap_chkResponseList returns ld 0x55ac7d36d340 NULL
ldap_int_select
read1msg: ld 0x55ac7d36d340 msgid 3 all 1
ldap_find_request_by_msgid: msgid 3, lr 0x55ac7d38ec90 lr->lr_refcnt = 1
read1msg: ld 0x55ac7d36d340 msgid 3 message type bind
read1msg: ld 0x55ac7d36d340 0 new referrals
read1msg:  mark request completed, ld 0x55ac7d36d340 msgid 3
request done: ld 0x55ac7d36d340 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_return_request: lrx 0x55ac7d38ec90, lr 0x55ac7d38ec90
ldap_return_request: lrx->lr_msgid 3, lrx->lr_refcnt is now 0, lr is still present
ldap_free_request (origid 3, msgid 3)
ldap_free_request_int: lr 0x55ac7d38ec90 msgid 3 removed
ldap_do_free_request: asked to free lr 0x55ac7d38ec90 msgid 3 refcnt 0
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ldap_parse_result
ldap_pvt_sasl_generic_install
ldap_msgfree
ldap_search_ext
put_filter: "(&(objectClass=user)(sAMAccountName=x_tandrea)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
put_filter: AND
put_filter_list "(objectClass=user)(sAMAccountName=x_tandrea)(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
put_filter: "(objectClass=user)"
put_filter: simple
put_simple_filter: "objectClass=user"
put_filter: "(sAMAccountName=x_tandrea)"
put_filter: simple
put_simple_filter: "sAMAccountName=x_tandrea"
put_filter: "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
put_filter: NOT
put_filter_list "(userAccountControl:1.2.840.113556.1.4.803:=2)"
put_filter: "(userAccountControl:1.2.840.113556.1.4.803:=2)"
put_filter: simple
put_simple_filter: "userAccountControl:1.2.840.113556.1.4.803:=2"
ldap_build_search_req ATTRS: *
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x55ac7d36d340 msgid 4
wait4msg ld 0x55ac7d36d340 msgid 4 (infinite timeout)
wait4msg continue ld 0x55ac7d36d340 msgid 4 all 1
** ld 0x55ac7d36d340 Connections:
* host: ABC.local  port: 636  (default)
* from: IP=172.18.0.2:48270
  refcnt: 2  status: Connected
  last used: Thu Nov 21 16:11:25 2024


** ld 0x55ac7d36d340 Outstanding Requests:
 * msgid 4,  origid 4, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55ac7d36d340 request count 1 (abandoned 0)
** ld 0x55ac7d36d340 Response Queue:
   Empty
  ld 0x55ac7d36d340 response count 0
ldap_chkResponseList ld 0x55ac7d36d340 msgid 4 all 1
ldap_chkResponseList returns ld 0x55ac7d36d340 NULL
ldap_int_select
read1msg: ld 0x55ac7d36d340 msgid 4 all 1
ldap_err2string
[Thu Nov 21 16:11:25.649335 2024] [php:warn] [pid 21:tid 21] [client 172.18.0.1:43858] PHP Warning:  ldap_search(): Search: Can't contact LDAP server in /var/www/vendor/ltb-project/ltb-common/src/Ltb/PhpLDAP.php on line 56, referer: http://localhost/
ldap_err2string
[Thu Nov 21 16:11:25.649377 2024] [php:notice] [pid 21:tid 21] [client 172.18.0.1:43858] LDAP - Search error -1  (Can't contact LDAP server), referer: http://localhost/
ldap_do_free_request: asked to free lr 0x55ac7d38dc70 msgid 4 refcnt 0
ldap_free_connection 1 1
ldap_free_connection: actually freed
172.18.0.1 - - [21/Nov/2024:16:11:25 +0000] "POST / HTTP/1.1" 200 1460 "http://localhost/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"
172.18.0.1 - - [21/Nov/2024:16:11:25 +0000] "GET /css/self-service-password.css HTTP/1.1" 404 487 "http://localhost/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"
172.18.0.1 - - [21/Nov/2024:16:11:25 +0000] "GET /css/ppolicy.css HTTP/1.1" 404 488 "http://localhost/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"
172.18.0.1 - - [21/Nov/2024:16:11:25 +0000] "GET /images/favicon.ico HTTP/1.1" 200 1450 "http://localhost/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"

If I make the same search using ldapsearch I get the correct result:

ldapsearch -d 1 -Y GSSAPI -H ldaps://ABC.local -b "dc=devops-esl,dc=local" "(&(objectClass=user)(sAMAccountName=x_tandrea)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";

Output:

ldap_url_parse_ext(ldaps://ABC.local)
ldap_create
ldap_url_parse_ext(ldaps://ABC.local:636/??base)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ABC.local:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 111.111.111.111:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_int_sasl_open: host=ABC.local
SASL/GSSAPI authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 1590 bytes to sd 3
ldap_msgfree
ldap_result ld 0x5626cde56bc0 msgid 1
wait4msg ld 0x5626cde56bc0 msgid 1 (infinite timeout)
wait4msg continue ld 0x5626cde56bc0 msgid 1 all 1
** ld 0x5626cde56bc0 Connections:
* host: ABC.local  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Nov 21 17:20:44 2024


** ld 0x5626cde56bc0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x5626cde56bc0 request count 1 (abandoned 0)
** ld 0x5626cde56bc0 Response Queue:
   Empty
  ld 0x5626cde56bc0 response count 0
ldap_chkResponseList ld 0x5626cde56bc0 msgid 1 all 1
ldap_chkResponseList returns ld 0x5626cde56bc0 NULL
ldap_int_select
read1msg: ld 0x5626cde56bc0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 176 contents:
read1msg: ld 0x5626cde56bc0 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x5626cde56bc0 0 new referrals
read1msg:  mark request completed, ld 0x5626cde56bc0 msgid 1
request done: ld 0x5626cde56bc0 msgid 1
res_errno: 14, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
sasl_client_step: 1
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 22 bytes to sd 3
ldap_msgfree
ldap_result ld 0x5626cde56bc0 msgid 2
wait4msg ld 0x5626cde56bc0 msgid 2 (infinite timeout)
wait4msg continue ld 0x5626cde56bc0 msgid 2 all 1
** ld 0x5626cde56bc0 Connections:
* host: ABC.local  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Nov 21 17:20:44 2024


** ld 0x5626cde56bc0 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x5626cde56bc0 request count 1 (abandoned 0)
** ld 0x5626cde56bc0 Response Queue:
   Empty
  ld 0x5626cde56bc0 response count 0
ldap_chkResponseList ld 0x5626cde56bc0 msgid 2 all 1
ldap_chkResponseList returns ld 0x5626cde56bc0 NULL
ldap_int_select
read1msg: ld 0x5626cde56bc0 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 50 contents:
read1msg: ld 0x5626cde56bc0 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x5626cde56bc0 0 new referrals
read1msg:  mark request completed, ld 0x5626cde56bc0 msgid 2
request done: ld 0x5626cde56bc0 msgid 2
res_errno: 14, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
sasl_client_step: 0
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 56 bytes to sd 3
ldap_msgfree
ldap_result ld 0x5626cde56bc0 msgid 3
wait4msg ld 0x5626cde56bc0 msgid 3 (infinite timeout)
wait4msg continue ld 0x5626cde56bc0 msgid 3 all 1
** ld 0x5626cde56bc0 Connections:
* host: ABC.local  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Nov 21 17:20:44 2024


** ld 0x5626cde56bc0 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x5626cde56bc0 request count 1 (abandoned 0)
** ld 0x5626cde56bc0 Response Queue:
   Empty
  ld 0x5626cde56bc0 response count 0
ldap_chkResponseList ld 0x5626cde56bc0 msgid 3 all 1
ldap_chkResponseList returns ld 0x5626cde56bc0 NULL
ldap_int_select
read1msg: ld 0x5626cde56bc0 msgid 3 all 1
ber_get_next
ber_get_next: tag 0x30 len 18 contents:
read1msg: ld 0x5626cde56bc0 msgid 3 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x5626cde56bc0 0 new referrals
read1msg:  mark request completed, ld 0x5626cde56bc0 msgid 3
request done: ld 0x5626cde56bc0 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
SASL username: [email protected]
SASL SSF: 0
ldap_msgfree
# extended LDIF
#
# LDAPv3
# base <dc=devops-esl,dc=local> with scope subtree
# filter: (&(objectClass=user)(sAMAccountName=x_tandrea)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
# requesting: ALL
#

ldap_search_ext
put_filter: "(&(objectClass=user)(sAMAccountName=x_tandrea)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
put_filter: AND
put_filter_list "(objectClass=user)(sAMAccountName=x_tandrea)(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
put_filter: "(objectClass=user)"
put_filter: simple
put_simple_filter: "objectClass=user"
put_filter: "(sAMAccountName=x_tandrea)"
put_filter: simple
put_simple_filter: "sAMAccountName=x_tandrea"
put_filter: "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
put_filter: NOT
put_filter_list "(userAccountControl:1.2.840.113556.1.4.803:=2)"
put_filter: "(userAccountControl:1.2.840.113556.1.4.803:=2)"
put_filter: simple
put_simple_filter: "userAccountControl:1.2.840.113556.1.4.803:=2"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 153 bytes to sd 3
ldap_result ld 0x5626cde56bc0 msgid -1
wait4msg ld 0x5626cde56bc0 msgid -1 (infinite timeout)
wait4msg continue ld 0x5626cde56bc0 msgid -1 all 0
** ld 0x5626cde56bc0 Connections:
* host: ABC.local  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Nov 21 17:20:44 2024


** ld 0x5626cde56bc0 Outstanding Requests:
 * msgid 4,  origid 4, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x5626cde56bc0 request count 1 (abandoned 0)
** ld 0x5626cde56bc0 Response Queue:
   Empty
  ld 0x5626cde56bc0 response count 0
ldap_chkResponseList ld 0x5626cde56bc0 msgid -1 all 0
ldap_chkResponseList returns ld 0x5626cde56bc0 NULL
ldap_int_select
read1msg: ld 0x5626cde56bc0 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 1497 contents:
read1msg: ld 0x5626cde56bc0 msgid 4 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
ldap_dn2ufn
ldap_dn_normalize
# TEST Andreatta, Users, Accounts, devops-esl.local
dn: CN=TEST Andreatta,OU=Users,OU=Accounts,DC=devops-esl,DC=local

@davidcoutadeur

This one is a connectivity problem:

LDAP - Search error -1  (Can't contact LDAP server)

either ABC.local is not reachable, or the TLS establishment has problems.

@luandrea
Author

Hi @davidcoutadeur ,
inside the container, telnet connects correctly to that address and port, so the server is reachable.

About TLS, if I remove the cert, I get a specific error, something like this:

TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).

I added back this line in ldap.conf that I had removed in previous tests:

sasl_secprops minssf=0,maxssf=0

Now I get a different error:

res_errno: 1, res_error: <000004DC: LdapErr: DSID-0C091048, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839>, res_matched: <>

I will investigate better tomorrow.
