Mantis Bugtracker          
testlink.org

ID: 0008762
Project: TestLink
Category: LDAP authentication
View Status: public
Date Submitted: 2019-09-13 12:33
Last Update: 2019-10-30 16:06
Reporter: ohummel
Assigned To: fman
Priority: urgent
Severity: major
Reproducibility: always
Status: assigned
Resolution: open
Platform: Bitnami VM
OS: Debian
OS Version: 9
Product Version: 1.9.19 (2019 Q1)
Fixed in Version:
Summary: 0008762: LDAP with TLS authentication fails
Description: We are operating Testlink with an LDAP connection to Active Directory. The LDAP is moving to a new server and is therefore secured with TLS. We tried different options, STARTTLS and TLS directly, but were not able to get it working.

How can we configure LDAPS or STARTTLS with certificate verification?
Why does the "ldap_tls" configuration parameter only define to use STARTTLS, not TLS directly?
Steps To Reproduce: Content of /opt/bitnami/apps/testlink/htdocs/custom_config.inc.php:

For STARTTLS we tried:
<?php
define('DBUG_ON',1);
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);

$tlCfg->authentication['method'] = 'LDAP';
$tlCfg->authentication['ldap'] = array();
$tlCfg->authentication['ldap'][1]['ldap_server'] = 'ourserver.com';
$tlCfg->authentication['ldap'][1]['ldap_port'] = '389';
$tlCfg->authentication['ldap'][1]['ldap_version'] = '3';
$tlCfg->authentication['ldap'][1]['ldap_root_dn'] = 'OU=Regions,DC=net,...';
$tlCfg->authentication['ldap'][1]['ldap_bind_dn'] = 'CN=ourBindDN,...,DC=com';
$tlCfg->authentication['ldap'][1]['ldap_bind_passwd'] = 'ourPassword';
$tlCfg->authentication['ldap'][1]['ldap_tls'] = true;
$tlCfg->authentication['ldap'][1]['ldap_organization'] = '';
$tlCfg->authentication['ldap'][1]['ldap_uid_field'] = 'sAMAccountName';

$g_log_level='INFO';
?>

For using TLS directly (which would be preferred) we tried the following changes:
$tlCfg->authentication['ldap'][1]['ldap_server'] = 'ldaps://ourserver.com:636';
$tlCfg->authentication['ldap'][1]['ldap_port'] = '636';
$tlCfg->authentication['ldap'][1]['ldap_tls'] was set to true and false, but that did not help.

/opt/bitnami/apps/testlink/htdocs/logs/userlog0.log shows either

ldap_start_tls(): Unable to start TLS: Can't contact LDAP server
or
ldap_bind(): Unable to bind to server: Can't contact LDAP server

Contacting the LDAP server using PHP outside of Testlink, but on the same host works successfully:
<?php
putenv('LDAPTLS_CACERT=/home/bitnami/pl_ca_chain.pem');
$ldaphost = "ldap://ourserver.com:389";
$ldapUsername = "CN=ourBindDN,...,DC=com";
$ldapPassword = "ourPassword";

$ds = ldap_connect($ldaphost);
if(!ldap_set_option($ds, LDAP_OPT_REFERRALS, 0)){
        print "Could not set referrals";
}

if(!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)){
        print "Could not set LDAPv3";
} else {
    if (ldap_start_tls($ds)) {
        $ldapError = ldap_error($ds);
        print "StartTLS returned: $ldapError";

        $bth = ldap_bind($ds, $ldapUsername, $ldapPassword) or die("\r\nCould not connect to LDAP server\r\n");

         $bindError = ldap_error($ds);
         print "Return value is: $bindError";
    } else {
      $ldapError2 = ldap_error($ds);
      print "start tls failed with: $ldapError2";
    }
}
?>
Additional Information: Also failed with the productive version of the Testlink Bitnami VM: Testlink 19.9.16, Ubuntu 14.04
Tags: No tags attached.
Database (MySQL,Postgres,etc): MySQL
PHP Version: 7.3.8


- Notes
(0029156)
fman (administrator)
2019-09-14 12:52

Till now I have never tried to use LDAP with the secure option.

regarding

>> Why does the "ldap_tls" configuration parameter only define to use STARTTLS, not TLS
>> directly?


There are some old notes here:
https://www.php.net/manual/en/function.ldap-start-tls.php
(0029157)
fman (administrator)
2019-09-14 12:58

I cannot say that this is the reason, but your configuration is different between TestLink and your test program:
TestLink
$tlCfg->authentication['ldap'][1]['ldap_server'] = 'ldaps://ourserver.com:636';

your PHP script
$ldaphost = "ldap://ourserver.com:389";

so IMHO you cannot compare the results.
(0029158)
fman (administrator)
2019-09-14 17:23

Just done the following test:

1. create an account on http://jumpcloud.com
2. create a user user01testlink on TestLink
3. create same user on Directory in jumpcloud.com
4. configure TestLink this way

$tlCfg->authentication['method'] = 'LDAP';
$tlCfg->authentication['ldap_automatic_user_creation'] = false;
$tlCfg->authentication['ldap'][1]['ldap_server'] = 'ldaps://ldap.jumpcloud.com';

$tlCfg->authentication['ldap'][1]['ldap_root_dn'] =
  'ou=Users,o=5b2e60eb39193845a6811bd1,dc=jumpcloud,dc=com';

# o=5b2e60eb39193845a6811bd1 this is the code for the organization I've created

$tlCfg->authentication['ldap'][1]['ldap_bind_dn'] =
  'uid=LDAPBind,ou=Users,o=5b2e60eb39193845a6811bd1,dc=jumpcloud,dc=com';

$tlCfg->authentication['ldap'][1]['ldap_bind_passwd'] = 'MYSUPERSECRETPASSWORD';


$tlCfg->authentication['ldap'][1]['ldap_organization'] = '';
$tlCfg->authentication['ldap'][1]['ldap_uid_field'] = 'uid';


I was able to log in to TestLink with user01testlink.

Tested using the latest code from GitHub, branch testlink_1_19.

I've done some checks from my Mac laptop (where I test TestLink) at LDAP level using LDAP Admin Tool standard edition version 7.0.
(0029160)
ohummel (reporter)
2019-09-16 14:20

Thanks for trying, but we are still not able to get it to work. Some more questions:

- Which port did you use for the test?
- Was ldap_tls set to true or false?
- Where did you put the certificate in order to verify it?
(0029161)
fman (administrator)
2019-09-16 17:06
edited on: 2019-09-16 17:28

Q1 - Which port did you use for the test?
I've done the tests again with this config:

$tlCfg->authentication['ldap'] = array();
$tlCfg->authentication['method'] = 'LDAP';
$tlCfg->authentication['ldap'][1]['ldap_server'] =
  'ldap://ldap.jumpcloud.com';


$tlCfg->authentication['ldap'][1]['ldap_tls'] = true;
$tlCfg->authentication['ldap'][1]['ldap_version'] = 3;
$tlCfg->authentication['ldap'][1]['ldap_organization'] = '';
$tlCfg->authentication['ldap'][1]['ldap_uid_field'] = 'uid';
$tlCfg->authentication['ldap'][1]['ldap_email_field'] = 'mail';
$tlCfg->authentication['ldap'][1]['ldap_firstname_field'] = 'givenname';
$tlCfg->authentication['ldap'][1]['ldap_surname_field'] = 'sn';

$tlCfg->authentication['ldap'][1]['ldap_root_dn'] =
  'ou=Users,o=5b2e60eb39193845a6811bd1,dc=jumpcloud,dc=com';

$tlCfg->authentication['ldap'][1]['ldap_port'] = 389;

$tlCfg->authentication['ldap'][1]['ldap_bind_dn'] =
  'uid=LDAPBind,ou=Users,o=5b2e60eb39193845a6811bd1,dc=jumpcloud,dc=com';


Q2 - Was ldap_tls set to true or false?
In the latest test: TRUE

Q3 - Where did you put the certificate in order to verify it?
I've not used the certificate.

I can confirm that the communication is encrypted.

(0029183)
ohummel (reporter)
2019-09-19 12:32

So if you were using STARTTLS successfully, where have you put the certificate or where did you disable the checking of the certificate? Otherwise TLS won't work.
And what should a user do if there is no STARTTLS option enabled in the active directory, hence we have to use TLS directly?
(0029188)
fman (administrator)
2019-09-19 14:10

Hi,
as I've explained, I have to trust what jumpcloud provides.
I've not done any analysis at network level (i.e. using Wireshark or something similar), so I cannot assure that TLS has been activated or not.

Unfortunately, I can provide limited support on this because:
1. PHP documentation regarding LDAP with TLS is close to zero
2. I've used old MantisBT code as the reference for this development.

As soon as I am able to take a look at the new MantisBT code I will try to understand what they are doing.
I suppose my mistake has been using code without a chance to fully test it. I'm sorry.
(0029217)
atisne (reporter)
2019-09-25 12:13

Both of the following configurations work for me:

$tlCfg->authentication['ldap'][1]['ldap_server'] = 'ourserver.com';
$tlCfg->authentication['ldap'][1]['ldap_port'] = '389';
$tlCfg->authentication['ldap'][1]['ldap_version'] = '3';
$tlCfg->authentication['ldap'][1]['ldap_root_dn'] = '...';
$tlCfg->authentication['ldap'][1]['ldap_bind_dn'] = 'uid=...';
$tlCfg->authentication['ldap'][1]['ldap_bind_passwd'] = 'xxxx';
$tlCfg->authentication['ldap'][1]['ldap_tls'] = true;

or

$tlCfg->authentication['ldap'][1]['ldap_server'] = 'ldaps://ourserver.com';
$tlCfg->authentication['ldap'][1]['ldap_port'] = '686';
$tlCfg->authentication['ldap'][1]['ldap_version'] = '3';
$tlCfg->authentication['ldap'][1]['ldap_root_dn'] = '...';
$tlCfg->authentication['ldap'][1]['ldap_bind_dn'] = 'uid=...';
$tlCfg->authentication['ldap'][1]['ldap_bind_passwd'] = 'xxxx';
$tlCfg->authentication['ldap'][1]['ldap_tls'] = false;

I installed the certificate authority that signed my certificate at the OS level (in /etc/pki/ca-trust/source/anchors for CentOS 7).
(0029219)
fman (administrator)
2019-09-25 12:33

@atisne:
thanks for your contribution.

I'm not able to understand why in my installation there is no warning raised due to certificates, because I have installed nothing.
Maybe there is something preinstalled.

thanks again
(0029221)
ohummel (reporter)
2019-09-25 14:56

<?php
  //putenv('LDAPTLS_CACERT=/home/bitnami/my_ca_chain.pem');
  ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
  $ldapconn = ldap_connect('ldaps://ourserver.com', 636);
  
  ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
  ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
  $ldapuser = "CN=ourBindDN,...,DC=com";
  $ldappwd = "ourPassword";
  
  ldap_bind($ldapconn, $ldapuser, $ldappwd);
?>


Thanks again for trying, but unfortunately that didn't help.
I already added the CA certificate chain to the OS certificate store (chained, separated, doesn't matter), but PHP doesn't seem to find them.
I tried the code snippet above on the bitnami machine running Testlink. If the environment variable in the beginning is not set, the code snippet fails with a similar error as Testlink:

ldap_create
ldap_url_parse_ext(ldaps://ourserver.com)
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ourserver.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 149.246.249.171:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 20, subject: ourTrustCA, issuer: ourRootCA
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate).
ldap_err2string
PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /home/bitnami/debug.php on line 13

If I add the line setting the environment variable everything works as expected:

ldap_create
ldap_url_parse_ext(ldaps://ourserver.com)
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ourserver.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 149.246.249.171:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 0, subject: ourRootCA, issuer: ourRootCA
TLS certificate verification: depth: 1, err: 0, subject: ourTrustCA, issuer: ourRootCA
TLS certificate verification: depth: 0, err: 0, subject: , issuer: ourTrustCA
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server key exchange A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x31bc010 msgid 1
wait4msg ld 0x31bc010 msgid 1 (infinite timeout)
wait4msg continue ld 0x31bc010 msgid 1 all 1
** ld 0x31bc010 Connections:
* host: ourserver.com port: 636 (default)
  refcnt: 2 status: Connected
  last used: Wed Sep 25 14:40:57 2019
** ld 0x31bc010 Outstanding Requests:
 * msgid 1, origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x31bc010 request count 1 (abandoned 0)
** ld 0x31bc010 Response Queue:
   Empty
  ld 0x31bc010 response count 0
ldap_chkResponseList ld 0x31bc010 msgid 1 all 1
ldap_chkResponseList returns ld 0x31bc010 NULL
ldap_int_select
read1msg: ld 0x31bc010 msgid 1 all 1
read1msg: ld 0x31bc010 msgid 1 message type bind
read1msg: ld 0x31bc010 0 new referrals
read1msg: mark request completed, ld 0x31bc010 msgid 1
request done: ld 0x31bc010 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
TLS trace: SSL3 alert write:warning:close notify
ldap_free_connection: actually freed

I already tried adding the same variable in custom_config.inc.php, but for Testlink this solution does not work.
Do you have any idea if, where and how I could set this environment variable for Testlink to take effect?
Thanks in advance for all the support.
(0029224)
fman (administrator)
2019-09-25 17:30

I'm going to ask the Bitnami engineering people if they can provide some help.
It's a pity that the PHP documentation for LDAP with TLS is no good.
(0029225)
atisne (reporter)
2019-09-26 16:43

@fman (in reply to http://mantis.testlink.org/view.php?id=8762#c29219)

If you have no warning, that means that the certification authority (CA) should be in the ca-bundle of your server. OSes come with pre-packaged CAs. If you use them, it works out of the box. You have to install something (a root CA) if the certificate you are using is signed by an authority whose root CA (CAs may be chained) is not already present in the ca-bundle.
(0029226)
atisne (reporter)
2019-09-26 16:51

@ohummel (in reply to http://mantis.testlink.org/view.php?id=8762#c29221)

The interesting part seems to be here:

TLS certificate verification: depth: 1, err: 20, subject: ourTrustCA, issuer: ourRootCA
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA

It seems that you use your own root CA (ourRootCA). Did you install it on your TestLink server? (Please read the previous comment.)
(0029227)
ohummel (reporter)
2019-09-27 09:55

@fman (in reply to http://mantis.testlink.org/view.php?id=8762#c29226)

Yes, we use our own self-signed root as well as the intermediate CA. The server certificate used by Testlink to secure the web page has also been issued by the intermediate CA (ourTrustCA) and works fine. As the experiments show, the certificates match each other and work fine if I explicitly define which one to use.

I installed the CA chain on the Bitnami Debian machine as usual by copying them to /usr/local/share/ca-certificates and calling "sudo update-ca-certificates". They are added, I'm restarting everything, but they do not have any effect for PHP.
I guess the relevant point is that I do not know where the PHP LDAP connector used in Testlink is actually looking for the trusted CA certificates by default or where I can change this setting.

Usually the environment variable I set in the test script can also be set in the ldap.conf file. I already tried manipulating it (even tried both places) as described in https://stackoverflow.com/a/7586808/12084911 but that didn't help for PHP.
Then I thought the problem could be that it's not PHP establishing the connection to the LDAP, but maybe you or PHP are using curl and/or openssl. Therefore I tried to follow the solution described in https://askubuntu.com/a/945231 and added the curl.cainfo parameter in /opt/bitnami/php/etc/php.ini, but that didn't work either. I also checked that both certificates are part of /etc/ssl/certs/ca-certificates.crt.

Any further hint or help is appreciated. Thanks in advance!
(0029228)
beltran (reporter)
2019-09-30 12:24

Hi,

Bitnami developer here. It seems you are trying to update the CA cert in the Bitnami VM. The PHP installation is configured to use the CA cert from '/opt/bitnami/common/openssl/certs/curl-ca-bundle.crt'. Could you try to overwrite that certificate with your own one?
(0029242)
ohummel (reporter)
2019-10-07 11:51

Hi,
we tried both, appending our certificate to the file as well as replacing the file completely, but the error remains the same.
(0029279)
swf (reporter)
2019-10-30 15:46
edited on: 2019-10-30 16:06

Hi all,

We recently faced the same issue in our production (not on the Bitnami stack, however, but I think it doesn't matter here).

The problem is not in Testlink itself. That's because the PHP-LDAP client can't verify the server FQDN if you're using any intermediate CAs in your network.

The solution is to edit your global OpenLDAP client configuration (/etc/*/ldap.conf).

I see your post in the middle of the thread, yes, really. But LDAP doesn't use the system-wide certificates you're trying to update.

So, the options are:

1) Change the TLS_REQCERT option to the "never" value.

OR

2) Collect all CA certs used in your certificate chain.
   Convert them to DER format, if needed.
   Stick them together into one bundle file (a simple `cat` helps here).
   Change the TLS_CACERT option to the full path of that file.

Don't be fooled by the TLS_CACERTDIR option present on the next line; it will require the certs to be hashed by openssl. Using a bundle file does not.

And for Testlink itself, the correct config option is to provide the LDAP URI without enforcing the protocol and use the default non-secure port, because of how STARTTLS works and how Testlink passes arguments to the PHP-LDAP client.
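As an added example that is not part of this thread or of TestLink's code: a PHP helper that does what the last note recommends programmatically (a CA bundle via the TLS_CACERT equivalent, the plain port with STARTTLS, or ldaps:// without it) while keeping certificate verification switched on rather than setting TLS_REQCERT to never. The bundle path, host name, bind DN and the LDAP_BIND_PW variable are assumptions.

```php
<?php
// Added example, not code from TestLink or from anyone in this thread. It opens
// an LDAP connection whose server certificate is verified against an explicit
// CA bundle (the in-code equivalent of TLS_CACERT plus TLS_REQCERT demand in
// ldap.conf) for STARTTLS or direct LDAPS, instead of disabling verification.
// Host names, DNs, the bundle path and the password variable are placeholders.
function ldap_connect_verified(string $server, ?int $port, bool $starttls, string $cafile)
{
    if (!is_readable($cafile)) {
        throw new RuntimeException("CA bundle not readable: $cafile");
    }
    // libldap reads TLS settings from ldap.conf, not from the OS trust store or
    // curl's bundle. Global options (link = null) must be set before ldap_connect().
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $cafile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    $isLdaps = stripos($server, 'ldaps://') === 0;
    if ($isLdaps && $starttls) {
        // STARTTLS on an already encrypted LDAPS session cannot work.
        throw new InvalidArgumentException('Use either ldaps:// or STARTTLS, not both');
    }
    // ldap_connect() ignores its port argument when given a URI, so build the URI
    // explicitly; the port must match the scheme (636 for ldaps, 389 for STARTTLS).
    $host = preg_replace('#^ldaps?://#i', '', $server);
    if (strpos($host, ':') === false) {
        $host .= ':' . ($port ?? ($isLdaps ? 636 : 389));
    }
    $ds = ldap_connect(($isLdaps ? 'ldaps://' : 'ldap://') . $host);
    if ($ds === false) {
        throw new RuntimeException("Malformed LDAP URI built from $server");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    if ($starttls && !@ldap_start_tls($ds)) {
        throw new RuntimeException('STARTTLS failed: ' . ldap_error($ds));
    }
    return $ds;
}

function ldap_bind_verified($ds, string $bindDn, string $password): void
{
    // With LDAPS the handshake happens inside the bind, so a rejected certificate
    // also surfaces as "Can't contact LDAP server"; LDAP_OPT_DEBUG_LEVEL 7 shows why.
    if (!@ldap_bind($ds, $bindDn, $password)) {
        throw new RuntimeException('Bind failed: ' . ldap_error($ds));
    }
}

$caBundle = '/etc/ssl/certs/our_ca_chain.pem';           // placeholder path
$bindDn   = 'CN=bind-user,OU=Service,DC=example,DC=com'; // placeholder DN
$bindPw   = getenv('LDAP_BIND_PW') ?: '';                // read, never hard-coded

// STARTTLS on the plain port: what TestLink does for ldap_tls = true.
$ds = ldap_connect_verified('ourserver.com', 389, true, $caBundle);
ldap_bind_verified($ds, $bindDn, $bindPw);
ldap_unbind($ds);
// Direct LDAPS: ldap_tls must then be false.
$ds = ldap_connect_verified('ldaps://ourserver.com', 636, false, $caBundle);
ldap_bind_verified($ds, $bindDn, $bindPw);
ldap_unbind($ds);
```

If the bind fails with "Can't contact LDAP server" even with the bundle in place, check that the bundle is PEM and contains every issuer up to the self-signed root, since a missing root is exactly the err 20 "unable to get local issuer certificate" shown in the trace above.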


- Issue History
Date Modified Username Field Change
2019-09-13 12:33 ohummel New Issue
2019-09-14 12:52 fman Note Added: 0029156
2019-09-14 12:58 fman Note Added: 0029157
2019-09-14 17:23 fman Note Added: 0029158
2019-09-14 17:23 fman Assigned To => fman
2019-09-14 17:23 fman Status new => feedback
2019-09-16 14:20 ohummel Note Added: 0029160
2019-09-16 14:20 ohummel Status feedback => assigned
2019-09-16 17:06 fman Note Added: 0029161
2019-09-16 17:25 fman Note Edited: 0029161
2019-09-16 17:28 fman Note Edited: 0029161
2019-09-16 17:29 fman Note View State: 0029161: public
2019-09-19 12:32 ohummel Note Added: 0029183
2019-09-19 14:10 fman Note Added: 0029188
2019-09-25 12:13 atisne Note Added: 0029217
2019-09-25 12:33 fman Note Added: 0029219
2019-09-25 14:56 ohummel Note Added: 0029221
2019-09-25 17:30 fman Note Added: 0029224
2019-09-26 16:43 atisne Note Added: 0029225
2019-09-26 16:51 atisne Note Added: 0029226
2019-09-27 09:55 ohummel Note Added: 0029227
2019-09-30 12:24 beltran Note Added: 0029228
2019-10-07 11:51 ohummel Note Added: 0029242
2019-10-30 15:46 swf Note Added: 0029279
2019-10-30 15:47 swf Note Edited: 0029279
2019-10-30 15:48 swf Note Edited: 0029279
2019-10-30 15:49 swf Note Edited: 0029279
2019-10-30 15:52 swf Note Edited: 0029279
2019-10-30 15:58 swf Note Edited: 0029279
2019-10-30 16:01 swf Note Edited: 0029279
2019-10-30 16:05 swf Note Edited: 0029279
2019-10-30 16:05 swf Note Edited: 0029279
2019-10-30 16:06 swf Note Edited: 0029279



Copyright © 2000 - 2019 MantisBT Team
Powered by Mantis Bugtracker