Hi there, I'm running ‎4.1.3-rc1 and it's still not working for me.

This is the set-up we use with J3. Do I need to do anything differently?

As you use ldaps, you also need #37962

@nickdring Can you confirm it's working with the 2 PRs applied?

Hi @tatankat I updated to ‎4.1.5-rc1 but its still not working. Sorry.

@nickdring The code from these PRs are not yet released in a Joomla version (AFAIK), so you have to apply the changes "manually" to test. As @richard67 said in #37962, only once these changes are tested by several humans, these PRs will be merged and can be included in Joomla.

Hi @tatankat sorry didn't realise. So I manually added the new changes but it still doesn't work.

Hi @tatankat sorry didn't realise. So I manually added the new changes but it still doesn't work.

@nickdring You have added the changes from both PRs, #37962 and this one here? If so, you have to edit and save the ldap plugin settings once so that the right encryption setting is used. Or you would have to apply the database changes from the other PR, but that would be too complicated now. Or if you have apploed only the changes from this PR here, you should test with ldap (without s).

Hi, #37962 has 5 files, one of which is ldap.php, which is the same file as #37959. But I tried both versions and it doesn't work.

Hi, #37962 has 5 files, one of which is ldap.php, which is the same file as #37959. But I tried both versions and it doesn't work.

@nickdring In the ldap.php you would have to use an editor and apply the changes from both PRs if you want to use ldaps. Maybe @tatankat can provide you a download of the file with the changes from both PRs if you can't do that.

If @tatankat can do that for me I'd be happy to try it.

@nickdring Are you testing on a testing environment or a testing copy of your life site? Or are you using your life site for testing? I'm asking in order to give you the right advise later for testing. If possible you should use a testing environment or a testing copy of your life site.

I'm testing J4 on a staging, I can break it as much as I like ;)

@nickdring Good to know about your test environment :)

As you don't use [username] in your User's DN, this PR won't do anything. And as the other PR separately does not work, it does not work yet with the two combined. (but hold on)

As I was investigating, I found another change of behavior which (probably) also explains why logging in with domain fails (which I suspect you do too). When User's DN is empty, V3 took the entered login, while V4 does not. Except when you use this PR (combined with the other, will give you that next week if still necessary) and put simply [username] in the User's DN. Can you test that?

If this does not work, can you give me some more details about your installation and what type of credentials you use to login?

Hi @tatankat I tried that, but it didn't work. This is our usual set up as per J3. As you can see, LDAP v3 is not activated, and we don't use User's DN or Connect Username

.

@tatankat Should @nickdring select an encryption protocol when using a host with "ldaps://"?

@nickdring and @richard67 , yes, the SSL encryption protocol should be selected (I will check if I can improve #37962 for that, as I am apparently not the only one using it this way).

The combination of both PRs are in https://github.com/tatankat/joomla-cms/tree/patched/plugins/authentication/ldap (my "patched" branch).

This PR now most probably also fixes #36074, #35573 and #35571

Hi @tatankat so would you like me to try with the two files in https://github.com/tatankat/joomla-cms/tree/patched/plugins/authentication/ldap ? Do I need to change any of the settings?

Yes, please. You need to remove the "ldaps://" part in the Host and set "Encryption Protocol" to SSL. When code is accepted to J4, this will be done automatically on upgrade.
It's also strange you don't have LDAP v3, so maybe try that one if it is not working - you never know this did not do anything in J3.

Ok, two new uploaded, and I removed ldaps:// from the host and set encryption to SSL. I also tried LDAP v3 option on and off and a bunch of other combinations, but it is always the same result I'm afraid.

A last guess: do you still have the port number in the "Host" field?
If it is, can you test with the port number removed?
If not, then some debugging will need to take place. Is there some error in the php logs? It seems to me the debug option currently has no effect, so I will check if something can be done with that.
Can you check on your ldap server if something is connecting and what it is doing?

Hi @tatankat I've tried with and without the port number in the host field. I've tried different port numbers too, LDAP v3 on and off, I've also tried with our User DN.
In the PHP logs, all I see is '2022-05-24T13:15:10+00:00 INFO 10.255.7.56 ldapfailure Username and password do not match, or you do not have an account yet.'
BTW I updated to 4.1.5.rc2, and I see the option for the encryption has changed, now it's either on or off and only TLS.
I'll see if I can get any LDAP logs/info from my colleagues in ICT.

This pull requests has automatically rebased to 4.2-dev.

This pull requests has been automatically converted to the PSR-12 coding standard.

@nickdring I have fixed the ldap debug in PR #38388
To run with ldap debugging, you should update the file (or run from https://github.com/tatankat/joomla-cms/tree/patched which includes all ldap fixes) and execute composer update symfony/ldap
Can you please issue a test and show us the resulting log?

Hi there, I tried your branch on a local installation and its still not working. The only log message is '2022-08-19T08:47:54+00:00 INFO 10.255.7.56 ldapfailure Username and password do not match or you do not have an account yet.' I've tried all the variations I can think off.

@nickdring If you have successfully enabled the ldap debugging, then you should find in the php error log (not in the joomla log), then you should see messages like these:

ldap_create
ldap_url_parse_ext(ldap://localhost:1389)
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:1389

If this is not the case, then check if your installation uses the right symonfony ldap version, joomla has ldap debugging correctly enabled and it logs somewhere the php stderr messages. Using those messages, we should find what is wrong. If you can't enable/find those messages, I can't help you, sorry.

Hi, in the php_error.log i see the follwing error:
Stack trace:
#0 /Applications/MAMP/bin/phpMyAdmin5/libraries/classes/Controllers/ExportController.php(394): PhpMyAdmin\Export->getFilenameAndMimetype('database', '', Object(PhpMyAdmin\Plugins\Export\ExportSql), '', NULL)
#1 /Applications/MAMP/bin/phpMyAdmin5/libraries/classes/Routing.php(187): PhpMyAdmin\Controllers\ExportController->index(Array)
#2 /Applications/MAMP/bin/phpMyAdmin5/index.php(19): PhpMyAdmin\Routing::callControllerForRoute('/export', Object(FastRoute\Dispatcher\GroupCountBased), Object(Symfony\Component\DependencyInjection\ContainerBuilder))
#3 {main}
thrown in /Applications/MAMP/bin/phpMyAdmin5/libraries/classes/Export.php on line 348
[05-Aug-2022 14:00:37 UTC] PHP Warning: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in /Applications/MAMP/htdocs/libraries/vendor/symfony/ldap/Adapter/ExtLdap/Connection.php on line 162
[05-Aug-2022 14:01:02 UTC] PHP Warning: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in /Applications/MAMP/htdocs/libraries/vendor/symfony/ldap/Adapter/ExtLdap/Connection.php on line 162
[05-Aug-2022 14:01:48 UTC] PHP Warning: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in /Applications/MAMP/htdocs/libraries/vendor/symfony/ldap/Adapter/ExtLdap/Connection.php on line 162
[08-Aug-2022 08:27:15 UTC] PHP Warning: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in /Applications/MAMP/htdocs/libraries/vendor/symfony/ldap/Adapter/ExtLdap/Connection.php on line 162
[08-Aug-2022 08:28:05 UTC] PHP Warning: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in /Applications/MAMP/htdocs/libraries/vendor/symfony/ldap/Adapter/ExtLdap/Connection.php on line 162
[08-Aug-2022 08:42:55 UTC] PHP Warning: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in /Applications/MAMP/htdocs/libraries/vendor/symfony/ldap/Adapter/ExtLdap/Connection.php on line 162
[08-Aug-2022 08:43:39 UTC] PHP Warning: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in /Applications/MAMP/htdocs/libraries/vendor/symfony/ldap/Adapter/ExtLdap/Connection.php on line 162
[08-Aug-2022 08:44:18 UTC] PHP Warning: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in /Applications/MAMP/htdocs/libraries/vendor/symfony/ldap/Adapter/ExtLdap/Connection.php on line 162
[08-Aug-2022 08:44:34 UTC] PHP Warning: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in /Applications/MAMP/htdocs/libraries/vendor/symfony/ldap/Adapter/ExtLdap/Connection.php on line 162

@nickdring ok, from the php error log, it is clear that the ldap client did not yet start. You probably still have the protocol (ldaps://) and/or the port number in the Host field. Can you check?
You can check which parameter is used in ldap_connect. For now, you can add error_log("LDAP connecting to ".$this->config['connection_string']); on line 149162 in libraries/vendor/symfony/ldap/Adapter/ExtLdap/Connection.php . I'll probably work on some more (and more correct) Joomla logging later.

Hi @tatankat this is my setup.

@nickdring If there aren't any trailing spaces there, I see no reason why it would give that error. Everything looks ok.
So I added the logging. To get some logging, you should enable logging in Joomla: "Global configuration" > Logging > "Log Almost Everything". On the same page, you see also the file where the logs should be (named everything.php).

The ldap client debug logging is still somewhere else, not in the php_error.log, but your web server error log.

I hope this will give us some pointers... Also, adding the php snippet I gave, can give us some useful information.

Hi @tatankat
Here is the log. I notice that what ever setting I try, it uses LDAP and not LDAPS.
everything.txt

Hi @nickdring
you are probably missing (this part of) the ldaps fix: https://github.com/joomla/joomla-cms/pull/37962/files#diff-13c3c0b4641749560ace9ea3d0f5ac35a569e9de1986e8eaef848714c79c6ac3

I was pretty sure I added them, but to be sure I've done it again.
The error is now:
2022-09-12T09:11:45+00:00 DEBUG ::1 ldap Creating LDAP session to connect to "ldap://10.255.8.30:3269" while binding
2022-09-12T09:11:45+00:00 DEBUG ::1 ldap Direct binding to LDAP server with entered user dn "nicholas.dring@iit.it" and user entered password
2022-09-12T09:11:45+00:00 ERROR ::1 ldap Could not initiate TLS connection: Success
2022-09-12T09:11:45+00:00 INFO ::1 ldapfailure Username and password do not match or you do not have an account yet.
2022-09-12T09:11:45+00:00 WARNING ::1 jerror Username and password do not match or you do not have an account yet.

Actually, my previous post is a little inaccurate. The settings have changed, I now see the connection security option.
But whichever option I try I still get the same error in the log and I still see LDAP and not LDAPS.
As you can see here I also tried adding parameters to the Users DN:
2022-09-12T09:19:40+00:00 DEBUG ::1 ldap Creating LDAP session to connect to "ldap://10.255.8.30:3269" while binding
2022-09-12T09:19:40+00:00 DEBUG ::1 ldap Direct binding to LDAP server with entered user dn "CN=Digital,OU=Mailboxes,OU=Service Accounts,DC=iit,DC=local" and user entered password
2022-09-12T09:19:40+00:00 ERROR ::1 ldap Can't contact LDAP server
2022-09-12T09:19:40+00:00 INFO ::1 ldapfailure Username and password do not match or you do not have an account yet.
2022-09-12T09:19:40+00:00 WARNING ::1 jerror Username and password do not match or you do not have an account yet.

Please make sure you selected "SSL/TLS" in "Connection Security".
If this changes the protocol not to ldaps, there is something wrong setting the parameter in the DB. Can you check:

select params from cms_extensions where name = 'plg_authentication_ldap';

or equivalent on your database system.

rp2pn_extensions.sql.txt
here you go!

The database content looks ok (but you have entered an unnecessary username/password in your config).
Can you give the code in plugins/authentication/ldap/ldap.php from line 68 to 78 ?

HI, the username password I added while trying various options. With or without, it makes no difference.
Here is the code.
$options = [ 'host' => $this->params->get('host'), 'port' => (int) $this->params->get('port'), 'version' => $this->params->get('use_ldapV3', '0') == '1' ? 3 : 2, 'referrals' => (bool) $this->params->get('no_referrals', '0'), 'encryption' => $this->params->get('negotiate_tls', '0') == '1' ? 'tls' : 'none', ]; $connection_string = sprintf('ldap%s://%s:%s', 'ssl' === $options['encryption'] ? 's' : '', $options['host'], $options['port']); Log::add(sprintf('Creating LDAP session to connect to "%s" while binding', $connection_string), Log::DEBUG, $logcategory); $ldap = Ldap::create( 'ext_ldap',

Hi @nickdring you are still missing this part of the ldaps fix: https://github.com/joomla/joomla-cms/pull/37962/files#diff-13c3c0b4641749560ace9ea3d0f5ac35a569e9de1986e8eaef848714c79c6ac3

Hi, to be sure, I copied the repo to my local GitHub. I replaced the file again.
Here is the code again. The strange thing is that now in the log file, everything.txt I don't see the line 'Creating LDAP session to connect to "ldap://10.255.8.30:3269" while binding'

[
            'host'       => $this->params->get('host'),
            'port'       => (int) $this->params->get('port'),
            'version'    => $this->params->get('use_ldapV3', '0') == '1' ? 3 : 2,
            'referrals'  => (bool) $this->params->get('no_referrals', '0'),
            'encryption' => $this->params->get('encryption', 'none'),
        ]
    );

    switch ($auth_method) {

        case 'search':

You can't just replace the file as both PRs have changes to the same file. You basically revert always one part of the PRs. You can either:

• use the files from the "patched" branch from this fork
• or patch the file by hand by simple replacing the line with 'encryption' => as shown here after using the file from this PR

The problem is you encounter two issues at the same time and in your case both need to be fixed for it to work.

Cool, so now I'm seeing ldaps in the log :)
But its not working. Here is the log which confirms that its using ldaps.
I'm going to try this on a staging server instead of a local machine and let you know.
2022-09-14T10:22:33+00:00 DEBUG ::1 ldap Creating LDAP session to connect to "ldaps://10.255.8.30:3269" while binding
2022-09-14T10:22:33+00:00 DEBUG ::1 ldap Direct binding to LDAP server with entered user dn "nicholas.dring@iit.it" and user entered password
2022-09-14T10:22:33+00:00 ERROR ::1 ldap Can't contact LDAP server
2022-09-14T10:22:33+00:00 INFO ::1 ldapfailure Username and password do not match or you do not have an account yet.
2022-09-14T10:22:34+00:00 WARNING ::1 jerror Username and password do not match or you do not have an account yet.

Hi, moved the files to the staging server with J4 v4.2.2 installed. It still doesn't work.
I have other staging sites running J3, and they connect to the LDAP without any issues.
Here is teh J3 setup, fyi.

Here is the error, which is the same as the local installation:

2022-09-14T11:21:57+00:00	DEBUG 10.255.7.56	ldap	Creating LDAP session to connect to "ldap://10.255.8.30:3269" while binding
2022-09-14T11:21:57+00:00	DEBUG 10.255.7.56	ldap	Direct binding to LDAP server with entered user dn "nicholas.dring@iit.it" and user entered password
2022-09-14T11:21:57+00:00	ERROR 10.255.7.56	ldap	Can't contact LDAP server
2022-09-14T11:21:57+00:00	INFO 10.255.7.56	ldapfailure	Username and password do not match or you do not have an account yet.

Again, it still tries to connect using ldap://
Please check the log files (php error log for php error messages and webserver error log for ldap client error messages) once it connects with ldaps:// and only check new messages after that.

Sorry, I pasted in the wrong lines. It is using LDAPS.
2022-09-14T11:14:34+00:00 DEBUG 10.255.7.56 ldap Creating LDAP session to connect to "ldaps://10.255.8.30:3269" while binding 2022-09-14T11:14:34+00:00 DEBUG 10.255.7.56 ldap Direct binding to LDAP server with entered user dn "nicholas.dring@iit.it" and user entered password 2022-09-14T11:14:34+00:00 ERROR 10.255.7.56 ldap Can't contact LDAP server

Ok, that is something :)
The "Can't contact LDAP server" message is something PHP gets from the ldap library, so more details can't be given there. Please check the php error log (should be empty) and find the ldap client debug logs (be aware you need also #38388 to get these messages) to find the issue.

My guess is your LDAP client does not accept the server's certificate (which is also a functionality that apparently worked on windows on J3 that is broken now and thought to be unsupported in php, see #35323). To allow self-signed certificates (easily, with the same functionality) for now, so you can test, you have to add TLS_REQCERT never in:

• C:\openldap\sysconf\ldap.conf (on windows, the directories may need to be created)
• ldap.conf somewhere in /etc (on linux, it may be located in /etc/ldap.conf, /etc/openldap/ldap.conf, /etc/ldap/ldap.conf, ...)

That's interesting. On my MAMP I can see the PHP error log and there is something:
[14-Sep-2022 09:32:50 UTC] PHP Warning: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in /Applications/MAMP/htdocs/libraries/vendor/symfony/ldap/Adapter/ExtLdap/Connection.php on line 162

Which is probably (and hopefully) from when the code was not yet right, when it was connecting to ldap://ldaps://<host>:<port>. That is why I asked to check new messages.

If it is still logging this error, then is this an installation where J3 is working with ldap?
If not, then you may have this issue Adldap2/Adldap2#533 and you should really look into your apache error log.
If it is and the message is created when the joomla log tells you are using a correct ldaps://<ip>:<port>, then I am out of ideas and the last thing I can come up is to try BookStackApp/BookStack#2153 (comment) (which does not make sense and was probably an issue like the first one, but we're talking about windows, so who knows...).

Yeah, i think you are right, that's from before. It's not showing any errors now.
I have an Apache error log with some info. To be honest I'm not sure what I have to do to fix that.
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /Applications/MAMP/conf/openldap/ldap.conf
ldap_init: HOME env is /Users/nicholasdring
ldap_init: trying /Users/nicholasdring/ldaprc
ldap_init: trying /Users/nicholasdring/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
ldap_create
ldap_url_parse_ext(ldaps://10.255.8.30:3269)
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.255.8.30:3269
ldap_new_socket: 17
ldap_prepare_socket: 17
ldap_connect_to_host: Trying 10.255.8.30:3269
ldap_pvt_connect: fd: 17 tm: 60 async: 0
ldap_ndelay_on: 17
attempting to connect:
connect errno: 36
ldap_int_poll: fd: 17 tm: 60
ldap_is_sock_ready: 17
ldap_ndelay_off: 17
ldap_pvt_connect: 0
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x12d8f6710 msgid 1
wait4msg ld 0x12d8f6710 msgid 1 (infinite timeout)
wait4msg continue ld 0x12d8f6710 msgid 1 all 1
** ld 0x12d8f6710 Connections:

• host: 10.255.8.30 port: 3269 (default)
  refcnt: 2 status: Connected
  last used: Wed Sep 14 17:28:25 2022

@nickdring That is actually the beginning of a successful connection. But the part you copied is not complete. The full log of 1 session goes up to "ldap_free_connection: actually freed". Please provide the full log of 1 new session.

Also, about the TLS_REQCERT option, from the log, it looks like you may have to set it in one of these files instead of C:\openldap\sysconf\ldap.conf:
ldap_init: trying /Applications/MAMP/conf/openldap/ldap.conf
ldap_init: trying /Users/nicholasdring/ldaprc
ldap_init: trying /Users/nicholasdring/.ldaprc

This fix works fine for me after I manually changed the 3 files.

Before I had to implement the fix presented in the issue #35829 to have a working ldap.

This fix works fine for me after I manually changed the 3 files.

@mattsh61 That means you have successfully tested this pull request (PR) here? If so, could you go to the PR in the issue tracker here https://issues.joomla.org/tracker/joomla-cms/37959 , click the blue "Test this" button at the top left corner, select your test result (success) and submit? This would be needed to properly count the successful test. Thanks in advance.

Before I had to implement the fix presented in the issue #35829 to have a working ldap.

@mattsh61 You mean the fix from PR #37962 ? If so: Does it mean you have also tested that PR with success? If so, could you also mark the test result in the issue tracker here https://issues.joomla.org/tracker/joomla-cms/37962 as described above for this PR? Thanks in advance.

I have tested this item ✅ successfully on 8be9f21

This fix worked fine after I manually changed the 3 files. I can now use the ldap login in with Joomla (4.2.4). Ldap login did not work earlier. Tested at 2 Joomla sites.

No, I have not tested code changes from #37962 just the 1 line code change from #35829. And it worked for me.

I have tested this item ✅ successfully on 8be9f21

RTC

Unfortunately this pr changes the behavior of the LDAP plugin in a way that the UI has some variables mandatory where they haven't been before. So I would rebase it to the 4.3 branch. Then we have also more time to detect regressions during the alpha/beta phase. Thanks for understanding.

Unfortunately this pr changes the behavior of the LDAP plugin in a way that the UI has some variables mandatory where they haven't been before. So I would rebase it to the 4.3 branch. Then we have also more time to detect regressions during the alpha/beta phase. Thanks for understanding.

@laoneo Does the same apply to #38388 which updates the ldap dependency, and #37962 which replaces a configuration parameter of the plugin?

Yes

Yes

@laoneo Should the author do that or will we rebase them?

As soon as 4.3 is up to date, we can do it.

Thank you @tatankat for the fix!

Hi there, I'm running the ‎4.3.0-alpha2-dev+pr.37959 build on a staging server and its still not working for me. In the everything l see: 2022-09-19T07:43:01+00:00 DEBUG 10.255.7.56 ldap Creating LDAP session to connect to "ldaps://10.255.8.30:3269" while binding
2022-09-19T07:43:01+00:00 DEBUG 10.255.7.56 ldap Direct binding to LDAP server with entered user dn "nicholas.dring@iit.it" and user entered password
2022-09-19T07:43:01+00:00 ERROR 10.255.7.56 ldap Can't con
tact LDAP server
2022-09-19T07:43:01+00:00 INFO 10.255.7.56 ldapfailure Username and password do not match or you do not have an account yet.
2022-09-19T07:43:01+00:00 WARNING 10.255.7.56 jerror Username and password do not match or you do not have an account yet.

Thanks for the merge @obuisard !

I am not at ease rebasing to 4.3, can someone do that for the other ldap PRs (#38388 & #37962), so it is correctly done? Or tell me how/when it can be correctly done?

@nickdring You still need the other PRs applied too and to find your problem, you should look at de ldap client debug logging. Your problem is probably a non-accepted ldap server certificate. To get that working, you should configure the default ldap client options. Once all PRs are accepted (and thus mainly: tested), I can add an additional configuration option to accept non-trusted certificates.

@tatankat Done the rebase for you :-)

Thanks!