Ubuntu server able to connect via LDAP but not LDAPS though LDP shows SSL is enabled

Question

I've installed Ubuntu Desktop 18.04 and LAMP, enabled LDAP, etc. I am able to connect via LDAP and port 389. When I attempt to connect with LDAPS on 636, I get blocked out. I've used LDP in Windows to connect to the server to verify SSL is enabled and I can connect to the server using SSL within the LDP program.

This is a fresh virtual machine with a bridged network connection running Ubuntu 18.04 desktop. I've tried multiple sets of code and different AD user accounts from basic user accounts to domain admin accounts.

<?php
$ldaphost = "ldaps://my.domain.controller"; //edited for security purposes
$ldapport = 636;

$lconn = ldap_connect($ldaphost) // also tried $lconn = ldap_connect($ldaphost,$ldapport); to no avail
 or die("Could not connect to host!");

As mentioned, it works if I change it to standard LDAP so I know that's enabled correctly. I've been searching online for hours and nothing else has helped.

The LDP program provides the following information:

0x0 = ldap_unbind(ld);
ld = ldap_sslinit("my.domain.controller", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits
Established connection to my.domain.controller.
Retrieving base DSA information...
Getting 1 entries:

EDIT: Ended up being a cert error. They weren't set up properly by the previous administration. Working on fixing them now.

Answer 1

You are going to need to verify a few things:

• CA cert from the DC is installed on the Ubuntu Server.
• SSL cert signed from the CA with the FQDN (or IP- depending on how your LDAPS uri is written) in the CN of the cert is installed on the Ubuntu Server.
• If using openldap for any part of connecting, modify your ldap.conf like so:

BASE    dc=domain,dc=com
URI     ldaps://dc.domain.com:636
TLS_CACERT /path/to/ca-cert.cer
TLS_REQCERT DEMAND

and then ldap search should return results with a query similar to:

ldapsearch -x -H ldaps://dc.domain.com -D 'CN=LDAP-bind,OU=Service Accounts,OU=Accounts,DC=domain,DC=com' -W -b 'OU=Accounts,DC=domain,DC=com'

These are the instructions I followed when I setup my web apps to authenticate over LDAPS → Enable LDAP over SSL for Microsoft Active Directory servers

This is the code I use to test my LDAPS connection from different client servers.

  class LDAP {

    public function connect($host, $user, $pass){
      $ds = ldap_connect($host);     
      if(!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)){
        print "Could not set LDAPv3";
      } else {
          $ldap = ldap_bind($ds, $user, $pass);
        }
      if(strpos($host, 'ldaps://') !== false){
        $ssl = ' over SSL';
        $host = str_replace('ldaps://', '', $host);
      } else {
          $ssl = null;
          $host = str_replace('ldap://', '', $host);
        }

      if($ldap) {
        //$host = str_replace('ldap://', replace, subject)
        echo '<b>LDAP</b> : <u>Microsoft AD</u> <br /><br />
          Connection to <u>' . $host . '</u>' . $ssl . ' was successful! <br /><br />
          [WebServer] ←→ [LDAP Server] <br /><br />
          <b>Status:</b> <u>Up</u> &#10004; <br />';
      } else {
          echo 'Connection to <u>' . $host . '</u>' . $ssl . ' was NOT successful. Please try again. <br /><br />
          [WebServer] ←x→ [LDAP Server] <br /><br />
          <b>Status:</b> <u>Down</u> &#10006; <br />';
        }
    }

    public function disconnect(){
      $ldap = null;
    }
  } # class ldap

  $LDAP = new LDAP();
  $host = "ldaps://dc.domain.com";
  $user  = "svc.ldap@domain.com";
  $pass = "password1";
  $LDAP->connect($host, $user, $pass);
  $LDAP->disconnect();
  // echo 'HOST['.$host.'] USER['.$user.']'; // toggle to troubleshoot db connection