DiamondLightSource/SynchWeb

LDAP authentication does not support start_tls connections.

Closed this issue · 5 comments

The following options are configured in the api/config.php file (obfuscated):

$authentication_type = 'ldap';
$ldap_server = 'ldap://myldap-server.gov';
$ldap_search = 'ou=people,dc=example,dc=gov';

I am using the current master branch c2b8e95

But it appears that store.js is unable to find/configure an LDAP authentication method.

[Screenshot attached: "Screen Shot 2021-08-27 at 11 16 27 AM"]

My "snap judgement" on this is that it's related to the changes to the system to move away from the old Backbone/Marionette based code towards Vue.js. At Diamond Light we use CAS rather than LDAP, so I'll have to set up a test environment to check this out. Rather than any concrete answers, at the moment all I've got is a "we're looking into it".

Which version/Git hash were you using previously (when LDAP was working)?

I don't think LDAP itself is broken; it's in use at IMCA-CAT and is working OK with the new vue-master UI. I'd guess that actually something else has changed at the API level and that there is a config variable missing. I will try and debug with @dsclassen

I completely removed my existing /var/www/sites/synchweb directory and did a clean install from master. I now see the logon page. Maybe I was missing something in config.php previously? But the LDAP authentication still fails. Further investigation of my LDAP logs indicates that my LDAP server requires start_tls. The way I was able to fix this is to add a call to ldap_start_tls in api/src/Authentication/Type/LDAP.php on line 25:

            ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
            ldap_start_tls($conn);

If this is not detrimental to IMCA-CAT then I could create a simple MR, or maybe we could make this configurable?
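An added example (not SynchWeb's code, and not the change in PR #332) of what a configurable StartTLS step in the authentication path could look like; the option name $ldap_start_tls, the helper names and the uid-based DN layout are assumptions:

```php
<?php
// Added example (not SynchWeb's own code). The option name $ldap_start_tls
// is an assumption; the server/base values are constructed for illustration.
$ldap_server    = 'ldap://ldap.example.gov';
$ldap_search    = 'ou=people,dc=example,dc=gov';
$ldap_start_tls = true;   // assumed option; defaulting to true fails safe

/**
 * Connect to the LDAP server and, when requested, upgrade the connection
 * with StartTLS before any credentials are sent.
 * Returns the connection, or null on failure.
 */
function ldap_connect_secure(string $server, bool $start_tls)
{
    $conn = ldap_connect($server);
    if ($conn === false) {
        error_log("LDAP: could not initialise connection to $server");
        return null;
    }
    // StartTLS is an LDAPv3 extended operation; v2 servers/clients refuse it.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    if ($start_tls) {
        // Fail closed: if ldap_start_tls() returns false and is not checked,
        // the following ldap_bind() would send the password in cleartext.
        if (!@ldap_start_tls($conn)) {
            error_log('LDAP: StartTLS failed: ' . ldap_error($conn));
            ldap_unbind($conn);
            return null;
        }
    }
    return $conn;
}

/** Simple bind as the user; true only if the directory accepts the password. */
function ldap_authenticate(string $server, string $base, bool $start_tls,
                           string $user, string $pass): bool
{
    if ($pass === '') {
        return false; // an empty password would become an anonymous bind
    }
    $conn = ldap_connect_secure($server, $start_tls);
    if ($conn === null) {
        return false;
    }
    // Assumed DN layout: uid=<user>,<search base>; escape to avoid DN injection.
    $dn = 'uid=' . ldap_escape($user, '', LDAP_ESCAPE_DN) . ',' . $base;
    $ok = @ldap_bind($conn, $dn, $pass);
    ldap_unbind($conn);
    return $ok;
}
```

Calling ldap_authenticate($ldap_server, $ldap_search, $ldap_start_tls, $user, $pass) returns false rather than falling back to a cleartext bind when the server rejects StartTLS.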

Making it a config option sounds like a great idea to me.
With the default set to 2 (????)

This issue is fixed by PR #332

Closing