"Have you tried to turn it off and on again?" + some LDAP magic
"Sir, have you tried to turn it off and on again? And have you double checked that everything is connected properly?"
There are multiple reasons why IT support asks these questions. And not only because even IT wizards every now and then forget this most basic troubleshooting procedure. Whatever your weird issue with any kind of computer system is, it's better to restart/reboot the system before doing any deeper debugging. In 99,99999....% or so of cases (and I'm not exaggerating at all!) this solves the issue.
We had such an incident at work this week, and it made me recall one situation from some years back. So, blog post it is!
"We have this older PHP application and need you to connect it to our LDAP server."
Normal requirement. Not a big issue, especially if the application already supports LDAP. You configure the LDAP server address, port and perhaps the user account used for connecting to the system. And in internal systems quite often you also need to add the internal CA certificate, because an internal PKI infra is in use.
I added the correct addresses and checked where the CA certificate should be located. /etc/openldap/cacerts seemed to be the location, based on the /etc/openldap/ldap.conf file. I copied the CA certificate there.
No luck. Login didn't work, and we got an error in the logs: "Can't connect to the LDAP server".
Okay. Tried some different things. No luck either. I'm not a developer, nor do I have much experience with PHP, but I can read and edit code. I had one developer working with me, but he didn't have senior-level expertise with LDAP connectivity either.
So, had to do some googling, and found this article. You can start the PHP console from the command line and input commands one by one.
$ php -a
Interactive mode enabled
php > ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
...
ldap_init: using /etc/ldap/ldap.conf
...
php > $conn = ldap_connect("your_ldap_server");
php > ldap_start_tls($conn);
It complained about the CA certificate naming. What the.... Okay, you need to do the following, because OpenLDAP expects to find the certificate under the name <hash>.<number> (the hash of the certificate's subject name, which is exactly what cacertdir_rehash generates as a symlink):
$ cacertdir_rehash /etc/openldap/certs
$ ls -l /etc/openldap/certs
-rw-r--r-- 1 account users 1233 Apr 21 08:56 ca.crt
lrwxrwxrwx 1 account users 6 Apr 21 08:57 ea43f18c.0 -> ca.crt
And now the command line worked flawlessly. So did our ldap_test.php, which we run via
$ php ldap_test.php
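For reference, here is an added example of what such an ldap_test.php can look like. It is not the post's own script (which is not shown), and the server URI, CA directory, bind DN and the LDAP_BIND_PASSWORD environment variable are assumed placeholders. It sets the hashed CA directory explicitly and keeps certificate verification switched on, so a failure points at the certificate naming or the chain rather than at a silently ignored ldap.conf.

```php
<?php
declare(strict_types=1);

// Placeholders (assumptions, not values from the post): replace with your own.
const LDAP_URI    = 'ldap://ldap.example.internal:389';
const CA_CERT_DIR = '/etc/openldap/cacerts';   // the hashed CA directory from ldap.conf
const BIND_DN     = 'cn=svc-app,ou=services,dc=example,dc=internal';

// TLS options have to be set globally (handle = null) before the first
// connection, because OpenLDAP creates its TLS context on first use.
function configureTls(string $caCertDir): void
{
    // Point OpenLDAP at the hashed CA directory explicitly instead of relying
    // on whatever ldap.conf the running process happened to read.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTDIR, $caCertDir);
    // Demand a valid certificate chain; this is the opposite of the
    // "accept all CA certs" workaround and is what you want in production.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    // Same verbose output as in the php -a session: stderr shows which
    // ldap.conf was read and why certificate verification failed, if it did.
    ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);
}

// Combine the short error name with OpenLDAP's longer diagnostic message.
function describeError($conn): string
{
    $detail = '';
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
    $message = ldap_error($conn);
    return (is_string($detail) && $detail !== '') ? "$message ($detail)" : $message;
}

// Returns true only if STARTTLS succeeds with full certificate verification
// and the service account can bind over the encrypted connection.
function testLdapTls(string $uri, string $bindDn, string $password): bool
{
    $conn = ldap_connect($uri);
    if ($conn === false) {
        fwrite(STDERR, "ldap_connect: malformed URI $uri\n");
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    if (!ldap_start_tls($conn)) {
        // Typical causes: CA not found under <hash>.<number>, hostname mismatch,
        // or the server not offering STARTTLS at all.
        fwrite(STDERR, 'STARTTLS failed: ' . describeError($conn) . "\n");
        return false;
    }
    if (!ldap_bind($conn, $bindDn, $password)) {
        fwrite(STDERR, 'bind failed: ' . describeError($conn) . "\n");
        return false;
    }
    ldap_unbind($conn);
    return true;
}

configureTls(CA_CERT_DIR);
$password = getenv('LDAP_BIND_PASSWORD');
if ($password === false || $password === '') {
    fwrite(STDERR, "set LDAP_BIND_PASSWORD in the environment first\n");
    exit(2);
}
exit(testLdapTls(LDAP_URI, BIND_DN, $password) ? 0 : 1);
```

Export LDAP_BIND_PASSWORD and run it with php ldap_test.php. Each CLI run is a fresh process, so it always picks up the current ldap.conf and CA directory; the Apache module only reads them at startup, which is why a green result here next to red Apache logs is itself a hint that the service needs a restart.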
As you can probably guess, the actual login still didn't work. And we got quite a few connectivity errors in the Apache logs.
We started to look through the actual PHP code and found out that there was a bug in the secure LDAP path. It worked just fine when using LDAP without TLS, but not with it.
My colleague fixed the code after some digging. But it still didn't fix the actual problem.
We dug deeper. And deeper. I almost called a construction company to rent an excavator. We even tried to find a way to accept all CA certs, i.e. not to validate them at all. Didn't help. It looked like Apache didn't care about the changes we made in ldap.conf. What the?? Had we found some really weird bug in the PHP+Apache+OpenLDAP config??
Aaaaand finally. After almost 3 hours of wasted effort, I heard from behind me: "Hmm... Did you restart Apache?"
Yup. The Apache OpenLDAP module reads ldap.conf during startup. Naturally.
Luckily it was Friday.