TOPIC:

We have recently started experiencing issues with LDAP and currently no one can log in. I have debug activated on our test version and this is advising that there is an issue binding to LDAP. All other services using LDAP are connecting without issue and we have checked the credentials and all are correct. The certifcate was recently updated, however we were able to access for a few days after this was updated. Are there any other settings I need to check?
FYI - We are running Xerte on Windows.

Where did you enable debug? In the Xerte install or the LDAP server? If the latter, you could set $development to true around line 43 in the config.php of your Xerte installation.

Hopefully it will give you a hint of what is going on. The debug.log file will be written to the error_logs folder of your Xerte installation by default.

Hi Tom,

Thanks for your reply. We have a test installation of Xerte and this is where we set $development to true. We keep getting the error message in the debig.log stating "Failed to bind to ldap server- perhaps the dn(cn=****) or password are incorrect?"

We have had the password reset for the user and this still does not work. We have checked the LDAP cert and it appears to be OK. Is there anything else you would suggest checking?

Regards,

Ross

Ok, so Xerte is trying to use a authenticated bind.

Above the error, there should also be a line like:

Trying to authenticate against <host name>

In the management.php of Xerte or in the ldap table of the Xerte database (if you have more then one ldap server cnfigured) you should be able to find this entry and you can verify the password. It is using that password.

For reference, I thought I would add what I did here just in case someone else finds it helpful. The issue we had was with the LDAP cert and how we were converting that rather than the bind user and password.

I was given a PFX file from our LDAP engineer and this contained the full chain for Certificate Authorities etc and the password for the cert. I had to install this on the Windows Certificate Store first. This PFX file then needed to be converted to a PEM file using openssl pkcs12 -in <path-to-certificate>.pfx -out <path-to-output>.pem -nodes. Please make sure you do not use -nocerts as the certs are required. We then updated the openldap configuration file with the path to the new PEM file and restarted the web server.

Thank you for getting back on this.