I have tried a few different ways to bind several different PHP applications to our instance of NethServer, and we’re running into issues where we’re getting errors like:
Bind failed: Strong(er) authentication required: Unable to bind to server nsdc-network.ad.local.lan
At the moment, I am attempting to set up an instance of osTicket that forces LDAP authentication, and while it sees the server and connects using the credentials I supply it with, it falls back to that error, no matter what I select.
osTicket is on a separate server from NethServer, and that has the LDAP PHP extension on it. Is there something I’m doing wrong here? Computers and Workstations work fine, but we can’t connect using PHP anywhere.
Insight would be greatly appreciated.
*** Update ***
I have tried connecting on both 389 and 636, as well as with and without the protocol on the string (ldap:// and ldaps://).
You would need the LDAPservice user when using AD. That allows other apps to query the AD.
See the Account-provider for credentials…
I think what’s missing is an SSL certificate which is accepted by PHP, for example LetsEncrypt.
Even if NethServer has LetsEncrypt, the AD in NethServer uses its own self-created certs…
What you can do is create a software hook in the LetsEncrypt renewal script, and simply copy these certs to the NSDC folder. These are valid SSL certs, and will be recognized by any app needing SSL from your AD…
Thanks for the quick response. So these scripts are hosted on the same local network (within the same network and range as Nethserver), do I still need to worry about SSL certificates being self signed?
Additionally, I have tried using the ldapservice user, which allows it to bind, but then it fails with the error message I have above. So while the user works, it fails with a TLS error.
It could also be an issue of using local.lan as a domain name…
This is actually just a name I put in there, it’s using a FQDN. I just omitted it for security.
Does PHP “know” that it’s running on a closed LAN and it “should” accept any cert?
I should hope so since I’m using a 10.0.0.0/8 range. But it doesn’t have an option to choose “allow self-signed certificates”. As I mentioned, I’m trying to use osTicket.
A LOT of PHP apps, but also other stuff, don’t offer a button or config option to “accept ANY cert”.
Even any old Android phone has that option, but a lot of Apps out there don’t.
Generally, if it’s not on the same box, you’ll have issues…
Even if it’s on the same box, you can have issues…
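As an added illustration of the two points raised in the thread, the “Strong(er) authentication required” bind error and the self-signed AD certificate that PHP refuses, here is how a PHP client can bind to a Samba/NethServer AD controller over TLS while verifying the DC’s certificate against an exported CA file instead of switching verification off. This is example code, not code from the thread, osTicket or NethServer. The host name is taken from the error message above; the domain, the CA file path, the bind account and the environment variable holding its password are placeholders for your own values. Samba-based DCs reject a simple bind on a plain, unencrypted connection when `ldap server require strong auth` is enabled (the default), which is exactly the result code 8 error the original poster sees; the fix is to move the bind onto TLS (LDAPS on 636, or StartTLS on 389) and to make the client trust the CA that signed the DC’s certificate.

```php
<?php
// Added example (not from the thread, osTicket or NethServer): bind to a
// Samba/NethServer AD controller from PHP over TLS, verifying the server
// certificate against a CA file instead of disabling verification.
//
// Placeholders to adapt:
//   AD_HOST    - the domain controller (name taken from the error in the thread)
//   CA_BUNDLE  - PEM file with the CA that signed the NSDC's LDAP certificate,
//                exported from the DC and copied to the PHP host (assumed path)
//   BIND_USER  - the "ldapservice" account from the thread, UPN form (assumed domain)
//   LDAP_BIND_PASSWORD - environment variable holding that account's password

declare(strict_types=1);

const AD_HOST   = 'nsdc-network.ad.local.lan';
const CA_BUNDLE = '/etc/ssl/certs/nsdc-ca.pem';       // assumption: exported NSDC CA
const BIND_USER = 'ldapservice@ad.local.lan';         // assumption: placeholder domain
const BASE_DN   = 'DC=ad,DC=local,DC=lan';            // assumption: placeholder domain

/**
 * Open a TLS-protected connection to the DC. With $startTls = false this is
 * LDAPS on 636; with $startTls = true it is plain 389 upgraded via StartTLS
 * before any bind is sent. Either way the DC certificate is verified.
 */
function connectTls(string $host, string $caBundle, bool $startTls = false)
{
    // libldap TLS settings are global and must be set before ldap_connect().
    // LDAP_OPT_X_TLS_DEMAND = verify; LDAP_OPT_X_TLS_NEVER would accept any
    // certificate, which is the "allow self-signed" switch the thread is
    // looking for and the one a rogue DC on the LAN would thank you for.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caBundle);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $uri  = $startTls ? "ldap://{$host}:389" : "ldaps://{$host}:636";
    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        throw new RuntimeException("malformed LDAP URI {$uri}");
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); // AD hands out referrals; chasing them hangs PHP

    if ($startTls && !@ldap_start_tls($ldap)) {
        throw new RuntimeException("StartTLS failed: " . ldap_error($ldap));
    }
    return $ldap;
}

/**
 * Simple bind, turning libldap's error into a readable exception.
 */
function bindOrExplain($ldap, string $user, string $password): void
{
    if (@ldap_bind($ldap, $user, $password)) {
        return;
    }
    $diag = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    // "Strong(er) authentication required" (LDAP result 8) means the bind was
    // attempted without TLS/signing and the DC refused it: a transport
    // problem, not a wrong password. A failed certificate check surfaces as
    // "Can't contact LDAP server" with the TLS reason in $diag.
    throw new RuntimeException("bind as {$user} failed: " . ldap_error($ldap) . " ({$diag})");
}

$password = getenv('LDAP_BIND_PASSWORD') ?: '';
$ldap = connectTls(AD_HOST, CA_BUNDLE, false);   // true = StartTLS on 389 instead
bindOrExplain($ldap, BIND_USER, $password);

// Authenticated: a small search proves the channel is usable.
$result  = ldap_search($ldap, BASE_DN, '(sAMAccountName=ldapservice)', ['distinguishedName']);
$entries = ldap_get_entries($ldap, $result);
printf("bound OK, %d entry(ies) found\n", $entries['count']);
ldap_unbind($ldap);
```

Run it on the osTicket host with `LDAP_BIND_PASSWORD=... php bind-test.php`; if this script binds but osTicket still fails, the application is the one ignoring the CA file, and pointing it at the exported CA (or installing a certificate the DC presents that chains to a CA PHP already trusts, as the LetsEncrypt suggestion above does) is the remaining step.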
That stinks we wanted to avoid putting it on the same box. But I’ll give that a try I guess and see if it resolves the issue we’re seeing. Else we’ll have to look elsewhere for a ticketing system, or design one ourselves.
Does this allow for LDAP authentication for both Client and “Staff”, or just client. We also need to enforce being logged in to log tickets, no anonymous tickets.
I’m assuming this was on the same box? We were trying to keep them separate, but I don’t know if we’ll be able to do that if we decide we want to use this approach.
Sorry for the late answer, but I had a small emergency yesterday…
RT can handle LDAP / AD logins.
There are also plenty of plugins available, so Mail / Fax / Telephone can all go through RT, if needed.
It’s one of the biggest, oldest and most used TTS systems…
It’s also flexible enough to run on the same box, or separately.
It also runs well as a slim LXC in Proxmox.
Just look at their (public) client list. Some clients do not publish this information, but you can see that they have been using RT for a long time, if you ever had a ticket with them… Apple is one of those rumored clients…