View Issue Details

ID: 0028328
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2022-06-24 18:42
Reporter: martin.fernau
Assigned To: dregad
Priority: normal
Severity: block
Reproducibility: have not tried
Status: closed
Resolution: no change required
OS: debian
OS Version: 9.13
Product Version: 2.25.0
Summary: 0028328: After Upgrade I got "APPLICATION ERROR #1406" with ERROR_LDAP_UNABLE_TO_STARTTLS after login
Description

I found bug 0015361, which mentioned ERROR_LDAP_UNABLE_TO_STARTTLS. Unfortunately I don't know where to start or what to do to fix that.

With the previous Mantis 2.21.1 I was able to work with LDAP authentication for a long time. After upgrading to 2.25 my system stopped working.

Could anyone please point me in the right direction?

In the meantime I need to roll back my installation.

Tags: No tags attached.

Relationships

related to 0015361 (closed, community): Add STARTTLS Support to LDAP

Activities

atrol (developer), 2021-04-19 14:47, note ~0065397 (last edited 2021-04-19 14:48)

This note might explain it.

As a workaround adding the following line to config_inc.php might work

$g_ldap_use_starttls = OFF;

martin.fernau (reporter), 2021-04-20 04:37, note ~0065404 (last edited 2021-04-20 04:40)

Thank you - I found the problem.
I needed to modify my configuration from:
$g_login_method = LDAP;
$g_ldap_server = 'ldap://<my domain>:389';

to:
$g_login_method = LDAPS;
$g_ldap_server = 'ldaps://<my domain>';

atrol (developer), 2021-04-20 06:14, note ~0065406

$g_login_method = LDAPS;

Really?

I don't see any place in source code where LDAPS is used to check login_method.

martin.fernau (reporter), 2021-04-20 06:38, note ~0065407

If I change it back to "LDAP" I get the mentioned error again (see attachment, but it's in German).
If I set it to "LDAPS" then the error goes away.

I'm confused too.

Attachment: Screenshot_20210420_123753.png (26,432 bytes)

dregad (developer), 2021-04-20 06:48, note ~0065408

@martin.fernau good to hear you fixed your problem.

FYI, the standard way to connect securely with LDAP is with StartTLS, which is what Mantis now does by default ($g_ldap_use_starttls = ON). Usage of the ldaps protocol is generally considered deprecated, although there is no "official" statement about this (that I know of anyway), probably since it was never an official standard to begin with.

martin.fernau (reporter), 2021-04-20 06:49, note ~0065409

Even funnier:
I can set $g_login_method to any string I like, for example "TAXIDRIVER", and I can successfully log in.
But I cannot set it to "LDAP" (that leads to the shown error message).
Commenting the variable out is also not right, as Mantis will then use its own user database again.

dregad (developer), 2021-04-20 06:54, note ~0065410

I'm confused too

What @atrol means is that LDAPS does not exist as a login method in MantisBT. So you probably (should) have

$g_login_method = LDAP;
$g_ldap_server = 'ldaps://<my domain>';

or (insecure, not recommended)

$g_login_method = LDAP;
$g_ldap_use_starttls = OFF;
$g_ldap_server = 'ldap://<my domain>';

or, the recommended method, which requires your LDAP server to be properly configured to handle StartTLS (which is apparently not the case)

$g_login_method = LDAP;
$g_ldap_server = 'ldap://<my domain>';

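The three configurations above differ only in how the TLS session is established: an upgrade of the plain port via the StartTLS extended operation, TLS from the first byte on an ldaps:// URI, or no TLS at all. The probe below (an added example, not MantisBT's own code or part of this thread) exercises those same paths with PHP's ext/ldap functions so that a StartTLS failure can be diagnosed on the web server's command line, where the libldap error text is visible instead of just APPLICATION ERROR #1406. The host names are placeholders; the anonymous bind and the assumption that MantisBT's ERROR_LDAP_UNABLE_TO_STARTTLS is raised when ldap_start_tls() returns false are mine.

```php
<?php
// ldap_tls_probe.php: added example, not MantisBT code.
// Reproduces the three connection styles from the comment above with the
// same PHP ext/ldap calls a web application uses, outside the application.
declare(strict_types=1);

/**
 * Try to establish a protected LDAP session.
 *
 * $uri           'ldap://host:389' (StartTLS upgrade) or 'ldaps://host' (TLS from byte one)
 * $use_starttls  mirrors $g_ldap_use_starttls; only meaningful for ldap:// URIs
 *
 * Returns ['ok' => bool, 'step' => string, 'error' => string].
 */
function ldap_probe(string $uri, bool $use_starttls = true): array
{
    // ldap_connect() only parses the URI; no socket is opened yet.
    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        return ['ok' => false, 'step' => 'connect', 'error' => 'malformed URI'];
    }
    // StartTLS is an LDAPv3 extended operation; a v2 session cannot upgrade.
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    if ($use_starttls && strncmp($uri, 'ldap://', 7) === 0) {
        // This is the call that fails in the reporter's setup. Typical causes:
        // the server offers no TLS on the plain port, its certificate does not
        // chain to a CA the client trusts, or the hostname in the URI does not
        // match the certificate. ldap_error() returns libldap's diagnostic.
        if (@ldap_start_tls($ldap) === false) {
            $err = ldap_error($ldap);
            ldap_unbind($ldap);
            return ['ok' => false, 'step' => 'starttls', 'error' => $err];
        }
    }

    // Anonymous bind to force the socket open and, for ldaps://, the TLS
    // handshake. Use a real bind DN and password in production.
    if (@ldap_bind($ldap) === false) {
        $err = ldap_error($ldap);
        ldap_unbind($ldap);
        return ['ok' => false, 'step' => 'bind', 'error' => $err];
    }
    ldap_unbind($ldap);
    return ['ok' => true, 'step' => 'bind', 'error' => ''];
}

// Usage (placeholder host):
//   php ldap_tls_probe.php ldap://ldap.example.org:389            # StartTLS
//   php ldap_tls_probe.php ldaps://ldap.example.org               # ldaps
//   php ldap_tls_probe.php ldap://ldap.example.org:389 --no-starttls  # plain
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $r = ldap_probe($argv[1], !in_array('--no-starttls', $argv, true));
    printf("%s: %s at %s%s\n", $argv[1], $r['ok'] ? 'OK' : 'FAILED',
        $r['step'], $r['error'] !== '' ? " ({$r['error']})" : '');
    exit($r['ok'] ? 0 : 1);
}
```

Run it as the same OS user the web server runs as, because libldap reads its CA configuration (TLS_CACERT in /etc/ldap/ldap.conf, or the system trust store) at runtime and a certificate that validates for root may still fail for www-data. If the StartTLS step fails but the ldaps:// probe succeeds, the directory has a TLS listener but does not offer StartTLS on port 389, which is the situation the comment above describes.
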

dregad (developer), 2021-04-21 04:09, note ~0065412

In reply to 0028328:0065409

Even more funny:
I can set $g_login_method to any String I like. For example "TAXIDRIVER" and I can successfully login.

$g_login_method expects an integer value (for example, constant LDAP = 3). In PHP, an arbitrary string evaluates to 0, so with TAXIDRIVER you're basically telling Mantis to use PLAIN authentication (i.e. unencrypted password will be stored in DB). Don't do that...

These legacy login methods really need to be removed, but that is another story (0022839)
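The fallback dregad describes is worth seeing in code, because it is a loose-comparison pitfall rather than anything specific to LDAP. The snippet below is an added example, not MantisBT code: it defines PLAIN as 0 and uses the value dregad quotes for LDAP (verify both against core/constant_inc.php of your installation), contrasts the loose comparison that lets a misspelt method match PLAIN with a strict check, and could be adapted as a guard at the end of config_inc.php. The bare word TAXIDRIVER in the reporter's config would be an undefined constant: PHP 7 turns it into the string "TAXIDRIVER" with a warning, PHP 8 throws an Error; the quoted string is used here so the example runs on both.

```php
<?php
// login_method_check.php: added example, not MantisBT code.
// Shows why a misspelt $g_login_method silently becomes PLAIN on PHP 7,
// and a strict check that refuses anything but a known integer constant.
declare(strict_types=1);

// Assumed values for illustration; MantisBT defines the real constants in
// core/constant_inc.php. PLAIN being 0 is what makes the fallback dangerous.
const PLAIN = 0;
const LDAP  = 3;
const KNOWN_LOGIN_METHODS = [PLAIN => 'PLAIN', LDAP => 'LDAP'];

/** The loose comparison a `switch` or `==` on the config value performs. */
function loose_login_method($value): string
{
    foreach (KNOWN_LOGIN_METHODS as $id => $name) {
        // PHP 7: 'TAXIDRIVER' == 0 is true, so any non-numeric string matches
        // PLAIN (0). PHP 8 changed string-to-int comparison and the same
        // string matches nothing, but '3' == 3 still matches on both.
        if ($value == $id) {
            return $name;
        }
    }
    return 'none';
}

/** Strict validation: an integer that is one of the known methods, nothing else. */
function strict_login_method($value): string
{
    if (!is_int($value) || !array_key_exists($value, KNOWN_LOGIN_METHODS)) {
        throw new InvalidArgumentException(
            'login_method must be one of ' . implode(', ', KNOWN_LOGIN_METHODS)
            . ', got ' . var_export($value, true));
    }
    return KNOWN_LOGIN_METHODS[$value];
}

// Candidates: the correct constant, the reporter's arbitrary string, a numeric
// string, and an unknown number.
foreach ([LDAP, 'TAXIDRIVER', '3', 99] as $candidate) {
    printf("%-12s loose: %-6s strict: ", var_export($candidate, true),
        loose_login_method($candidate));
    try {
        echo strict_login_method($candidate), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected (', $e->getMessage(), ")\n";
    }
}
```

The strict variant is what a config_inc.php guard should do: `is_int()` plus `array_key_exists()` against the known constants, failing closed with an exception rather than degrading to the method that stores passwords unencrypted.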

dregad (developer), 2022-06-11 10:39, note ~0066726

@martin.fernau,

You have not provided any feedback for more than a year, so I assume you were able to fix your problem. I'll resolve this issue as "no change required".

Feel free to reopen it at a later time and provide the requested information.