ldap_start_tls(): Unable to start TLS: Server is unavailable


Muhammad Panji

Jan 7, 2013, 6:20:27 PM
to simple...@googlegroups.com
Dear All,
I'm using simpleSAMLphp with the adauth module to authenticate Google Apps users with Active Directory. Yesterday some users couldn't log in. Some users get an Internal Server Error message, others get a simpleSAMLphp error with the reason "Missing AuthState parameter".

I found these error messages in /var/log/messages:
Jan  7 20:21:32 centos simplesamlphp[17112]: 3 [977d83c4ac] SimpleSAML_Error_Exception: Error 2 - ldap_start_tls(): Unable to start TLS: Server is unavailable
Jan  7 20:22:57 centos simplesamlphp[17113]: 3 [6baa4eaf81] SimpleSAML_Error_Exception: Error 2 - ldap_start_tls(): Unable to start TLS: Server is unavailable
Jan  7 20:54:34 centos simplesamlphp[17258]: 3 [dde73b9925] SimpleSAML_Error_Exception: Error 2 - ldap_start_tls(): Unable to start TLS: Server is unavailable
Jan  7 20:59:29 centos simplesamlphp[17256]: 3 [56c23b2360] SimpleSAML_Error_Exception: Error 2 - ldap_start_tls(): Unable to start TLS: Server is unavailable
Jan  7 20:59:32 centos simplesamlphp[17257]: 3 [56c23b2360] SimpleSAML_Error_BadRequest: BADREQUEST('%REASON%' => 'Missing AuthState parameter.')
Jan  7 20:59:32 centos simplesamlphp[17257]: 3 [56c23b2360] Error report with id 09ff7f79 generated.

Is it because simpleSAMLphp is using TLS to look up users in Active Directory? How do I solve this problem? Can I set adauth not to use TLS when connecting to AD, or should I increase the number of connections on AD? Thank you.
Regards,

--
Muhammad Panji
http://www.panji.web.id
http://www.kurungsiku.com

Peter Schober

Jan 7, 2013, 7:01:18 PM
to simple...@googlegroups.com
* Muhammad Panji <sumo...@gmail.com> [2013-01-08 00:20]:
> I found these error messages on /var/log/messages
> Jan 7 20:21:32 centos simplesamlphp[17112]: 3 [977d83c4ac]
> SimpleSAML_Error_Exception: Error 2 - ldap_start_tls(): Unable to start
> TLS: Server is unavailable

That's a generic error from PHP's LDAP bindings (not specific to
SimpleSAMLphp). Cf.

http://www.google.com/search?q=ldap_start_tls()%3A+%22Unable+to+start+TLS%3A+Server+is+unavailable%22

The reasons for that are also not specific to SSP but to your
environment and configuration of involved software. So hard to say for
anyone else.
-peter

Muhammad Panji

Jan 7, 2013, 9:14:09 PM
to simple...@googlegroups.com
Hi Peter,
Thank you for your reply. I know this is a generic PHP error, but I got this error from the simpleSAMLphp error log, which currently uses syslog.

What is the best module to connect to AD from simpleSAMLphp: the adauth or the ldap module? And how do people usually authenticate with simpleSAMLphp against Active Directory? Thank you.
Regards,

Ian Webb

Jan 7, 2013, 9:51:45 PM
to simple...@googlegroups.com
The most "pure SAML" method would be to run ADFS 2.0 on the Active
Directory server and use that as the IdP. Then SimpleSAML is just an
SP like any other. If you need to use SimpleSAML as the IdP, then yes,
LDAP would be the easiest authsource to configure.

Cheers,
Ian

Peter Schober

Jan 8, 2013, 11:21:52 AM
to simple...@googlegroups.com
* Muhammad Panji <sumo...@gmail.com> [2013-01-08 03:14]:
> Thank you for your reply. I know this is a generic PHP error but I
> got this error log from simpleSAMLphp error log that currently use
> syslog.

Well, no. First of all, I've never heard of "adauth" and it is not
part of SimpleSAMLphp. Feel free to ask its author (Chris Seufert
<seu...@gmail.com>, in this case, it seems).

Then the repository at http://code.google.com/p/simplesamlphp-adauth/
is empty (for whatever reason) but the download tarball seems to be
using code from a project called "adldap" to connect to MS-Active
Directory -- another codebase that is not part of SimpleSAMLphp and
not written by anyone here, see http://adldap.sourceforge.net/
(where the current version is 4.0.4; "adauth" contains 3.3.2, jfyi).

Well, I don't expect "adldap" to have written their own LDAP code in
pure PHP either, so you end up with the generic error from PHP's LDAP
code, which in turn just wraps libldap. Which in turn just uses
openssl (or maybe gnutls or perhaps libnss, as the hostname in your
log is "centos", which indicates an RHEL derivative) for TLS/SSL, which
is where this problem likely lies. So that's the level of detail you'd
need to look into this.

You'll find the problem you're experiencing has nothing to do with
SimpleSAMLphp even if you want to use that code for your SimpleSAMLphp
install.
It's all in your environment and configuration, none of which we know
or you provide any detail about.

From the error message it could be anything, like a wrong SSL server
certificate on the LDAP server or even your LDAP connection
parameters. We can't say. It's not our code.

> What is the best module to connect to AD from simpleSAMLphp, is it
> using adauth or ldap module? and how does people usually
> authenticate with simpleSAMLphp against Active Directory.

No idea, I don't.
-peter

Jason Haar

Jan 10, 2013, 9:00:51 PM
to simple...@googlegroups.com
Sounds to me like your DC was unavailable during those transactions -
you need backup LDAP servers to talk to

Here's an AD trick that may help you. All domain controllers within an
AD domain are associated with the "realm.name" DNS record. (eg
"dc1.realm.name" is the "dc1" domain controller for the AD domain
"realm.name")

So if you configure your LDAP lookups against "realm.name" instead of
"dc1.realm.name", then PHP's LDAP implementation will be able to
round-robin through any DC associated with "realm.name" at no (code)
cost. i.e. if realm.name has two DCs - dc1 and dc2, and dc1 is down, the
first "ldap_connect" call to realm.name will still succeed without any
extra code

Jason
--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Peter Schober

Jan 11, 2013, 4:04:08 AM
to simple...@googlegroups.com
* Jason Haar <Jason...@trimble.com> [2013-01-11 07:35]:
> So if you configure your LDAP lookups against "realm.name" instead of
> "dc1.realm.name", then PHP's LDAP implementation will be able to
> round-robin through any DC associated with "realm.name" at no (code)
> cost. i.e. if realm.name has two DCs - dc1 and dc2, and dc1 is down, the
> first "ldap_connect" call to realm.name will still succeed without any
> extra code

If connections will in fact, as you say, "round-robin through any DC"
(which includes dc1, which is assumed to be down in the example), how
would that accomplish that my SimpleSAMLphp client will only reach the
LDAP server which is up?
Either the TCP end point of my LDAP connection is guaranteed to be up
and can forward or proxy connections to a node that is known to be up
and working (something you need a load balancer for, IMO) or
connections will blindly iterate (round-robin) over all members of a
group of servers, which means every 1/(num of members) requests will
timeout or fail (with 1 member down). No?
-peter

Jason Haar

Jan 11, 2013, 4:35:36 AM
to simple...@googlegroups.com
On 11/01/13 22:04, Peter Schober wrote:
> If connections will in fact, as you say, "round-robin through any DC"
> (which includes dc1, which is assumed to be down in the example), how
> would that accomplish that my SimpleSAMLphp client will only reach the
> LDAP server which is up?

It's a feature of the PHP ldap_connect command. If you point it at a DNS
name that resolves to several IP addresses, then it will iterate through
until it finds one that "works" (that just means it accepts the
connection - not that it does something intelligent with it afterwards
of course). All the DCs would have to be down for that command to fail
(or some timeout is hit - don't know about that)

If your organization is world-wide like ours, this isn't as wonderful as
it sounds, as it could end up connecting to some random DC that is
continents away - but this wasn't a question about optimization - just
how to get rid of "connection refused" errors ;-)

Obviously it is still unanswered why your DC cannot answer LDAP queries
once in a while - only your organization can figure that out. In our
network, AD's LDAP services tend to be up 100% of the time, only down
when a DC itself is down


> Either the TCP end point of my LDAP connection is guaranteed to be up
> and can forward or proxy connections to a node that is known to be up
> and working (something you need a load balancer for, IMO) or
> connections will blindly iterate (round-robin) over all members of a
> group of servers, which means every 1/(num of members) requests will
> timeout or fail (with 1 member down). No? -peter

No. It will blindly iterate until it finds one that works. Read the
comments under http://php.net/manual/en/function.ldap-connect.php -
there they are referring to explicitly listing all the servers, but
multiple A DNS records achieves the same thing

Peter Schober

Jan 11, 2013, 4:48:46 AM
to simple...@googlegroups.com
* Jason Haar <Jason...@trimble.com> [2013-01-11 10:35]:
> > Either the TCP end point of my LDAP connection is guaranteed to be up
> > and can forward or proxy connections to a node that is known to be up
> > and working (something you need a load balancer for, IMO) or
> > connections will blindly iterate (round-robin) over all members of a
> > group of servers, which means every 1/(num of members) requests will
> > timeout or fail (with 1 member down). No? -peter
>
> No. It will blindly iterate until it finds one that works. Read the
> comments under http://php.net/manual/en/function.ldap-connect.php -
> there they are referring to explicitly listing all the servers, but
> multiple A DNS records achieves the same thing

Not sure that would help for the problem reported here: Would the
client actually reconnect to a different server if the TCP connection
works but ldap_start_tls failed? (Haven't read the comments yet.)
If it did this how would the OP even notice the problem (assuming
there was a second server configured or available via DNS IP
rotation.)
And of course there are plenty more failure modes that would not be
worked around with DNS-based load distribution, e.g. connections
timing out would keep the client hanging each time you hit the same
node, just establishing a TCP or even SSL connection doesn't
necessarily mean that the LDAP server will be working etc.
-peter
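Putting Jason's multi-server suggestion and Peter's caveat together, here is an added example (my own PHP, not code from this thread, from SimpleSAMLphp or from adauth): it walks an explicit list of domain controllers and only accepts one on which ldap_start_tls() actually succeeds, so a DC that accepts the TCP connection but fails StartTLS is skipped instead of surfacing as "Unable to start TLS", and TLS is never disabled to get past the error. The hostnames, the service-account DN and the LDAP_PASS variable are constructed placeholders; the LDAP_OPT_X_TLS_* constants need PHP 7.1 or later.

```php
<?php
// Added example: explicit failover across domain controllers, keyed on
// ldap_start_tls() success rather than on a bare TCP connect.
// Hostnames, DN and environment variable name are constructed placeholders.

function connect_with_starttls(array $hosts, int $timeoutSeconds = 5)
{
    foreach ($hosts as $host) {
        $ds = ldap_connect("ldap://{$host}:389");
        if ($ds === false) {
            continue; // malformed URI, not a server problem
        }
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
        // Bound the wait so a black-holed DC cannot hang every login attempt.
        ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, $timeoutSeconds);
        // Insist on a verifiable server certificate (PHP 7.1+): a wrong or
        // expired DC certificate is one plausible cause of the thread's error.
        ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

        // ldap_connect() only prepares the handle; ldap_start_tls() is the
        // first call that reaches the network, so "Server is unavailable"
        // surfaces here. A DC that accepts TCP but fails TLS is skipped.
        if (@ldap_start_tls($ds)) {
            return $ds;
        }
        error_log(sprintf('StartTLS to %s failed: %s', $host, ldap_error($ds)));
        ldap_unbind($ds);
    }
    return false;
}

$ds = connect_with_starttls(['dc1.example.test', 'dc2.example.test']);
if ($ds === false) {
    // Fail closed: no plaintext fallback, just a clear error for the operator.
    throw new RuntimeException('No domain controller accepted StartTLS');
}

// An empty password makes AD treat the bind as anonymous, which would look
// like success, so refuse to continue without a real secret.
$pass = getenv('LDAP_PASS');
if ($pass === false || $pass === '') {
    throw new RuntimeException('LDAP_PASS is not set');
}
// Bind only after TLS is up, so credentials never cross the wire in clear.
if (!ldap_bind($ds, 'CN=svc-sso,OU=Service Accounts,DC=example,DC=test', $pass)) {
    throw new RuntimeException('Bind failed: ' . ldap_error($ds));
}
```

When every login logs a StartTLS failure against the same host, the error_log line names that DC, which is the detail Peter notes the thread never had.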

Muhammad Panji

Jan 11, 2013, 8:29:54 PM
to simple...@googlegroups.com
Dear All,
Just want to share a little update. It seems that the problem is that simpleSAMLphp can't find the users in Active Directory.

When I test:
1. Inputting a correct username with a wrong password, simplesamlphp gives a username/password invalid message.
2. Inputting the failing users (the ones that simplesamlphp can't find in AD) with the correct password, it only gives a blank page without an error; the simpleSAMLphp log only shows the TLS problem.
3. Inputting a wrong username (random letters) and a random password also gives only a blank page.

I plan to test with a fresh Active Directory to find out whether this blank page is specific to the AD that my client uses or a generic error.

My friend solved this problem by changing the domain name to capital case. For now, one user that was not found can log in to simpleSAMLphp. In case someone hits the same problem, they can try this. Thank you.
Regards,

Peter Schober

Jan 12, 2013, 4:36:43 AM
to simple...@googlegroups.com
* Muhammad Panji <sumo...@gmail.com> [2013-01-12 02:30]:
> When I test :
> 1. Input correct username with wrong password simplesamlphp give username
> / password invalid message.
> 2. Input the error users (the one that simplesamlphp can't found on AD)
> with the correct password, it only give blank page without error,
> simpleSAMLphp log only show TLS problem
> 3. Input wrong username (random letter) and random password it also give
> only blank page only
>
> I plan to test with fresh active directory to know whether this blank page
> is specific to the AD that my client use or generic error.
>
> My friend solve this problem by changing the domain name with Capital Case.
> For now one user that was not found can login to simpleSAMLphp. In case
> someone hit the same problem can try this. Thank you.

I find that all rather weird and doubt any of that would cause those
errors, but as I said, none of the code in play here comes from this
project.
Btw, for blank pages look at your webserver's error logs as there will
be an error from PHP.
-peter