LDAP auth not working on new server (V12 with php8.0)

Hi colleagues,

We have an issue with LDAP auth. We upgraded a Sugar instance from 10 to 12 and installed the upgraded version on a new server.

The server is a Debian-like Linux; we installed php8.0 with the appropriate packages (including php8.0-ldap).

CLI authentication to LDAP from the server works.

Sugar succeeds in reaching the LDAP server, but LDAP answers with "ldap error in order to perform this operation a successful bind must be completed on the connection".

The connection from the old server still works.

Is there any configuration/package that I could have missed to make it work?

After long investigation and several exchanges with the Sugar support team, we found that the issue came from the Blowfish encryption mechanism.

Ubuntu 22.04 comes with OpenSSL 3+, but Sugar uses a legacy cipher that is not supported by default.

To fix this issue, modify the OpenSSL config file (/etc/ssl/openssl.cnf) with the following:

    [provider_sect]
    default = default_sect
    legacy = legacy_sect

    [default_sect]
    activate = 1

    [legacy_sect]
    activate = 1

The provider_sect already exists; you have to add the legacy row.
The default_sect already exists; you have to uncomment the activate row (otherwise only legacy ciphers will be enabled and you will no longer be able to use system passwords in the CLI, e.g. for an SSH connection or the mysql client).
The legacy_sect has to be added.
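The following script is an added example and is not code from SugarCRM, from OpenSSL or from the reply above. It checks the two things the fix depends on: that the config file activates both the default and the legacy provider (the trap the reply warns about is enabling legacy while default stays commented out), and that the running OpenSSL really lists "legacy" as active and can perform bf-cbc. The config texts and provider listings embedded in it are constructed samples, not captures from a real host; the probe key and IV are throwaway constants.

```shell
#!/bin/sh
# check_openssl_legacy.sh (added example; not from the thread or SugarCRM)
# Verifies the OpenSSL 3 legacy-provider fix described above.

# config_ok CNF_TEXT
# Exit 0 only if the text has "legacy = legacy_sect" under [provider_sect]
# and an uncommented "activate = 1" under BOTH [default_sect] and
# [legacy_sect]. Comment lines (#) are skipped, so the stock Ubuntu file
# with "# activate = 1" under [default_sect] fails this check.
config_ok() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/  { next }
        /^[ \t]*\[/ { sub(/^[ \t]*\[/, ""); sub(/].*$/, ""); sect = $0; next }
        /^[ \t]*legacy[ \t]*=[ \t]*legacy_sect/ { if (sect == "provider_sect") p = 1 }
        /^[ \t]*activate[ \t]*=[ \t]*1/ {
            if (sect == "default_sect") d = 1
            if (sect == "legacy_sect")  l = 1
        }
        END { if (p && d && l) exit 0; exit 1 }'
}

# legacy_provider_active LIST_OUTPUT
# Exit 0 if the text of `openssl list -providers` contains a provider
# named "legacy" whose status line reads "status: active".
legacy_provider_active() {
    printf '%s\n' "$1" | awk '
        /^  [^ ]/            { name = $1 }
        /^ *status: *active/ { if (name == "legacy") found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# blowfish_usable
# Exit 0 if the local openssl can run bf-cbc, which on OpenSSL 3 requires
# the legacy provider. Key and IV are throwaway probe constants.
blowfish_usable() {
    printf 'probe' | openssl enc -bf-cbc -K 00112233445566778899aabbccddeeff \
        -iv 0000000000000000 >/dev/null 2>&1
}

# ---- constructed sample inputs (not captured from a real system) ----
STOCK_CNF='[provider_sect]
default = default_sect

[default_sect]
# activate = 1
'

FIXED_CNF='[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
'

# The mistake the reply warns about: legacy added, default left commented.
LEGACY_ONLY_CNF='[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
# activate = 1

[legacy_sect]
activate = 1
'

PROVIDERS_STOCK='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.2
    status: active'

PROVIDERS_FIXED='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.2
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.0.2
    status: active'

# ---- live check on this host (skipped when openssl is not installed) ----
if command -v openssl >/dev/null 2>&1; then
    if legacy_provider_active "$(openssl list -providers 2>/dev/null)"; then
        echo "legacy provider: active"
    else
        echo "legacy provider: NOT active (check ${OPENSSL_CONF:-/etc/ssl/openssl.cnf})"
    fi
    if blowfish_usable; then echo "bf-cbc: usable"; else echo "bf-cbc: unavailable"; fi
fi
```

Run it on the new server after editing openssl.cnf; both live lines should read "active" and "usable". Note that editing /etc/ssl/openssl.cnf re-enables the legacy algorithms for every OpenSSL consumer on the host; if that is wider than you want, the same three sections can live in a separate file pointed to by the OPENSSL_CONF environment variable of just the PHP process.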
