Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server #1194

Closed
astenman opened this issue Aug 24, 2021 · 12 comments

@astenman

I was pulling the latest image with tag php:8.0-apache which installs php 8.0.9

Could no longer connect to the domain LDAP server. Downgraded to php:8.0.7-apache, and it works again.

@mzac

mzac commented Aug 24, 2021

I'm having a similar issue with using php:7.4-apache. I'm trying to downgrade to php7.4-21-apache now to see if it'll fix it.

Edit: Tried the downgrade and it didn't fix it :(
Edit 2: Downgrading to php7.4.20-apache fixed it!

@tianon
Member

tianon commented Aug 24, 2021

It's likely related to the upgrade to Debian Bullseye (#1190); if you pin to the Debian Buster variants instead, it will probably work again (although you should really spend some time digging in to figure out what broke, since you'll need to cross that bridge eventually).

@tianon tianon closed this as completed Aug 24, 2021
@mzac

mzac commented Aug 24, 2021

I turned on some debugging using the bullseye image and I'm getting this error when trying to bind. So either something is broken in the ldap package or maybe another package is required...

```
TLS: can't connect: (unknown error code).
ldap_err2string
```

@yosifkit
Member

So is there an issue in how we build the module or is it something like an older certificate or TLS protocol that Debian Bullseye openssl refuses to verify/use by default?

@mzac

mzac commented Aug 24, 2021

> So is there an issue in how we build the module or is it something like an older certificate or TLS protocol that Debian Bullseye openssl refuses to verify/use by default?

I just tried to disable TLS and it seems to work now... So yes, maybe something with the protocol. I'll have to dig a bit deeper.

My ldap server does support TLS 1, 1.1 and 1.2 so not sure that is the issue, but maybe it could be the root CA causing the issue too?

For our cert we are using:

Issuer Thawte RSA CA 2018 (DigiCert Inc from US)

@mzac

mzac commented Aug 24, 2021

Interesting.. in the new bullseye version there is no /etc/ldap/ldap.conf however there is on the older buster version.

Comparing packages, on bullseye the libldap-common package is missing.

@mzac

mzac commented Aug 24, 2021

That fixed it.. adding libldap-common as part of my Dockerfile was it. I guess on buster this package was automatically installed but no longer on bullseye

```sh
apt install libldap-common
```

@yosifkit
Member

Oh, in buster the curl package depends on libcurl4 which depends on libldap-2.4-2 which depends on libldap-common.
While in bullseye, the libldap-2.4-2 package only recommends libldap-common.

@mzac

mzac commented Aug 24, 2021

I see.. btw this is what I was installing before it broke:

```dockerfile
# Install required packages
RUN apt-get update \
    && apt-get upgrade -y \
    && apt-get install -y \
    cron \
    libaio1 \
    libcurl4-gnutls-dev \
    libldap2-dev \
    libpq-dev \
    libssl-dev \
    nano \
    pkg-config \
    unzip \
    wget \
    zlib1g-dev
```

@dacog

dacog commented Aug 31, 2021

As @yosifkit wrote, not all dependencies for LDAP are installed.

We saw this error Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server when using PHP 8 and PHP 7.4 images (We have not yet tested 7.3).

Just in case it helps someone else, we added in both cases the following to our Dockerfile (which builds from the PHP image) and LDAP works again.

```dockerfile
RUN apt-get update && apt-get install -y libldap-common
```

@m0wer

m0wer commented Sep 6, 2021

> `RUN apt-get update && apt-get install -y libldap-common`

This solution solved the problem for me too. It has to be done that way (building the image with the extra RUN command), installing the dependency in a running instance won't work since PHP would be already running.

@scs2771

scs2771 commented Oct 27, 2021

Adding libldap-common fixed the issue for our projects too. Thank you for finding this.
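
A build-time check for the failure diagnosed in this thread, added here as an example and not written by any participant or by the image maintainers: it fails when `/etc/ldap/ldap.conf` is absent or names no usable CA bundle, so a missing `libldap-common` is caught at image build instead of at the first TLS bind. The function name and return codes are choices made for this example; `TLS_CACERT` and `TLS_CACERTDIR` are standard ldap.conf options, and the ldap.conf shipped by Debian's `libldap-common` points `TLS_CACERT` at the system CA bundle.

```shell
#!/bin/sh
# Added example (not from the thread): verify the LDAP client's TLS trust config.
# Return codes (chosen for this example):
#   0 = ldap.conf present and every CA path it names exists
#   1 = ldap.conf missing (the symptom seen on bullseye without libldap-common)
#   2 = ldap.conf present but sets neither TLS_CACERT nor TLS_CACERTDIR
#   3 = a TLS_CACERT / TLS_CACERTDIR path does not exist
check_ldap_tls_conf() {
    conf="${1:-/etc/ldap/ldap.conf}"

    if [ ! -f "$conf" ]; then
        echo "FAIL: $conf not found; install libldap-common" >&2
        return 1
    fi

    # ldap.conf option names are case-insensitive; commented-out lines
    # start with '#', so their first field never matches.
    paths=$(awk 'toupper($1) == "TLS_CACERT" || toupper($1) == "TLS_CACERTDIR" { print $2 }' "$conf")

    if [ -z "$paths" ]; then
        echo "FAIL: $conf sets no TLS_CACERT or TLS_CACERTDIR" >&2
        return 2
    fi

    # Assumes CA paths contain no whitespace.
    for p in $paths; do
        if [ ! -e "$p" ]; then
            echo "FAIL: $conf names $p, which does not exist" >&2
            return 3
        fi
    done

    echo "OK: $conf provides a CA trust path for LDAP over TLS"
    return 0
}
```

Calling `check_ldap_tls_conf` from a `RUN` step placed after the package installation makes the build stop with a clear message rather than leaving the fix of disabling TLS as the path of least resistance.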
