phruby,

If you use starttls, then your bind URL should be plain ldap:// on port 389 (i.e. not ldaps://). And indeed your SSL certificates need to be configured on the server.

This is not a bug or feature request for MantisBT (you are asking for help on how to configure the system). I am therefore resolving this issue as "no change required".

Please use the forums to get support on customizing and using MantisBT (refer to https://www.mantisbt.org/support.php for links and further details).

The SSL certificates are configured correctly on the server. Our IT says to use $g_ldap_server = 'ldaps://us.bank-dns.com:636';
However, now I get back a stack trace of
153 trigger_error <string>'1401', <integer>256
374 ldap_connect_bind
344 ldap_authenticate_by_username <string>'administrator', <string>'root'
762 ldap_authenticate <integer>1, <string>'root'
150 auth_does_password_match <integer>1, <string>'root'

Why is it using administrator? I want it to use my AD service account as listed in $g_ldap_bind_dn

$g_login_method = LDAP;
$g_ldap_server = 'ldaps://us.bank-dns.com:636';
$g_ldap_root_dn = 'DC=US,DC=BANK-DNS,DC=COM';
$g_ldap_use_starttls = OFF;
$g_show_detailed_errors=ON;
$g_ldap_uid_field = 'uid';
$g_ldap_realname_field = 'cn';
$g_ldap_follow_referrals = OFF;
$g_ldap_protocol_version = 3;
$g_ldap_bind_dn='CN=cdospuatappid,OU=APPIDS,DC=us,DC=bank-dns,DC=com';

No one has a solution on the forums and they get very little traffic. I'll post this there too.

Why is it using administrator? I want it to use my AD service account as listed in $g_ldap_bind_dn

I understand this could be confusing, but this is not the actual LDAP connection to authenticate the user, only a "sanity check" that is performed in the login page to ensure that you have changed the default administrator account's password which is assigned when installing MantisBT. Subsequent LDAP calls will use the configured $g_ldap_bind_dn.

You can disable this behavior either by setting $g_admin_checks = OFF; in your config_inc.php, or by deleting/disabling the default administrator account in manage_user_page.php.

Assuming you're still facing the same error as reported in your original post:

2023-12-08 09:42 CST LDAP ldap_api.php:50 ldap_log_error() ERROR #-1: Can't contact LDAP server

Please note that what you see in the MantisBT log is the error that is triggered by PHP's ldap_bind() function, as returned by ldap_error() - we are just reporting it back and have no control over what is happening in or beyond PHP's LDAP extension.

You can test and confirm this by running a simple script like

include 'config_inc.php';
$ds = ldap_connect($g_ldap_server);
ldap_bind($ds, $g_ldap_bind_dn, $g_ldap_bind_passwd) or die('ERROR');
echo 'SUCCESS';

Therefore, this is not a MantisBT bug, but a problem with your system's configuration and as mentioned previously this is not the right channel to discuss configuration issues.

I would suggest, if possible, to test if the connection works with a plain LDAP connection (i.e. without SSL) over port 389. If that works then you're most likely facing an issue with certificates configuration.

@phruby to help troubleshoot your problem, you may want to increase the LDAP debug level (e.g. set to LDAP_DEBUG_ANY). Adapting the test script I posted earlier:

ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 0xffff); 
$ds = ldap_connect($g_ldap_server);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_bind($ds, $g_ldap_bind_dn, $g_ldap_bind_passwd) or die('ERROR');
echo 'SUCCESS';

On an incorrectly configured Windows PC at work, this gives

[snip]
TLS certificate verification: depth: 1, err: 20, subject: /DC=com/DC=example/DC=activedir, issuer: /CN=example-CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate).
[snip]
Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in C:\Temp\ldap.php on line 9
ERROR