Page MenuHomePhabricator

LDAP Unable to Connect
Closed, InvalidPublic


LDAP doesn't work from inside Phabricator, but does using ldapsearch and the included auth tool.

When attempting to login to Phabricator using LDAP, I get:

Unhandled Exception ("Exception")	
LDAP Exception: Failed to bind to LDAP server (as user "$user@$").
LDAP Error #-1: Can't contact LDAP server

Using Ldap diagnostic tool I get:

Connecting to LDAP...
>>> [6] <ldap> connect (ldap.$
<<< [6] <ldap> 234 us
>>> [7] <ldap> bind ($user@$
<<< [7] <ldap> 8,855 us
>>> [8] <ldap> search (DC=AD,DC=$company,DC=COM, sAMAccountName=$user)
<<< [8] <ldap> 4,206 us
Found LDAP Account: $user

LDAP Settings:

hostname: ldap.$
port: 389
DN: DC=ad,DC=$company,DC=com
Search Attributes: sAMAccountName
Username Attributes: sAMAccountName
Realname Attributes: givenName, sn
LDAP Version: 3
ActiveDirectory Domain: $


phabricator b256f2d7b2db27318728a63b7c2565241f87452c (Tue, May 31) 
arcanist 2234c8cacc21ce61c9c10e8e5918b6a63cc38fc8 (Mon, May 16) 
phutil 5eaf0a9f5a3540a2eba9c75b4e792d0fb26cf69a (Thu, May 26)

Event Timeline

Thanks for the report, and for including version information.

To move forward, we first need to reproduce this bug. I'm not sure how to do this because I can't access your company's LDAP server, and LDAP works fine for us and for many other users. We also haven't changed LDAP recently.

Here are some ways we can move forward:

  • You can provide complete reproduction instructions that we can follow in a clean environment (i.e., with no dependencies on proprietary systems which we can't access) to reproduce the bug. These steps need to include instructions for installing and configuring an LDAP server in a way that reliably reproduces the problem. Once you provide instructions and we're able to reproduce the problem, we'll confirm it and fix the issue. See Providing Reproduction Steps for specifics.
  • Or, we can treat this as a support request instead of a bug report, and help you resolve this problem in your environment at consulting rates ($1,500/hr). See Consulting for details. (If you're in the San Francisco bay area, we can come onsite which may lead to quicker resolution).

Let us know how you'd like to move forward.

(If you choose not to move forward along either pathway, we'll close this report in a few days.)

Unfortunately, it would certainly be impossible to reproduce our AD as it is fairly large, but the settings are very straight forward. I found the following in my apache error log, perhaps it's possible to determine what happened based off of this.

[Fri Jun 03 08:42:33.843963 2016] [:error] [pid 22594] [client] [2016-06-03 08:42:33] EXCEPTION: (Exception) LDAP Exception: Failed to bind to LDAP server (as user "adbind@$").\nLDAP Error #-1: Can't contact LDAP server at [<phutil>/src/auth/PhutilLDAPAuthAdapter.php:455]
[Fri Jun 03 08:42:33.844293 2016] [:error] [pid 22594] [client] arcanist(head=master, ref.master=2234c8cacc21), phabricator(head=master, ref.master=b256f2d7b2db), phutil(head=master, ref.master=5eaf0a9f5a35)
[Fri Jun 03 08:42:33.844301 2016] [:error] [pid 22594] [client]   #0 <#2> PhutilLDAPAuthAdapter::raiseConnectionException(resource, string) called at [<phutil>/src/auth/PhutilLDAPAuthAdapter.php:481]
[Fri Jun 03 08:42:33.844312 2016] [:error] [pid 22594] [client]   #1 <#2> PhutilLDAPAuthAdapter::bindLDAP(resource, string, PhutilOpaqueEnvelope) called at [<phutil>/src/auth/PhutilLDAPAuthAdapter.php:364]
[Fri Jun 03 08:42:33.844313 2016] [:error] [pid 22594] [client]   #2 <#2> PhutilLDAPAuthAdapter::establishConnection() called at [<phutil>/src/auth/PhutilLDAPAuthAdapter.php:213]
[Fri Jun 03 08:42:33.844315 2016] [:error] [pid 22594] [client]   #3 <#2> PhutilLDAPAuthAdapter::loadLDAPUserData() called at [<phutil>/src/auth/PhutilLDAPAuthAdapter.php:161]
[Fri Jun 03 08:42:33.844316 2016] [:error] [pid 22594] [client]   #4 <#2> PhutilLDAPAuthAdapter::getLDAPUserData() called at [<phutil>/src/auth/PhutilLDAPAuthAdapter.php:114]
[Fri Jun 03 08:42:33.844317 2016] [:error] [pid 22594] [client]   #5 <#2> PhutilLDAPAuthAdapter::getAccountID() called at [<phabricator>/src/applications/auth/provider/PhabricatorLDAPAuthProvider.php:166]
[Fri Jun 03 08:42:33.844319 2016] [:error] [pid 22594] [client]   #6 <#2> PhabricatorLDAPAuthProvider::processLoginRequest(PhabricatorAuthLoginController) called at [<phabricator>/src/applications/auth/controller/PhabricatorAuthLoginController.php:40]
[Fri Jun 03 08:42:33.844320 2016] [:error] [pid 22594] [client]   #7 <#2> PhabricatorAuthLoginController::handleRequest(AphrontRequest) called at [<phabricator>/src/aphront/configuration/AphrontApplicationConfiguration.php:237]
[Fri Jun 03 08:42:33.844322 2016] [:error] [pid 22594] [client]   #8 phlog(Exception) called at [<phabricator>/src/aphront/handler/PhabricatorDefaultRequestExceptionHandler.php:32]
[Fri Jun 03 08:42:33.844323 2016] [:error] [pid 22594] [client]   #9 PhabricatorDefaultRequestExceptionHandler::handleRequestException(AphrontRequest, Exception) called at [<phabricator>/src/aphront/configuration/AphrontApplicationConfiguration.php:644]
[Fri Jun 03 08:42:33.844325 2016] [:error] [pid 22594] [client]   #10 AphrontApplicationConfiguration::handleException(Exception) called at [<phabricator>/src/aphront/configuration/AphrontApplicationConfiguration.php:242]
[Fri Jun 03 08:42:33.844326 2016] [:error] [pid 22594] [client]   #11 AphrontApplicationConfiguration::processRequest(AphrontRequest, PhutilDeferredLog, AphrontPHPHTTPSink, MultimeterControl) called at [<phabricator>/src/aphront/configuration/AphrontApplicationConfiguration.php:149]
[Fri Jun 03 08:42:33.844328 2016] [:error] [pid 22594] [client]   #12 AphrontApplicationConfiguration::runHTTPRequest(AphrontPHPHTTPSink) called at [<phabricator>/webroot/index.php:17]

We can only move forward with complete reproduction steps that allow us to reproduce this problem in a local environment.

If you come up with reproduction steps, feel free to file a new report.

Ran into this issue myself over the past few days on a fresh install of CentOS 7 connecting to a Windows Server 2008 R2 domain controller with active directory. I was able to use ldapsearch and the provided bin/auth tool to query the active directory server successfully but yet through the web interface for phabricator it kept rejecting with the error describe in the original post. After some debugging I determined it to be due to SELinux blocking the ldap connection from httpd. Turns out you can run the following command to allow for httpd to use php-ldap to connect out to the active directory server.

setsebool -P httpd_can_network_connect=1

Hope this helps someone else that is struggling through the same problem.

See also T4947 for some discussion of SELinux.