A lot of substance, but the main question is:
Why can't we connect after setting up secure LDAP passwords over STARTTLS, but we can when we change to SSL/TLS? Previously we could connect, and we had not changed the encryption.
For a small non-profit NGO, we operate a website (PHP 7.2) including a sub-domain for our volunteers. Of course, volunteers must have an account and log in. For storage of relevant files for volunteers, we have a Synology NAS configuration (and a backup, of course).
To ensure that volunteers can use the same account for the NAS and for our website, the NAS has an LDAP directory server configuration, which functions as a provider server. When a volunteer logs on to the website, the credentials are checked using LDAP. In addition, there are options to change passwords and others, all that you normally expect.
When a user changes their password on the website, it is written to the LDAP server via ldap_mod_replace() so that the user can log in to both places with the same credentials. Up to here everything is fine.
When you change the password via the 'DSM' (Disk Station Manager, the proprietary software of the Synology NAS), it is automatically salted and hashed with SHA-512. However, we discovered that when changing it via PHP (with ldap_mod_replace()), it is simply stored in plain text. Obviously a risk that we were not willing to take.
To mitigate this, we wrote code to salt and hash the password in PHP before replacing it. The end result should be the same as changing it via Synology. It seemed that bcrypt, for example, was not available, so we still used SHA-512. To ensure that all users have hashed passwords, we automatically generated random passwords, hashed them, replaced the current passwords, and forced everyone to change their password. A disadvantage, but necessary.
The problem: After that, all the passwords had been replaced by new random passwords. Logging in to the website still worked, and with the admin accounts we could still connect via software like Apache Directory Studio. However, when we tried to log in via the DSM, we received errors indicating that our username or password was invalid. Even when we changed the passwords with the help of the DSM, we still got the same errors. Even when we re-entered passwords in plain text, we still could not log in.
The solution: After trying a lot of things, the solution proved quite simple. The LDAP client* on the NAS had to have its encryption set to SSL/TLS instead of STARTTLS, as it was before. After that, we could log in again. This solution was more a lucky strike than a well-thought-out plan.
* Client, in this case, because the NAS runs an LDAP provider but is also a client of it, for logins and directories.
The question: Do you have an idea of the cause of this problem and why this solution worked? We have not changed any LDAP server or LDAP client settings; we only changed the passwords. As far as we know, this should have had effects on the encryption used for the connection. If anyone has an idea, we would like to hear it! It works now, but why is a complete mystery to us.
Also, please let me know if this is not the place to ask for this!
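As an added example (not the poster's code), the following PHP shows two ways to avoid writing a plaintext userPassword with ldap_mod_replace(): hashing client-side into the RFC 2307-style {SSHA512} scheme (base64 of the raw SHA-512 digest followed by the salt), with a verify routine so the stored value can be checked before it is rolled out, and letting the server hash the password itself through the LDAP Password Modify extended operation (ldap_exop_passwd(), PHP 7.2+). Whether a given Synology DSM release accepts {SSHA512} values or the extended operation is an assumption; the {SSHA512} layout used here is the one OpenLDAP's pw-sha2 module understands. The connection handle, DN and passwords in the usage functions are placeholders.

```php
<?php
// Added example, not from the original post. Builds and verifies an
// RFC 2307-style {SSHA512} userPassword value so that the hash stored by
// ldap_mod_replace() can be checked locally before touching every account.

function ssha512_hash(string $password, int $saltBytes = 16): string
{
    // random_bytes() is CSPRNG-backed in PHP 7+, which is what a salt needs.
    $salt = random_bytes($saltBytes);
    // Raw (binary) SHA-512 of password || salt, as the {SSHA512} scheme expects.
    $digest = hash('sha512', $password . $salt, true);
    return '{SSHA512}' . base64_encode($digest . $salt);
}

function ssha512_verify(string $password, string $stored): bool
{
    if (strncmp($stored, '{SSHA512}', 9) !== 0) {
        return false;
    }
    // Strict decoding rejects values that are not valid base64.
    $decoded = base64_decode(substr($stored, 9), true);
    if ($decoded === false || strlen($decoded) <= 64) {
        return false;           // must contain a 64-byte digest plus a salt
    }
    $digest    = substr($decoded, 0, 64);
    $salt      = substr($decoded, 64);
    $candidate = hash('sha512', $password . $salt, true);
    // Constant-time comparison so a wrong guess does not leak timing.
    return hash_equals($digest, $candidate);
}

// Option 1 (assumed: the directory accepts a pre-hashed {SSHA512} value):
// hash client-side, then replace the attribute as the post describes.
function set_ldap_password_client_hashed($ldap, string $dn, string $newPassword): bool
{
    return ldap_mod_replace($ldap, $dn, ['userPassword' => ssha512_hash($newPassword)]);
}

// Option 2 (assumed: the server supports RFC 3062 Password Modify):
// the server applies its own hashing policy, so PHP never picks a scheme.
function set_ldap_password_server_side($ldap, string $dn, string $oldPassword, string $newPassword): bool
{
    $result = ldap_exop_passwd($ldap, $dn, $oldPassword, $newPassword);
    return $result !== false;
}

// Local self-check that needs no directory.
$stored = ssha512_hash('correct horse battery staple');
var_dump(strncmp($stored, '{SSHA512}', 9) === 0);                     // bool(true)
var_dump(ssha512_verify('correct horse battery staple', $stored));     // bool(true)
var_dump(ssha512_verify('wrong password', $stored));                   // bool(false)
```

Both ldap_mod_replace() and ldap_exop_passwd() send the password over the connection in clear, so they are only safe on a session that is already encrypted (ldaps:// or after a successful ldap_start_tls()); a useful check after any bulk password change is a plain ldap_bind() as one of the affected users, which is exactly the step that fails when the server and the client disagree on the stored scheme.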