Error "Unable to bind to server" with PHP 8.4

[zapftho]

We are currently trying to update to PHP 8.4.4 and are facing issues with LoginLDAP. I have tried to use PHP 8.2.27 which is working fine. On 8.8.4 we cannot sync users using LDAP and also the login is not working. So I can rule out any general issues with the LDAP configuration.

When running the synchronization for a user with PHP 8.4.4 on console, we get the following error:

Trying the same with PHP 8.2.27:

Same behavior when trying to import a user over the UI in Matomo.

We are using the newest LoginLDAP version 5.1.0 with Matomo 5.2.2

[snake14]

Hi @zapftho . Thank you for taking the time to create this issue. I was able to reproduce the same issue in my local environment. However, if I remove the port from the Server URL field, it still works as expected with PHP 8.4.4. Do you include the port in your Server URL?

[zapftho]

@snake14 Thanks for reproducing this! This is our server config:

So we do not have the port included in the Server URL but we included the protocol as LDAPs.

So I did some testing now with different settings. I did remove the "ldaps://" from server URL, added the according port and enabled TLS.

This resulted in another error:

WARNING   [2025-03-10 07:39:03] 11096  C:\inetpub\wwwroot\matomo-dev\plugins\LoginLdap\Ldap\Client.php(105): Warning - ldap_start_tls(): Unable to start TLS: Can't contact LDAP server
DEBUG     [2025-03-10 07:39:03] 11096  anonymous ldap_start_tls returned error '-1'
INFO      [2025-03-10 07:39:03] 11096  C:\inetpub\wwwroot\matomo-dev\plugins\LoginLdap\Ldap\Client.php(106): ldap_start_tls failed: Can't contact LDAP server [Query: , CLI mode: 1]

When using this config on PHP 8.2 I get the same error, so the only working configuration for us right now is the one using ldaps path in Server URL and ignoring the Server Port & TLS Settings in this scenario.

Another try without TLS failed as well, this time with the same error as described in the initial post.

We have the ldap.conf file set up in C:\OpenLDAP\sysconf and we are referencing the certificate with TLS_CACERT in there only just fyi. But as its working fine with PHP 8.2 I assume this is also not related.

[snake14]

Hi @zapftho . Thank you for the additional information. Using ldaps:// should work, but if you don't set the port in the Server Port field, it will default to 389, which I'm assuming isn't your server's secure LDAP port. Is LDAPS using port 636? have you tried setting that as the port when using LDAPS? Here's what my local configuration looks like for LDAPS to work:

It didn't work until I specified the port.

[zapftho]

@snake14 Thank you for providing your config. I tested it with specifying the port and this is working fine 🙂 So there must have been a change with handling this in PHP? As it did work up to PHP 8.2 without specifying the port.

Also to me the following information in the LDAP Configuration is a bit misleading then:

the same is described at https://plugins.matomo.org/LoginLdap, even more specifically for LDAPS:

So normally I would expect when specifying the URL starting with ldaps:// any configuration used in "Server Port" is not considered as well? As for LDAPS the default port is 636 no change should be needed then and actually wasn't needed until updating to PHP 8.4.

UPDATE: it looks like there have been some changes for PHP >= 8.3 (https://www.php.net/manual/en/function.ldap-connect.php) and they actually seem to be the reason for the described behavior. In LoginLDAP these changes have been reflected here:

plugin-LoginLdap/Ldap/Client.php

Line 85 in f19508a

if (version_compare(PHP_VERSION, 8.3, '>=')) {

I also found out another way to get it working without specifying the port: when I add a trailing slash to my LDAPS URL it just works fine as well. I tried it because it was documented like that in the examples here as an alternative to specifying the port: https://www.php.net/manual/en/function.ldap-connect.php

So it might be helpful for others to update the information texts shown in LoginLDAP Config Page and the documentation on the Matomo Plugin Page.

[snake14]

Hi @zapftho . I'm glad to hear that you were able to get it working.

Thank you for the additional information. You're correct. PHP 8.3 changed the implementation of the ldap_connect function, so we had to make some code changes to accommodate that. We tried to keep functionality the same, but it seems like we didn't get it quite right. I'll keep this ticket open and notify our Product team so that we can either make a code correction or adjust the helptext and documenation.

[zapftho]

@snake14 great, thank you for your support on this one! 🙂

[snake14]

Hi @zapftho . We just released version 5.1.1 of the plugin which fixes the default port when using ldaps://. I didn't adjust the helptext or documentation because it's accurate for anyone using PHP 8.2 or lower. It's also more accurate for PHP 8.3 and higher now that 5.1.1 defaults to port 636 if no port is configured and the host uses ldaps.