LDAP is working but not with TLS

Oh, I can’t believe I solved it: the issue was caused by the TLS certificate on the LDAP server: it was signed by a CA made by us.

From the Linux (Rocky) server where we have installed SuiteCRM8, I tested the connection to our LDAP (OpenLDAP) server and saw it was not working:

$ ldapsearch -x -H ldaps://ldap.example.com:636
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

(where, of course, the ldap.example.com would be the URL of our LDAP server)

I’ve installed openldap-clients on the Linux server hosting SuiteCRM with

yum install openldap-clients

and added this line to the file /etc/openldap/ldap.conf:

TLS_CACERT    /etc/openldap/our_custom_ldap.ca-certificates.crt

We got that file from the LDAP server, at /etc/ldap/sasl2/ca-certificates.crt (our OpenLDAP installation).

With the above, the ldapsearch command worked, and then SuiteCRM8 LDAP also started working, precisely with this configuration:

APP_ENV=qa

# https://docs.suitecrm.com/8.x/admin/configuration/ldap-configuration/#_enabling_ldap_authentication
# note: the `username` in SuiteCRM must be the user's email
AUTH_TYPE=ldap
###> LDAP CONFIG ###
LDAP_HOST='ldap.bwlocal.it'
LDAP_PORT=389
# LDAP_PORT=636
LDAP_ENCRYPTION=tls
# LDAP_ENCRYPTION=none
LDAP_PROTOCOL_VERSION=3
LDAP_REFERRALS=false
LDAP_DN_STRING='ou=users,dc=example,dc=it'
LDAP_QUERY_STRING='mail={username}'
# here a user dedicated to just querying LDAP (mandatory)
LDAP_SEARCH_DN='cn=crm_ldap_user_for_queries,ou=users,dc=example,dc=it'
LDAP_SEARCH_PASSWORD='blablabla'

So it is clear the issue was not related to SuiteCRM or Symfony: evidently the php-ldap code somehow (fortunately) uses the content of the OS file /etc/openldap/ldap.conf to get the CA certificate.

We’ve spent a lot of hours on LDAP, so we hope this will help others.

Please note that, in the above, we’ve set APP_ENV=qa: without that line we have problems with caches… (LDAP works, but we have to log in two or three times).

(see also: Integrating LDAP for User-Authentication fails)

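The same check the post did with ldapsearch, done from php-ldap itself, as an added example (not code from the post, SuiteCRM or Symfony): it points libldap at the private CA explicitly, which is what TLS_CACERT in /etc/openldap/ldap.conf does implicitly, and reports the TLS reason when the handshake or bind fails. The host, CA path, bind DN and password are placeholders taken from the post's configuration and must be replaced.

```php
<?php
// Added example, not part of the original post. Verifies that php-ldap can
// validate the LDAP server's certificate against a private CA, matching what
// TLS_CACERT in /etc/openldap/ldap.conf gives ldapsearch. Host, CA file, bind
// DN and password below are placeholders (assumed values).

// Global libldap TLS options: must be set before any ldap_connect().
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, '/etc/openldap/our_custom_ldap.ca-certificates.crt');
// Keep full verification; lowering this to ALLOW/NEVER hides the CA problem instead of fixing it.
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

function tlsDiagnostic($ds): string
{
    // The extended diagnostic carries the TLS reason, e.g. "unable to get local issuer certificate".
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $msg);
    return (string) $msg;
}

function ldapTlsCheck(string $uri, bool $startTls, string $bindDn, string $password): array
{
    $ds = ldap_connect($uri);            // lazy: no network I/O yet
    if ($ds === false) {
        return [false, 'invalid LDAP URI'];
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);   // LDAP_PROTOCOL_VERSION=3
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);          // LDAP_REFERRALS=false

    // Port 389 + LDAP_ENCRYPTION=tls means STARTTLS; ldaps://...:636 needs no STARTTLS.
    if ($startTls && !@ldap_start_tls($ds)) {
        return [false, 'STARTTLS failed: ' . ldap_error($ds) . ' (' . tlsDiagnostic($ds) . ')'];
    }
    if (!@ldap_bind($ds, $bindDn, $password)) {
        return [false, 'bind failed: ' . ldap_error($ds) . ' (' . tlsDiagnostic($ds) . ')'];
    }
    ldap_unbind($ds);
    return [true, 'TLS handshake and bind OK'];
}

// Same shape as the post's working SuiteCRM settings (STARTTLS on 389).
[$ok, $why] = ldapTlsCheck(
    'ldap://ldap.example.com:389',
    true,
    'cn=crm_ldap_user_for_queries,ou=users,dc=example,dc=it',
    'CHANGE_ME'
);
echo ($ok ? 'OK: ' : 'FAIL: ') . $why . PHP_EOL;
exit($ok ? 0 : 1);
```

Run it with the same php binary SuiteCRM uses, so it loads the same php-ldap build and libldap configuration; a "Can't contact LDAP server" result with an "unable to get local issuer certificate" diagnostic is the CA problem the post describes.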