Continuous errors since enabling LDAP TLS, but everything works

Pydio version 8, Debian.

So since last wednesday I’ve been getting these error messages in the picture every few minutes. They all started coming after I enabled the mod ldap.conf (etc/apache2/mods-enabled/ldap.conf) and configured it to use TLS.

Exactly like I’ve done with all our other apache machines I configured it and pointed it to our cert that is in usr/local/share/ca-certificates/extra. That plus enabling starttls in the pydio gui.

The thing is that everthing in pydio works. It’s just that it’s spamming errors. I know TLS works because if I delete a line in the cert I get a start_tls error when trying to log in.

I tried to disable TLS in the GUI, but that only stopped the error message containing tls.

So my best guess is that all the other error messages comes from ldap.conf. Because that’s the only other change I’ve done (except adding the cert).

Do you guys have any idea what causes this? I’m only an apprentice so I’m terribly new to all this, and have googled all day trying different solutions without getting through. Would love to get some help. Thanks for reading.


Could you please post the version of PHP, os version ?
Please post the ldap.conf as well.

1 Like

PHP 5.6.39-0+deb8u1

“Debian GNU/Linux 8 (jessie)”

Ldap.conf looks like this:

<Location /ldap-status>
SetHandler ldap-status
Require ip ::1

LDAPTrustedGlobalCert CA_BASE64 /usr/local/share/ca-certificates/extra/ldapsslcertificate.cer
LDAPTrustedMode TLS
LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600


A stupid question: You are configure ldap for apache or for PHP? If you are config ldap for php (which necessary for ldap plugin) please config (of create if it’s not existed) in /etc/ldap/ldap.conf

1 Like

It was for apache since that is how we log in. But the errors are php. Don’t know how php ldap works or where it is used?

(Btw we don’t use openldap and we are authenticating ourselves to a microsoft AD server)

But if if I would configure /etc/ldap/ldap.conf would it look like this aaand what service should I restart after doing those changes?

BASE ou=COMPANYNAME, dc=companyname,dc=local
URI ldap://dc.companyname.local

#DEREF never

TLS_CACERT /usr/local/share/ca-certificates/extra/ldapsslcertificate.cer

Still wonder about this. Anyone can help?

Could you please post the configuration of Pydio >> Settings >> Authentication >> Master Driver & Secondary Driver ?

Master Driver

LDAP/AD Directory
LDAP url ldap://dcname.local,ldap://dcname2.local
Protocol: StartsTLS | LDAP Port: 389 | Ldap bind username: username | password: password |


People DN: ou=Users, ou=COMPANY, dc = company, dc = local
LDAP Filter: objectClass=person
User attribute: sAMAccountname

ou=Certain Groups1, ou=COMPANY, dc=company, dc=local
ou=Certains Group2, ou=COMPANY, dc=company, dc=local
LDAP Filter: objectClass=person
User attribute: sAMAccountname


Seems pretty empty but there is

LDAP attribute: memberOf
Mapping Type: Role Id

LDAP attribute: displayName
Mapping Type: Plugin Parameter
Plugin parameter: core.conf/USER_DISPLAY_NAME

LDAP attribute: mail
Mapping Type: Plugin Parameter
Plugin parameter: core.conf/email


Fake MemberOf. value of member/memberUid: Turned on
Search Users by Attribute: displayName
LDAP Server page size: 500
Cache User Count (hours): 1
All other settings are off


Nothing turned on or filled in here

Secondary Driver

Multiple Instances Mode

Mode: Master/Slave
Cache master users: Turned on
Users Listing: Both

Secondary Instance Driver
Instance Type: DB Auth Storage
Connection: Core Connexion
The Database Connection: SQL TABLES
Auth Driver Commons
Auto Create User: Turned on
Rest is empty.

That’s all :slight_smile:

And on General Options the only things turned on are “Standard Login Screen”, API Keystore and Enable Users.


Ldap Url: please use one ip or domain name without ldap://
Such as: dcname.local
or: dcname2.local

Note: Default port for StartsTLS is 636 and SSL is 389
If you use StartsTLS, please make sure that /etc/ldap/ldap.conf is configured (

LDAP Filter: (objectClass=person)

LDAP Filter: (objectClass=group)

Should be turnof if you are running Active Directory