[PHP] PHP LDAP over SSL problems

Thu, 02 Apr 2009 11:27:07 -0700 

Hello, 

I have been working on this problem for some time now and I can't seem to 
resolve it. Everything I have found on google and php.net says I can connect to 
an LDAP server with SSL by setting "TLS_REQCERT never" in ldap.conf. I want to 
eliminate certs from the picture for now just to confirm I can make the 
connection which is why I have "TLS_REQCERT never" set. 

I added that setting to my ldap.conf and my test code now works from the 
command line but it does not work when I call it from a browser. Here is my 
test: 

<?php
$ldaphost = "ldaps://my.ldap.server";

//ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
// Connecting to LDAP
$ldapconn = ldap_connect($ldaphost)
          or die("Could not connect to {$ldaphost}");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);

echo var_dump(@ldap_bind($ldapconn, "cn=Keithl, ou=Users, o=LH"));
?>

This returns true when called from the command line: 
[www]/www/doc/ktlwiki > php ldap-test.php
bool(true)

But when I load the same code through a browser it fails. 

I'm using php 5.2.6, openldap 2.4.11 and openssl 0.9.8i on Solaris 10. I built 
everything from source, PHP has LDAP and SSL support compiled in.

My openldap install is in /opt. Trussing the command line process and the 
apache process shows similar results: 

Command line: 
26651:  open("/opt/lib/libldap-2.4.so.2", O_RDONLY)     = 3
26651:  open("ldap-test.php", O_RDONLY)                 = 4
26651:  resolvepath("/www/doc/INTRA/ktlwiki/ldap-test.php", 
"/www/doc/INTRA/ktlwiki/ldap-test.php", 1024) = 36
26651:  open("/opt/etc/openldap/ldap.conf", O_RDONLY)   = 4

Apache process: 
24656:  open("/opt/lib/libldap-2.4.so.2", O_RDONLY)     = 6
24818:  open("/www/doc/INTRA/ktlwiki/ldap-test.php", O_RDONLY) = 45
24818:  open("/opt/etc/openldap/ldap.conf", O_RDONLY)   = 4

Any idea why the same code served by apache would ignore the TLS_REQCERT 
setting?!

TIA
Keith

 
--------------------------------------------------------------------------------

The information transmitted is intended only for the person or entity to which 
it is addressed and may contain confidential and/or privileged material. Any 
review, retransmission, dissemination or other use of, or taking of any action 
in  reliance upon, this information by persons or entities other  than the 
intended recipient is prohibited. If you received this  in error, please 
contact the sender and delete the material from any computer. 


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to