Re: [PHP] PHP LDAP over SSL problems (SOLVED)
>>> On Fri, Apr 3, 2009 at 10:16 AM, in message <49d5e20c.8302.00a...@sjhc.london.on.ca>, "Keith Lawson" wrote:
> On Thu, Apr 2, 2009 at 5:51 PM, in message <49d53344.7040...@gmail.com>, Chris wrote:
>> Keith Lawson wrote:
>>> Hello,
>>>
>>> I have been working on this problem for some time now and I can't seem to
>>> resolve it. Everything I have found on google and php.net says I can connect
>>> to an LDAP server with SSL by setting "TLS_REQCERT never" in ldap.conf. I
>>> want to eliminate certs from the picture for now just to confirm I can make
>>> the connection which is why I have "TLS_REQCERT never" set.
>>>
>>> I added that setting to my ldap.conf and my test code now works from the
>>> command line but it does not work when I call it from a browser. Here is my
>>> test:
>>>
>>> $ldaphost = "ldaps://my.ldap.server";
>>>
>>> //ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
>>> // Connecting to LDAP
>>> $ldapconn = ldap_connect($ldaphost)
>>>     or die("Could not connect to {$ldaphost}");
>>> ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
>>> ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
>>>
>>> echo var_dump(@ldap_bind($ldapconn, "cn=Keithl, ou=Users, o=LH"));
>>
>> It's hard to know - you're suppressing errors.
>>
>> Add these 2 lines to your script:
>> error_reporting(E_ALL);
>> ini_set('display_errors', true);
>
> I've done that and I get the following when I load the page in a browser:
>
> Warning: ldap_bind() [function.ldap-bind]: Unable to bind to server: Can't
> contact LDAP server in /www/doc/INTRA/ktlwiki/ldap-test.php on line 19
> bool(false)
> Can't contact LDAP server
>
> From the command line still works:
>
> [www]/www/doc/> php ldap-test.php
> bool(true)
> Success
>
> As I mentioned the command line call did not work until I added "TLS_REQCERT
> never" to ldap.conf. I need to figure out why the apache loadable module is
> behaving differently than the command line binary. I'm pretty sure the web
> page is failing because it is still trying to verify the LDAP server's cert.

My problem was that I had compiled Apache against the Solaris 10 OpenSSL libraries version 0.9.7. When I installed OpenLDAP and recompiled PHP I manually built new OpenSSL libs that were version 0.9.8. Rebuilding Apache and linking to the same OpenSSL libraries resolved this problem for me. That explains why I was seeing different behavior with command line PHP than when I called the same code through Apache. Thanks for the suggestions Chris.

>> Then get rid of the @ in front of ldap_bind.
>>
>> Use http://www.php.net/manual/en/function.ldap-error.php to capture the
>> error message and search for it.

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
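The cause reported in the message above (Apache linked against OpenSSL 0.9.7, PHP built against 0.9.8) can be checked by comparing which libssl and libcrypto each binary resolves. The script below is an added example, not part of the original thread; the ldd listings are constructed sample text, and the function names and the /usr/sfw/lib and /opt/lib OpenSSL paths are assumptions.

```sh
#!/bin/sh
# Added example: find OpenSSL library mismatches between two binaries.
# The ldd listings below are CONSTRUCTED sample text, not captured output.
# /usr/sfw/lib and the /opt/lib OpenSSL paths are assumptions that mirror the
# thread (OS OpenSSL 0.9.7 for Apache, locally built 0.9.8 for PHP).
HTTPD_LDD='    libssl.so.0.9.7 =>   /usr/sfw/lib/libssl.so.0.9.7
    libcrypto.so.0.9.7 =>   /usr/sfw/lib/libcrypto.so.0.9.7
    libc.so.1 =>   /lib/libc.so.1'
PHP_LDD='    libldap-2.4.so.2 =>   /opt/lib/libldap-2.4.so.2
    libssl.so.0.9.8 =>   /opt/lib/libssl.so.0.9.8
    libcrypto.so.0.9.8 =>   /opt/lib/libcrypto.so.0.9.8
    libc.so.1 =>   /lib/libc.so.1'

# Print "family path" (family is ssl or crypto) for each OpenSSL library
# named in the ldd text passed as $1.
ssl_libs() {
    printf '%s\n' "$1" | awk '
        $2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ {
            fam = $1; sub(/^lib/, "", fam); sub(/\.so.*/, "", fam)
            print fam, $3
        }' | sort -u
}

# Compare two ldd listings family by family. Returns 1 if any family
# resolves to different files, i.e. two OpenSSL builds in one process.
compare_ssl_libs() {
    mismatch=0
    for fam in ssl crypto; do
        a=$(ssl_libs "$1" | awk -v f="$fam" '$1 == f { print $2 }')
        b=$(ssl_libs "$2" | awk -v f="$fam" '$1 == f { print $2 }')
        if [ -z "$a" ] || [ -z "$b" ]; then
            echo "$fam: not linked by both binaries, skipped"
        elif [ "$a" = "$b" ]; then
            echo "$fam: OK $a"
        else
            echo "$fam: MISMATCH $a vs $b"
            mismatch=1
        fi
    done
    return "$mismatch"
}

# On a live host, pass real listings instead (paths are placeholders):
#   compare_ssl_libs "$(ldd /path/to/httpd)" "$(ldd /path/to/libphp5.so)"
compare_ssl_libs "$HTTPD_LDD" "$PHP_LDD" ||
    echo "Apache and the PHP module load different OpenSSL builds"
```
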
Re: [PHP] PHP LDAP over SSL problems
>>> On Thu, Apr 2, 2009 at 5:51 PM, in message <49d53344.7040...@gmail.com>, Chris wrote:
> Keith Lawson wrote:
>> Hello,
>>
>> I have been working on this problem for some time now and I can't seem to
>> resolve it. Everything I have found on google and php.net says I can connect
>> to an LDAP server with SSL by setting "TLS_REQCERT never" in ldap.conf. I
>> want to eliminate certs from the picture for now just to confirm I can make
>> the connection which is why I have "TLS_REQCERT never" set.
>>
>> I added that setting to my ldap.conf and my test code now works from the
>> command line but it does not work when I call it from a browser. Here is my
>> test:
>>
>> $ldaphost = "ldaps://my.ldap.server";
>>
>> //ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
>> // Connecting to LDAP
>> $ldapconn = ldap_connect($ldaphost)
>>     or die("Could not connect to {$ldaphost}");
>> ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
>> ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
>>
>> echo var_dump(@ldap_bind($ldapconn, "cn=Keithl, ou=Users, o=LH"));
>
> It's hard to know - you're suppressing errors.
>
> Add these 2 lines to your script:
> error_reporting(E_ALL);
> ini_set('display_errors', true);

I've done that and I get the following when I load the page in a browser:

Warning: ldap_bind() [function.ldap-bind]: Unable to bind to server: Can't contact LDAP server in /www/doc/INTRA/ktlwiki/ldap-test.php on line 19
bool(false)
Can't contact LDAP server

From the command line still works:

[www]/www/doc/> php ldap-test.php
bool(true)
Success

As I mentioned the command line call did not work until I added "TLS_REQCERT never" to ldap.conf. I need to figure out why the apache loadable module is behaving differently than the command line binary. I'm pretty sure the web page is failing because it is still trying to verify the LDAP server's cert.

> Then get rid of the @ in front of ldap_bind.
>
> Use http://www.php.net/manual/en/function.ldap-error.php to capture the
> error message and search for it.
Re: [PHP] PHP LDAP over SSL problems
Keith Lawson wrote:
> Hello,
>
> I have been working on this problem for some time now and I can't seem to
> resolve it. Everything I have found on google and php.net says I can connect
> to an LDAP server with SSL by setting "TLS_REQCERT never" in ldap.conf. I
> want to eliminate certs from the picture for now just to confirm I can make
> the connection which is why I have "TLS_REQCERT never" set.
>
> I added that setting to my ldap.conf and my test code now works from the
> command line but it does not work when I call it from a browser. Here is my
> test:

It's hard to know - you're suppressing errors.

Add these 2 lines to your script:
error_reporting(E_ALL);
ini_set('display_errors', true);

Then get rid of the @ in front of ldap_bind.

Use http://www.php.net/manual/en/function.ldap-error.php to capture the error message and search for it.

--
Postgresql & php tutorials
http://www.designmagick.com/
[PHP] PHP LDAP over SSL problems
Hello,

I have been working on this problem for some time now and I can't seem to resolve it. Everything I have found on google and php.net says I can connect to an LDAP server with SSL by setting "TLS_REQCERT never" in ldap.conf. I want to eliminate certs from the picture for now just to confirm I can make the connection which is why I have "TLS_REQCERT never" set.

I added that setting to my ldap.conf and my test code now works from the command line but it does not work when I call it from a browser. Here is my test:

This returns true when called from the command line:

[www]/www/doc/ktlwiki > php ldap-test.php
bool(true)

But when I load the same code through a browser it fails.

I'm using php 5.2.6, openldap 2.4.11 and openssl 0.9.8i on Solaris 10. I built everything from source, PHP has LDAP and SSL support compiled in. My openldap install is in /opt.

Trussing the command line process and the apache process shows similar results:

Command line:
26651: open("/opt/lib/libldap-2.4.so.2", O_RDONLY) = 3
26651: open("ldap-test.php", O_RDONLY) = 4
26651: resolvepath("/www/doc/INTRA/ktlwiki/ldap-test.php", "/www/doc/INTRA/ktlwiki/ldap-test.php", 1024) = 36
26651: open("/opt/etc/openldap/ldap.conf", O_RDONLY) = 4

Apache process:
24656: open("/opt/lib/libldap-2.4.so.2", O_RDONLY) = 6
24818: open("/www/doc/INTRA/ktlwiki/ldap-test.php", O_RDONLY) = 45
24818: open("/opt/etc/openldap/ldap.conf", O_RDONLY) = 4

Any idea why the same code served by apache would ignore the TLS_REQCERT setting?!

TIA

Keith