Edit report at http://bugs.php.net/bug.php?id=17738&edit=1

 ID:               17738
 Updated by:       [email protected]
 Reported by:      benoit at gide dot net
 Summary:          SSL support for LDAP
 Status:           Open
 Type:             Bug
 Package:          LDAP related
 Operating System: Redhat 6.2 7.1 7.2
 PHP Version:      4.2.1

 New Comment:

Maybe this helps?

http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients


Previous Comments:
------------------------------------------------------------------------
[2010-05-01 19:24:23] [email protected]

Here's the bug again. See: http://bugs.debian.org/560161

------------------------------------------------------------------------
[2006-10-02 02:28:20] michael at akatose dot de

OK, this problem vanished as soon as I replaced the
wildcard certificate at the LDAP server (CN=*.example.com) with a
"simple" certificate (CN=ldap.example.com).

I double-checked this with another wildcard certificate, which is also
accepted by the command line utilities. Again, PHP's ldap_start_tls()
returns false and gives its warning "Unable to start TLS: Connect
error".

A capture of the network traffic to the LDAP server reveals that even
though ldap_start_tls() returns false, the connection is encrypted
afterwards.

So it seems that the handling of the return code is wrong when using
wildcard certificates.

------------------------------------------------------------------------
[2006-10-01 02:35:13] michael at akatose dot de

This error not only happens with SSL (ldaps), but also when using
StartTLS.

On my system, the correct CA certificate is referenced in
/etc/ldap/ldap.conf and the command line utilities can connect without
problems:

    ~# ldapsearch -v -x -ZZ "(objectClass=*)"
    ldap_initialize( <DEFAULT> )
    filter: (objectClass=*)
    requesting: ALL
    # extended LDIF
    # ...

But the following PHP script fails (on PHP-5.1.2 from Ubuntu-6.06):

    <?php
        $server = ldap_connect("ldap://ldap.example.com");
        ldap_set_option($server, LDAP_OPT_PROTOCOL_VERSION, 3);

        $result = ldap_read($server, "dc=example,dc=com", "(objectclass=*)");
        $entry = ldap_get_entries($server, $result);
        print_r($entry);
        // everything works fine up to this point
        // no network problems, we are really talking to the server

        ldap_start_tls($server);
        // this fails:
        // Warning: ldap_start_tls() [function.ldap-start-tls]:
        // Unable to start TLS: Connect error in /var/www/ldaptest.php on line 10

        ldap_close($server);
    ?>

As you can see, a "Connect error" is returned, although this seems to be
an error while checking the server certificate. I can get the command
line utilities to throw the same error by making the CA certificate
unreadable:

    ~# ldapsearch -v -x -ZZ "(objectClass=*)"
    ldap_initialize( <DEFAULT> )
    ldap_start_tls: Connect error (-11)

The PHP script will work if I disable the verification of the server
certificate by putting the already mentioned "TLS_REQCERT never" in
/etc/ldap/ldap.conf.

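The "TLS_REQCERT never" workaround discussed in this thread switches server certificate verification off for every LDAP client on the host. The following is an added example, not code from the bug report or from PHP itself, showing the alternative a defender would prefer: keep verification at "demand", point the client at the issuing CA explicitly, and treat a false return from ldap_start_tls() as fatal instead of sending a bind on a link whose TLS state is unknown. It assumes PHP 7.1 or later with an ldap extension built against OpenLDAP (for the LDAP_OPT_X_TLS_* options and the null link that sets them globally); the host name, CA path, bind DN and the LDAP_PASSWORD variable are placeholders.

```php
<?php
// Added example, not part of the bug report. Placeholders: ldap.example.com,
// /etc/ssl/certs/example-ca.pem, the bind DN and the LDAP_PASSWORD variable.
// Assumes PHP 7.1+ with an ldap extension built against OpenLDAP, so that
// ldap_set_option(null, LDAP_OPT_X_TLS_*, ...) sets the client's global TLS config.

function ldap_connect_starttls(string $uri, string $caFile)
{
    // Equivalent of "TLS_CACERT <file>" and "TLS_REQCERT demand" in ldap.conf,
    // set from the application instead of relying on the host-wide file. The
    // thread's workaround corresponds to LDAP_OPT_X_TLS_NEVER (any cert accepted).
    if (!ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile) ||
        !ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND)) {
        throw new RuntimeException('cannot configure client TLS options');
    }

    $link = ldap_connect($uri);                 // only parses the URI, no socket yet
    if ($link === false) {
        throw new RuntimeException("malformed LDAP URI: $uri");
    }
    ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3);

    // A false return means the TLS handshake or the certificate check failed.
    // Do not fall back to cleartext: close the handle and report the reason.
    if (@ldap_start_tls($link) !== true) {
        $reason = ldap_error($link);            // e.g. "Connect error" (-11)
        $detail = '';
        ldap_get_option($link, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
        ldap_close($link);
        throw new RuntimeException("StartTLS failed: $reason" . ($detail !== '' ? " ($detail)" : ''));
    }
    return $link;
}

$password = getenv('LDAP_PASSWORD');
if ($password === false || $password === '') {
    fwrite(STDERR, "LDAP_PASSWORD not set\n");
    exit(1);
}
$ldap = ldap_connect_starttls('ldap://ldap.example.com', '/etc/ssl/certs/example-ca.pem');

// Credentials are sent only after StartTLS succeeded on this link.
if (!ldap_bind($ldap, 'cn=reader,dc=example,dc=com', $password)) {
    fwrite(STDERR, 'bind failed: ' . ldap_error($ldap) . "\n");
    exit(1);
}
$result = ldap_read($ldap, 'dc=example,dc=com', '(objectClass=*)');
print_r(ldap_get_entries($ldap, $result));
ldap_close($ldap);
```

If the server presents a certificate whose name does not match (for instance the wildcard case reported above), this script stops at the StartTLS check with the reason text, which is the behaviour to expect from a client rather than the silent continuation the original script shows.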
------------------------------------------------------------------------
[2004-12-09 09:54:25] sami at sipponen dot com

"phpdeveloper at chinese dot university dot hk"'s problem seems to be
related to an issue with PHP Windows build's "not so good documented
features"... See the link below:

http://www.ldaphelp.com/viewtopic.php?t=6

It seems that there are some hard coded config file issues with PHP's
ldap extension.

Copy & paste from the site linked above:

create the directory: C:\OpenLDAP\sysconf\ and put there a ldap.conf
file which contains in its first line:

TLS_REQCERT never

------------------------------------------------------------------------
[2003-07-19 00:18:04] phpdeveloper at chinese dot university dot hk

I am using IIS + Windows XP + PHP 4.3.2.2, facing the same problem, and cannot
connect to the LDAP server except using ldaps://host:636/, but succeed using
ldap://host/.

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    http://bugs.php.net/bug.php?id=17738

