PHP ldap_connect使用ldaps连接到Active Directory时遇到未知CA错误
[英]PHP ldap_connect using ldaps to connect to Active Directory getting Unknown CA error
问题描述
I am trying to connect to MS Active Directory using PHP 7 on a Windows 2012 server (running apache 2.4 but that should be irrelevant to the problem I am having). 
我正在尝试在Windows 2012服务器上使用PHP 7连接到MS Active Directory(运行apache 2.4,但这应该与我遇到的问题无关)。
I should also note that I am able to connect to AD from PHP using non-secure LDAP from the command line and the apache server. 我还应该注意,我能够从命令行和apache服务器使用非安全LDAP从PHP连接到AD。
When I execute the following PHP test file, source: http://muzso.hu/2012/04/02/php-ldap-ssl-ldaps-authentication-in-windows-running-apache , from a command line on the web server: 当我执行以下PHP测试文件时,从Web上的命令行获取源: http : //muzso.hu/2012/04/02/php-ldap-ssl-ldaps-authentication-in-windows-running-apache服务器:
$AD_search_bind_DN = 'CN=someuser,OU=Users,DC=example,DC=com';
$AD_search_bind_PW = 'secret123';
ini_set('display_errors', 1);
error_reporting(E_ALL);
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
$conn = ldap_connect('ldaps://SomeDC.example.com/') or die("Failed to connect to ldap server.");
ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_bind($conn, $AD_search_bind_DN, $AD_search_bind_PW) or die("Failed to bind to ldap server: " + ldap_error($conn));
echo "Successful LDAP bind.";
I get the following output (I highlighted the error): 我得到以下输出(我突出显示了错误):
ldap_url_parse_ext(ldap://localhost/) ldap_url_parse_ext(ldap:// localhost /)
ldap_init: trying %SYSCONFDIR%\\ldap.conf ldap_init:尝试%SYSCONFDIR%\\ ldap.conf
ldap_init: HOME env is NULL ldap_init:HOME环境为NULL
ldap_init: trying ldaprc ldap_init:尝试ldaprc
ldap_init: LDAPCONF env is NULL ldap_init:LDAPCONF环境为NULL
ldap_init: LDAPRC env is NULL ldap_init:LDAPRC环境为NULL
ldap_create ldap_create
ldap_url_parse_ext(ldaps://SomeDC.example.com/) ldap_url_parse_ext(ldaps://SomeDC.example.com/)
ldap_sasl_bind_s ldap_sasl_bind_s
ldap_sasl_bind ldap_sasl_bind
ldap_send_initial_request ldap_send_initial_request
ldap_new_connection 1 1 0 ldap_new_connection 1 1 0
ldap_int_open_connection ldap_int_open_connection
ldap_connect_to_host: TCP SomeDC.example.com:636 ldap_connect_to_host:TCP SomeDC.example.com:636
ldap_new_socket: 244 ldap_new_socket:244
ldap_prepare_socket: 244 ldap_prepare_socket:244
ldap_connect_to_host: Trying {IP Address of SomeDC Removed}:636 ldap_connect_to_host:尝试{已删除SomeDC的IP地址}:636
ldap_pvt_connect: fd: 244 tm: -1 async: 0 ldap_pvt_connect:fd:244 tm:-1异步:0
attempting to connect: 尝试连接:
connect success 连接成功
TLS trace: SSL_connect:before/connect initialization TLS跟踪:SSL_connect:之前/连接初始化
TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS跟踪:SSL_connect:SSLv2 / v3写入客户端问候A
TLS trace: SSL_connect:SSLv3 read server hello A TLS跟踪:SSL_connect:SSLv3读取服务器问候A
TLS certificate verification: depth: 1, err: 20, subject: /DC=com/DC=example/C TLS证书验证:深度:1,错误:20,主题:/ DC = com / DC = example / C
N=Self_Named-SHA256-SubCA, issuer: /CN=ITSS-Ent-SHA256-Root N =自定义名称SHA256-SubCA,颁发者:/ CN = ITSS-Ent-SHA256-Root
TLS certificate verification: Error, unable to get local issuer certificate TLS证书验证:错误,无法获取本地发行者证书
TLS trace: SSL3 alert write:fatal:unknown CA TLS跟踪:SSL3警报写入:致命:未知CA
TLS trace: SSL_connect:error in error TLS跟踪:SSL_connect:错误错误
TLS trace: SSL_connect:error in error TLS跟踪:SSL_connect:错误错误
TLS: can't connect: error:14090086:SSL TLS:无法连接:错误:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate). 例程:ssl3_get_server_certificate:证书验证失败(无法获取本地发行者证书)。
ldap_err2string ldap_err2字符串
PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in C:\\test_bind.php on line 10 PHP警告:ldap_bind():无法绑定到服务器:在第10行的C:\\ test_bind.php中无法联系LDAP服务器
I have both the php_ldap and php_openssl extensions UN-commented in my php.ini file. 我在php.ini文件中同时注释了php_ldap和php_openssl扩展名。
I have copies of the AD CA cert in DER and PEM formats but I am not sure where to place these files on my web server. 我有DER和PEM格式的AD CA证书的副本,但是我不确定将这些文件放在Web服务器上的位置。 There are lots of posts related to linux OS's that simply say to place "TLS_CACERT C:\\openldap\\sysconf\\cacert.pem" in my ldap.conf file. 有很多与Linux OS相关的帖子,只是说要在我的ldap.conf文件中放置“ TLS_CACERT C:\\ openldap \\ sysconf \\ cacert.pem”。 I am not running openLDAP and I do not have a ldap.conf file. 我没有运行openLDAP,也没有ldap.conf文件。
I have openSSL installed but I am not entirely sure that the configuration is correct: 我已经安装了openSSL,但是我不能完全确定配置是否正确:
- The openssl.cfg file is unchanged: http://pastebin.com/KxnWThXh openssl.cfg文件未更改: http : //pastebin.com/KxnWThXh
- I added an environment variable 'OpenSSL' that points to the openssl.cfg file 我添加了一个环境变量“ OpenSSL”,它指向openssl.cfg文件
- When I execute 'openssl version -a' from a cmd line, it shows: OPENSSLDIR: /usr/local/ssl which clearly makes no sense for windows. 当我从cmd行执行'openssl version -a'时,它显示: OPENSSLDIR:/ usr / local / ssl对Windows显然没有意义。 Complete output can be seen here: http://pastebin.com/h3ei3Pwp 完整的输出可以在这里看到: http : //pastebin.com/h3ei3Pwp
== EDIT 1: ======================================== ==编辑1:========================================
Gabriel, thanks for the suggestions / Reference. 加百利,感谢您的建议/参考。
I have now also tried these things without success: 我现在也尝试了这些事情,但没有成功:
- Created a ldap.conf and an openldap.conf file (Using many diferent formats based on various article suggestions, see the variations I've tried here: http://pastebin.com/aP94Nh4Y ) in C:\\ and C:\\openldap\\sysconf 在C:\\和C:\\ openldap中创建了ldap.conf和openldap.conf文件(使用基于各种文章建议的多种格式,请参阅我在这里尝试的变体: http ://pastebin.com/aP94Nh4Y) \\ sysconf
- This article ( https://www.reddit.com/r/PHPhelp/comments/3tykpc/php_7_and_ldap/ ) says to create an environment variable called 'LDAPCONF' that points to the ldap.conf file (C:\\openldap\\sysconf\\ldap.conf). 本文( https://www.reddit.com/r/PHPhelp/comments/3tykpc/php_7_and_ldap/ )说要创建一个名为LDAPCONF的环境变量,该变量指向ldap.conf文件(C:\\ openldap \\ sysconf \\ ldap.conf)。 I did. 是的 No change. 没变。
- I noticed this in the output from executing my test php script (line 2 of the output): ldap_init: trying %SYSCONFDIR%\\ldap.conf . 我在执行测试php脚本的输出中注意到了这一点(输出的第2行): ldap_init:尝试%SYSCONFDIR%\\ ldap.conf 。 The SYSCONFDIR environment variable didn't yet exist so I added that one with a value of 'C:\\openldap\\sysconf\\'. SYSCONFDIR环境变量尚不存在,因此我添加了一个值为'C:\\ openldap \\ sysconf \\'的变量。 -- no change. - 没变。
- Introduced an obvious syntax error into all locations of my ldap.conf/openldap.conf files to see if I could change the test script output to know that it was at least looking at one of those files -- nothing changed. 在我的ldap.conf / openldap.conf文件的所有位置中引入了明显的语法错误,以查看是否可以更改测试脚本输出以知道它至少在查看这些文件之一,而没有改变。
== EDIT 2: ======================================== ==编辑2:=======================================
Gabriel, thanks for the process monitor tip. Gabriel,感谢您的过程监控技巧。 I can now at least confirm that PHP 7 is using the 'LDAPCONF' environment value path to locate and read the ldap.conf file that this ENV variable is pointing to. 现在,我至少可以确认PHP 7正在使用“ LDAPCONF”环境值路径来查找和读取此ENV变量指向的ldap.conf文件。
It also appears that PHP 7 is not handling the 'SYSCONFDIR' environment variable correctly because it first tries to open a file in this literal path: E:\\httpd\\www\\%SYSCONFDIR%\\ldap.conf 还似乎PHP 7没有正确处理'SYSCONFDIR'环境变量,因为它首先尝试在以下文字路径中打开文件:E:\\ httpd \\ www \\%SYSCONFDIR%\\ ldap.conf
It's still not working but now I can focus my effort in tweaking just the one file I know it is reading. 它仍然没有工作,但是现在我可以集中精力调整我知道正在读取的一个文件。
If anyone has any other tips for configuration or could share their ldap.conf file from a working windows installation I would appreciate it. 如果有人有其他配置建议,或者可以从正在运行的Windows安装中共享ldap.conf文件,我将不胜感激。
I am now still stuck and don't know what else to do. 我现在 仍然陷于困境,不知道该怎么办。 Please help! 请帮忙!
2 个解决方案
解决方案1
1 2016-01-26 18:19:25
The answer here should help: https://stackoverflow.com/a/6047293/1202807 此处的答案应该有所帮助: https : //stackoverflow.com/a/6047293/1202807
Under XAMPP on Windows the ldap.conf must be either in the root of the system (c:\\ldap.conf, PHP 5.3.3 if I remember correctly) or in C:\\openldap\\sysconf\\ depending on the PHP version.
So create the ldap.conf file in c:\\ or C:\\openldap\\sysconf\\ if it doesn't exist already, and put your TLS_CACERT line in it. 因此,如果尚不存在,请在c:\\或C:\\ openldap \\ sysconf \\中创建ldap.conf文件,然后将TLS_CACERT行放入其中。
解决方案2
1 2016-10-07 23:18:42
I have similar problem, I have spent some time to resolve it. 我有类似的问题,我花了一些时间解决它。 This behaviour was OpenLDAP bug in PHP. 此行为是PHP中的OpenLDAP错误。 I have reported it and it was fixed and will be released soon. 我已经报告了它,它已经修复,将很快发布。 See: PHP BUG #73243 ( https://bugs.php.net/bug.php?id=73243 ) 请参阅:PHP BUG#73243( https://bugs.php.net/bug.php?id=73243 )
If you need immediate fix, which is a little bit hacking, try this (on your own risk): 如果您需要立即修复(有点hacking),请尝试此操作(后果自负):
- use some binary editor (eg HexEdit) to edit php_ldap.dll 使用一些二进制编辑器(例如HexEdit)编辑php_ldap.dll
- find the expression "%SYSCONFDIR%\\ldap.conf" and 找到表达式“%SYSCONFDIR%\\ ldap.conf”,然后
- replace it with "c:\\ldap_conf\\ldap.conf", the new constant has to have the same length as the replaced constant 将其替换为“ c:\\ ldap_conf \\ ldap.conf”,新常量的长度必须与替换常量的长度相同
- copy the ldap configuration to new location 将ldap配置复制到新位置
Hope, it helps :-) 希望能帮助到你 :-)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.