[英]PHP - LDAP search working sporadically over TLS/SSL
The code below performs a lookup of all OrganizationalUnits
in my LDAP server however it's failing to perform the LDAP search like 40% of the time. 下面的代码对我的LDAP服务器中的所有
OrganizationalUnits
进行查找,但是它无法像40%的时间那样执行LDAP搜索。
The only clues I have are two Apache log entries below. 我仅有的线索是下面的两个Apache日志条目。 I'm not a PHP wizard, but assuming the second error message is caused by the failed connection leaving an empty
$sr
variable. 我不是PHP向导,但是假设第二条错误消息是由连接失败引起的,留下了一个空的
$sr
变量。
I've run tcpdump
during the connect and PHP is connecting to the server but there is very little communication going on during the failure -- only around 1/2 as many packets transferred as opposed to a successful connect. 我在连接期间运行了
tcpdump
,PHP 正在连接到服务器,但是在失败期间几乎没有进行任何通信-与成功连接相比,传输的数据包只有大约1/2倍。
This only seems to happen over TLS/SSL (hecnce the putenv
last-ditch-effort). 这似乎只发生在TLS / SSL(hecnce的
putenv
最后一搏省力)。 If I go clear-text the search works perfectly every time. 如果我使用纯文本格式,则每次搜索都可以完美进行。 What would cause this to not work "sometimes"?
是什么导致它“有时”不起作用? Any way to find out more info on it?
有什么办法找到更多信息吗?
Update: I just noticed this code works 100% of the time when not using LDAPS/TLS so definitely related to SSL/TLS somehow. 更新:我只是注意到此代码在不使用LDAPS / TLS时100%的时间有效,因此肯定与SSL / TLS相关。
<?php
putenv('TLS_REQCERT=never');
print "<html><head><title>ldap test</title></head><body>";
$ldapconn = ldap_connect("ldaps://my.ldap.com") or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
if ($ldapconn)
{
$basedn = "dc=my,dc=ldap,dc=com";
$attributes = array("ou","cn");
$sr = ldap_search ($ldapconn, $basedn, "(ObjectClass=OrganizationalUnit)", $attributes);
$info = ldap_get_entries($ldapconn, $sr);
}
if ($info["count"] > 0)
{
for ($i=0; $i < $info["count"]; $i++)
{
$ou = $info[$i]["ou"][0];
print "<br><input type='radio' name='ldap_ou' value='$ou'>$ou<br>";
}
}
print "</body></html>";
?>
Apache Errors: Apache错误:
PHP Warning: ldap_search(): Search: Can't contact LDAP server in /var/www/test.php on line 14
PHP Warning: ldap_get_entries() expects parameter 2 to be resource, boolean given in /var/www/test.php on line 15
Update 2 (debug fail info): 更新2 (调试失败信息):
...
ldap_prepare_socket: 18
ldap_connect_to_host: Trying 10.14.13.92:636
ldap_pvt_connect: fd: 18 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
....
I am having the same problem. 我有同样的问题。 LDAP server wants TLS so we have to use ldaps to connect to the server.
LDAP服务器需要TLS,因此我们必须使用ldaps连接到服务器。 ldap_connect and ldap_bind works everytime.
ldap_connect和ldap_bind每次都有效。 But following ldap_search fails sporadically with Can't contact LDAP Server (-1) error.
但是跟随ldap_search偶尔会失败,并显示“无法联系LDAP服务器(-1)”错误。
On LDAP side I can see a working bind request on my ldap server, but nothing more -.- 在LDAP方面,我可以在ldap服务器上看到一个有效的绑定请求,但仅此而已-.-
I am using CentOS with php7.2, does anybody had the same issues or any solution? 我在php7.2上使用CentOS,有人遇到同样的问题或解决方案吗?
Okay, I switched to use http://php.net/manual/en/function.ldap-start-tls.php which solved the problem for me. 好的,我改用http://php.net/manual/en/function.ldap-start-tls.php ,它为我解决了问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.