PHP-LDAP搜索偶尔通过TLS / SSL工作

Question

The code below performs a lookup of all OrganizationalUnits in my LDAP server however it's failing to perform the LDAP search like 40% of the time.

The only clues I have are two Apache log entries below. I'm not a PHP wizard, but assuming the second error message is caused by the failed connection leaving an empty $sr variable.

I've run tcpdump during the connect and PHP is connecting to the server but there is very little communication going on during the failure -- only around 1/2 as many packets transferred as opposed to a successful connect.

This only seems to happen over TLS/SSL (hecnce the putenv last-ditch-effort). If I go clear-text the search works perfectly every time. What would cause this to not work "sometimes"? Any way to find out more info on it?

Update: I just noticed this code works 100% of the time when not using LDAPS/TLS so definitely related to SSL/TLS somehow.

<?php
   putenv('TLS_REQCERT=never');
   print "<html><head><title>ldap test</title></head><body>";

   $ldapconn = ldap_connect("ldaps://my.ldap.com") or die("Could not connect to LDAP server.");
   ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);

   if ($ldapconn)
   {
      $basedn = "dc=my,dc=ldap,dc=com";
      $attributes = array("ou","cn");
      $sr = ldap_search ($ldapconn, $basedn, "(ObjectClass=OrganizationalUnit)", $attributes);
      $info = ldap_get_entries($ldapconn, $sr);
   }

   if ($info["count"] > 0)
   {
      for ($i=0; $i < $info["count"]; $i++)
      {
         $ou = $info[$i]["ou"][0];
         print "<br><input type='radio' name='ldap_ou' value='$ou'>$ou<br>";
      }
   }

   print "</body></html>";

?>

Apache Errors:

PHP Warning:  ldap_search(): Search: Can't contact LDAP server in /var/www/test.php on line 14
PHP Warning:  ldap_get_entries() expects parameter 2 to be resource, boolean given in /var/www/test.php on line 15

Update 2 (debug fail info):

...
ldap_prepare_socket: 18
ldap_connect_to_host: Trying 10.14.13.92:636
ldap_pvt_connect: fd: 18 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
....

Answer 1

I am having the same problem. LDAP server wants TLS so we have to use ldaps to connect to the server. ldap_connect and ldap_bind works everytime. But following ldap_search fails sporadically with Can't contact LDAP Server (-1) error.

On LDAP side I can see a working bind request on my ldap server, but nothing more -.-

I am using CentOS with php7.2, does anybody had the same issues or any solution?

---

Okay, I switched to use http://php.net/manual/en/function.ldap-start-tls.php which solved the problem for me.