[英]Do I need ldap.conf when I connect to Active Directory using PHP?
I'm trying to authenticate to Active Directory using PHP (5.3.2)/Apache (2.0.59)/Windows (2003). 我正在尝试使用PHP(5.3.2)/ Apache(2.0.59)/ Windows(2003)对Active Directory进行身份验证。
However, I'm getting the following error: 但是,出现以下错误:
ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error in E:\\my_page.php on line 15 ldap_start_tls()[function.ldap-start-tls]:无法启动TLS:在第15行的E:\\ my_page.php中连接错误
Here is my current script: 这是我当前的脚本:
putenv('LDAPTLS_REQCERT=never');
$resource = ldap_connect("xxx")
or die("Failed to connect to LDAP server.");
echo "Connected to LDAP server.<br />";
//these options may not be necessary in all environments
ldap_set_option($resource, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($resource, LDAP_OPT_REFERRALS, 0);
$result = ldap_start_tls($resource) or die("Failed to start TLS.<br />");
echo "Started TLS.<br />";
$result = ldap_sasl_bind($resource, NULL, '', 'GSSAPI', 'xxx', '', '')
or die("Failed to GSSAPI bind.<br />");
echo "GSSAPI bound.";
I've looked at this question for help , however, I keep seeing references to ldap.conf. 我一直在寻找这个问题以寻求帮助 ,但是,我一直看到对ldap.conf的引用。
Is this for OpenLDAP as in, the LDAP server your connecting to? 这是您要连接到的LDAP服务器中的OpenLDAP吗? If it is, I could ignore it due to using an existing enteprise Active Directory ? 如果是这样,由于使用现有的企业Active Directory,我可以忽略它。
Or is this for the PHP libraries connecting to an LDAP server (ie. ldap_connect())? 还是针对连接到LDAP服务器的PHP库(即ldap_connect())?
Edit #1 编辑#1
Screenshot of Wireshark... Wireshark的屏幕截图...
I see in there, unknown CA... how would I go solving this (looking online ATM). 我在那儿看到未知的CA ...我将如何解决这个问题(寻找在线ATM)。
Edit #2 编辑#2
Update, I'm now getting a different error. 更新,我现在遇到另一个错误。 I created ldap.conf on c:\\ and c:\\openldap\\sysconf 我在c:\\和c:\\ openldap \\ sysconf上创建了ldap.conf
Content of ldap.conf: ldap.conf的内容:
#
# LDAP Defaults
#
TLS_REQCERT never
Now, it's stuck at the ldap_sasl_bind method which is normal - it's not installed. 现在,它卡在了正常的ldap_sasl_bind方法中-未安装。
Edit #3 编辑#3
Final product: 最终产品:
function isAuthenticated($user, $pass){
//init
$ldap_server = "";
$ldap_user = "";
$ldap_pass = "";
$ldap_dn = "";
$ldap_filter_fields = array("dn","cn","samaccountname");
//establish connection
$ldap_conn = ldap_connect($ldap_server)
or die("Failed to connect to LDAP server.");
//these options may not be necessary in all environments
ldap_set_option($resource, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($resource, LDAP_OPT_REFERRALS, 0);
//Magic happens here, encrypted tunnel starts!
$result = ldap_start_tls($ldap_conn) or die("Failed to start TLS.<br />");
$out = 0;
//connect using our known user
if($bind = ldap_bind($ldap_conn, $ldap_user, $ldap_pass)){
//search for the user
$ldap_search_results = ldap_search($ldap_conn, $ldap_dn, "samaccountname=".$user, $ldap_filter_fields) or die ("Failed to search LDAP");
//get entry
$ldap_record = ldap_get_entries($ldap_conn, $ldap_search_results);
debug($ldap_record);
if($ldap_record["count"] > 0){
//try to authenticate user here
if($bind2 = @ldap_bind($ldap_conn, $ldap_record[0]["dn"], $pass))
$out = 1;
else
//wrong password
$out = 0;
}
else
//user wasn't found
$out = 3;
}
else
//something happened when connecting with our ldap_user
$out = 2;
return $out;
}
You're on the right track with your unknown CA. 使用未知的CA,您将走上正确的道路。 I have had a similar issue with PHP on CentOS connecting to AD. 我在连接到AD的CentOS上遇到了类似的PHP问题。 I had to export the CA certificate from the AD server and configure it to be trusted on the CentOS system, which involved copying the certificate to /etc/openldap/cacerts
and running OpenSSL's c_rehash
. 我必须从AD服务器导出CA证书,并将其配置为在CentOS系统上受信任,这涉及将证书复制到/etc/openldap/cacerts
并运行OpenSSL的c_rehash
。 Unfortunately, I'm not sure how to tell you to get that same setup working under Windows. 不幸的是,我不确定如何告诉您如何在Windows下使用相同的设置。
Yes you are required to change the ldap.conf file and change the value of TLS_REQCERT to demand if you are trying to connect with the AD for which the trust has not been established on your host machine running Apache. 是的,如果您试图与尚未在运行Apache的主机上建立信任关系的AD连接,则需要更改ldap.conf文件并更改TLS_REQCERT的值。 If you have certificate from a trusted CA ie already installed on the machine OS keystore then it may run with the TLS_REQCERT set to never otherwise you will have to explicitly give the certificates and change the variable TLS_REQCERT. 如果您具有来自受信任CA的证书(即已经安装在计算机操作系统密钥库中),则它可以在TLS_REQCERT设置为从不的情况下运行,否则您将必须明确提供证书并更改变量TLS_REQCERT。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.