
Secure LDAP works with PHP CLI but not through Apache

I am trying to authenticate over secure LDAP against my Debian server from another Debian box.

The following code works from the command line (prints "Success"):

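<?php
// ldap_connect() with an ldaps:// URI only prepares the handle; the TLS
// connection itself is opened by ldap_bind().
if ($ldap = ldap_connect('ldaps://myserver.tld'))
{
  ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
  $bind = ldap_bind($ldap, 'cn=admin,dc=myserver,dc=tld', 'mypassword');
  // Prints "Success" on the CLI, "Can't contact LDAP server" under Apache.
  print ldap_error($ldap);
}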

...pulling the same file via Apache/mod_php prints "Can't contact LDAP server".

There is another similar question here on Stack Overflow, but its answers did not work for me. I have already tried using the same php.ini for Apache that was used for the CLI, but the problem stayed the same.

We just had this problem happen. It turned out that all we had to do was restart Apache.

I have no idea what the cause was (I don't administer the server) but it was most likely security updates.

I was finally able to resolve my own issue and I do want to share my solution with you:

I am using a self-signed certificate for my LDAP server, so it was necessary to create my own CA certificate and import it to the client's certificate store to establish trust. While I ran the above script from the CLI as user root, Apache runs as www-data. My self-made CA certificate's permissions were set to 400, its user to root, thus only root could read it.

This prevented PHP on Apache (running as www-data) from establishing a connection to my LDAP server. As soon as I had changed the CA certificate's permissions to 444, everything worked like a charm...
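
The permission problem described in this answer can be checked directly on the client. The script below is an added example, not part of the original answer: it assumes GNU stat and readlink as shipped on Debian, assumes the web server account is neither the owner nor in the group of the certificate file (so only the "other" permission bits apply), and its function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat/readlink and
# that the web server account is neither owner nor group of the file, so
# only the "other" permission bits decide whether it can read the file.

# Print the last octal digit ("other" bits) of a mode such as 400 or 1777.
other_bits() {
    m=$(stat -c %a -- "$1") || return 2
    echo "${m#"${m%?}"}"
}

# Succeeds if "other" may read the file itself (read bit = 4).
other_can_read_file() {
    o=$(other_bits "$1") || return 2
    [ $((o & 4)) -ne 0 ] && return 0
    echo "not readable by others: $1"
    return 1
}

# Succeeds if "other" may traverse every directory above the file
# (search bit = 1); a 444 file inside a 700 directory is still unreachable.
other_can_reach() {
    d=$(dirname -- "$(readlink -f -- "$1")")
    while :; do
        o=$(other_bits "$d") || return 2
        if [ $((o & 1)) -eq 0 ]; then
            echo "not searchable by others: $d"
            return 1
        fi
        [ "$d" = "/" ] && return 0
        d=$(dirname -- "$d")
    done
}

# Full check: file readable and every parent directory searchable.
check_ca_cert() {
    other_can_read_file "$1" && other_can_reach "$1" && echo "ok: $1"
}

# Run as: sh check_ca.sh /path/to/ca-certificate (placeholder path)
[ "$#" -eq 0 ] || check_ca_cert "$1"
```

A CA certificate is public data, so mode 444 is appropriate for it; the corresponding private key should keep restrictive permissions.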
