
php7 ldap connect and bind via TLS

I have this simple php file:

    $ldap = "localhost";
    $port = 636;
    $usr  = "CN=admin";
    $pwd  = "pwd123";

    $ds = ldap_connect("$ldap", $port);
    $ldapbind = false;
    // for debugging
    ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 9);
    if (ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3))
        if (ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, 0))
            if (ldap_set_option($ds, LDAP_OPT_REFERRALS, 0))
                if (ldap_start_tls($ds))
                    $ldapbind = @ldap_bind($ds, $usr, $pwd);
    ldap_close($ds);

    if (!$ldapbind)
        echo "BIND ERROR!\n";
    else
        echo "BIND OK!\n";

where I try to connect and bind to an LDAP server on localhost (command: php testcon.php). I've added the TLS_REQCERT never line to /etc/ldap.conf as well.

But I get the BIND ERROR! result. Furthermore, I get a warning message as well:

PHP Warning:  ldap_start_tls(): Unable to start TLS: Can't contact LDAP server in /root/testfolder/testcon.php on line 16

If I comment out line 16, I get no warning, but BIND ERROR! stays.

Further info:

  • PHP version: PHP 7.2.5
  • server: openSUSE Leap 15.0
  • ldap: active directory 2.4.46-lp150.7.1
  • The required PHP libs are installed

I tried with a base DN and without a base DN (same result).

Can't contact LDAP server

This can mean two things:

  1. The server is unreachable over the network, or
  2. the TLS connection could not be established because of a certificate validation error.

The error message

ldap_start_tls(): Unable to start TLS

is a bit misleading because after initializing the context with ldap_connect() the TCP connection is still not established yet. The first real LDAP operation called, ldap_start_tls() in your case, is opening the TCP connection.

I'd recommend:

  • to use the CLI tool ldapwhoami from the same machine to check whether you can connect at all
  • not to switch off certificate validation, even for tests

Per the comments to the question, since it ended up being the answer:

Change the port to 389. Port 636 is for LDAP over SSL, which is deprecated (was never standardized as part of LDAP actually). LDAP works from port 389 and when you issue the StartTLS (with ldap_start_tls()) it encrypts the connection.
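The corrected flow from both answers (port 389 plus StartTLS, certificate validation left on) as an added example, not code from either poster. It assumes a hypothetical CA file path /etc/ssl/ca.crt and a placeholder full bind DN; the whoami check needs PHP 7.2 or later.

```php
<?php
// Added example: StartTLS on the plain LDAP port with certificate validation kept on.
// Assumptions (placeholders): the server's CA certificate is in /etc/ssl/ca.crt and
// the bind identity is the full DN "cn=admin,dc=example,dc=com".
$host = "localhost";
$port = 389;                          // plain LDAP port; TLS is negotiated by StartTLS, not ldaps://
$usr  = "cn=admin,dc=example,dc=com";
$pwd  = "pwd123";
$ca   = "/etc/ssl/ca.crt";

// TLS settings are global in libldap: set them with a NULL link before connecting.
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $ca);
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND); // validate, do not disable

$ds = ldap_connect("ldap://$host:$port");   // only initialises the handle; no TCP connection yet
if ($ds === false) {
    die("bad LDAP URI\n");
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

// First real network operation: StartTLS. A failure here means the host is
// unreachable or the server certificate did not validate against $ca.
if (!ldap_start_tls($ds)) {
    die("StartTLS failed: " . ldap_error($ds) . "\n");
}

$bound = @ldap_bind($ds, $usr, $pwd);
if (!$bound) {
    $diag = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag); // server-side reason, e.g. invalid DN
    echo "BIND ERROR: " . ldap_error($ds) . " ($diag)\n";
} else {
    // Confirm which identity the server actually bound us as (same check as the ldapwhoami CLI).
    echo "BIND OK as " . ldap_exop_whoami($ds) . "\n";
}
ldap_close($ds);
```

Run it with `php testcon.php`; if StartTLS fails with validation on, fix the CA file or the server certificate rather than lowering LDAP_OPT_X_TLS_REQUIRE_CERT.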
