
PHP - LDAP search working sporadically over TLS/SSL

The code below performs a lookup of all OrganizationalUnits in my LDAP server; however, it's failing to perform the LDAP search like 40% of the time.

The only clues I have are the two Apache log entries below. I'm not a PHP wizard, but I'm assuming the second error message is caused by the failed connection leaving an empty $sr variable.

I've run tcpdump during the connect and PHP is connecting to the server but there is very little communication going on during the failure -- only around 1/2 as many packets transferred as opposed to a successful connect.

This only seems to happen over TLS/SSL (hence the putenv last-ditch effort). If I go clear-text the search works perfectly every time. What would cause this to not work "sometimes"? Any way to find out more info on it?

Update: I just noticed this code works 100% of the time when not using LDAPS/TLS, so it's definitely related to SSL/TLS somehow.

<?php
   // Last-ditch effort from the question: tells libldap not to verify the peer certificate.
   putenv('TLS_REQCERT=never');
   print "<html><head><title>ldap test</title></head><body>";

   $ldapconn = ldap_connect("ldaps://my.ldap.com") or die("Could not connect to LDAP server.");
   ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);

   $info = array("count" => 0);   // safe default so the loop below works even if the search fails

   if ($ldapconn)
   {
      $basedn = "dc=my,dc=ldap,dc=com";
      $attributes = array("ou","cn");
      $sr = ldap_search ($ldapconn, $basedn, "(ObjectClass=OrganizationalUnit)", $attributes);
      if ($sr === false)
      {
         // ldap_search() returns false on failure; passing that to ldap_get_entries() is what
         // produced the second warning in the Apache log.
         die("LDAP search failed: " . ldap_error($ldapconn));
      }
      $info = ldap_get_entries($ldapconn, $sr);
   }

   if ($info["count"] > 0)
   {
      for ($i=0; $i < $info["count"]; $i++)
      {
         // attribute keys returned by ldap_get_entries() are lower-cased; escape before echoing into HTML
         $ou = htmlspecialchars($info[$i]["ou"][0], ENT_QUOTES, 'UTF-8');
         print "<br><input type='radio' name='ldap_ou' value='$ou'>$ou<br>";
      }
   }

   print "</body></html>";

?>

Apache Errors:

PHP Warning:  ldap_search(): Search: Can't contact LDAP server in /var/www/test.php on line 14
PHP Warning:  ldap_get_entries() expects parameter 2 to be resource, boolean given in /var/www/test.php on line 15

Update 2 (debug fail info):

...
ldap_prepare_socket: 18
ldap_connect_to_host: Trying 10.14.13.92:636
ldap_pvt_connect: fd: 18 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
....

I am having the same problem. LDAP server wants TLS so we have to use ldaps to connect to the server. ldap_connect and ldap_bind work every time. But the following ldap_search fails sporadically with a Can't contact LDAP Server (-1) error.

On LDAP side I can see a working bind request on my ldap server, but nothing more -.-

I am using CentOS with php7.2; has anybody had the same issues or any solution?


Okay, I switched to use http://php.net/manual/en/function.ldap-start-tls.php which solved the problem for me.
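For completeness, the following is an added example (not code from the question or either answer) that puts the two threads of this page together: the StartTLS route the answer above switched to, and the question's request for more diagnostic information. It keeps certificate verification on (the opposite of TLS_REQCERT=never, which only hides the "peer cert untrusted or revoked" condition shown in Update 2) and reports libldap's own error text when a step fails. The hostname, CA bundle path, base DN and bind credentials are placeholders; it assumes a PHP build (7.1 or later) with the LDAP_OPT_X_TLS_* constants and the global (null-link) form of ldap_set_option.

```php
<?php
// Added example, not from the question or its answers.
// Talks to an LDAP server with peer-certificate verification turned ON, using
// StartTLS on ldap:// (as in the answer) and surfacing libldap's diagnostics.
// Placeholders (assumptions, not from the page): hostname, CA file, DNs, password.

function ldapFail(string $step, $conn): void
{
    $diag = '';
    if ($conn) {
        // Server/library diagnostic text, if any (TLS or bind error details).
        ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    }
    throw new RuntimeException(sprintf(
        '%s failed: %s (errno %d) %s',
        $step,
        $conn ? ldap_error($conn) : 'no connection',
        $conn ? ldap_errno($conn) : -1,
        $diag
    ));
}

function connectVerified(string $uri, string $caFile, bool $startTls, bool $debug = false)
{
    // Library-wide TLS settings. REQUIRE_CERT=DEMAND validates the server
    // certificate against $caFile and aborts the handshake otherwise, which is
    // exactly the condition "peer cert untrusted or revoked (0x42)" reports.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    if ($debug) {
        // libldap trace to stderr, like the "ldap_connect_to_host: Trying ..."
        // lines in Update 2; shows whether the TLS handshake completes.
        ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);
    }

    $conn = ldap_connect($uri);          // parses the URI; no socket is opened yet
    if ($conn === false) {
        ldapFail('ldap_connect', null);
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // StartTLS upgrades the plain ldap:// connection in place. With an ldaps://
    // URI the handshake happens on first use instead, so pass $startTls=false.
    if ($startTls && !ldap_start_tls($conn)) {
        ldapFail('ldap_start_tls', $conn);
    }
    return $conn;
}

function listOrganizationalUnits($conn, string $bindDn, string $bindPw, string $baseDn): array
{
    if (!ldap_bind($conn, $bindDn, $bindPw)) {
        ldapFail('ldap_bind', $conn);
    }
    // Same filter and attribute list as the question's script.
    $sr = ldap_search($conn, $baseDn, '(objectClass=organizationalUnit)', ['ou', 'cn']);
    if ($sr === false) {
        // Where the question's "Can't contact LDAP server" surfaced; checking the
        // return value keeps false from ever reaching ldap_get_entries().
        ldapFail('ldap_search', $conn);
    }
    $entries = ldap_get_entries($conn, $sr);
    $ous = [];
    for ($i = 0; $i < $entries['count']; $i++) {
        $ous[] = $entries[$i]['ou'][0];   // attribute keys are lower-cased by PHP
    }
    return $ous;
}

// Usage with placeholder values:
try {
    $conn = connectVerified('ldap://ldap.example.test', '/etc/ssl/certs/ca-bundle.crt', true);
    $ous = listOrganizationalUnits($conn, 'cn=reader,dc=example,dc=test', 'placeholder-password', 'dc=example,dc=test');
    foreach ($ous as $ou) {
        echo htmlspecialchars($ou, ENT_QUOTES, 'UTF-8'), "\n";
    }
    ldap_unbind($conn);
} catch (RuntimeException $e) {
    error_log($e->getMessage());   // e.g. "ldap_start_tls failed: Connect error (errno -11) ..."
}
```

If the server really does present a certificate your CA bundle cannot validate, this version fails on every attempt with the reason in the log rather than intermittently and silently; fixing the bundle (or the server's certificate chain) is then the change to make, instead of setting TLS_REQCERT=never.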
