The code below performs a lookup of all OrganizationalUnits
in my LDAP server however it's failing to perform the LDAP search like 40% of the time.
The only clues I have are two Apache log entries below. I'm not a PHP wizard, but assuming the second error message is caused by the failed connection leaving an empty $sr
variable.
I've run tcpdump
during the connect and PHP is connecting to the server but there is very little communication going on during the failure -- only around 1/2 as many packets transferred as opposed to a successful connect.
This only seems to happen over TLS/SSL (hecnce the putenv
last-ditch-effort). If I go clear-text the search works perfectly every time. What would cause this to not work "sometimes"? Any way to find out more info on it?
Update: I just noticed this code works 100% of the time when not using LDAPS/TLS so definitely related to SSL/TLS somehow.
<?php
putenv('TLS_REQCERT=never');
print "<html><head><title>ldap test</title></head><body>";
$ldapconn = ldap_connect("ldaps://my.ldap.com") or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
if ($ldapconn)
{
$basedn = "dc=my,dc=ldap,dc=com";
$attributes = array("ou","cn");
$sr = ldap_search ($ldapconn, $basedn, "(ObjectClass=OrganizationalUnit)", $attributes);
$info = ldap_get_entries($ldapconn, $sr);
}
if ($info["count"] > 0)
{
for ($i=0; $i < $info["count"]; $i++)
{
$ou = $info[$i]["ou"][0];
print "<br><input type='radio' name='ldap_ou' value='$ou'>$ou<br>";
}
}
print "</body></html>";
?>
Apache Errors:
PHP Warning: ldap_search(): Search: Can't contact LDAP server in /var/www/test.php on line 14
PHP Warning: ldap_get_entries() expects parameter 2 to be resource, boolean given in /var/www/test.php on line 15
Update 2 (debug fail info):
...
ldap_prepare_socket: 18
ldap_connect_to_host: Trying 10.14.13.92:636
ldap_pvt_connect: fd: 18 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
....
I am having the same problem. LDAP server wants TLS so we have to use ldaps to connect to the server. ldap_connect and ldap_bind works everytime. But following ldap_search fails sporadically with Can't contact LDAP Server (-1) error.
On LDAP side I can see a working bind request on my ldap server, but nothing more -.-
I am using CentOS with php7.2, does anybody had the same issues or any solution?
Okay, I switched to use http://php.net/manual/en/function.ldap-start-tls.php which solved the problem for me.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.