Thanks for the report. Could you please link to the exact place you've spotted? The PHP dependencies use same patch as before, see https://github.com/winlibs/openldap/blob/master/include/ldap_config.h#L57 . Otherwise it looks same as #70971 which was turned to the doc issue, still not closed.

Thanks.

According to a message on the OpenLDAP mailing list[1]:

> Also, this [%SYSCONFDIR%) is not an environment variable (you're
> on the unfortunate platform that makes this non-obvious), but a
> macro which should be replaced at 'make install' time.

So if there's %SYSCONFDIR% in the PHP binaries, there might be a
build problem.

Anyhow, setting the environment variable LDAPCONF should solve the
problem[2].

[1] <http://www.openldap.org/lists/openldap-software/200706/msg00121.html>
[2] <http://www.openldap.org/software/man.cgi?query=ldap.conf>

Thank you for your responses. 

I have spotted the '%SYSCONFDIR%' constant only in the binary (I cannot found the source code, from which this binary was build) which I have downloaded from [1] (the file "php_ldap.dll"). The releases [2] [3] suffers same issue.

Thanks for clarification of '%SYSCONFDIR%' expression. However I have already tried to set LDAPCONF environment variable and I was not successful to setup the CA.

Thanks,
Petr Maly

[1] http://windows.php.net/downloads/releases/php-7.0.11-nts-Win32-VC14-x86.zip
[2] http://windows.php.net/downloads/qa/php-7.1.0RC3-nts-Win32-VC14-x86.zip
[3] http://windows.php.net/downloads/snaps/php-7.1/r805580d/php-7.1-nts-windows-vc14-x86-r805580d.zip

I can confirm the issue for x86 builds (checked PHP 7.0.10 and
7.0.11), but not for x64.

There appears to be a bad build of oldap32_a(_debug).lib. In
deps-7.1-vc14-x64.7z (2016-09-26) the lib contains
`c:\openldap\sysconf\ldap.conf`, in deps-7.1-vc14-x86.7z
(2016-09.26) it contains `%SYSCONFDIR%\ldap.conf`. If I build from
winlibs/openldap, in both x86 and x64 %SYSCONFDIR% is resolved.

Anatol, can you please have a look at this issue.

Thanks Christoph, you nailed it. My bad paying more attention to 64-bit builds :) Seems bug #70971 is about same issue, whereby it was not obvious it's 32-bit only.

@petr dot maly at remotehost dot cz, please check whether this build is correct http://windows.php.net/downloads/snaps/ostc/73243/vc14/7.0/x86/nts/php_ldap.dll 

Thanks.

I have tried the provided library, but it is not working. I have connected to LDAP server using the original path for the configuration (c:\openldap\sysconf\ldap.conf) and the SSL was not even initiated. The initial SSL handshake packet was not sent by client (php_ldap.dll). 

If you are interested in wireshark captures I can provide it to you.

Thanks, 

Petr

Thanks for checking. The issue you've reported is, that the file C:\openldap\sysconf\ldap.conf doesn't get read in with x86 build. This is indeed due to an erroneous dependency build and will be fixed in future releases. The extra build I made for you uses the corrected dependency, so the config file is read in. Please verify with procmon (here https://technet.microsoft.com/de-de/sysinternals/processmonitor.aspx). With the file read in, it is up to the actual ldap.conf what to do with SSL and other things.

Thanks.

I have verified that the binary, you have provided to me, is reading the proper configuration file (c:\openldsp\sysconf\ldap.conf). However as I write in previous comment, the SSL handshake is not initiated. The configuration ldap.conf should be correct (it is working with PHP 5.6).

Thanks,
Petr

Good. Which exact PHP and OpenSSL versions do you use? Please note, that recent OpenSSL versions strengthened the behaviors by disabling many weak algorithms. It might be good the case as PHP ships default OpenSSL builds, but could also be something on the server side.

Otherwise, I'd ask you to please provide your ldap.conf and a test server, so I could debug. If you can't reveal your server, please point me to any public server that can reproduce the issue.

Thanks.

I have already faced all the problems with OpenSSL in other open source projects and many different embedded devices (because of security issues) and I can say that it is the hell. Nevertheless I use OpenSSL 1.0.2h, which is deployed together with [2].

I tried to compile php_ldap.dll few moments ago. First of all I built it from original OpenLdap sources (with few patches including the path to ldap.conf) and I was successfull to compile it together with [1]. Produced binary php_ldap.dll worked (read c:\openldap\sysconf\ldap.conf and was communicating correctly). 

Second time I compiled OpenLdap using your sources in GIT (link above). I produced openldap libs and compiled it with php [1]. I tested final binary php_ldap.dll, and it did not worked, the configuration was read, but it was not communicating - handshake was not initated.

I was compiling using PHP-SDK downloaded from [3]. However I thought that I would not have to touch the content of these dependencies, but I had to. I had to updat OpenSSL to 1.0.2h and I noticed that the old includes for openldap are used in that packages (different from your openldap sources) :-(. 

I have tested the plugin using php script from the first comment with the public "ldaps://ldap.telesec.de" ldap server (I am testing 'ldaps' all the time, not 'ldap'). And ldap.conf contain only "TLS_REQCERT never". 

Thanks,
Petr

[1] http://windows.php.net/downloads/releases/php-7.0.11-src.zip
[2] http://windows.php.net/downloads/releases/php-7.0.11-nts-Win32-VC14-x86.zip
[3] http://windows.php.net/downloads/php-sdk/deps-7.0-vc14-x86.7z

Thanks for the additional info and investigation. Now i reproduce this, indeed your snippet works on PHP5 and doesn't in PHP7. Using ldaps://ldap.telesec.de and "TLS_REQCERT never" in the ldap.conf

Please tell how you built openldap in the worky variant? Did you enable deprecated symbols? Which solutions and patches did you use? In the winlibs repo, we use own VS solutions, the patch is commited in there as well.

Thanks.

This issue should be fixed now. I've retagged openldap-2.4.4 with an updated patch. You can either use it or the prepared binaries

http://windows.php.net/downloads/php-sdk/deps/vc14/x64/openldap-2.4.44-vc14-x64.zip
http://windows.php.net/downloads/php-sdk/deps/vc14/x86/openldap-2.4.44-vc14-x86.zip

The dependency packages will be updated anytime soon.

Thanks.

I have just checked the new binaries and recompiled the extension and it is working :-). Thanks a lot.
Petr 

PS:
A little bit outdated information about my build: 
I used official openldap sources + windows makefile for VS [1] + few small patches to get working with the newest VS. I checked your fix and macros of my build and it is same.

[1] https://github.com/mbooth101/openldap

So I suppose we can close <https://bugs.php.net/70971> as well. :-)

Of course, it is same problem :-)

@Petr many thanks for the checks and for sharing your nmakefiles. I prefer makefiles as well, but we have historically VS solutions for ldap, so they're kept for a while. Probably should migrate to makefile some day.

To note is, that with vc14 issues with several libs using winsock but retaining POSIX might arise. There are some new error constants introduced, like EWOULDBLOCK, etc. Some libs emulate POSIX by using or replacing them instead of WSA* analogues. As result, there might be discrepances in error codes with winsock functions. That's a subtle change in vc14 which might cause compatibility bugs with several winsock related code.

Thanks.