PHP :: Bug #17738 :: SSL support for LDAP

Bug #17738

SSL support for LDAP

Submitted:

2002-06-13 06:01 UTC

Modified:

2016-10-29 20:12 UTC

Votes:	18
Avg. Score:	4.3 ± 0.8
Reproduced:	14 of 14 (100.0%)
Same Version:	1 (7.1%)
Same OS:	4 (28.6%)

From:

benoit at gide dot net

Assigned:

Status:

Wont fix

Package:

LDAP related

PHP Version:

4.2.1

OS:

Redhat 6.2 7.1 7.2

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	benoit at gide dot net
New email:
PHP Version:		OS:

New/Additional Comment:

[2002-06-13 06:01 UTC] benoit at gide dot net

Compiled modules:
./configure --with-apache=../apache_1.3.24 --with-openssl --with-ldap


I have a problem when i use php to bind my ldap directory over ssl

If i use on shell command
ldapsearch -x -H 'ldaps://localhost/' -b 'uid=100000, ou=company, dc=domain, dc=com'  -D 'uid=100000, ou=company, dc=mydomain, dc=com' -W
I have good result


My script is like that :

$server = "ldap://localhost" ;
$ds=ldap_connect($server);
$dn = "uid=100000, ou=company, dc=domain, dc=com";
$value = "password";

$result=@ldap_bind($ds,$dn,$value);
$dn = "ou=company, dc=domain, dc=com";
$filtre = "(cn=*DUPONT*)";
$sr = ldap_search($ds, $dn, $filtre);
$info = ldap_get_entries($ds, $sr);

for ($i=0; $i < $info["count"]; $i++) {
     print "UID: ".$info[$i]["urn"][0]."<br /><br />";
}

ldap_close($ds);



i have a result, but if i change $server = "ldap://localhost" by "ldaps://localhost) i have a error message "Can't contact LDAP server"

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-06-13 10:28 UTC] sander@php.net

I don't think PHP supports LDAP over SSL. Making this a feature request, and updating summary.

[2002-06-13 10:46 UTC] sniper@php.net

Let's keep this in the right category. Easier for the 
extension maintainer(s) to find these then.

[2002-06-21 15:17 UTC] venaas@php.net

If you use the OpenLDAP 2.x.x lib, the script below
should work. At least I don't see anything wrong.
Only error I can think of is that the lib isn't
compiled with SSL, but if this was the lib used when building ldapsearch, then this should be okay too.

PHP doesn't really do anything clever with LDAP and SSL
here, it only passes the URL to the lib in ldap_connect()
and the lib will/should use SSL since the URL starts with
ldaps. This is exactly what ldapsearch does too. So I
don't really see what's wrong here.

I would try to see what LDAP library is used and check
whether it's compiled with SSL. strace/tcpdump/gdb might
be of use to see what's going on.

[2002-09-11 11:19 UTC] sniper@php.net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.

[2003-07-19 00:18 UTC] phpdeveloper at chinese dot university dot hk

i am using IIS+windows xp+php4.3.2.2 facing the same problem and can not connect to the ldap except using ldaps://host:636/ but success using ldap://host/

[2004-12-09 09:54 UTC] sami at sipponen dot com

"phpdeveloper at chinese dot university dot hk"'s  problem seems to be related an issue with PHP Windows build's "not so good documented features"... See the link below:

http://www.ldaphelp.com/viewtopic.php?t=6

It seems that there are some hard coded config file issues with PHP's ldap extension.

Copy&paste from the site which link is above:

create the directory: C:\OpenLDAP\sysconf\ and put there a ldap.conf file which contains in its first line: 
TLS_REQCERT never

[2006-10-01 02:35 UTC] michael at akatose dot de

This error not only happens with SSL (ldaps), but also when using StartTLS.

On my system, the correct CA certificate is referenced in /etc/ldap/ldap.conf and command line utilities can connect without problems:
    ~# ldapsearch -v -x -ZZ "(objectClass=*)"
    ldap_initialize( <DEFAULT> )
    filter: (objectClass=*)
    requesting: ALL
    # extended LDIF
    # ...

But the following PHP script fails (on PHP-5.1.2 from Ubuntu-6.06):
    <?php
        $server = ldap_connect("ldap://ldap.example.com");
        ldap_set_option($server, LDAP_OPT_PROTOCOL_VERSION, 3);
        $result = ldap_read($server, "dc=example,dc=com", "(objectclass=*)");
        $entry = ldap_get_entries($server, $result);
        print_r($entry);
        // everything works fine up to this point
        // no network problems, we are really talking to the server

        ldap_start_tls($server);
        // this fails:
        // Warning: ldap_start_tls() [function.ldap-start-tls]:
        // Unable to start TLS: Connect error in /var/www/ldaptest.php on line 10

        ldap_close($server);
    ?>

As you can see a "Connect error" is returned, altough this seems to be an error while checking the server certificate. I can get the command line utilities to throw the same error by making the CA certificate unreadable:
    ~# ldapsearch -v -x -ZZ "(objectClass=*)"
    ldap_initialize( <DEFAULT> )
    ldap_start_tls: Connect error (-11)


The PHP script will work, if I disable the verification of the server certificate by putting the already mentioned "TLS_REQCERT never" in /etc/ldap/ldap.conf

[2006-10-02 02:28 UTC] michael at akatose dot de

Ok, this problem vanished, as soon as I replaced the wildcard-certificate at the LDAP server (CN=*.example.com) with a "simple" certificate (CN=ldap.example.com).

I double-checked this with another wildcard-certificate, which is also accepted by the command line utilities. Again, PHP's ldap_start_tls() returns false and gives its warning "Unable to start TLS: Connect error".
A capture of the network traffic to the LDAP server reveals, that even though ldap_start_tls() returns false, the connection is encrypted afterwards.

So it seems, that the handling of the return code is wrong, when using wildcard-certificates.

[2010-05-01 19:24 UTC] geissert@php.net

-Status: No Feedback +Status: Open

[2010-05-01 19:24 UTC] geissert@php.net

Here's the bug again. See: http://bugs.debian.org/560161

[2010-05-18 12:20 UTC] mike@php.net

Maybe this helps?
http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients

[2016-10-29 20:12 UTC] heiglandreas@php.net

-Status: Open +Status: Wont fix

[2016-10-29 20:12 UTC] heiglandreas@php.net

We are sorry, but we can not support PHP 4 related problems anymore.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Nov 04 18:00:01 2025 UTC