Bug #70971 LDAP Not Reading Config File (ldap.cfg)
Submitted: 2015-11-25 14:44 UTC Modified: 2016-10-07 23:17 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:-1 (-50.0%)
From: jspringe at gmail dot com Assigned: cmb (profile)
Status: Closed Package: LDAP related
PHP Version: 7.0.0RC7 OS: Windows (7/8/10)
Private report: No CVE-ID: None
 [2015-11-25 14:44 UTC] jspringe at gmail dot com
Description:
------------
LDAP extension does not appear to be reading a configuration file. In previous versions for Windows LDAP expects the configuration file to be in C:\OpenLDAP\sysconf\ldap.conf. This does not appear to work in RC7.

This means a connection cannot be established over SSL due to not being able to set configuration options such as TLS_REQCERT or TLSCACertificatePath. Most persistent changes require SSL/TLS.

If this has been changed, then there is no documentation expressing the change.


 [2015-11-25 17:03 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2015-11-25 17:03 UTC] ab@php.net
Thanks for the report. Could you please explain how it is supposed to work. Any snippet? I've just compared 7.0 and 5.6 and the behavior is not different. OpenLDAP is always compiled with SSL support and neither version tries to load any of the config files. The build config of dependencies is in both cases the same and the sysconf is set to c:\\openldap\\sysconf. I need more tips from you to reproduce the behavior.

Thanks.
 [2015-11-25 19:00 UTC] jspringe at gmail dot com
-Status: Feedback +Status: Open
 [2015-11-25 19:00 UTC] jspringe at gmail dot com
Current working configuration:
    PHP 5.5.30
    Config File: C:\OpenLDAP\sysconf\ldap.cfg
        Contents: TLS_REQCERT never
Current failing configuration:
    PHP 7.0.0RC7
    Config File: C:\OpenLDAP\sysconf\ldap.cfg
        Contents: TLS_REQCERT never

Code:
    $ldap_identifier = ldap_connect('ldaps://activedirectory');

    ldap_set_option($ldap_identifier, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ldap_identifier, LDAP_OPT_PROTOCOL_VERSION, 3);

    $bind = ldap_bind($ldap_identifier, 'user', 'password');

    if ($bind !== true) {
        ldap_get_option($ldap_identifier, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error);
        echo $extended_error;
    } else {
        echo "Connected";
        var_dump($bind);
    }

PHP 5.5.30 Output:
    Connected
    boolean true

PHP 7.0.0RC7 Output:
    Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in ... on line 8
    error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)

This was an error I received prior to creating the configuration file on 5.5.30. This is just a proof-of-concept and CURRENTLY I'm not concerned with the certificate (I actually know it's expired which is a problem I'll tackle later). Either way with the configuration file it should work the same as before or documentation needs to be updated. Also the documentation itself doesn't mention the configuration file - luckily a few comments do.
 [2015-11-26 01:49 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2015-11-26 01:49 UTC] ab@php.net
Thanks for the further info. As I've mentioned, I couldn't spot any attempts to load the config file at startup. It likely could be that the file is only getting loaded when PHP code starts to work. I'll probably have to set up an LDAP server, let's see.

But one thing I would like to ask you before: please check the event logs. 5.5 and 7 use different OpenSSL versions. OpenSSL 1.0.2 used with 7.0 is integrated better with the Windows APIs. It could be that your certificate gets validated live and OpenSSL just refuses it.

Thanks.
 [2015-11-26 01:53 UTC] ab@php.net
Btw the error message you posted looks pretty much like that, a certificate failure. IIRC, even starting with OpenSSL 1.0.1, custom certificates might be deleted automatically from the Windows storage, as they get validated with some trusted certificate checker service.

Thanks.
 [2015-11-26 14:33 UTC] jspringe at gmail dot com
-Status: Feedback +Status: Open
 [2015-11-26 14:33 UTC] jspringe at gmail dot com
I removed the config file completely and the error triggered on 5.5.30, so it's definitely reading it in previous versions. I'm fully aware that the error I'm getting is a certificate problem, which is why I used the directive TLS_REQCERT never. In 5.5.30 you would use the config file to add certs as well - so again - what am I supposed to do in PHP 7 when I need an SSL/TLS connection?
 [2015-12-04 14:41 UTC] jspringe at gmail dot com
-Status: Open +Status: Closed
 [2015-12-04 14:41 UTC] jspringe at gmail dot com
After looking over the source for this extension and the source for OpenLDAP itself I've found what needs to be done in Windows - I'm not sure how this translates to Linux.

You need to set an environment variable of LDAPCONF that is equal to the path and filename of your configuration. In previous versions the extension would assume C:\openldap\sysconf\ldap.conf.
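The comment above describes the LDAPCONF route. The script below is an added example, not code from the report or from the PHP project, showing how a PHP application can apply that route itself: it sets LDAPCONF in its own process environment before the first ldap_* call, and it prefers a verified chain (TLS_CACERT plus TLS_REQCERT demand in the config file) over TLS_REQCERT never. The config and CA bundle paths, the service-account DN and the LDAP_BIND_PW environment variable are assumptions; the server name "activedirectory" comes from the report. The per-handle LDAP_OPT_X_TLS_* constants exist in PHP 7.0.5 (LDAP_OPT_X_TLS_REQUIRE_CERT) and PHP 7.1 (LDAP_OPT_X_TLS_CACERTFILE) and are guarded with defined() so the script still runs on the 7.0.0 build discussed here.

```php
<?php
// Added example (not from the bug report): make OpenLDAP read a client
// configuration file from a known path before any LDAP handle exists,
// then bind over ldaps:// with certificate verification left enabled.

// Assumed paths (not from the report).
$ldapConf  = 'C:\\OpenLDAP\\sysconf\\ldap.conf';
$caBundle  = 'C:\\OpenLDAP\\sysconf\\ca-bundle.pem';

// OpenLDAP consults LDAPCONF when the library initialises, so it has to
// be in the environment before the first ldap_* call of this process.
putenv('LDAPCONF=' . $ldapConf);

// The referenced file is expected to contain, instead of "TLS_REQCERT never":
//   TLS_CACERT  C:\OpenLDAP\sysconf\ca-bundle.pem
//   TLS_REQCERT demand
// Here we only check that it and the CA bundle are readable.
foreach ([$ldapConf, $caBundle] as $path) {
    if (!is_readable($path)) {
        fwrite(STDERR, "required file not readable: $path\n");
        exit(1);
    }
}

// ldap_connect() only parses the URI; the TLS handshake happens at bind time,
// which is why options set between the two calls still take effect.
$ldap = ldap_connect('ldaps://activedirectory');
if ($ldap === false) {
    fwrite(STDERR, "ldap_connect failed: invalid URI\n");
    exit(1);
}

ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

// Newer PHP builds expose the same settings per handle, independent of any
// config file. Guarded so the script also runs on PHP 7.0.0.
if (defined('LDAP_OPT_X_TLS_REQUIRE_CERT')) {            // PHP 7.0.5+
    ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
}
if (defined('LDAP_OPT_X_TLS_CACERTFILE')) {              // PHP 7.1+
    ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTFILE, $caBundle);
}

// Credentials come from the environment, never from the source. An empty
// password is refused explicitly: with Active Directory an empty password
// results in an unauthenticated bind that "succeeds" without authenticating.
$bindDn   = 'CN=svc-readonly,OU=Service,DC=example,DC=local'; // assumed DN
$password = getenv('LDAP_BIND_PW');
if ($password === false || $password === '') {
    fwrite(STDERR, "LDAP_BIND_PW is not set; refusing to attempt an empty bind\n");
    exit(1);
}

$bind = @ldap_bind($ldap, $bindDn, $password);
if ($bind !== true) {
    // LDAP_OPT_DIAGNOSTIC_MESSAGE carries the server/TLS detail, as in the report.
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    fwrite(STDERR, 'bind failed: ' . ldap_error($ldap) . ' (' . (string) $diag . ")\n");
    exit(1);
}

echo "Connected with a verified TLS chain\n";
ldap_unbind($ldap);
```

On Linux the same putenv() call works with a path such as /etc/ldap/ldap.conf; the important point is that it runs before the first ldap_* call in the process, since a variable exported only in the shell that starts a long-running web server is not necessarily inherited by the PHP worker.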
 [2015-12-09 11:29 UTC] ab@php.net
-Status: Closed +Status: Re-Opened -Type: Bug +Type: Documentation Problem
 [2015-12-09 11:29 UTC] ab@php.net
@jspringe, thanks for the further investigation. If it's a change in the OpenLDAP version, it would make sense to document it.

Thanks.
 [2015-12-09 23:46 UTC] jspringe at gmail dot com
How can I help?
 [2015-12-10 14:21 UTC] ab@php.net
If you're willing to contribute to the documentation, please visit http://doc.php.net/ for more details. You also can submit a patch over https://edit.php.net/ .

Thanks.
 [2016-03-10 16:04 UTC] alain dot vicet1 at bell dot ca
I've the same problem with Linux and xampp (xampp-linux-x64-7.0.2-1) and don't have any solution.

I've tried to export LDAPCONF before starting lampp without success:
export LDAPCONF=/opt/lampp/etc/openldap/ldap.conf
sudo ./lampp start

I've tried too to change the /etc/ldap/ldap.conf file, without success: "TLS_REQCERT never" is not taken into account

Works ok with previous version of xampp (with php5)
 [2016-10-07 23:16 UTC] cmb@php.net
-Status: Re-Opened +Status: Closed -Assigned To: +Assigned To: cmb
 [2016-10-07 23:16 UTC] cmb@php.net
Apparently, this issue has been resolved with the fix for <https://bugs.php.net/73243>.
 [2016-10-07 23:17 UTC] cmb@php.net
-Type: Documentation Problem +Type: Bug
 [2016-10-07 23:17 UTC] cmb@php.net
… and has not been a doc issue at all. :-)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 30 14:01:28 2024 UTC