Bug #54136 Secure SSL bind to Active Directory fails
Submitted: 2011-03-02 14:16 UTC Modified: 2017-01-09 17:03 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: kyllingpost at gmail dot com Assigned:
Status: Wont fix Package: LDAP related
PHP Version: 5.3.5 OS: Ubuntu 10.04 LTS
Private report: No CVE-ID: None
 [2011-03-02 14:16 UTC] kyllingpost at gmail dot com
Description:
------------
Attempting to bind to the server using SSL returns:

Warning: ldap_bind() Unable to bind to server: Can't contact LDAP server 

while ldap_connect() returns success.

Using a non-encrypted channel works, and the server responds over SSL when using other libraries, including a successful bind.

Test script:
---------------
<?php
$username = 'username';
$password = 'password';
$account_suffix = '@example.com';
$hostnameSSL = 'ldaps://my.example.com:636';

// Maximum libldap debug output (goes to stderr / the web server error log)
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);

// Attempting fix from http://www.php.net/manual/en/ref.ldap.php#77553
// Note: "never" tells libldap to skip server certificate verification entirely
putenv('LDAPTLS_REQCERT=never');

####################
# SSL bind attempt #
####################
// Attempting syntax from http://www.php.net/manual/en/function.ldap-bind.php#101445
// ldap_connect() only parses the URI; the TCP/TLS connection is opened on bind
$con = ldap_connect($hostnameSSL);
if (!is_resource($con)) trigger_error("Unable to connect to $hostnameSSL", E_USER_WARNING);

// Options from http://www.php.net/manual/en/ref.ldap.php#73191
if (!ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3)) {
    trigger_error("Failed to set LDAP Protocol version to 3", E_USER_WARNING);
}
// Do not chase referrals (Active Directory returns them for other naming contexts)
ldap_set_option($con, LDAP_OPT_REFERRALS, 0);

if (ldap_bind($con, $username . $account_suffix, $password)) die('All went well using SSL');
ldap_close($con);


Expected result:
----------------
I expected an SSL handshake and a secure bind.

E.g.:

>> openssl s_client -connect my.example.com:636 -prexit

(...)
SSL handshake has read 5732 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 1B1500000642E45E5A37A76A804365F5DBB28F6597838808B603BE45A0525CBD
    Session-ID-ctx: 
    Master-Key: 68F4DB2000D02CA5F19880DABE4602947C344C9E674A285DA3977F78F35610D46F1EA770D64F24D5C7DB5451FFB6895B
    Key-Arg   : None
    Start Time: 1299071105
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)


Actual result:
--------------
ldap_create
ldap_url_parse_ext(ldaps://my.example.com:636)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP my.example.com:636
ldap_new_socket: 25
ldap_prepare_socket: 25
ldap_connect_to_host: Trying 1.1.1.1:636
ldap_pvt_connect: fd: 25 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x22620e98 msgid 1
wait4msg ld 0x22620e98 msgid 1 (infinite timeout)
wait4msg continue ld 0x22620e98 msgid 1 all 1
** ld 0x22620e98 Connections:
* host: my.example.com  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Wed Mar  2 13:57:52 2011


** ld 0x22620e98 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x22620e98 request count 1 (abandoned 0)
** ld 0x22620e98 Response Queue:
   Empty
  ld 0x22620e98 response count 0
ldap_chkResponseList ld 0x22620e98 msgid 1 all 1
ldap_chkResponseList returns ld 0x22620e98 NULL
ldap_int_select
read1msg: ld 0x22620e98 msgid 1 all 1
ldap_err2string
[Wed Mar 02 13:57:52 2011] [error] [client ::1] PHP Warning:  ldap_bind() [<a href='function.ldap-bind'>function.ldap-bind</a>]: Unable to bind to server: Can't contact LDAP server in /public_html/test.php on line 28
[Wed Mar 02 13:57:52 2011] [error] [client ::1] PHP Stack trace:
[Wed Mar 02 13:57:52 2011] [error] [client ::1] PHP   1. {main}() /public_html/test.php:0
[Wed Mar 02 13:57:52 2011] [error] [client ::1] PHP   2. ldap_bind() /public_html/test.php:28
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 1 1
ldap_free_connection: actually freed
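The openssl s_client output in the report ends with "Verify return code: 20 (unable to get local issuer certificate)", i.e. the client has no trust anchor for the Active Directory server certificate, and the test script works around that by disabling verification with LDAPTLS_REQCERT=never. The following is an added example, not code from the bug report or from PHP itself: it binds over LDAPS with certificate verification enabled by pointing libldap at the issuing CA through the connection handle, and on failure it reads libldap's diagnostic message, which carries the TLS-level reason behind a generic "Can't contact LDAP server". The URI, CA bundle path, bind DN and password are placeholders. It assumes PHP 7.1 or later for the LDAP_OPT_X_TLS_* constants (on older PHP the equivalent settings are TLS_CACERT and TLS_REQCERT in /etc/ldap/ldap.conf), and the TLS 1.2 floor assumes a domain controller that supports it.

```php
<?php
// Added example (not from the bug report): LDAPS bind that verifies the server
// certificate against a known CA and reports why a bind failed.
// All host names, paths and credentials below are placeholders.
declare(strict_types=1);

/**
 * Returns [true, ''] on success or [false, $reason] on failure, where $reason
 * combines ldap_error() with libldap's diagnostic message (which contains the
 * OpenSSL verify error when the TLS handshake is what failed).
 */
function ldaps_bind(string $uri, string $caFile, string $bindDn, string $password): array
{
    $con = ldap_connect($uri);               // only parses the URI; no socket yet
    if ($con === false) {
        return [false, "invalid LDAP URI: $uri"];
    }

    // LDAPv3, and no referral chasing: Active Directory returns referrals for
    // other naming contexts, and chasing them would open new connections that
    // bypass the verification configured here.
    ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($con, LDAP_OPT_REFERRALS, 0);

    // TLS options must be in place before the first request, because libldap
    // opens the socket and runs the handshake lazily inside ldap_bind().
    // DEMAND means: abort unless the chain verifies and the host name matches,
    // the opposite of LDAPTLS_REQCERT=never.
    ldap_set_option($con, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option($con, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    // Refuse anything below TLS 1.2 (the s_client output in the report shows
    // TLSv1 with RC4-MD5 being negotiated).
    ldap_set_option($con, LDAP_OPT_X_TLS_PROTOCOL_MIN, LDAP_OPT_X_TLS_PROTOCOL_TLS1_2);

    $ok = @ldap_bind($con, $bindDn, $password);   // @: the error is reported below
    if ($ok) {
        ldap_unbind($con);
        return [true, ''];
    }

    $reason = ldap_error($con);
    $diag = '';
    // Same option as LDAP_OPT_ERROR_STRING; after a TLS failure it holds text
    // such as "... certificate verify failed" rather than the bare LDAP error.
    if (ldap_get_option($con, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag) && $diag !== '') {
        $reason .= ' (' . $diag . ')';
    }
    ldap_unbind($con);
    return [false, $reason];
}

// Usage with placeholder values (assumptions, not taken from the bug report):
[$ok, $reason] = ldaps_bind(
    'ldaps://my.example.com:636',
    '/etc/ssl/certs/corp-root-ca.pem',   // CA that issued the domain controller's certificate
    'username@example.com',              // AD accepts the UPN form as the bind DN
    'password'
);
echo $ok ? "bind OK\n" : "bind failed: $reason\n";
```

If this still fails with "Can't contact LDAP server", the diagnostic string distinguishes a trust problem (verify failed: the wrong CA file, or the server presenting a certificate whose subject or SAN does not match the host name in the URI) from a protocol problem (no shared cipher or protocol version: relax the TLS 1.2 floor only for a controller that genuinely cannot do better). Only once the bind succeeds with DEMAND in place is the channel actually authenticated; with LDAPTLS_REQCERT=never the password travels to whatever answers on port 636.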

 [2017-01-09 16:53 UTC] heiglandreas@php.net
This issue is by now over 5 years old and targets an unsupported PHP-Version. Therefore I'm closing this. Should the issue still exist in a supported version of PHP feel free to (re)open the issue.
 [2017-01-09 17:03 UTC] heiglandreas@php.net
-Status: Open +Status: Wont fix
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 01:01:30 2024 UTC