Bug #14725 ldap_connect skips over SSL servers specified in the form ldaps://hostname/
Submitted: 2001-12-27 16:31 UTC Modified: 2001-12-27 17:50 UTC
From: emetsger at jhu dot edu Assigned:
Status: Closed Package: LDAP related
PHP Version: 4.0.6 OS: SunOS 5.7 SPARC 106541-17
Private report: No CVE-ID: None
 [2001-12-27 16:31 UTC] emetsger at jhu dot edu
Platform: SunOS 5.7, PHP 4.0.6 (--with-ssl), OpenLDAP 2.0.14 (--with-tls)

When given an array of ldap servers like array("ldaps://hostname_a", "ldap://hostname_a"), ldap_connect doesn't even attempt a tcp connection to port 636.   

To further generalize my statement, if you specify any server with the ldaps:// URL construct, ldap_connect won't attempt a tcp connection to that server (either on port 636 or 389).

According to the ldap_connect documentation, you don't need to specify portnames when using the URL construct.   But, the only way I have found to work around this is to specify the port in order to attempt an SSL connection.

To test, change the elements in the array $LDAP_SERVER in the provided include file.  I am new to php and am not a programmer, so please go easy on my dirty code!

Thank you for such a great product!  I appreciate all the time and effort this group puts into this quality production!


My function (called with no arguments, returns an LDAP link identifier upon a successful bind):

function esm_find_ldap_server() {
    // defines $LDAP_SERVER, $LDAP_SERVER_PORTS, $CMS_BIND_DN and $CMS_BIND_PW
    require "./ldap_constants.inc";
    // Find the appropriate ldap server: try every server on each port, secure port first
    foreach ($LDAP_SERVER_PORTS as $try_port) {
        print "Trying port $try_port<br>\n";
        foreach ($LDAP_SERVER as $try_server) {
            print "Trying server $try_server:$try_port<br>\n";
            $ldap_linkid = ldap_connect($try_server, $try_port);
            if ($ldap_linkid) {
                print "Connection successful: LDAP link id is $ldap_linkid, attempting bind<br>\n";
                if (@ldap_bind($ldap_linkid, $CMS_BIND_DN, $CMS_BIND_PW)) {
                    print "Successful bind. Returning.<br>\n";
                    return $ldap_linkid;
                }
                print "Bind failed. Continuing.<br>\n";
                ldap_close($ldap_linkid);   // release the link before trying the next server
            } //end if (successful connection)
        } //end inner loop (server selection)
    } //end outer loop (port selection)
    return FALSE;   // no server accepted the bind
} //end function


My include file ldap_constants.inc:
<?php
        $CMS_BASE_DN = 'dc=library,dc=johnshopkins,dc=edu';
        $CMS_BIND_RDN = 'cn=cmsproxy,ou=proxy';
        $CMS_BIND_DN = "$CMS_BIND_RDN,$CMS_BASE_DN";
        $CMS_BIND_PW = "xxxxxxx";

        $LDAP_SERVER_PORTS = array("636","389");
        // we have a problem with tcp timeouts if the host is down or doesn't send a RST 
        // will have to figure out a way around tcp timeouts
        $LDAP_SERVER = array("128.220.8.91", "128.220.8.108", "128.220.8.91");
        // for secure servers we need to either trust a self-signed cert or get a real cert for the ldap server
        // currently not used
        $LDAP_SECURE_SERVER  = array("128.220.8.108");

        //filters we use to find users
        $CMS_USER_FILTER = '(objectClass=posixAccount)';
        $CMS_USER_BASE_DN = 'ou=People,' . "$CMS_BASE_DN";

        $CMS_USER_ATTR = 'uid';
        $CMS_USER_PWATTR = 'userPassword';

 [2001-12-27 17:23 UTC] venaas@php.net
There are several ways to use ldap_connect(). With all LDAP
APIs (I think), you should be able to specify multiple
hosts separated by space, and do something like:
ldap_connect("hosta hostb hostc", $port). If you skip the
final argument, 389 is used. If you specify 636, you are
still not using SSL.

If you use OpenLDAP 2 API (like you do), you can use URLs
instead of hosts, then the $port argument is not used.
You can then do say:
ldap_connect("ldaps://hosta ldaps://hostb:637")
to first try SSL to hosta on port 636, and next SSL to
hostb on port 637. If you are not using SSL, you can do say
ldap_connect("ldap://hosta ldap://hostb:390")
again, you can specify 636, but you're not using SSL then.
You can also mix ldap and ldaps URLs if you like.

I must confess I didn't look much at your code, but it
won't work to use an array as argument to ldap_connect(). I'm closing this case, since I don't see a bug. Please
reopen if what I wrote above doesn't work.

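The URI form described in the reply above, worked through as an added example (this is not code from the bug report, from the reporter, or from the PHP project): the hosts are joined into the whitespace-separated ldaps:// list that ldap_connect() accepts, the port argument is dropped because the URI carries the port, and the TLS certificate check is enforced instead of trusting a self-signed certificate as the reporter's include file considers. The function names esm_build_ldap_uris and esm_ldaps_bind, the $caFile parameter and the example.edu hosts are assumptions introduced here; the LDAP_OPT_X_TLS_* options and passing null to ldap_set_option for global options assume PHP 7.1 or later, not the PHP 4.0.6 of the report.

```php
<?php
// Added example, not code from the bug report or from PHP itself.
// Assumes PHP >= 7.1 with the ldap extension built against OpenLDAP 2, so that
// ldap_connect() accepts a whitespace-separated list of LDAP URIs and the
// LDAP_OPT_X_TLS_* options exist.

/**
 * Build the URI list ldap_connect() expects: one "ldaps://host[:port]" per
 * server, separated by spaces, so the client library tries them in order.
 * The port lives in the URI; the second argument of ldap_connect() is unused.
 */
function esm_build_ldap_uris(array $hosts, string $scheme = 'ldaps'): string
{
    $uris = [];
    foreach ($hosts as $host) {
        // Accept "host" or "host:port" only. A space or scheme inside a host
        // value would splice an extra, attacker-chosen URI into the list.
        if (!preg_match('/^[A-Za-z0-9.\-]+(?::\d{1,5})?$/', $host)) {
            throw new InvalidArgumentException("Bad LDAP host spec: $host");
        }
        $uris[] = $scheme . '://' . $host;
    }
    return implode(' ', $uris);
}

/**
 * Connect over LDAPS with certificate verification enforced, then bind.
 * Returns the connection on success, or null after logging the reason.
 */
function esm_ldaps_bind(array $hosts, string $bindDn, string $bindPw, string $caFile)
{
    // Global TLS settings must be in place before the first connection is made.
    // Trust only the CA bundle we ship and demand a valid chain; never relax this
    // to LDAP_OPT_X_TLS_NEVER, which accepts any certificate and leaves the
    // connection encrypted but unauthenticated.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $uris = esm_build_ldap_uris($hosts);      // e.g. "ldaps://a ldaps://b:637"
    $ldap = ldap_connect($uris);              // URI form: no port argument
    if ($ldap === false) {
        error_log("ldap_connect rejected URI list: $uris");
        return null;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);   // LDAPv3, as servers expect
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);          // do not chase referrals

    // With OpenLDAP 2 the TCP and TLS handshakes happen on the first operation,
    // so an unreachable host or a failed certificate check surfaces here.
    if (!@ldap_bind($ldap, $bindDn, $bindPw)) {
        error_log('ldap_bind failed: ' . ldap_error($ldap) . " (uris: $uris)");
        ldap_unbind($ldap);
        return null;
    }
    return $ldap;
}

// Usage with placeholder hosts and CA path (not the report's addresses):
// $ldap = esm_ldaps_bind(['ldap1.example.edu', 'ldap2.example.edu:637'],
//                        'cn=cmsproxy,ou=proxy,dc=example,dc=edu', $pw,
//                        '/etc/ssl/certs/example-ldap-ca.pem');
```

Because ldap_connect() with a URI list does not open a socket until the bind, a "successful" return from it says nothing about reachability or the certificate; the bind result and ldap_error() are where a failed handshake or a rejected certificate become visible, which is also the point to log for detection of misconfigured or impersonated directory servers.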
 [2001-12-27 17:50 UTC] emetsger at jhu dot edu
Thanks for the quick response!

I understand that ldap_connect won't take an array - my function iterates over an array of possible ldap servers and supplies ldap_connect with a scalar.

What I didn't understand was that you can specify multiple ldap servers separated by whitespace as the first argument to ldap_connect.  Thank you for the quick tutorial!

I haven't yet tried it, but I am confident that it will work!

Thanks again,
Elliot Metsger
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 26 13:01:30 2024 UTC