Bug #18049 LDAP over SSL (ldaps) not working
Submitted: 2002-06-28 13:03 UTC Modified: 2002-10-16 14:40 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: twerner at fh-bingen dot de Assigned: edink (profile)
Status: Closed Package: LDAP related
PHP Version: 4.2.1 OS: Windows 2000 Advanced Server
Private report: No CVE-ID: None
 [2002-06-28 13:03 UTC] twerner at fh-bingen dot de
Used Software:
Windows 2000 Advanced Server
Apache 1.3.24
PHP 4.2.1 Win32

When I use ldap_connect('ldap://hostname')
everything is working fine.

But when I use ldap_connect('ldaps://hostname')
the script just hangs (no error messages), it
doesn't even stop when the max_execution_time is over.

I don't think that the LDAP-Server is the problem,
because I am able to connect to it successfully over
ssl with an LDAP-browser.

 [2002-06-28 13:18 UTC] twerner at fh-bingen dot de
I forgot to say that according to phpinfo()
the openssl extension is working
 [2002-06-29 04:16 UTC] sander@php.net
Please SEARCH the bugdb. This is just not implemented, see #17738
 [2002-06-29 05:41 UTC] twerner at fh-bingen dot de
Sorry, but I have to correct you.
This is implemented since a long time,
as you can see here: http://www.php.net/manual/en/function.ldap-connect.php
I can confirm that it is working with Suse Linux 7.3 and
PHP 4.0.6, which is a rather old version.
Maybe it's just not compiled into the win32-version?
Is someone able to compile it correctly?
 [2002-06-29 10:47 UTC] sniper@php.net
This is a different problem and most likely the ldap
libraries used to build the win32 ldap extension just
haven't been compiled with SSL support.

 [2002-07-22 12:05 UTC] twerner at fh-bingen dot de
Is really noone able to compile this dll with ssl-support?
 [2002-10-01 20:48 UTC] sniper@php.net
Assigning to Edin, so he remembers to look into enabling the ssl support for snapshots/releases.

 [2002-10-03 07:27 UTC] twerner at fh-bingen dot de
Thank you for compiling the dll with ssl-support.
It seems to work so far.
But now I have the problem, that PHP always wants to send a client certificate, even with "TLSVerifyClient never" in slapd.conf. In the debug-console of the LDAP-server I can read:

TLS trace: SSL3 alert read:fatal:unknown
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:964

Where can I configure, that PHP should not send a client certificate, or where do I have to put it?
 [2002-10-03 19:10 UTC] sniper@php.net
From: http://www.openldap.org/doc/admin/tls.html

"11.2.2.6. TLS_REQCERT { never | allow | try | demand }

This directive is equivalent to the server's TLSVerifyClient option. However, for clients the default value is demand and there generally
is no good reason to change this setting."

(I don't have any server setup so I can't test this myself now)

 [2002-10-12 05:35 UTC] twerner at fh-bingen dot de
In the last week I did some testing. I used PHP 4.2.3 with your php_ldap.dll on Win2000 and Apache 1.3.26. The OpenLDAP-server (slapd) was running on Linux and Win2000, but I get the same results on both platforms. I created the configuration-file "C:\OpenLDAP\sysconf\ldap.conf" (I saw that string in php_ldap.dll) on the machine, where PHP is running. In this file I put the TLS_REQCERT-directive and tested with all 4 possible values:

never, allow: seems to work
try, demand: does not work, PHP always sends a client certificate, which the LDAP-server can't accept (see above).
But there is no client certificate configured!?
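The four TLS_REQCERT values tested above differ in how strictly the client checks the server's certificate. The two that "seem to work" (never, allow) do so because they skip verification, so ldaps:// then protects only against passive sniffing, not against an impersonated directory. As an added illustration, not taken from the report or from the OpenLDAP documentation, here is a client-side ldap.conf with the weak setting beside the corrected one; the CA file path is an assumption for this example:

```conf
# --- weak: accept any server certificate (no authentication of the server) ---
TLS_REQCERT never

# --- corrected: require a server certificate and verify it against the CA
#     that signed it. Only one TLS_REQCERT line should be active in a real
#     ldap.conf; the file path below is an assumed example location. ---
TLS_REQCERT demand
TLS_CACERT  C:\OpenLDAP\sysconf\cacert.pem
```

With "demand" (the OpenLDAP client default) and no TLS_CACERT, the client cannot build a trust chain for the server's certificate and aborts the handshake with a "unknown ca" alert, which is exactly what the slapd debug trace quoted earlier shows.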
 [2002-10-12 09:39 UTC] sniper@php.net
Why do you ask these questions here when you could have got the answers simply by searching with some search engine?!

http://www.openldap.org/lists/openldap-software/200108/msg00043.html

Bogusing this bug report since this really IS NOT any bug in PHP.

 [2002-10-12 10:42 UTC] twerner at fh-bingen dot de
OK, since the dll is now compiled with ssl-support, PHP is not the problem any longer.
Just one last question: Will the ssl-support for the win32-version be integrated in future php-releases?
 [2002-10-14 17:38 UTC] edink@php.net
Were you able to make it work? I'm asking since getting openldap libs to compile on windows with SSL support is a non-trivial task.
 [2002-10-16 14:40 UTC] twerner at fh-bingen dot de
It seems to work under certain circumstances as you can read in my previous post (12 Oct 5:35am). I tested it only with OpenLDAP-server, because I don't have access to an Novell Edirectory-Server at the moment. I will test it again in the future and post the results here.
 [2003-02-04 18:09 UTC] dhh at vt dot edu
The error "TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:964" in the SSL debug output is a red herring.  PHP is not sending a client cert or doing anything with client certs.  The problem here is PHP does not trust the server, as it does not have the LDAP server's public certificate.  What you need to do is create the file "c:\OpenLDAP\sysconf\ldap.conf" with the single line "TLS_CACERT c:\path\to\server.cert" where server.cert is the cert of the LDAP directory to which you are trying to connect.  With that in place, ldaps should work.
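Putting the TLS_REQCERT and TLS_CACERT pieces together, as an added example rather than code from the bug report or from the PHP manual: a PHP script that connects over ldaps://, pins server verification to a CA file from inside the script instead of relying on ldap.conf, and surfaces the TLS failure as an error instead of hanging. The hostname, bind DN, password, CA file path and search base are assumptions. It uses the LDAP_OPT_X_TLS_* options, so it targets PHP 7.1 or later rather than the 4.x builds discussed in this report.

```php
<?php
// Added example (not from the bug report or from the PHP manual): bind to an
// LDAP server over ldaps:// with the server certificate verified against a CA.
// All connection parameters below are placeholders, not values from the report.
declare(strict_types=1);

const LDAP_URI = 'ldaps://ldap.example.test:636';       // assumed hostname/port
const CA_FILE  = '/etc/ssl/certs/example-ldap-ca.pem';  // assumed CA that signed the server cert
const BIND_DN  = 'cn=reader,dc=example,dc=test';        // assumed bind identity
const BIND_PW  = 'change-me';                           // assumed password
const BASE_DN  = 'dc=example,dc=test';                  // assumed search base

function ldapsConnectVerified(string $uri, string $caFile, string $dn, string $pw)
{
    // With a null handle these set OpenLDAP's process-wide TLS defaults, which
    // every context created afterwards inherits. This is the programmatic
    // equivalent of "TLS_REQCERT demand" and "TLS_CACERT <file>" in ldap.conf.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);

    // ldap_connect() only parses the URI and prepares a handle; no socket is
    // opened and no TLS handshake happens until the first operation (the bind).
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("ldap_connect rejected URI: $uri");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // A network timeout turns the silent hang described in the report into an error.
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 10);

    // The TLS handshake runs here. A server certificate that does not chain to
    // $caFile makes the bind fail; the diagnostic message names the TLS cause.
    if (!@ldap_bind($ds, $dn, $pw)) {
        $diag = '';
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        throw new RuntimeException(sprintf(
            'bind failed: %s (%d) %s', ldap_error($ds), ldap_errno($ds), $diag
        ));
    }
    return $ds;
}

$ds  = ldapsConnectVerified(LDAP_URI, CA_FILE, BIND_DN, BIND_PW);
$res = ldap_search($ds, BASE_DN, '(objectClass=*)', ['dn'], 0, 1);
printf("bound over verified TLS, %d entry returned\n", ldap_count_entries($ds, $res));
ldap_unbind($ds);
```

Setting the TLS options with a null handle before ldap_connect() matters: OpenLDAP builds its TLS context when the connection is first used, so options applied to the global defaults beforehand are the ones the handshake uses. Replacing LDAP_OPT_X_TLS_DEMAND with LDAP_OPT_X_TLS_NEVER reproduces the "seems to work" behaviour from the report, at the cost of authenticating the server not at all.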
 [2003-05-17 15:36 UTC] hsolano at zequel dot com
It is not clear, if after version 4.2.1, ldap is being compiled with ssl support for Windows. I am trying to use 4.3.1 binaries to connect to Active Directory; ldap_connect('ldap://hostname') works fine but I am not able to bind with a ldaps://hostname connection.
 [2003-08-07 03:26 UTC] hkemale at hkem dot com
I use the Perl LDAPS() function with verify => 'none' and it works fine, but in PHP I can only use ldap:// instead of ldaps://. There is no error displayed.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Sep 18 12:01:27 2024 UTC