Bug #49737 LDAP doesn't work from Apache 2.0 module but does from CLI
Submitted: 2009-10-01 15:26 UTC
Modified: 2009-10-10 01:00 UTC
Votes: 1
Avg. Score: 3.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: josh at endries dot org
Assigned:
Status: No Feedback
Package: LDAP related
PHP Version: 5.2.11
OS: RHEL4
Private report: No
CVE-ID: None
 [2009-10-01 15:26 UTC] josh at endries dot org
Description:
------------
I'm trying to connect to LDAP using SSL or TLS but it doesn't work when run through the Apache 2 module. It appears to work fine when run via the CLI. I'm using the same exact code in each script. Using strace I can see the script read ldap.conf and the CA files, but with the module (connecting to the httpd process) it doesn't read any files. It dies after trying to verify the CA. I have a real cert and my CA is in /etc/openldap/cacerts, but of course if these (or anything else) aren't read in, it wouldn't be trusted. Using TLS or SSL doesn't matter, nor does using a URI instead of hostname/port pair. I have recompiled to make sure they both use the same libraries, and I have "TLS_REQCERT never" in /etc/openldap/ldap.conf, which are the suggestions I found online.

Reproduce code:
---------------
<?php

$hostname = 'ldap.domain.org';
$port = '389';
$dn = '...';
$password = '...';

if (!is_resource(($ldap = ldap_connect($hostname, $port)))) throw new Exception("LDAP connection failed: ".ldap_error($ldap));

if (ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3) !== true) throw new Exception("Protocol version 3 not supported.");

ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

if (ldap_start_tls($ldap) !== true) throw new Exception(ldap_error($ldap));

if (ldap_bind($ldap, $dn, $password) !== true) throw new Exception(ldap_error($ldap));

echo('ok');

Expected result:
----------------
"ok", which I do get in the CLI.

Actual result:
--------------
Warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error in /var/www/html/test.php on line 15

Fatal error: Uncaught exception 'Exception' with message 'Connect error' in /var/www/html/test.php:15 Stack trace: #0 {main} thrown in /var/www/html/test.php on line 15

(from the web server)
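
Added example, not part of the original report or of PHP itself: a diagnostic to run once from the CLI and once through the Apache module so the two outputs can be diffed. It shows what each process can read of the OpenLDAP client configuration and flags settings that disable certificate verification. It assumes PHP 7 or later and the paths named in the report; the function names are hypothetical.

```php
<?php
// Added diagnostic, not from the bug report. Run under both SAPIs and diff.
// Paths as named in the report (assumed; adjust for other systems).
const LDAP_CONF  = '/etc/openldap/ldap.conf';
const CACERT_DIR = '/etc/openldap/cacerts';

// Collect every TLS_* directive from ldap.conf-style text.
function parse_tls_directives(string $text): array
{
    $found = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue; // blank line or comment
        }
        $parts = preg_split('/\s+/', $line, 2);
        if (count($parts) === 2 && stripos($parts[0], 'TLS_') === 0) {
            $found[strtoupper($parts[0])] = trim($parts[1]);
        }
    }
    return $found;
}

function ldap_tls_report(): array
{
    $report = [
        'sapi'        => php_sapi_name(),
        'euid'        => function_exists('posix_geteuid') ? posix_geteuid() : 'n/a',
        'conf_read'   => is_readable(LDAP_CONF),
        'cacerts_dir' => is_dir(CACERT_DIR) && is_readable(CACERT_DIR),
        'env' => [], 'directives' => [], 'warnings' => [],
    ];
    // Variables libldap consults; httpd often starts with a reduced environment.
    foreach (['LDAPCONF', 'LDAPRC', 'LDAPNOINIT', 'LDAPTLS_CACERT', 'LDAPTLS_CACERTDIR', 'LDAPTLS_REQCERT'] as $name) {
        $report['env'][$name] = getenv($name);
    }
    if ($report['conf_read']) {
        $report['directives'] = parse_tls_directives(file_get_contents(LDAP_CONF));
    }
    // The environment overrides the file; "demand" is the OpenLDAP client default.
    $reqcert = $report['env']['LDAPTLS_REQCERT'] ?: ($report['directives']['TLS_REQCERT'] ?? 'demand');
    if (in_array(strtolower($reqcert), ['never', 'allow'], true)) {
        $report['warnings'][] = "TLS_REQCERT=$reqcert: server certificate is not enforced";
    }
    return $report;
}

if (PHP_SAPI !== 'cli') header('Content-Type: text/plain');
print_r(ldap_tls_report());
```

A difference in `euid`, `conf_read`, `cacerts_dir` or `env` between the two runs narrows down why the module's process does not pick up the CA files. A `warnings` entry means the connection would succeed without authenticating the LDAP server.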

 [2009-10-01 16:08 UTC] jani@php.net
And you're absolutely sure both CLI and Apache module are the same version,
compiled with the same options? Check this from phpinfo(). Also check the
PHP version.
 [2009-10-01 18:55 UTC] josh at endries dot org
Thanks for the response.

I'm sure. I've reinstalled a few times, with the same configuration as when I initially ran into this, and I even went through an upgrade from 5.2.10 to 5.2.11. The version number did change in both, but it didn't affect this issue. Comparing ldd and strings output suggests they're from the same build also. The build date, configure command, and everything else I looked at in phpinfo() for CLI and the module is identical.
 [2009-10-10 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 