php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #54136 Secure SSL bind to Active Directory fails
Submitted: 2011-03-02 14:16 UTC Modified: 2017-01-09 17:03 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: kyllingpost at gmail dot com Assigned:
Status: Wont fix Package: LDAP related
PHP Version: 5.3.5 OS: Ubuntu 10.04 LTS
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: kyllingpost at gmail dot com
New email:
PHP Version: OS:

 

 [2011-03-02 14:16 UTC] kyllingpost at gmail dot com
Description:
------------
Attempting to bind to server using SSL returns:

Warning: ldap_bind() Unable to bind to server: Can't contact LDAP server 

while ldap_connect() returns success.

Using a non-encrypted channel works, and the server responds on ssl using other libraries, including successful bind.

Test script:
---------------
<?php
$username = 'username';
$password = 'password';
$account_suffix = '@example.com';
$hostnameSSL = 'ldaps://my.example.com:636';

ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);

// Attempting fix from http://www.php.net/manual/en/ref.ldap.php#77553
putenv('LDAPTLS_REQCERT=never');

####################
# SSL bind attempt #
####################
// Attempting syntax from http://www.php.net/manual/en/function.ldap-bind.php#101445
$con =  ldap_connect($hostnameSSL);
if (!is_resource($con)) trigger_error("Unable to connect to $hostnameSSL",E_USER_WARNING);

// Options from http://www.php.net/manual/en/ref.ldap.php#73191
if (!ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3))
{
	trigger_error("Failed to set LDAP Protocol version to 3",E_USER_WARNING);
}
ldap_set_option($con, LDAP_OPT_REFERRALS, 0);

if (ldap_bind($con,$username . $account_suffix, $password)) die('All went well using SSL');
ldap_close($con);


Expected result:
----------------
I expected ssl handshake, and secure bind.

E.G:

>> openssl s_client -connect my.example.com:636 -prexit

(...)
SSL handshake has read 5732 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 1B1500000642E45E5A37A76A804365F5DBB28F6597838808B603BE45A0525CBD
    Session-ID-ctx: 
    Master-Key: 68F4DB2000D02CA5F19880DABE4602947C344C9E674A285DA3977F78F35610D46F1EA770D64F24D5C7DB5451FFB6895B
    Key-Arg   : None
    Start Time: 1299071105
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)


Actual result:
--------------
ldap_create
ldap_url_parse_ext(ldaps://my.example.com:636)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP my.example.com:636
ldap_new_socket: 25
ldap_prepare_socket: 25
ldap_connect_to_host: Trying 1.1.1.1:636
ldap_pvt_connect: fd: 25 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x22620e98 msgid 1
wait4msg ld 0x22620e98 msgid 1 (infinite timeout)
wait4msg continue ld 0x22620e98 msgid 1 all 1
** ld 0x22620e98 Connections:
* host: my.example.com  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Wed Mar  2 13:57:52 2011


** ld 0x22620e98 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x22620e98 request count 1 (abandoned 0)
** ld 0x22620e98 Response Queue:
   Empty
  ld 0x22620e98 response count 0
ldap_chkResponseList ld 0x22620e98 msgid 1 all 1
ldap_chkResponseList returns ld 0x22620e98 NULL
ldap_int_select
read1msg: ld 0x22620e98 msgid 1 all 1
ldap_err2string
[Wed Mar 02 13:57:52 2011] [error] [client ::1] PHP Warning:  ldap_bind() [<a href='function.ldap-bind'>function.ldap-bind</a>]: Unable to bind to server: Can't contact LDAP server in /public_html/test.php on line 28
[Wed Mar 02 13:57:52 2011] [error] [client ::1] PHP Stack trace:
[Wed Mar 02 13:57:52 2011] [error] [client ::1] PHP   1. {main}() /public_html/test.php:0
[Wed Mar 02 13:57:52 2011] [error] [client ::1] PHP   2. ldap_bind() /public_html/test.php:28
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 1 1
ldap_free_connection: actually freed

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-01-09 16:53 UTC] heiglandreas@php.net
This issue is by now over 5 years old and targets an unsupported PHP-Version. Therefore I'm closing this. Should the issue still exist in a supported version of PHP feel free to (re)open the issue.
 [2017-01-09 17:03 UTC] heiglandreas@php.net
-Status: Open +Status: Wont fix
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sun Dec 05 12:03:38 2021 UTC