php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #60542 ldap_start_tls issue only when running script via apache not php(cli)
Submitted: 2011-12-16 00:46 UTC Modified: 2011-12-17 10:09 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: tecman77 at hotmail dot co dot uk Assigned:
Status: Closed Package: LDAP related
PHP Version: Irrelevant OS: RHEL 6.2
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: tecman77 at hotmail dot co dot uk
New email:
PHP Version: OS:

 

 [2011-12-16 00:46 UTC] tecman77 at hotmail dot co dot uk
Description:
------------
Enviroment:
RHEL 6.2
Apache/2.2.15 (Unix) - httpd-2.2.15-15.el6.x86_64
PHP 5.3.3 (cli) (built: Oct 24 2011 08:35:41) - php-cli-5.3.3-3.el6_1.3.x86_64, 
php-ldap-5.3.3-3.el6_1.3.x86_64
--
When running test script via php -f sample_ldap.php with /etc/openldap/ldap.conf 
configured with TLS_REQCERT never, script returns OK and successfully 
establishes SSL(or TLS) connection with LDAP server(W2k8 R2 DC). Running same 
script via apache ends up with ERROR and following message in apache error log:

--snip--
ldap_connect_to_host: Trying 10.1.1.10:636
ldap_pvt_connect: fd: 15 tm: -1 async: 0
TLS: could not add the certificate PEM Token #0:dc1CAchain.cert - 0 - error 
-8192:Unknown code ___f 0.
TLS: error: could not initialize moznss security context - error -8192:Unknown 
code ___f 0
TLS: can't create ssl handle.
--snip--

Test script can be easily converted to use TLS method and this one fails with 
exactly same error in error log. Running same script on CentOS 5.8 with apache 
2.2.3/PHP 5.1.6 - no issues with TLS or SSL.


Test script:
---------------
<?php
   $ldap="ldaps://ldap.company.corp:636";
   $usr="user@company.corp";
   $pwd="password111";
   ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 255);

   $ds=ldap_connect($ldap);

   $ldapbind=false;

   if ($ds) {

      if(ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3))
        if(ldap_set_option($ds, LDAP_OPT_REFERRALS, 0))

               $ldapbind = @ldap_bind($ds, $usr, $pwd);
                ldap_close($ds);
    }

	if(!$ldapbind)
      echo "ERROR";
   else
      echo "OK";
?>

Expected result:
----------------
Script returns OK if successfull bind has been made, otherwise ERROR message 
appears


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-12-17 10:09 UTC] tecman77 at hotmail dot co dot uk
It turned out to be problem with apache directive ldaptrustedglobalcert which was pointing at malformed CA file. Sorry for trouble.
 [2011-12-17 10:09 UTC] tecman77 at hotmail dot co dot uk
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Sun Dec 04 09:05:54 2022 UTC