PHP :: Bug #60542 :: ldap_start_tls issue only when running script via apache not php(cli)

Bug #60542

ldap_start_tls issue only when running script via apache not php(cli)

Submitted:

2011-12-16 00:46 UTC

Modified:

2011-12-17 10:09 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

tecman77 at hotmail dot co dot uk

Assigned:

Status:

Closed

Package:

LDAP related

PHP Version:

Irrelevant

OS:

RHEL 6.2

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	tecman77 at hotmail dot co dot uk
New email:
PHP Version:		OS:

New/Additional Comment:

[2011-12-16 00:46 UTC] tecman77 at hotmail dot co dot uk

Description:
------------
Enviroment:
RHEL 6.2
Apache/2.2.15 (Unix) - httpd-2.2.15-15.el6.x86_64
PHP 5.3.3 (cli) (built: Oct 24 2011 08:35:41) - php-cli-5.3.3-3.el6_1.3.x86_64, 
php-ldap-5.3.3-3.el6_1.3.x86_64
--
When running test script via php -f sample_ldap.php with /etc/openldap/ldap.conf 
configured with TLS_REQCERT never, script returns OK and successfully 
establishes SSL(or TLS) connection with LDAP server(W2k8 R2 DC). Running same 
script via apache ends up with ERROR and following message in apache error log:

--snip--
ldap_connect_to_host: Trying 10.1.1.10:636
ldap_pvt_connect: fd: 15 tm: -1 async: 0
TLS: could not add the certificate PEM Token #0:dc1CAchain.cert - 0 - error 
-8192:Unknown code ___f 0.
TLS: error: could not initialize moznss security context - error -8192:Unknown 
code ___f 0
TLS: can't create ssl handle.
--snip--

Test script can be easily converted to use TLS method and this one fails with 
exactly same error in error log. Running same script on CentOS 5.8 with apache 
2.2.3/PHP 5.1.6 - no issues with TLS or SSL.


Test script:
---------------
<?php
   $ldap="ldaps://ldap.company.corp:636";
   $usr="user@company.corp";
   $pwd="password111";
   ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 255);

   $ds=ldap_connect($ldap);

   $ldapbind=false;

   if ($ds) {

      if(ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3))
        if(ldap_set_option($ds, LDAP_OPT_REFERRALS, 0))

               $ldapbind = @ldap_bind($ds, $usr, $pwd);
                ldap_close($ds);
    }

	if(!$ldapbind)
      echo "ERROR";
   else
      echo "OK";
?>

Expected result:
----------------
Script returns OK if successfull bind has been made, otherwise ERROR message 
appears

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2011-12-17 10:09 UTC] tecman77 at hotmail dot co dot uk

It turned out to be problem with apache directive ldaptrustedglobalcert which was pointing at malformed CA file. Sorry for trouble.

[2011-12-17 10:09 UTC] tecman77 at hotmail dot co dot uk

-Status: Open +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Mar 18 21:01:29 2025 UTC