PHP :: Bug #80405 :: LDAPCONF=/etc/ldap/ldap.conf not respected

[2020-11-23 10:29 UTC] alisun at shitmail dot de

Description:
------------
Problem: $LDAPCONF is not read properly.

cat /etc/ldap/ldap.conf
TLS_CACERT=/some/path
TLS_KEY=/some/other/path
TLS_CERT=/some/otherpath
TLS_REQCERT=demand

Ex 1: no explicit environment variables, should respect /etc/ldap/ldap.conf?
Does not :D

sudo  -u www-data php -a<<eof
\$dn="someDN";
\$p="somePw";
\$ldaphost = "someHost";
\$ldapport = somePort;
\$ldapconn = ldap_connect(\$ldaphost, \$ldapport);
ldap_set_option(\$ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_start_tls(\$ldapconn);
eof
PHP Warning:  ldap_start_tls(): Unable to start TLS: Connect error in php shell code on line 1

Ex 2: set LDAPCONF explicity, should respect /etc/ldap/ldap.conf?
Does not either

export LDAPCONF=/etc/ldap/ldap.conf                                        
sudo  -Eu www-data php -a<<eof
\$dn="someDN";
\$p="somePw";
\$ldaphost = "someHost";
\$ldapport = somePort;
\$ldapconn = ldap_connect(\$ldaphost, \$ldapport);
ldap_set_option(\$ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_start_tls(\$ldapconn);
eof
PHP Warning:  ldap_start_tls(): Unable to start TLS: Connect error in php shell code on line 1

Ex 3: use $LDAPCONF content via environment variables
Works

export LDAPTLS_CACERT=/some/path
export LDAPTLS_KEY=/some/other/path
export LDAPTLS_CERT=/some/otherpath
export LDAPTLS_REQCERT=demand

sudo  -Eu wwwcloud php -a<<eof                  

\$dn="uid=nextcloud,ou=people,dc=physsolutions,dc=org";
\$p=">.D+c'k_]^F4F8(d";
\$ldaphost = "ldap.physsolutions.org";
\$ldapport = 389;
\$ldapconn = ldap_connect(\$ldaphost, \$ldapport);
ldap_set_option(\$ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_start_tls(\$ldapconn);
eof
# no error

Ex 4: use $HOME/.ldaprc
Works

cp /etc/ldap/ldap.conf ~www-data/.ldaprc
sudo  --set-home -u www-data php -a<<eof
\$dn="someDN";
\$p="somePw";
\$ldaphost = "someHost";
\$ldapport = somePort;
\$ldapconn = ldap_connect(\$ldaphost, \$ldapport);
ldap_set_option(\$ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_start_tls(\$ldapconn);
eof
# no error

Ex 5: use $CWD/ldaprc
Works

cp /etc/ldap/ldap.conf ldaprc
sudo -u www-data php -a<<eof
\$dn="someDN";
\$p="somePw";
\$ldaphost = "someHost";
\$ldapport = somePort;
\$ldapconn = ldap_connect(\$ldaphost, \$ldapport);
ldap_set_option(\$ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_start_tls(\$ldapconn);
eof
# no error

[2021-06-24 10:09 UTC] cmb@php.net

-Package: *General Issues +Package: LDAP related

[2021-09-09 14:52 UTC] cmb@php.net

-Assigned To: +Assigned To: mcmic

[2021-09-09 14:52 UTC] cmb@php.net

Maybe Côme can clarify?

[2021-09-09 15:13 UTC] mcmic@php.net

Unless I missed it I see no configuration file reading in our code, so I think this is supposed to be done by the libldap library.

We do have a test for this, which uses LDAPCONF: https://github.com/php/php-src/blob/master/ext/ldap/tests/ldap_connect_ldap_conf.phpt

So this is expected to work, at least for URI.

If the original poster is still around, could you output the result of 
var_dump(
 ldap_get_option($link, LDAP_OPT_X_TLS_REQUIRE_CERT, $value),
 $value);
For each case, and maybe the same with the other TLS related vars.

Patches

Pull Requests

History

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 01:01:28 2024 UTC