Bug #80405 LDAPCONF=/etc/ldap/ldap.conf not respected
Submitted: 2020-11-23 10:29 UTC Modified: 2021-09-09 15:13 UTC
From: alisun at shitmail dot de Assigned: mcmic
Status: Assigned Package: LDAP related
PHP Version: 7.4.12 OS: linux
Private report: No CVE-ID: None
 [2020-11-23 10:29 UTC] alisun at shitmail dot de
Description:
------------
Problem: $LDAPCONF is not read properly.

cat /etc/ldap/ldap.conf
TLS_CACERT=/some/path
TLS_KEY=/some/other/path
TLS_CERT=/some/otherpath
TLS_REQCERT=demand

Ex 1: no explicit environment variables, should respect /etc/ldap/ldap.conf?
Does not :D

sudo  -u www-data php -a<<eof
\$dn="someDN";
\$p="somePw";
\$ldaphost = "someHost";
\$ldapport = somePort;
\$ldapconn = ldap_connect(\$ldaphost, \$ldapport);
ldap_set_option(\$ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_start_tls(\$ldapconn);
eof
PHP Warning:  ldap_start_tls(): Unable to start TLS: Connect error in php shell code on line 1

Ex 2: set LDAPCONF explicitly, should respect /etc/ldap/ldap.conf?
Does not either

export LDAPCONF=/etc/ldap/ldap.conf
sudo  -Eu www-data php -a<<eof
\$dn="someDN";
\$p="somePw";
\$ldaphost = "someHost";
\$ldapport = somePort;
\$ldapconn = ldap_connect(\$ldaphost, \$ldapport);
ldap_set_option(\$ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_start_tls(\$ldapconn);
eof
PHP Warning:  ldap_start_tls(): Unable to start TLS: Connect error in php shell code on line 1

Ex 3: use $LDAPCONF content via environment variables
Works

export LDAPTLS_CACERT=/some/path
export LDAPTLS_KEY=/some/other/path
export LDAPTLS_CERT=/some/otherpath
export LDAPTLS_REQCERT=demand

sudo  -Eu wwwcloud php -a<<eof

\$dn="uid=nextcloud,ou=people,dc=physsolutions,dc=org";
\$p=">.D+c'k_]^F4F8(d";
\$ldaphost = "ldap.physsolutions.org";
\$ldapport = 389;
\$ldapconn = ldap_connect(\$ldaphost, \$ldapport);
ldap_set_option(\$ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_start_tls(\$ldapconn);
eof
# no error

Ex 4: use $HOME/.ldaprc
Works

cp /etc/ldap/ldap.conf ~www-data/.ldaprc
sudo  --set-home -u www-data php -a<<eof
\$dn="someDN";
\$p="somePw";
\$ldaphost = "someHost";
\$ldapport = somePort;
\$ldapconn = ldap_connect(\$ldaphost, \$ldapport);
ldap_set_option(\$ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_start_tls(\$ldapconn);
eof
# no error

Ex 5: use $CWD/ldaprc
Works

cp /etc/ldap/ldap.conf ldaprc
sudo -u www-data php -a<<eof
\$dn="someDN";
\$p="somePw";
\$ldaphost = "someHost";
\$ldapport = somePort;
\$ldapconn = ldap_connect(\$ldaphost, \$ldapport);
ldap_set_option(\$ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_start_tls(\$ldapconn);
eof
# no error


History

 [2021-06-24 10:09 UTC] cmb@php.net
-Package: *General Issues +Package: LDAP related
 [2021-09-09 14:52 UTC] cmb@php.net
-Assigned To: +Assigned To: mcmic
 [2021-09-09 14:52 UTC] cmb@php.net
Maybe Côme can clarify?
 [2021-09-09 15:13 UTC] mcmic@php.net
Unless I missed it, I see no configuration file reading in our code, so I think this is supposed to be done by the libldap library.

We do have a test for this, which uses LDAPCONF: https://github.com/php/php-src/blob/master/ext/ldap/tests/ldap_connect_ldap_conf.phpt

So this is expected to work, at least for URI.

If the original poster is still around, could you output the result of
var_dump(
 ldap_get_option($link, LDAP_OPT_X_TLS_REQUIRE_CERT, $value),
 $value);
for each case, and maybe the same with the other TLS related vars.
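A diagnostic along the lines of what mcmic asks for, as an added example that is not part of this thread or of ext/ldap: it reads the TLS options libldap loaded into the handle, names them with the ldap.conf keywords used in the report, and then attempts START_TLS. The host, the LDAP_TEST_HOST variable and the warning text are placeholders I chose; the LDAP_OPT_X_TLS_* constants are the ones ext/ldap exposes.

```php
<?php
// Added diagnostic (not from the thread): print the TLS settings libldap loaded into
// a handle, then attempt START_TLS; run it under each setup in the report and compare.
// $host is a placeholder; the LDAP_OPT_X_TLS_* constants are those of ext/ldap.
function ldap_tls_settings($link): array
{
    // LDAP_OPT_X_TLS_REQUIRE_CERT values, named as the TLS_REQCERT keywords of ldap.conf
    $reqcert = [
        LDAP_OPT_X_TLS_NEVER  => 'never',  LDAP_OPT_X_TLS_HARD  => 'hard',
        LDAP_OPT_X_TLS_DEMAND => 'demand', LDAP_OPT_X_TLS_ALLOW => 'allow',
        LDAP_OPT_X_TLS_TRY    => 'try',
    ];
    $options = [
        'TLS_REQCERT' => LDAP_OPT_X_TLS_REQUIRE_CERT,
        'TLS_CACERT'  => LDAP_OPT_X_TLS_CACERTFILE,
        'TLS_CERT'    => LDAP_OPT_X_TLS_CERTFILE,
        'TLS_KEY'     => LDAP_OPT_X_TLS_KEYFILE,
    ];
    $result = [];
    foreach ($options as $name => $opt) {
        $value = null;
        if (!ldap_get_option($link, $opt, $value)) {
            $result[$name] = '(not readable)';
        } elseif ($name === 'TLS_REQCERT') {
            $result[$name] = $reqcert[$value] ?? "unknown($value)";
        } else {
            $result[$name] = ($value === null || $value === '') ? '(unset)' : $value;
        }
    }
    return $result;
}
$host = getenv('LDAP_TEST_HOST') ?: 'ldap.example.org'; // placeholder host
$link = ldap_connect($host, 389);
ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3);
printf("LDAPCONF=%s LDAPRC=%s\n", getenv('LDAPCONF') ?: '(unset)', getenv('LDAPRC') ?: '(unset)');
$settings = ldap_tls_settings($link);
foreach ($settings as $name => $value) {
    printf("%-12s %s\n", $name, $value);
}
// An ignored config file shows up as an (unset) CA path or a TLS_REQCERT weaker than
// demand/hard; the second case is the one that fails silently rather than with an error.
if (!in_array($settings['TLS_REQCERT'], ['demand', 'hard'], true)) {
    echo "WARNING: server certificate verification is not enforced\n";
}
if (!@ldap_start_tls($link)) {
    $diag = null;
    ldap_get_option($link, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    printf("ldap_start_tls failed: %s (%s)\n", ldap_error($link), $diag ?: 'no diagnostic');
}
```

Run it with the same sudo invocations as the five examples above so that $HOME, the working directory and the environment match what the web server user sees; a CA path that is (unset) in Ex 1 and 2 but set in Ex 3 to 5 pins the failure to the file-lookup step rather than to the certificate itself.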
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Nov 23 09:01:28 2024 UTC