Hello,
I have been working on this problem for some time now and I can't seem to resolve it. Everything I have found on google and php.net says I can connect to an LDAP server with SSL by setting "TLS_REQCERT never" in ldap.conf. I want to eliminate certs from the picture for now just to confirm I can make the connection which is why I have "TLS_REQCERT never" set.
I added that setting to my ldap.conf and my test code now works from the command line but it does not work when I call it from a browser. Here is my test:
<?php
$ldaphost = "ldaps://my.ldap.server";
//ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
// Connecting to LDAP
$ldapconn = ldap_connect($ldaphost)
or die("Could not connect to {$ldaphost}");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
echo var_dump(@ldap_bind($ldapconn, "cn=Keithl, ou=Users, o=LH"));
?>
This returns true when called from the command line:
[www]/www/doc/ktlwiki > php ldap-test.php
bool(true)
But when I load the same code through a browser it fails.
I'm using php 5.2.6, openldap 2.4.11 and openssl 0.9.8i on Solaris 10. I built everything from source, PHP has LDAP and SSL support compiled in.
My openldap install is in /opt. Trussing the command line process and the apache process shows similar results:
Command line:
26651: open("/opt/lib/libldap-2.4.so.2", O_RDONLY) = 3
26651: open("ldap-test.php", O_RDONLY) = 4
26651: resolvepath("/www/doc/INTRA/ktlwiki/ldap-test.php", "/www/doc/INTRA/ktlwiki/ldap-test.php", 1024) = 36
26651: open("/opt/etc/openldap/ldap.conf", O_RDONLY) = 4
Apache process:
24656: open("/opt/lib/libldap-2.4.so.2", O_RDONLY) = 6
24818: open("/www/doc/INTRA/ktlwiki/ldap-test.php", O_RDONLY) = 45
24818: open("/opt/etc/openldap/ldap.conf", O_RDONLY) = 4
Any idea why the same code served by apache would ignore the TLS_REQCERT setting?!
TIA
Keith
--------------------------------------------------------------------------------
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
