ldap connect issues

I'm a little hesitant to log a bug for this as it may be the way I'm doing things, but here's the "issue":

Summary:

Secondary requests to an AJAX PHP script that performs ldap_connect/ldap_bind requests to 1+ directories often result in "LDAP Can't contact LDAP server". It appears PHP doesn't even attempt to communicate. A restart of the apache2 service often allows connection.

Versions & Extension Config:

- openSUSE 12.3 (x86_64)
- apache2-2.2.22-10.4.1.x86_64
- PHP Version 5.4.14
- PHP API: 20100412
- PHP Extension: 20100525
- PHP Extension Build: API20100525,NTS
- LDAP Support: enabled
- RCS Version: $Id$
- Total Links: 0/unlimited
- API Version: 3001
- Vendor Name: OpenLDAP
- Vendor Version: 20433
- SASL Support: Enabled
- ldap.max_links: Unlimited
- OpenSSL support: enabled
- OpenSSL Library Version: OpenSSL 1.0.1e 11 Feb 2013
- OpenSSL Header Version: OpenSSL 1.0.1e 11 Feb 2013

eDirectory Versions & Configuration:

eDirectory 8.7.3 (or greater)
Default LDAP configuration (i.e. no restrictions on bind limits, result sizes, etc....)

Details:

Here's the architecture.... A main PHP script (system_view.php) makes an AJAX call to another PHP script (system_view_ajax.php) for a JSON result (used by d3js.org JS). system_view_ajax.php creates a connection, does a bind, and queries for some information from LDAP ("DirA") based on search criteria from system_view.php. Depending on the information in this query result, additional connections, binds, and queries to 1 - 2 additional directories may be actioned (normally 2 additional directories). During each query, a set of arrays is generated before being reorganised and converted to JSON at the completion of the queries.

There is a stack of constants and array variables set in an included script, but the LDAP_URIS would result in a string similar to "ldaps://10.x.x.x:636 ldaps://10.x.x.x:636 ldaps://10.x.x.x:636 ldaps://10.x.x.x:636".... SSL shouldn't be an issue as Apache2 has LDAPVerifyServerCert Off, but even with 389 I still strike the same issue.

I'm using the eDirectory admin account which has no limits on connections.

system_view_ajax.php Code Snippets:

//*******************************************************************************
// CM Search
//*******************************************************************************
$TREE = "CM";
if (${"CONST_" . $TREE . "_SEARCH"})
{
    $po_count = 0;
    $co_count = 0;
    //*******************************************************************************
    // Connect to LDAP
    //*******************************************************************************
    ${"ldapconn" . strtolower($TREE)} = ldap_connect(constant("CONST_" . strtoupper($TREE) . "_LDAP_URIS"));
    if (${"ldapconn" . strtolower($TREE)})
    {
        //*******************************************************************************
        // Set LDAP Options
        //*******************************************************************************
        ldap_set_option(${"ldapconn" . strtolower($TREE)}, LDAP_OPT_PROTOCOL_VERSION, 3);
        //*******************************************************************************
        // Bind to LDAP
        //*******************************************************************************
        $ldapbind = ldap_bind(${"ldapconn" . strtolower($TREE)}, constant("CONST_" . strtoupper($TREE) . "_LDAP_USR"), constant("CONST_" . strtoupper($TREE) . "_LDAP_PWD"));
        if ($ldapbind)
        {
....
.... do query and array stuff ....
....
        }
        //*******************************************************************************
        // Bind Error
        //*******************************************************************************
        else
        {
            $errors[] = array("Description" => "Could not bind as " . constant("CONST_" . strtoupper($TREE) . "_LDAP_USR") . " - LDAP " . ldap_error(${"ldapconn" . strtolower($TREE)}) . " " . strtoupper($TREE) . " " . constant("CONST_" . strtoupper($TREE) . "_LDAP_URIS") . ". You may have to wait 5-10 minutes or ask Ben Walter to restart Apache.", "Code" => ldap_errno(${"ldapconn" . strtolower($TREE)}));
        }
        //*******************************************************************************
        // Unbind from LDAP
        //*******************************************************************************
        $ldapunbind = ldap_unbind(${"ldapconn" . strtolower($TREE)});
    }
    //*******************************************************************************
    // Connection Error
    //*******************************************************************************
    else
    {
        // ldap_connect() returned false, so there is no link to pass to ldap_error()/ldap_errno()
        $errors[] = array("Description" => "Could not connect to " . strtoupper($TREE) . " " . constant("CONST_" . strtoupper($TREE) . "_LDAP_URIS") . ". You may have to wait 5-10 minutes or ask Ben Walter to restart Apache.", "Code" => -1);
    }
    //*******************************************************************************
    // Cleanup LDAP connection
    //*******************************************************************************
    unset(${"ldapconn" . strtolower($TREE)});
}
//*******************************************************************************
// Search Error
//*******************************************************************************
else
{
    $errors[] = array("Description" => "Searching of parent directory disabled. This was unexpected.", "Code" => CENITEX_SEARCH_DISABLED);
}

//*******************************************************************************
// Remote Search
//*******************************************************************************
foreach ($remote_array as $TREE => $d3group)
{
    //*******************************************************************************
    // Check if we should search this tree
    //*******************************************************************************
    if (${"CONST_" . $TREE . "_SEARCH"})
    {
        $po_count = 0;
        $co_count = 0;
        //*******************************************************************************
        // Connect to LDAP
        //*******************************************************************************
        ${"ldapconn" . strtolower($TREE)} = ldap_connect(constant("CONST_" . strtoupper($TREE) . "_LDAP_URIS"));
        if (${"ldapconn" . strtolower($TREE)})
        {
            //*******************************************************************************
            // Set LDAP Options
            //*******************************************************************************
            ldap_set_option(${"ldapconn" . strtolower($TREE)}, LDAP_OPT_PROTOCOL_VERSION, 3);
            //*******************************************************************************
            // Bind to LDAP
            //*******************************************************************************
            $ldapbind = ldap_bind(${"ldapconn" . strtolower($TREE)}, constant("CONST_" . strtoupper($TREE) . "_LDAP_USR"), constant("CONST_" . strtoupper($TREE) . "_LDAP_PWD"));
            if ($ldapbind)
            {
....
.... do query and array stuff ....
....
            }
            //*******************************************************************************
            // Bind Error
            //*******************************************************************************
            else
            {
                $errors[] = array("Description" => "Could not bind as " . constant("CONST_" . strtoupper($TREE) . "_LDAP_USR") . " - LDAP " . ldap_error(${"ldapconn" . strtolower($TREE)}) . " " . strtoupper($TREE) . " " . constant("CONST_" . strtoupper($TREE) . "_LDAP_URIS") . ". You may have to wait 5-10 minutes or ask Ben Walter to restart Apache.", "Code" => ldap_errno(${"ldapconn" . strtolower($TREE)}));
            }
            //*******************************************************************************
            // Unbind from LDAP
            //*******************************************************************************
            $ldapunbind = ldap_unbind(${"ldapconn" . strtolower($TREE)});
        }
        //*******************************************************************************
        // Connection Error
        //*******************************************************************************
        else
        {
            // ldap_connect() returned false, so there is no link to pass to ldap_error()/ldap_errno()
            $errors[] = array("Description" => "Could not connect to " . strtoupper($TREE) . " " . constant("CONST_" . strtoupper($TREE) . "_LDAP_URIS") . ". You may have to wait 5-10 minutes or ask Ben Walter to restart Apache.", "Code" => -1);
        }
        //*******************************************************************************
        // Cleanup LDAP connection
        //*******************************************************************************
        unset(${"ldapconn" . strtolower($TREE)});
    }
}
....
.... process arrays and return JSON ....
....


Error:

After the first AJAX call (which seems to work flawlessly), additional AJAX calls result in a bind error when the script loops through the remote tree set.... "ERROR -1: Could not bind as cn=admin,o=admin - LDAP Can't contact LDAP server CLM ldaps://10.x.x.x:636 ldaps://10.x.x.x:636 ldaps://10.x.x.x:636 ldaps://10.x.x.x:636. You may have to wait 5-10 minutes or ask Ben Walter to restart Apache."

It would be nice to raise connections to LDAP and maintain them, but as these are AJAX calls to this script, I'm not sure of the best way....

Thoughts?
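As an added example (not the poster's code, written for PHP 5.4 like the setup above), the connect/bind/unbind step from system_view_ajax.php as one helper instead of variable-variables: ldap_connect() opens no socket, so the TCP/TLS handshake and any "Can't contact LDAP server" error happen inside ldap_bind(), bounded here by LDAP_OPT_NETWORK_TIMEOUT; the detailed failure (bind DN, server list) goes to the server log rather than into the JSON handed to the browser, and an empty password is refused instead of silently becoming an unauthenticated bind. Hostnames, DNs, and the LDAP_*_PW environment variable names are constructed placeholders.

```php
<?php
// Added example (not the poster's code); hosts, DNs and passwords are placeholders.
function ldap_open_and_bind($tree, $uris, $bind_dn, $bind_pw, array &$errors)
{
    if ((string) $bind_pw === '') {
        // An empty password turns ldap_bind() into an unauthenticated bind,
        // which can "succeed" without the admin's rights; refuse it outright.
        $errors[] = array('Description' => "No bind password configured for $tree", 'Code' => -1);
        return false;
    }
    // ldap_connect() only parses the URI list and allocates a handle; no
    // socket is opened yet, so an unreachable host cannot fail here.
    $conn = ldap_connect($uris);
    if ($conn === false) {
        $errors[] = array('Description' => "Invalid LDAP URI list for $tree", 'Code' => -1);
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5); // seconds per listed server
    // The TCP (and TLS) handshake happens here, which is why
    // "Can't contact LDAP server" surfaces as a bind failure.
    if (!@ldap_bind($conn, $bind_dn, $bind_pw)) {
        $errno = ldap_errno($conn);
        // Full detail (bind DN, server list) stays in the server log ...
        error_log(sprintf('[%s] bind as %s to %s failed: %d %s',
            $tree, $bind_dn, $uris, $errno, ldap_error($conn)));
        // ... while the JSON returned to the browser stays generic.
        $errors[] = array('Description' => "Directory $tree is unavailable", 'Code' => $errno);
        ldap_unbind($conn);
        return false;
    }
    return $conn;
}

// Constructed configuration standing in for the CONST_<TREE>_* constants.
$trees = array(
    'CM'  => array('uris' => 'ldaps://dira.example.invalid:636 ldaps://dira2.example.invalid:636',
                   'dn'   => 'cn=admin,o=admin', 'pw' => getenv('LDAP_CM_PW')),
    'CLM' => array('uris' => 'ldaps://clm.example.invalid:636',
                   'dn'   => 'cn=admin,o=admin', 'pw' => getenv('LDAP_CLM_PW')),
);
$errors = array();
foreach ($trees as $tree => $cfg) {
    $conn = ldap_open_and_bind($tree, $cfg['uris'], $cfg['dn'], $cfg['pw'], $errors);
    if ($conn === false) continue;  // failure already recorded; try the next tree
    // ... ldap_search() / ldap_get_entries() for this tree go here ...
    ldap_unbind($conn);  // release the socket before moving to the next tree
}
```

Because the ldaps:// handshake is done by the OpenLDAP client library, certificate checking for this script is governed by TLS_REQCERT in ldap.conf (or LDAP_OPT_X_TLS_* options), not by Apache's LDAPVerifyServerCert directive.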


-- 
PHP General Mailing List (http://www.php.net/)