ID:               48866
 Comment by:       mahida at usq dot edu dot au
 Reported By:      dev at lechat dot org
 Status:           Feedback
 Bug Type:         LDAP related
 Operating System: windows server 2003 R2 SE SP2
 PHP Version:      5.3.0
 New Comment:

PHP 5.1.6, Red Hat 4.1.2-44, httpd-2.2.3-22.el5, mysql-5.0.45-7.el5

We have the same problem as above. We manually copied the LDAP server
certificate and it worked. But the LDAPS bind is so unstable. Sometimes
it binds and sometimes it fails.

Standard LDAP connection works as expected.


Previous Comments:
------------------------------------------------------------------------

[2009-08-05 21:59:26] j...@php.net

Does this happen also with PHP 5.2.10 ?

------------------------------------------------------------------------

[2009-07-09 09:35:06] dev at lechat dot org

Description:
------------
Dealing with a secure ldap connection:
Since php 5.3, the
'TLS_REQCERT never' (means do not check certificate validity, and
process the request anyway)
directive in C:\OpenLDAP\sysconf\ldap.conf is not applied when trying
to bind to an ldapS server that emits a certificate with an invalid CA.

The result is that the ldapS bind fails because php refuses the
certificate.

By using a filMonitor program, I saw that since php 5.3 php_ldap.dll,
the ldap conf file is now 'c:\ldap.conf' rather than
C:\OpenLDAP\sysconf\ldap.conf. I tried to put the directive in this file
too. I can see that the file is opened and read, but the directive
'TLS_REQCERT never' is not applied. Bind fails.


On the same server this is working perfectly with php < 5.3 (until
5.2.9-1 as far as I know).

Note that standard ldap connection works as expected with 5.3.

Reproduce code:
---------------
$ldapConnect = ldap_connect('ldaps://ldaps.myserver.com:3269');
ldap_set_option($ldapConnect, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapConnect, LDAP_OPT_REFERRALS, 0);
$ldapBind = ldap_bind($ldapConnect, $username,$password);
$filter="(| (employeeid=$user)(name=$user)(cn=$user)
(userprincipalname=$u...@mydomain) ) ";
$ldapSearch = ldap_search($ldapConnect, $baseDn, $filter);
$ldapEntries = ldap_get_entries($ldapConnect, $ldapSearch);
ldap_free_result($ldapSearch);
ldap_unbind($ldapConnect);

Expected result:
----------------
ldap_get_entries returns ldap entries that match the filter, as
expected.

Actual result:
--------------
None, cannot bind.


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=48866&edit=1
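
Added example, not part of the bug report or of PHP/OpenLDAP: a small Python auditor that parses ldap.conf text and reports the certificate-check level an ldaps:// bind would run with, flagging 'TLS_REQCERT never' as discussed above. The sample file contents and the CA file path are constructed, and "a later line overrides an earlier one" is an assumption about how the file is read.

```python
# Added example (not from the bug report): audit ldap.conf text for the
# certificate-check level that applies to an ldaps:// bind.

# Levels documented in ldap.conf(5); "demand" (alias "hard") is the default.
REJECTS_BAD_CERT = {"try", "demand", "hard"}
ACCEPTS_BAD_CERT = {"never", "allow"}


def parse_ldap_conf(text):
    """Return {OPTION: value}. Option names are case-insensitive.
    Assumption: a later line overrides an earlier one for the same option."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        fields = line.split(None, 1)  # option name, then the rest as its value
        options[fields[0].upper()] = fields[1].strip() if len(fields) == 2 else ""
    return options


def audit(text):
    """Report the effective TLS_REQCERT level and any findings."""
    options = parse_ldap_conf(text)
    level = options.get("TLS_REQCERT", "demand").lower()
    has_ca = any(options.get(k) for k in ("TLS_CACERT", "TLS_CACERTDIR"))
    findings = []
    if level in ACCEPTS_BAD_CERT:
        findings.append("TLS_REQCERT %s: an invalid server certificate is accepted" % level)
    elif level not in REJECTS_BAD_CERT:
        findings.append("TLS_REQCERT %s: not a documented level" % level)
    elif not has_ca:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: a private CA is not trusted explicitly")
    return {"level": level, "verifies": level in REJECTS_BAD_CERT, "findings": findings}


# Constructed sample: the reporter's setting, with mixed case and a comment.
REPORTED = "# client defaults\ntls_reqcert\tnever\n"
# Constructed sample: verification kept and the CA named (hypothetical path).
CORRECTED = "TLS_REQCERT demand\nTLS_CACERT C:\\OpenLDAP\\sysconf\\ca.pem\n"

if __name__ == "__main__":
    for label, conf in (("reported", REPORTED), ("corrected", CORRECTED)):
        print(label, audit(conf))
```

Running it against both C:\OpenLDAP\sysconf\ldap.conf and c:\ldap.conf shows which file, if either, carries the directive being relied on.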