ID:               48866
 Updated by:       j...@php.net
 Reported By:      dev at lechat dot org
-Status:           Open
+Status:           Feedback
 Bug Type:         LDAP related
 Operating System: windows server 2003 R2 SE SP2
 PHP Version:      5.3.0


Previous Comments:
------------------------------------------------------------------------

[2009-08-07 08:04:47] dev at lechat dot org

Hi,
I didn't try 5.2.10.
I will give it a try in one week
when I am back from holidays (-;
At that point I'll give you feedback
on whether the problem occurs or not with 5.2.10.

------------------------------------------------------------------------

[2009-08-05 21:59:26] j...@php.net

Does this also happen with PHP 5.2.10?

------------------------------------------------------------------------

[2009-07-09 09:35:06] dev at lechat dot org

Description:
------------
Dealing with a secure LDAP connection:
Since PHP 5.3, the
'TLS_REQCERT never' (meaning do not check certificate validity, and
process the request anyway)
directive in C:\OpenLDAP\sysconf\ldap.conf is not applied when trying
to bind to an ldapS server that emits a certificate with an invalid CA.

The result is that the ldapS bind fails because PHP refuses the
certificate.

By using a file monitor program, I saw that since PHP 5.3 php_ldap.dll,
the ldap conf file is now 'c:\ldap.conf' rather than
C:\OpenLDAP\sysconf\ldap.conf. I tried to put the directive in this file
too. I can see that the file is opened and read, but the directive
'TLS_REQCERT never' is not applied. Bind fails.

On the same server this works perfectly with PHP < 5.3 (until
5.2.9-1 as far as I know).

Note that a standard LDAP connection works as expected with 5.3.

Reproduce code:
---------------
$ldapConnect = ldap_connect('ldaps://ldaps.myserver.com:3269');
ldap_set_option($ldapConnect, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapConnect, LDAP_OPT_REFERRALS, 0);
$ldapBind = ldap_bind($ldapConnect, $username,$password);
$filter="(| (employeeid=$user)(name=$user)(cn=$user)
(userprincipalname=$u...@mydomain) ) ";
$ldapSearch = ldap_search($ldapConnect, $baseDn, $filter);
$ldapEntries = ldap_get_entries($ldapConnect, $ldapSearch);
ldap_free_result($ldapSearch);
ldap_unbind($ldapConnect);

Expected result:
----------------
ldap_get_entries returns the LDAP entries that match the filter, as
expected.

Actual result:
--------------
None, cannot bind.


------------------------------------------------------------------------
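
An added example, not part of the bug report or of PHP's own code: instead of relying on 'TLS_REQCERT never' in ldap.conf, the bind can trust the directory's issuing CA explicitly and report why TLS failed. It assumes PHP >= 7.1 with ext/ldap built against OpenLDAP; the function name, host, CA path, bind DN and base DN are constructed placeholders.

```php
<?php
// Added example. Assumptions: PHP >= 7.1, ext/ldap linked against OpenLDAP.
// ldaps_lookup() and every value passed to it below are hypothetical.

function ldaps_lookup(string $uri, string $caFile, string $bindDn,
                      string $password, string $baseDn, string $user): array
{
    // Set the TLS policy on the global (null) handle before ldap_connect(),
    // so it does not depend on which ldap.conf the extension happens to read.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $conn = ldap_connect($uri);
    if ($conn === false) {
        throw new RuntimeException("Invalid LDAP URI: $uri");
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    if (!@ldap_bind($conn, $bindDn, $password)) {
        // With OpenLDAP the diagnostic message usually names the TLS problem
        // (for example an untrusted issuer), which ldap_error() alone hides.
        $detail = '';
        ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
        $msg = sprintf('bind failed: %s (%s)', ldap_error($conn), $detail ?: 'no detail');
        ldap_unbind($conn);
        throw new RuntimeException($msg);
    }

    // Escape the user-supplied value before it is placed in the search filter.
    $u = ldap_escape($user, '', LDAP_ESCAPE_FILTER);
    $filter = "(|(employeeid=$u)(name=$u)(cn=$u))";
    $search = ldap_search($conn, $baseDn, $filter);
    $entries = $search ? ldap_get_entries($conn, $search) : false;
    ldap_unbind($conn);
    return $entries ?: [];
}

try {
    // Constructed placeholder values; replace with the real directory details.
    $entries = ldaps_lookup('ldaps://ldaps.example.test:3269', 'C:\\certs\\directory-ca.pem',
        'cn=reader,dc=example,dc=test', 'placeholder-password', 'dc=example,dc=test', 'jdoe');
    printf("%d entries\n", $entries['count'] ?? 0);
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . PHP_EOL);
}
```
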

