
List:       openldap-technical
Subject:    Re: Unable to bind to active directory using TLS
From:       Harish Chakravarthy <harishvc () gmail ! com>
Date:       2009-09-29 19:25:14
Message-ID: eefa9c230909291225m37200b3eqd5eb96628c70e438 () mail ! gmail ! com

Hello Everyone,

My problem is solved, yeah!

The openssl libraries used by Apache mod_ssl and Php were different versions. I had
to recompile Apache and Php to use the same version and everything worked!

-Harish

On Sun, Sep 27, 2009 at 5:46 PM, Harish Chakravarthy <harishvc@gmail.com> wrote:
> Hello Everyone,
>
> Below is my Php test script (minor modifications to Zdenek's script). This test
> script works from command line but not from the web. "TLS connect failed!" is my
> error message when I execute the script via web. Any assistance is welcome.
>
> Also my environment is Php using OpenLDAP on Solaris 10 connecting to Active
> Directory.
>
> <?php
> define('MYLDAP_HOST', 'ldap://my.server');
> define('MYLDAP_PORT', 389);
> define('MYLDAP_BINDDN', 'CN=something,OU=Users,OU=Administration,DC=edu');
> define('MYLDAP_PSWD', 'something');
>
> # Required for working via command line
> putenv('LDAPTLS_REQCERT=never') or die('Failed to setup the env');
>
> $ldapConn = ldap_connect(MYLDAP_HOST, MYLDAP_PORT);
> if (!$ldapConn) {
>        exit("Unable to connect to LDAP server");
> }
> if (!ldap_set_option($ldapConn, LDAP_OPT_PROTOCOL_VERSION, 3)) {
>        exit("Unable to set protocol version to v3");
> }
> # Upgrade the plain port-389 session to TLS before sending credentials
> $tls = ldap_start_tls($ldapConn);
> if (!$tls) { exit("TLS connect failed!"); }
> $ldapBind = ldap_bind($ldapConn, MYLDAP_BINDDN, MYLDAP_PSWD);
> if (!$ldapBind) {
>        exit("LDAP Bind failed");
> }
>
> echo "Works!<br/>";
>
> ldap_unbind($ldapConn);
>
> return 0;
> ?>
>
> -Harish
>
> On Sat, Sep 26, 2009 at 1:04 AM, Zdenek Styblik <stybla@turnovfree.net> wrote:
> > Harish Chakravarthy wrote:
> > > Here is more information
> > > 1. I am binding to Active Directory from Solaris 10
> > > 2. My php_info gives configure options as './configure'
> > > '--prefix=/home/local/php-5.2.9' '--with-apxs2=/path/apache2/bin/apxs'
> > > '--with-ldap' '--with-ldap-sasl' '--with-openssl=/usr/local/ssl'
> > > '--with-mysql=/usr/local/mysql/' '--with-gd'
> > > 3. The PATH & LD_LIBRARY_PATH listed via php_info on the browser has
> > > exactly the same settings as my user account (that executes the script
> > > from command line)
> > > 4. I have a ldap.conf file inside /opt/csw/etc/openldap . However this
> > > file is not being used by the script (command line or web). I rename the
> > > file and nothing changes!
> > > 5. I have apache compiled for mod_ssl
> > >
> > > Should I recompile Apache with mod_ldap or any additional modules - I am
> > > using a PHP script on my webserver to gather login & password to
> > > authenticate against Active Directory?
> > >
> > > Thanks again for your time.
> > >
> > > -Harish
> >
> > Also, does TLS work with LDAP itself?
> > There is also a comment at php.net which says:
> >
> > > If your version was linked against the OpenLDAP libraries, you may
> > > want to look at the ldap.conf file for more information about specifying
> > > SSL/TLS behavior. Apparently, the settings in ldap.conf make a difference
> > > in the way SSL/TLS is handled by PHP.
> >
> > Please, check >> http://marc.info/?l=php-windows&m=116127873321748&w=2
> >
> > Zdenek
> >
> > --
> > Zdenek Styblik
> > Net/Linux admin
> > OS TurnovFree.net
> > email: stybla@turnovfree.net
> > jabber: stybla@jabber.turnovfree.net
> >
> > > On Thu, Sep 24, 2009 at 5:59 AM, Zdenek Styblik <stybla@turnovfree.net> wrote:
> > >
> > >     Harish Chakravarthy wrote:
> > >     > Hello Everyone,
> > >     >
> > >     > Greetings.
> > >     >
> > >     > I am unable to bind to active directory using TLS. I get the following
> > >     > error while executing my script via the browser
> > >     >
> > >     > /*PHP Warning:  ldap_start_tls() [function.ldap-start-tls]: Unable to
> > >     > start TLS: Connect error*/
> > >     >
> > >     > The same script when executed from the command line works!
> > >     >
> > >     > I have compiled PHP with flags --with-ldap  --with-ldap-sasl
> > >     > --with-openssl .
> > >     >
> > >     > Can you help me further troubleshoot this problem?
> > >     >
> > >     > Thanks
> > >     > Harish
> > >
> > >     And what has <?php php_info() ?> to say? I think there might be two .ini
> > >     files - one for command line and one for httpd php module. So, this one
> > >     for httpd might be missing:
> > >     extension=openssl.so
> > >     extension=ldap.so
> > >     <whatever is needed>
> > >
> > >     Regards,
> > >     Zdenek
> > >
> > >     --
> > >     Zdenek Styblik
> > >     Net/Linux admin
> > >     OS TurnovFree.net
> > >     email: stybla@turnovfree.net
> > >     jabber: stybla@jabber.turnovfree.net
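The test script in the thread only works from the CLI once LDAPTLS_REQCERT=never is set, and that setting makes libldap accept any server certificate, so anyone between the web server and the domain controller can terminate the StartTLS session and read the bind password. The following is an added example, not code from the thread or from the OpenLDAP or PHP projects: the same StartTLS-then-bind flow with certificate verification kept on, the TLS settings pinned from the script rather than left to whatever ldap.conf or environment the CLI and httpd happen to see, and the TLS-layer reason for a failure surfaced instead of the bare "Connect error". The host, bind DN, password and CA bundle path are placeholders; the per-handle LDAP_OPT_X_TLS_* options are those added around PHP 7.1 and are guarded with defined() so the script still runs on older PHP using the environment variables alone.

```php
<?php
// Added example, not code from the thread. Host, bind DN, password and the
// CA bundle path are placeholders; an Active Directory DC offering StartTLS
// on port 389 and a PEM file holding its issuing CA are assumed.
const MYLDAP_URI    = 'ldap://dc.example.edu:389';
const MYLDAP_BINDDN = 'CN=svc-web,OU=Users,OU=Administration,DC=example,DC=edu';
const MYLDAP_PSWD   = 'something';
const MYLDAP_CAFILE = '/etc/ssl/certs/ad-issuing-ca.pem';

/**
 * StartTLS on a plain LDAP session, then simple-bind inside the TLS layer.
 * Returns ['ok' => true] or ['ok' => false, 'stage' => ..., 'error' => ...]
 * so the CLI and httpd runs can be compared stage by stage.
 */
function ldapTlsBind(string $uri, string $dn, string $pw, string $cafile): array
{
    // libldap reads LDAPTLS_* (and ldap.conf) when the handle is created, so
    // these must be set before ldap_connect(). LDAPTLS_REQCERT=never, as used
    // in the thread, disables server-certificate checking; "demand" (libldap's
    // default) refuses StartTLS unless the certificate chains to LDAPTLS_CACERT
    // and its name matches the host in the URI.
    putenv('LDAPTLS_REQCERT=demand');
    putenv('LDAPTLS_CACERT=' . $cafile);

    $conn = ldap_connect($uri);
    if ($conn === false) {
        return ['ok' => false, 'stage' => 'connect', 'error' => 'malformed LDAP URI'];
    }
    // AD does not speak LDAPv2, and the StartTLS extended operation is v3-only.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);

    // Newer PHP exposes the same knobs per handle; set them when available so
    // the policy does not depend on which SAPI's environment the script runs in.
    if (defined('LDAP_OPT_X_TLS_REQUIRE_CERT')) {
        ldap_set_option($conn, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    }
    if (defined('LDAP_OPT_X_TLS_CACERTFILE')) {
        ldap_set_option($conn, LDAP_OPT_X_TLS_CACERTFILE, $cafile);
    }

    if (!@ldap_start_tls($conn)) {
        $diag = '';
        if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
            // Carries the TLS-layer text (untrusted issuer, host name mismatch,
            // OpenSSL library error) that "Connect error" on its own hides.
            ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        }
        $err = ldap_error($conn) . ($diag !== '' ? " ($diag)" : '');
        return ['ok' => false, 'stage' => 'starttls', 'error' => $err];
    }

    // Only here does the password go on the wire, and only inside TLS.
    if (!@ldap_bind($conn, $dn, $pw)) {
        return ['ok' => false, 'stage' => 'bind', 'error' => ldap_error($conn)];
    }
    ldap_unbind($conn);
    return ['ok' => true];
}

$r = ldapTlsBind(MYLDAP_URI, MYLDAP_BINDDN, MYLDAP_PSWD, MYLDAP_CAFILE);
if (!$r['ok']) {
    // error_log() reaches stderr under the CLI and the httpd error log under
    // mod_php, so the same script is diagnosable in both places.
    error_log("{$r['stage']} failed: {$r['error']}");
    exit(1);
}
echo "Works!\n";
```

Run it once with the CLI and once through httpd. If only the httpd run fails at the starttls stage and the diagnostic message names an OpenSSL error rather than a certificate problem, compare the `ldd` output of mod_ssl.so and of the PHP Apache module: two different libssl/libcrypto builds loaded into the same httpd process is the mismatch the thread ends on, and it never shows up from the CLI because mod_ssl is not loaded there.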


