List: openldap-technical
Subject: Re: Unable to bind to active directory using TLS
From: Harish Chakravarthy <harishvc () gmail ! com>
Date: 2009-09-29 19:25:14
Message-ID: eefa9c230909291225m37200b3eqd5eb96628c70e438 () mail ! gmail ! com
Hello Everyone,

My problem is solved, yeah!

The openssl libraries used by Apache mod_ssl and PHP were different versions. I had to recompile Apache and PHP to use the same version and everything worked!

-Harish

On Sun, Sep 27, 2009 at 5:46 PM, Harish Chakravarthy <harishvc@gmail.com> wrote:
> Hello Everyone,
>
> Below is my PHP test script (minor modifications to Zdenek's script). This test
> script works from the command line but not from the web. "TLS connect failed!" is
> my error message when I execute the script via the web. Any assistance is welcome.
>
> Also my environment is PHP using OpenLDAP on Solaris 10 connecting to Active
> Directory.
>
> <?php
> define('MYLDAP_HOST', 'ldap://my.server');
> define('MYLDAP_PORT', 389);
> define('MYLDAP_BINDDN', 'CN=something,OU=Users,OU=Administration,DC=edu');
> define('MYLDAP_PSWD', 'something');
>
> # Required for working via command line
> putenv('LDAPTLS_REQCERT=never') or die('Failed to setup the env');
>
> $ldapConn = ldap_connect(MYLDAP_HOST, MYLDAP_PORT);
> if (!$ldapConn) {
>     exit("Unable to connect to LDAP server");
> }
> if (!ldap_set_option($ldapConn, LDAP_OPT_PROTOCOL_VERSION, 3)) {
>     exit("Unable to set protocol version to v3");
> }
> $tls = ldap_start_tls($ldapConn);
> if (!$tls) { exit("TLS connect failed!"); }
> $ldapBind = ldap_bind($ldapConn, MYLDAP_BINDDN, MYLDAP_PSWD);
> if (!$ldapBind) {
>     exit("LDAP Bind failed");
> }
>
> echo "Works!<br/>";
>
> ldap_unbind($ldapConn);
>
> return 0;
> ?>
>
> -Harish
>
> On Sat, Sep 26, 2009 at 1:04 AM, Zdenek Styblik <stybla@turnovfree.net> wrote:
>> Harish Chakravarthy wrote:
>>> Here is more information
>>> 1. I am binding to Active Directory from Solaris 10
>>> 2. My php_info gives configure options as './configure'
>>> '--prefix=/home/local/php-5.2.9' '--with-apxs2=/path/apache2/bin/apxs'
>>> '--with-ldap' '--with-ldap-sasl' '--with-openssl=/usr/local/ssl'
>>> '--with-mysql=/usr/local/mysql/' '--with-gd'
>>> 3. The PATH & LD_LIBRARY_PATH listed via php_info on the browser has
>>> exactly the same settings as my user account (that executes the script
>>> from the command line)
>>> 4. I have a ldap.conf file inside /opt/csw/etc/openldap . However this
>>> file is not being used by the script (command line or web). I rename the
>>> file and nothing changes!
>>> 5. I have apache compiled for mod_ssl
>>>
>>> Should I recompile Apache with mod_ldap or any additional modules - I am
>>> using a PHP script on my webserver to gather login & password to
>>> authenticate against Active Directory?
>>>
>>> Thanks again for your time.
>>>
>>> -Harish
>>>
>>
>> Also, does TLS work with LDAP itself?
>> There is also a comment at php.net which says:
>>
>>> If your version was linked against the OpenLDAP libraries, you may
>>> want to look at the ldap.conf file for more information about specifying
>>> SSL/TLS behavior. Apparently, the settings in ldap.conf make a difference
>>> in the way SSL/TLS is handled by PHP.
>>
>> Please, check >> http://marc.info/?l=php-windows&m=116127873321748&w=2
>>
>> Zdenek
>>
>> --
>> Zdenek Styblik
>> Net/Linux admin
>> OS TurnovFree.net
>> email: stybla@turnovfree.net
>> jabber: stybla@jabber.turnovfree.net
>>
>>>
>>>
>>> On Thu, Sep 24, 2009 at 5:59 AM, Zdenek Styblik <stybla@turnovfree.net> wrote:
>>>
>>> Harish Chakravarthy wrote:
>>>> Hello Everyone,
>>>>
>>>> Greetings.
>>>>
>>>> I am unable to bind to active directory using TLS. I get the following
>>>> error while executing my script via the browser
>>>>
>>>> /*PHP Warning: ldap_start_tls() [function.ldap-start-tls]: Unable to
>>>> start TLS: Connect error*/
>>>>
>>>> The same script when executed from the command line works!
>>>>
>>>> I have compiled PHP with flags --with-ldap --with-ldap-sasl
>>>> --with-openssl .
>>>>
>>>> Can you help me further troubleshoot this problem?
>>>>
>>>> Thanks
>>>> Harish
>>>>
>>>
>>> And what has <?php php_info() ?> to say? I think there might be two .ini
>>> files - one for command line and one for httpd php module. So, this one
>>> for httpd might be missing:
>>> extension=openssl.so
>>> extension=ldap.so
>>> <whatever is needed>
>>>
>>> Regards,
>>> Zdenek
>>>
>>> --
>>> Zdenek Styblik
>>> Net/Linux admin
>>> OS TurnovFree.net
>>> email: stybla@turnovfree.net
>>> jabber: stybla@jabber.turnovfree.net
>>>
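The test script in the thread only gets StartTLS working by setting LDAPTLS_REQCERT=never, which turns server certificate verification off, and reports the failure with nothing more than "TLS connect failed!". The following is an added example, not code from the thread, showing the same StartTLS bind with verification kept on and with the checks that the diagnosis above needed (which SAPI ran the script, which extensions that SAPI loaded, what the library says went wrong). It assumes PHP 7.1 or later with the ldap and openssl extensions, and the CA file path is a placeholder.

```php
<?php
// Added example (not from the thread): StartTLS bind with certificate verification on.
// Assumes PHP >= 7.1; host, DN, password and CA path below are placeholders.
const MYLDAP_HOST   = 'ldap://my.server';
const MYLDAP_PORT   = 389;
const MYLDAP_BINDDN = 'CN=something,OU=Users,OU=Administration,DC=edu';
const MYLDAP_PSWD   = 'something';               // placeholder; load from config, not source
const MYLDAP_CAFILE = '/path/to/ad-root-ca.pem'; // assumed path to the AD root CA

// The thread's first suspicion: the web SAPI loads a different php.ini than the CLI.
// Report that explicitly instead of failing later inside ldap_start_tls().
foreach (['ldap', 'openssl'] as $ext) {
    if (!extension_loaded($ext)) {
        exit("extension '$ext' is not loaded in SAPI '" . PHP_SAPI . "'; check its php.ini\n");
    }
}

// Verification settings instead of LDAPTLS_REQCERT=never. Set globally (null handle)
// before ldap_connect() so they do not depend on whichever ldap.conf is or is not read.
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, MYLDAP_CAFILE);
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

$conn = ldap_connect(MYLDAP_HOST, MYLDAP_PORT);
if (!$conn) {
    exit("Unable to connect to LDAP server\n");
}
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0); // AD returns referrals; do not chase them

if (!ldap_start_tls($conn)) {
    // Ask the library why, rather than printing only "TLS connect failed!".
    $diag = '';
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    exit("StartTLS failed: " . ldap_error($conn) . " (" . ($diag ?: 'no diagnostic') . ")\n");
}

if (!ldap_bind($conn, MYLDAP_BINDDN, MYLDAP_PSWD)) {
    exit("LDAP bind failed: " . ldap_error($conn) . "\n");
}
echo "Bind over StartTLS succeeded with the server certificate verified\n";
ldap_unbind($conn);
```

Run it once from the CLI and once through the web server: if the extension check fails only in one of them, the two SAPIs are using different php.ini files; if StartTLS fails with a certificate error, the CA file is wrong rather than the library build.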