LDAP and PHP connection failure

Backend · Unresolved · 7 answers · 852 views
予麋鹿 2020-12-15 21:25

I am trying to connect to a secure LDAP server (using LDAPS) via PHP, but I am having problems with it. I get the following error:

Warning: ldap_bind()

7 answers
  • 2020-12-15 21:30

    On UNIX "man ldap.conf" = ... SYNOPSIS /usr/local/etc/openldap/ldap.conf ...

    Write TLS_REQCERT never in /usr/local/etc/openldap/ldap.conf and set ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)

    This works in my project on Nginx+PHP-fpm: nginx/1.6.0 php55-5.5.15 php55-ldap-5.5.15 openldap-client-2.4.39_1

  • 2020-12-15 21:32

    What saved my day after reading and trying out solutions from all over the web and SO was to use an ldaps URI without the port specified in it.

    So instead of this: ldaps://example.com:636 I had to use this: ldaps://example.com and it now works like a charm.

    I was setting this up on Ubuntu 16.04 with PHP 7.3 running through Nginx and php-fpm.

    A full code example:

    try {
        $ldapUri = "ldaps://example.com";   // no :636 suffix, see above
        $ldapUsername = 'username';
        $ldapPassword = 'password';
        $ldapConn = ldap_connect($ldapUri);
        if ($ldapConn) {
            ldap_set_option($ldapConn, LDAP_OPT_NETWORK_TIMEOUT, 10);

            if (!ldap_set_option($ldapConn, LDAP_OPT_PROTOCOL_VERSION, 3)) {
                print 'Failed to set ldap protocol to version 3<br>';
            }
            ldap_set_option($ldapConn, LDAP_OPT_REFERRALS, 0);
            // fixed: the original passed the undefined variable $ldapPass here
            $ldapBind = ldap_bind($ldapConn, $ldapUsername, $ldapPassword);
            if ($ldapBind) {
                echo "LDAP bind successful...";
                //DO LDAP search and stuff
                ldap_unbind($ldapConn);
            } else {
                // ldap_error() gives the reason (e.g. "Can't contact LDAP server")
                echo "LDAP bind failed: " . ldap_error($ldapConn);
            }
        }
    } catch (Exception $e) {
        print($e->getMessage());   // fixed: closing parenthesis was missing
    }
    
  • 2020-12-15 21:32

    Try to enable "anonymous binds" on your LDAP server or use a correct bind (username / password),

    like cn=ldapauthuser,ou=accounts,dc=example,dc=com

  • 2020-12-15 21:34

    Although old, I have encountered the same issue and wanted to provide some insight for future readers.

    Part of the problem was out-of-date OpenSSL libraries, 0.9.6 vs 1.0.0 (which worked).

    After updating OpenSSL on the server, it was noted that PHP lost support for OpenSSL.

    You can check support for modules with the following from the command line:

    php -m 
    

    Or

    phpinfo(INFO_MODULES);   // phpinfo() prints directly and returns true, so no echo
    

    From the browser.

    Also, there have been a lot of issues with SSL Support for LDAP when using the OCI8/Oracle LDAP libs in my professional experience. On Debian platforms, Libldap-2.4.2-dev packages work best.

    Additionally, you should look at the connection logs on the LDAP server. I can almost guarantee that you will see an error referring to SSLv3 and missing a CA for the certificate.

    By default, PHP looks for the CA file on UNIX systems in the directory below; make sure it is readable by the PHP invoker (user via cli, Apache user, etc.):

    /etc/pki/CA
    

    This is not necessarily a PHP issue, but a configuration issue with Secure LDAP. Please see this PHP bug report and this OpenLDAP thread.

    The OpenLDAP thread above has a snippet of a working OpenLDAP config for reference.

    Some other things to check are your service definitions in /etc/services. Make sure you have the following:

    ldaps           636/tcp                         # LDAP over SSL
    ldaps           636/udp
    
  • 2020-12-15 21:35

    The problem is not related to the actual binding process (invalid credentials) as the warning would be a different one if the LDAP server could not authenticate your credentials. But as Paul Dixon noted the use of ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3) should be required - even though I don't think that this is the cause of your problems.

    • Which LDAP server type are you connecting to? OpenLDAP, Active Directory or something else?
    • What's the operating system of the computer running your PHP program?
    • Are you using a self-signed SSL certificate on the LDAP server and is the certificate authority for the given certificate trusted by the machine running your PHP program?
    • Which port does the LDAP server run on? 636 would be the "official" port for LDAPS. Perhaps you can add the port explicitly to the server address: ldaps://<<server>>:636.

    ext/ldap has some issues with SSL/TLS secured connections. You can try to add

    TLS_REQCERT never
    

    to the ldap.conf (/etc/ldap.conf or /etc/ldap/ldap.conf on *nix-based systems) or for Windows machines create a ldap.conf with the above content in C:\OpenLDAP\sysconf\ldap.conf (the path must be an exact match as it's hard-coded into the extension).

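Several answers above work around the warning with TLS_REQCERT never. That setting makes the client accept any server certificate, so the connection is encrypted but the server is no longer authenticated. As an added example that is not from this thread, the following PHP script keeps verification on instead: it sets the CA bundle and the certificate requirement per connection through ldap_set_option (LDAP_OPT_X_TLS_CACERTFILE and LDAP_OPT_X_TLS_REQUIRE_CERT, available since PHP 7.1), runs the preflight checks answer 4 suggests (extension loaded, CA file readable by the PHP process), and turns a failed bind into the real error code plus the server's diagnostic message so a TLS failure can be told apart from bad credentials. The hostname, CA path, bind DN and the LDAP_BIND_PASSWORD environment variable are assumptions; on PHP builds older than 7.1 the same two settings go into ldap.conf (TLS_CACERT / TLS_REQCERT demand) or the LDAPTLS_CACERT / LDAPTLS_REQCERT environment variables.

```php
<?php
// Added example, not code from the thread: LDAPS bind with the server
// certificate verified instead of "TLS_REQCERT never". All server details
// below are placeholders.
declare(strict_types=1);

$ldapUri      = 'ldaps://ldap.example.com';            // assumed; no port, 636 is implied
$caFile       = '/etc/ssl/certs/example-ldap-ca.pem';  // assumed; CA that signed the server cert
$bindDn       = 'cn=ldapauthuser,ou=accounts,dc=example,dc=com'; // assumed service account
$bindPassword = getenv('LDAP_BIND_PASSWORD') ?: '';    // assumed env var; never hard-code it

function ldapPreflight(string $caFile): void
{
    // ext/ldap must be compiled in (compare "php -m" in the answer above).
    if (!extension_loaded('ldap')) {
        throw new RuntimeException('ext/ldap is not loaded; check "php -m"');
    }
    // The CA bundle must be readable by the user PHP runs as
    // (CLI user, www-data under php-fpm, the Apache user, ...).
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file $caFile is missing or not readable by the PHP process");
    }
}

function ldapConnectVerified(string $uri, string $caFile)
{
    // ldap_connect() only parses the URI; the TCP+TLS handshake happens on
    // the first operation, so every option must be set before ldap_bind().
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("ldap_connect() rejected URI $uri");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 10);

    // Per-connection equivalent of these ldap.conf lines:
    //   TLS_CACERT  /etc/ssl/certs/example-ldap-ca.pem
    //   TLS_REQCERT demand
    // LDAP_OPT_X_TLS_NEVER (= "TLS_REQCERT never") would accept any certificate.
    if (!ldap_set_option($ds, LDAP_OPT_X_TLS_CACERTFILE, $caFile)
        || !ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND)) {
        throw new RuntimeException('TLS options rejected; needs PHP >= 7.1 built against the OpenLDAP client');
    }
    return $ds;
}

function ldapBindOrExplain($ds, string $dn, string $password): void
{
    // A simple bind with an empty password is treated as an anonymous bind by
    // most servers and "succeeds" without authenticating anyone.
    if ($password === '') {
        throw new RuntimeException('refusing to bind with an empty password');
    }
    // Silence the E_WARNING from the question and report the cause ourselves.
    if (@ldap_bind($ds, $dn, $password)) {
        return;
    }
    $errno = ldap_errno($ds);
    $msg   = ldap_error($ds);
    $diag  = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    // -1 "Can't contact LDAP server" is how a failed TLS handshake (untrusted
    // CA, hostname mismatch) surfaces in PHP; 49 "Invalid credentials" means
    // TLS worked and the DN/password is wrong.
    throw new RuntimeException(sprintf('ldap_bind failed: [%d] %s %s', $errno, $msg, $diag));
}

try {
    ldapPreflight($caFile);
    $ds = ldapConnectVerified($ldapUri, $caFile);
    ldapBindOrExplain($ds, $bindDn, $bindPassword);
    echo "LDAPS bind OK with certificate verification\n";
    ldap_unbind($ds);
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

If this script fails with error -1 while a client configured with TLS_REQCERT never succeeds, the certificate chain is the problem: either the CA file does not contain the issuer of the server certificate, or the name in the URI does not match the certificate's subject/SAN. Fix that on the server or CA side rather than switching verification off.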
  • 2020-12-15 21:41

    I think you just need to set the ldap protocol version to be 3

    echo "<h3>LDAP query test</h3>";
    echo "Connecting ...";

    // helper used below; it was not shown in the original snippet
    function fatal_error($msg)
    {
        die("<h4>" . htmlspecialchars($msg) . "</h4>");
    }

    $ldap_server = 'ldaps://server';
    $ldap_port = '636';

    // with an ldaps:// URI the separate port argument is ignored (and deprecated
    // since PHP 8.3); put a non-default port into the URI instead
    $ds = ldap_connect($ldap_server, $ldap_port);

    if ($ds)
    {
        //add this
        if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3))
        {
            fatal_error("Failed to set LDAP Protocol version to 3, TLS not supported.");
        }
        echo "<br><br>Binding ...";
        $r = ldap_bind($ds);     // this is an "anonymous" bind, typically
                                 // read-only access
        echo "Bind result is " . var_export($r, true) . "<br />";
        if (!$r)
        {
            fatal_error("Anonymous bind refused: " . ldap_error($ds));
        }

        echo "Searching for (uid=username*) ...";
        // search by uid prefix under the people subtree
        $sr = ldap_search($ds, "ou=people,o=server.ca,o=server", "uid=username*");
        if (!$sr)
        {
            fatal_error("Search failed: " . ldap_error($ds));
        }

        echo "Number of entries returned is " . ldap_count_entries($ds, $sr) . "<br />";

        echo "Getting entries ...<p>";
        $info = ldap_get_entries($ds, $sr);
        echo "Data for " . $info["count"] . " items returned:<p>";

        print_r($info);
        //    for ($i=0; $i<$info["count"]; $i++) {
        //        echo "dn is: " . $info[$i]["dn"] . "<br />";
        //        echo "first cn entry is: " . $info[$i]["cn"][0] . "<br />";
        //        echo "first email entry is: " . $info[$i]["mail"][0] . "<br /><hr />";
        //    }

        echo "Closing connection";
        ldap_close($ds);

    }
    else
    {
        echo "<h4>Unable to connect to LDAP server</h4>";
    }
    
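The answer above builds its search filter from a literal. As an added example that is not from this thread and goes one step beyond it, the following PHP search takes the uid from input, escapes it with ldap_escape() so filter metacharacters such as `*` or `)(` cannot widen the query, asks the server only for the attributes it needs with a size and time limit, and flattens the count-laden array that ldap_get_entries() returns (the structure the commented-out loop above walks). Server, base DN, bind DN and the LDAP_BIND_PASSWORD environment variable are assumptions.

```php
<?php
// Added example, not code from the thread: authenticated search with an
// escaped filter and a safe walk over ldap_get_entries(). Server details
// are placeholders.
declare(strict_types=1);

/**
 * Build a filter for a login name without letting the caller inject filter
 * syntax. "*" or ")(uid=admin" typed into $login matches literally (or
 * nothing) instead of widening the query.
 */
function uidFilter(string $login): string
{
    return '(&(objectClass=person)(uid=' . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . '))';
}

/**
 * Convert the array from ldap_get_entries() into a plain list of
 * ['dn' => ..., 'cn' => ..., 'mail' => ...]; missing attributes become null.
 * ldap_get_entries() lowercases attribute names and stores each attribute as
 * ['count' => n, 0 => first value, ...].
 */
function flattenEntries(array $entries, array $attrs): array
{
    $out = [];
    for ($i = 0; $i < $entries['count']; $i++) {
        $row = ['dn' => $entries[$i]['dn']];
        foreach ($attrs as $attr) {
            $row[$attr] = $entries[$i][$attr][0] ?? null;
        }
        $out[] = $row;
    }
    return $out;
}

function findUsers($ds, string $baseDn, string $login): array
{
    $attrs = ['cn', 'mail'];
    // attributes, attrsonly=0, sizelimit=50, timelimit=10s
    $sr = ldap_search($ds, $baseDn, uidFilter($login), $attrs, 0, 50, 10);
    if ($sr === false) {
        throw new RuntimeException('ldap_search failed: ' . ldap_error($ds));
    }
    return flattenEntries(ldap_get_entries($ds, $sr), $attrs);
}

// --- usage with assumed server details ---
$password = getenv('LDAP_BIND_PASSWORD');        // assumed env var
if ($password === false || $password === '') {
    fwrite(STDERR, "LDAP_BIND_PASSWORD not set; an empty password would be an anonymous bind\n");
    exit(1);
}
$ds = ldap_connect('ldaps://ldap.example.com');  // assumed host
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
if (!@ldap_bind($ds, 'cn=ldapauthuser,ou=accounts,dc=example,dc=com', $password)) {
    fwrite(STDERR, 'bind failed: ' . ldap_error($ds) . "\n");
    exit(1);
}
// first CLI argument is the login to look up; defaults to a placeholder
foreach (findUsers($ds, 'ou=people,dc=example,dc=com', $argv[1] ?? 'jdoe') as $u) {
    printf("%s\t%s\t%s\n", $u['dn'], $u['cn'] ?? '-', $u['mail'] ?? '-');
}
ldap_unbind($ds);
```

Run it as `php search.php 'jdoe'` and then as `php search.php '*'`: the second call returns nothing rather than every person in the subtree, which is the difference ldap_escape() makes.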