phpldapadmin cannot connect to the LDAP server using ldaps

Update

I have been able to reproduce the problem on a small scale with a simple PHP script that attempts an LDAP bind. That script gave me more debugging output, which let me identify the actual problem. I am therefore rewriting this question.

Scenario

I am trying to set up an LDAP environment on my Debian Wheezy server.
I want to secure communication with the server using a valid SSL certificate (meaning one that is not self-signed).
I am using a self-compiled version of OpenLDAP, because the latest version in the Debian repositories does not support SHA2 password hashing.

Problem details

I can use this simple PHP script to attempt a bind to my LDAP server.

    <?php
    error_reporting(E_ALL);
    ini_set('display_errors', 'On');

    /* if I remove this, it doesn't work */
    putenv('LDAPTLS_CACERT=/path/to/my/root.ca');

    $uri = 'ldaps://localhost';

    /* libldap debug output ends up in the Apache error log */
    if (!ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7)) {
        die("log level option failed\n");
    }

    $ldap = ldap_connect($uri) or die('connect failed');

    if (!ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3)) {
        die("protocol version set failed\n");
    }
    if (!ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0)) {
        die("referrals option set failed\n");
    }

    $dn = 'cn=root,dc=domain,dc=tld';
    $pw = '...';
    $bind = ldap_bind($ldap, $dn, $pw);

    if ($bind) {
        echo "bind succeeded\n";
    } else {
        echo "bind failed\n";
    }
    ldap_close($ldap);
    echo '<p>blubb</p>';
    ?>

The bind fails, and the script produces the following messages in my Apache error log:

    ldap_create
    ldap_url_parse_ext(ldaps://localhost)
    ldap_bind_s
    ldap_simple_bind_s
    ldap_sasl_bind_s
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP localhost:636
    ldap_new_socket: 20
    ldap_prepare_socket: 20
    ldap_connect_to_host: Trying 127.0.0.1:636
    ldap_pvt_connect: fd: 20 tm: -1 async: 0
    TLS: peer cert untrusted or revoked (0x42)
    TLS: can't connect: (unknown error code).
    ldap_err2string

So this is clearly a certificate problem. My guess is that, for some reason, the PHP LDAP library does not find/use my ldap.conf (located in /usr/local/etc/openldap) and therefore does not use the TLS_CACERT provided there.
I tried symlinking /usr/local/etc/openldap/ldap.conf to /etc/openldap/ldap.conf, which is usually the default location. Sadly, that did not work either.

Update: I was able to get it working by putting

 putenv('LDAPTLS_CACERT=/path/to/my/root.ca'); 

inside my script. This confirms that PHP does not use my ldap.conf. Would it be reasonable to put this environment variable in my phpldapadmin configuration?

Other, non-PHP LDAP client tools such as ldapsearch work perfectly.

Does anyone have an idea what could cause the PHP LDAP client library to not find/use my ldap.conf?

System configuration

slapd.conf

    cat /usr/local/etc/openldap/slapd.conf
    include /usr/local/etc/openldap/schema/core.schema
    include /usr/local/etc/openldap/schema/cosine.schema
    include /usr/local/etc/openldap/schema/inetorgperson.schema

    pidfile /var/run/slapd/slapd.pid
    argsfile /var/run/slapd/slapd.args

    # self-compiled to enable SHA2 password hash support
    modulepath /usr/local/lib
    moduleload pw-sha2.so

    database bdb
    suffix "dc=domain,dc=tld"
    rootdn "cn=root,dc=domain,dc=tld"
    cachesize 2000
    # Use this command to generate a SHA512 hash:
    # slappasswd -o module-path=/usr/local/lib -o module-load=pw-sha2.so -h "{SSHA512}"
    rootpw {SSHA512}...
    directory /var/ldap
    mode 0600

    # Indices to maintain
    index objectClass eq
    index cn pres,eq

    ###############################################################################
    # Logging stuff
    ###############################################################################
    loglevel 488

    ###############################################################################
    # TLS stuff
    ###############################################################################
    TLSCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    TLSCertificateFile path to certificate file
    TLSCertificateKeyFile path to key file
    TLSCACertificateFile path to CA certificate file
    TLSVerifyClient never

    ###############################################################################
    # LDAP security stuff
    ###############################################################################
    password-hash {SSHA512}
    security update_tls=256 ssf=256
    require authc bind

    ###############################################################################
    # ACLs
    ###############################################################################
    # enable users to change their own password. Everyone else can only use it for auth
    #access to * by *
    access to attrs=userPassword
        by self write
        by * auth

slapd start parameters

    ps aux | grep slapd
    ldap  4801  0.0  0.0  73612  7924 ?  Ssl  07:19  0:00 /usr/local/bin/slapd -h ldaps://127.0.0.1:636 -g ldap -u ldap -f /usr/local/etc/openldap/slapd.conf

ldap.conf

    cat /usr/local/etc/openldap/ldap.conf
    BASE dc=domain,dc=tld
    URI ldaps://127.0.0.1:636
    #TLS_REQCERT never
    TLS_CACERT path to CA certificate file

phpldapadmin config.php (all comments removed)

    <?php
    $config->custom->debug['level'] = 255;
    $config->custom->debug['syslog'] = true;
    $config->custom->appearance['friendly_attrs'] = array(
        'facsimileTelephoneNumber' => 'Fax',
        'gid'                      => 'Group',
        'mail'                     => 'Email',
        'telephoneNumber'          => 'Telephone',
        'uid'                      => 'User Name',
        'userPassword'             => 'Password'
    );
    $config->custom->modify_member['attr'] = 'dn';

    $servers = new Datastore();
    $servers->newServer('ldap_pla');
    $servers->setValue('server','name','domain.tld LDAP server');
    /* according to documentation port must be provided in URI and server->port
     * must be 0 when using ldaps */
    $servers->setValue('server','host','ldaps://127.0.0.1:636');
    $servers->setValue('server','port',0);
    $servers->setValue('server','base',array('dc=domain,dc=tld'));
    $servers->setValue('login','auth_type','session');
    $servers->setValue('login','bind_id','cn=root,dc=domain,dc=tld');
    /* no need to enable this, if ldap is running on port 636 with ldaps:// */
    $servers->setValue('server','tls',false);
    $servers->setValue('login','anon_bind',false);
    ?>

LDAP database content (just getting started ;))

    slapcat
    dn: dc=domain,dc=tld
    dc: domain
    objectClass: dcObject
    objectClass: organizationalUnit
    structuralObjectClass: organizationalUnit
    entryUUID: c2dc8e83-77a6-47ca-b245-f74636aca48f
    creatorsName: cn=root,dc=domain,dc=tld
    createTimestamp: 20140928123911Z
    ou: domain.tld
    entryCSN: 20140929080227.350590Z#000000#000#000000
    modifiersName: cn=root,dc=domain,dc=tld
    modifyTimestamp: 20140929080227Z

What I tried

To make sure this is not an SSL configuration problem, I ran:

    openssl s_client -connect localhost:636 -CAfile /path/to/CA_certificate.file -verify 5
    CONNECTED(00000003)
    depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
    verify return:1
    depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
    verify return:1
    depth=0 description = BNw48VehLnkei38O, C = DE, CN = domain.tld, emailAddress = [email protected]
    verify return:1
    ---
    Certificate chain
     0 s:/description=<stripped>/C=DE/CN=domain.tld/[email protected]
       i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
     1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
       i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
     2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
       i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    <stripped>
    -----END CERTIFICATE-----
    subject=/description=BNw48VehLnkei38O/C=DE/CN=domain.tld/[email protected]
    issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 5739 bytes and written 891 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : AES256-GCM-SHA384
        Session-ID: <stripped>
        Session-ID-ctx:
        Master-Key: <stripped>
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
        <stripped>

        Start Time: 1412055431
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)

ldapsearch works perfectly:

    su www-data -c 'ldapsearch -H "ldaps://localhost" -b "dc=domain,dc=tld" -s base "dc=domain,dc=tld" -D "cn=root,dc=domain,dc=tld" -w"<stripped>" -v -d256'
    ldap_initialize( ldaps://localhost:636/??base )
    filter: dc=domain,dc=tld
    requesting: All userApplication attributes
    # extended LDIF
    #
    # LDAPv3
    # base <dc=domain,dc=tld> with scope baseObject
    # filter: dc=domain,dc=tld
    # requesting: ALL
    #

    # search result
    search: 2
    result: 0 Success

    # numResponses: 1

Versions

These are the versions of the relevant packages I am using:

OpenLDAP (self-compiled)

    slapd -V
    @(#) $OpenLDAP: slapd 2.4.39 (Sep 28 2014 22:28:35)

PHP

    php --version
    PHP 5.4.4-14+deb7u14 (cli) (built: Aug 21 2014 08:36:44)

Apache

    apache2 -v
    Server version: Apache/2.2.22 (Debian)
    Server built:   Jul 24 2014 15:34:00

phpldapadmin (from SID)

    cat /usr/share/phpldapadmin/VERSION
    RELEASE-1.2.2

Sorry for the long question. I hope someone can help me, because I am almost out of ideas.
Thanks in advance for any help!

OK, I was able to solve it.
I needed a symlink from /usr/local/etc/openldap/ldap.conf to /etc/ldap/ldap.conf.
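Both fixes on this page (the LDAPTLS_CACERT environment variable in the question's script, and the symlink into /etc/ldap in the answer) solve the same underlying problem: Debian's php5-ldap extension is linked against Debian's libldap, which reads /etc/ldap/ldap.conf, not the self-compiled OpenLDAP's /usr/local/etc/openldap/ldap.conf, so libldap never sees the TLS_CACERT line and rejects the server certificate as untrusted. The example below is added here and is not code from the question, the answer or phpldapadmin. It shows a bind helper that pins the CA explicitly from PHP, so it does not depend on which ldap.conf is found, and refuses to fall back to the commented-out "TLS_REQCERT never" in the question's ldap.conf, which would disable verification entirely. The function name, CA path, bind DN and the LDAP_BIND_PW environment variable are placeholders chosen for this example.

```php
<?php
// Added example (not from the question or phpldapadmin): bind to an ldaps:// server
// while telling libldap explicitly which CA to trust, instead of relying on whichever
// ldap.conf the PHP extension's libldap happens to read. Paths, the bind DN and the
// LDAP_BIND_PW environment variable are placeholders chosen for this example.

/**
 * Open an ldaps:// connection and bind, with certificate verification enforced.
 * Returns the connection handle on success or null on failure; libldap's
 * diagnostic text is written to $error.
 */
function secure_ldap_bind($uri, $bindDn, $password, $caFile, &$error)
{
    $error = null;

    if (!is_readable($caFile)) {
        $error = "CA file not readable: $caFile";
        return null;
    }
    // A DN with an empty password is an unauthenticated (anonymous) simple bind,
    // never what a login path wants: fail closed instead of silently "succeeding".
    if ($password === '') {
        $error = 'refusing empty password (would be an unauthenticated bind)';
        return null;
    }

    // Works on every PHP version, including the 5.4 on the question's host:
    // libldap reads LDAPTLS_CACERT from the environment when it builds its TLS context.
    putenv('LDAPTLS_CACERT=' . $caFile);

    // PHP >= 7.1 exposes the same setting, plus the verification policy, as options.
    // Setting them on NULL makes them libldap's global defaults before any connection opens.
    if (defined('LDAP_OPT_X_TLS_CACERTFILE')) {
        ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    }
    if (defined('LDAP_OPT_X_TLS_REQUIRE_CERT')) {
        // "demand": a server certificate that does not chain to $caFile aborts the handshake.
        // This is the opposite of "TLS_REQCERT never", which accepts any certificate.
        ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    }

    $ldap = ldap_connect($uri); // lazy: the TCP/TLS connection is opened at bind time
    if ($ldap === false) {
        $error = "malformed URI: $uri";
        return null;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    if (!@ldap_bind($ldap, $bindDn, $password)) {
        $error = ldap_error($ldap);
        // libldap's extended diagnostic (e.g. why TLS verification failed), PHP >= 7.1
        if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')
            && ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag)
            && $diag !== '') {
            $error .= ' (' . $diag . ')';
        }
        ldap_close($ldap);
        return null;
    }
    return $ldap;
}

// Usage with placeholder values; the host in the question would use its own CA path.
$ldap = secure_ldap_bind(
    'ldaps://localhost:636',
    'cn=root,dc=domain,dc=tld',
    getenv('LDAP_BIND_PW') ?: '',       // keep the password out of the source file
    '/usr/local/etc/openldap/root.ca',  // placeholder CA bundle path
    $error
);

if ($ldap === null) {
    fwrite(STDERR, "bind failed: $error\n");
    exit(1);
}
echo "bind succeeded\n";
ldap_close($ldap);
```

Run it as the web server user (su www-data -c 'php ...', as the question did for ldapsearch) so the CA file's permissions are tested under the same account Apache uses. If the bind still reports "peer cert untrusted or revoked", the CA file does not contain the full chain that openssl s_client showed as verified (root plus the Class 1 intermediate), which is a file-content problem rather than a config-location problem.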