我正在尝试使用PHP通过LDAP编辑Active Directory中的用户。 我的testing机器使用一个简单的WAMP设置,并没有连接到Windows域。 这台机器可以连接到域控制器上的LDAP就好,没有encryption。 经过反复尝试,我无法通过SSL进行连接,但是我能够使用TLS(ldap_start_tls)来更改用户密码,这是终极目标。 在testing框上没有问题。
实际的networking服务器虽然是域的成员,它拒绝工作。 与TLS的连接失败,并且域控制器报告schannel致命警报48,这意味着在cert链中存在不受信任的根CA. 我已经在Web服务器上安装了证书,并在Web服务器和DC上都安装了根CA证书,但无济于事。 我不确定该从哪里出发。
我究竟做错了什么? 为什么通过TLS的LDAP可以在域外的计算机上正常工作,但不在域的一部分上?
最近我一直在比较所有3台机器上的证书和链。 我发现的唯一区别是工作(非域)Web服务器和DC上的链是三个步骤:COMODO – > COMODO RSA域validation安全服务器CA – >我的证书域上的Web服务器是除了一切都向下移动一层,顶层证书说“USER信任”
这种差异是否导致了这个问题?
在非工作的Web服务器上validation原始证书文件上的命令:颁发者:
CN=COMODO RSA Domain Validation Secure Server CA O=COMODO CA Limited L=Salford S=Greater Manchester C=GB Subject: CN=cjtrainor.com OU=COMODO SSL Unified Communications OU=Domain Control Validated Cert Serial Number: bd4d0f693ab0104ac9f1b45003d6138d dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000) dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000) ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000) HCCE_LOCAL_MACHINE CERT_CHAIN_POLICY_BASE -------- CERT_CHAIN_CONTEXT -------- ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100) ChainContext.dwRevocationFreshnessTime: 3 Days, 16 Hours, 4 Minutes, 14 Seconds SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100) SimpleChain.dwRevocationFreshnessTime: 3 Days, 16 Hours, 4 Minutes, 14 Seconds CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0 Issuer: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB NotBefore: 6/8/2015 8:00 PM NotAfter: 11/1/2015 7:59 PM Subject: CN=cjtrainor.com, OU=COMODO SSL Unified Communications, OU=Domain Con trol Validated Serial: bd4d0f693ab0104ac9f1b45003d6138d SubjectAltName: DNS Name=cjtrainor.com, DNS Name=NewServer.cjtrainor.local, DN S Name=cjtrainor.local 41 fb 61 2e db f5 76 49 05 1e a9 73 66 cc 10 4a 71 6c 9a 15 Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2) Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100) CRL (null): Issuer: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limite d, L=Salford, S=Greater Manchester, C=GB 61 3b b6 5c 6f df 50 e7 9f 64 21 09 ab 11 8a f5 bc 11 5f 6c Issuance[0] = 1.3.6.1.4.1.6449.1.2.2.7 Issuance[1] = 2.23.140.1.2.1 Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0 Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB NotBefore: 2/11/2014 8:00 PM NotAfter: 2/11/2029 7:59 PM Subject: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited , L=Salford, S=Greater Manchester, C=GB Serial: 2b2e6eead975366c148a6edba37c8c07 33 9c dd 57 cf d5 b1 41 16 9b 61 5f f3 14 28 78 2d 1d a6 39 Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2) Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100) CRL (null): Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salfor d, S=Greater Manchester, C=GB ca e2 4c d2 71 15 63 f3 a9 0f 6a fb 8c 60 7f 73 6b b9 b6 79 Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0 Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB NotBefore: 1/18/2010 8:00 PM NotAfter: 1/18/2038 7:59 PM Subject: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford , S=Greater Manchester, C=GB Serial: 4caaf9cadb636fe01ff74ed85b03869d af e5 d2 44 a8 d1 19 42 30 ff 47 9f e2 f8 97 bb cd 7a 8c b4 Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4) Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8) Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100) Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing Application[4] = 1.3.6.1.5.5.7.3.8 Time Stamping Application[5] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System Application[6] = 1.3.6.1.5.5.7.3.6 IP security tunnel termination Application[7] = 1.3.6.1.5.5.7.3.7 IP security user Exclude leaf cert: 80 98 de 5e 8f 00 8a b8 19 21 23 cd 96 bd f4 ae a8 5c 9e cc Full chain: 9c 7b 73 21 92 d4 b7 70 36 52 f5 e8 9f cb 16 25 a6 6a b9 77 ------------------------------------ Verified Issuance Policies: 1.3.6.1.4.1.6449.1.2.2.7 2.23.140.1.2.1 Verified Application Policies: 1.3.6.1.5.5.7.3.1 Server Authentication 1.3.6.1.5.5.7.3.2 Client Authentication Cert is an End Entity certificate Leaf certificate revocation check passed CertUtil: -verify command completed successfully.
在正在运行的Web服务器上validation命令:
Issuer: CN=COMODO RSA Domain Validation Secure Server O=COMODO CA Limited L=Salford S=Greater Manchester C=GB Name Hash(sha1): 7ae13ee8a0c42a2cb428cbe7a605461 Name Hash(md5): 737301010f9ec759d54329bbb1553aa2 Subject: CN=cjtrainor.com OU=COMODO SSL Unified Communications OU=Domain Control Validated Name Hash(sha1): d75889ccf0886cb2b6873fedbdcf079 Name Hash(md5): a584a7d4ec9fb308a698d4921379f5bd Cert Serial Number: bd4d0f693ab0104ac9f1b45003d613 dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x2000000 dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000) ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXC HCCE_LOCAL_MACHINE CERT_CHAIN_POLICY_BASE -------- CERT_CHAIN_CONTEXT -------- ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERR ChainContext.dwRevocationFreshnessTime: 19 Hours, SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRE SimpleChain.dwRevocationFreshnessTime: 19 Hours, 1 CertContext[0][0]: dwInfoStatus=102 dwErrorStatus= Issuer: CN=COMODO RSA Domain Validation Secure S L=Salford, S=Greater Manchester, C=GB NotBefore: 6/8/2015 8:00 PM NotAfter: 11/1/2015 7:59 PM Subject: CN=cjtrainor.com, OU=COMODO SSL Unified trol Validated Serial: bd4d0f693ab0104ac9f1b45003d6138d SubjectAltName: DNS Name=cjtrainor.com, DNS Name S Name=cjtrainor.local 159a6c714a10cc6673a91e054976f5db2e61fb41 Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ CRL (null): Issuer: CN=COMODO RSA Domain Validation Secure d, L=Salford, S=Greater Manchester, C=GB ThisUpdate: 7/8/2015 8:26 PM NextUpdate: 7/12/2015 8:26 PM bf512c78f12e36d6fd4b8d7430d38b516c49368c Issuance[0] = 1.3.6.1.4.1.6449.1.2.2.7 Issuance[1] = 2.23.140.1.2.1 Application[0] = 1.3.6.1.5.5.7.3.1 Server Authen Application[1] = 1.3.6.1.5.5.7.3.2 Client Authen CertContext[0][1]: dwInfoStatus=102 dwErrorStatus= Issuer: CN=COMODO RSA Certification Authority, O S=Greater Manchester, C=GB NotBefore: 2/11/2014 8:00 PM NotAfter: 2/11/2029 7:59 PM Subject: CN=COMODO RSA Domain Validation Secure , L=Salford, S=Greater Manchester, C=GB Serial: 2b2e6eead975366c148a6edba37c8c07 39a61d2d782814f35f619b1641b1d5cf57dd9c33 Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ CRL (null): Issuer: CN=COMODO RSA Certification Authority, d, S=Greater Manchester, C=GB ThisUpdate: 7/8/2015 10:49 PM NextUpdate: 7/12/2015 10:49 PM 291aa1576538dd0005d5daf2bfc9c9695ad3d668 Application[0] = 1.3.6.1.5.5.7.3.1 Server Authen Application[1] = 1.3.6.1.5.5.7.3.2 Client Authen CertContext[0][2]: dwInfoStatus=10c dwErrorStatus= Issuer: CN=COMODO RSA Certification Authority, O S=Greater Manchester, C=GB NotBefore: 1/18/2010 8:00 PM NotAfter: 1/18/2038 7:59 PM Subject: CN=COMODO RSA Certification Authority, , S=Greater Manchester, C=GB Serial: 4caaf9cadb636fe01ff74ed85b03869d b48c7acdbb97f8e29f47ff304219d1a844d2e5af Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ Application[0] = 1.3.6.1.5.5.7.3.1 Server Authen Application[1] = 1.3.6.1.5.5.7.3.2 Client Authen Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing Application[4] = 1.3.6.1.5.5.7.3.8 Time Stamping Application[5] = 1.3.6.1.4.1.311.10.3.4 Encrypti Application[6] = 1.3.6.1.5.5.7.3.6 IP security t Application[7] = 1.3.6.1.5.5.7.3.7 IP security u Exclude leaf cert: 184db2fbca0995333804bb28f9d0cb6026978692 Full chain: 7dd2a6cd15b069fb11faca26f40bf48b2d7197a4 ------------------------------------ Verified Issuance Policies: 1.3.6.1.4.1.6449.1.2.2.7 2.23.140.1.2.1 Verified Application Policies: 1.3.6.1.5.5.7.3.1 Server Authentication 1.3.6.1.5.5.7.3.2 Client Authentication Cert is an End Entity certificate Leaf certificate revocation check passed CertUtil: -verify command completed successfully.