使用PHP安全绑定到Active Directory的问题

I seem to be unable to use php to securely bind to Active Directory. Unencrypted connections work fine. Using other clients are able to securely bind, e.g. connecting using LDAPAdmin over SSL. What is the problem here? Is there some LDAP SSL module that I'm missing? How to securely bind to the server using php?

I noticed from phpinfo() that cURL has support for ldap/ldaps - what is a good example on utilizing this to perform secure bind in php? Is this a viable workaround?

phpinfo();

ldap
LDAP Support    enabled
RCS Version     $Id: ldap.c 293036 2010-01-03 09:23:27Z sebastian $
Total Links     0/unlimited
API Version     3001
Vendor Name     OpenLDAP
Vendor Version  20421
SASL Support    Enabled 

Attempting to bind to an Active Directory server using PHP Version 5.3.2-1ubuntu4.7 from Ubuntu 10.04 repo

$username = 'user';
$password = 'passwd';
$account_suffix = '@example.com';
$hostnameSSL = 'ldaps://ldap.example.com:636';
$hostnameTLS = 'ldap.example.com';
$portTLS = 389;

ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);

// Attempting fix from http://www.php.net/manual/en/ref.ldap.php#77553
putenv('LDAPTLS_REQCERT=never');

####################
# SSL bind attempt #
####################
// Attempting syntax from http://www.php.net/manual/en/function.ldap-bind.php#101445
$con =  ldap_connect($hostnameSSL);
if (!is_resource($con)) trigger_error("Unable to connect to $hostnameSSL",E_USER_WARNING);

// Options from http://www.php.net/manual/en/ref.ldap.php#73191
if (!ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3))
{
    trigger_error("Failed to set LDAP Protocol version to 3, TLS not supported",E_USER_WARNING);
}
ldap_set_option($con, LDAP_OPT_REFERRALS, 0);

if (ldap_bind($con,$username . $account_suffix, $password)) die('All went well using SSL');
ldap_close($con);

####################
# TLS bind attempt #
####################
$con =  ldap_connect($hostnameTLS,$portTLS);
ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($con, LDAP_OPT_REFERRALS, 0);
$encrypted = (ldap_start_tls($con));
if ($encrypted) ldap_bind($con,$username . $account_suffix, $password); // Unecrypted works, but don't want logins sent in cleartext
ldap_close($con);

#####################
# SASL bind attempt #
#####################
$con =  ldap_connect($hostnameTLS,$portTLS);
ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($con, LDAP_OPT_REFERRALS, 0);
ldap_sasl_bind($con, NULL, $password, 'DIGEST-MD5', NULL, $username. $account_suffix);
ldap_close($con);

All of the above fails. Errors from log:

ldap_create
ldap_url_parse_ext(ldaps://ldap.example.com:636)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.example.com:636
ldap_new_socket: 27
ldap_prepare_socket: 27
ldap_connect_to_host: Trying 1.1.1.1:636
ldap_pvt_connect: fd: 27 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x215380c0 msgid 1
wait4msg ld 0x215380c0 msgid 1 (infinite timeout)
wait4msg continue ld 0x215380c0 msgid 1 all 1
** ld 0x215380c0 Connections:
* host: ldap.example.com  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Mar 10 11:15:53 2011


** ld 0x215380c0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x215380c0 request count 1 (abandoned 0)
** ld 0x215380c0 Response Queue:
   Empty
  ld 0x215380c0 response count 0
ldap_chkResponseList ld 0x215380c0 msgid 1 all 1
ldap_chkResponseList returns ld 0x215380c0 NULL
ldap_int_select
read1msg: ld 0x215380c0 msgid 1 all 1
ldap_err2string
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP Warning:  ldap_bind() [<a href='function.ldap-bind'>function.ldap-bind</a>]: Unable to bind to server: Can't contact LDAP server in /..test.php on line 28
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP Stack trace:
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP   1. {main}() /..test.php:0
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP   2. ldap_bind() /..test.php:28
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 1 1
ldap_free_connection: actually freed
ldap_create
ldap_err2string
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP Warning:  ldap_start_tls() [<a href='function.ldap-start-tls'>function.ldap-start-tls</a>]: Unable to start TLS: Not Supported in /..test.php on line 37
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP Stack trace:
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP   1. {main}() /..test.php:0
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP   2. ldap_start_tls() /..test.php:37
ldap_create
ldap_sasl_interactive_bind_s: user selected: DIGEST-MD5
ldap_err2string
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP Warning:  ldap_sasl_bind() [<a href='function.ldap-sasl-bind'>function.ldap-sasl-bind</a>]: Unable to bind to server: Not Supported in /..test.php on line 47
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP Stack trace:
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP   1. {main}() /..test.php:0
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP   2. ldap_sasl_bind() /..test.php:47

Looking at ssl response:

>> openssl s_client -connect my.example.com:636 -prexit

(...)
SSL handshake has read 5732 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 111111111111111111111111
    Session-ID-ctx: 
    Master-Key: AAAAAAAAAAAAAAAAAAAAA
    Key-Arg   : None
    Start Time: 1299071105
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)

Results from 'strace php test.php' :

    write(2, "  refcnt: 2  status: Connected
", 31  refcnt: 2  status: Connected
    ) = 31
    write(2, "  last used: Tue Mar 15 10:59:19"..., 39  last used: Tue Mar 15 10:59:19 2011

    ) = 39
    write(2, "
", 1
    )                       = 1
    write(2, "** ld 0x954e0b8 Outstanding Requ"..., 38** ld 0x954e0b8 Outstanding Requests:
    ) = 38
    write(2, " * msgid 1,  origid 1, status In"..., 41 * msgid 1,  origid 1, status InProgress
    ) = 41
    write(2, "   outstanding referrals 0, pare"..., 43   outstanding referrals 0, parent count 0
    ) = 43
    write(2, "  ld 0x954e0b8 request count 1 ("..., 45  ld 0x954e0b8 request count 1 (abandoned 0)
    ) = 45
    write(2, "** ld 0x954e0b8 Response Queue:
", 32** ld 0x954e0b8 Response Queue:
    ) = 32
    write(2, "   Empty
", 9   Empty
    )               = 9
    write(2, "  ld 0x954e0b8 response count 0
", 32  ld 0x954e0b8 response count 0
    ) = 32
    write(2, "ldap_chkResponseList ld 0x954e0b"..., 48ldap_chkResponseList ld 0x954e0b8 msgid 1 all 1
    ) = 48
    write(2, "ldap_chkResponseList returns ld "..., 47ldap_chkResponseList returns ld 0x954e0b8 NULL
    ) = 47
    write(2, "ldap_int_select
", 16ldap_int_select
    )       = 16
    poll([{fd=3, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, -1) = 1 ([{fd=3, revents=POLLIN}])
    write(2, "read1msg: ld 0x954e0b8 msgid 1 a"..., 37read1msg: ld 0x954e0b8 msgid 1 all 1
    ) = 37
    read(3, "", 8)                          = 0
    write(2, "ldap_err2string
", 16ldap_err2string
    )       = 16
    write(2, "PHP Warning:  ldap_bind(): Unabl"..., 158PHP Warning:  ldap_bind(): Unable to bind to server: Can't contact LDAP server in

And I do have the /etc/ldap.conf fix with 'TLS_REQCERT never' - even though this fix is for a different error, which gives a fairly clear error message.

douqian2957
douqian2957 您的问题是整个互联网上最实用的手册!你让我今天一整天都感觉很好。但有一点可以改变。运行putenv('LDAPTLS_REQCERT=从不');对我的Windows机器上的sasl没有任何影响。
接近 4 年之前 回复
dongmu5815
dongmu5815 我试图升级到10.10,它发布了PHPVersion=>5.3.3-1ubuntu9.3-我仍然得到与上面相同的结果。
9 年多之前 回复
duanmu2941
duanmu2941 它有一些帮助,因为我试图在不同的机器上运行它,对着相同的ldap服务器,并且SSL绑定工作。这是一个使用php5.2的centos5服务器。调试输出也有一些TLS行,在ubuntu安装程序中缺少这些行。ubuntu的错误是什么,仍然没有我
9 年多之前 回复
douduo2407
douduo2407 您的示例在我的操作上运行得很好,在OSX上使用PHP5.3.3-dev,所以我认为问题不在您的代码中,如果这有帮助...
9 年多之前 回复

5个回答



由于我的代码在CentOS上运行良好,我得出的结论是问题不是特定于编程的。 我还没有能够在我的Ubuntu环境中运行它,但我认为这是我服务器软件中的一个错误。</ p>
</ div>

展开原文

原文

As my code is working fine with CentOS, I conclude that the problem is not programming specific. I have not been able to get it running in my Ubuntu environment as of yet, but I assume this is a bug in my server software.



您是否在PHP.net页面上看到关于某些证书存储上缺少权限的注释:</ p>

http://de3.php.net/manual/ en / function.ldap-connect.php </ p>


bleathem 27-Feb-2008 10:30
每个人都发布关于获取ldaps://工作的帖子 在一个WAMP / AD堆栈中,我很难找到如何在RHEL 5.1中获得它(带有所有股票rpms)。 好老的strace做了诀窍并帮助我找到了问题...原来php正在/ etc / pki / CA中寻找CA文件,而我对该文件夹没有正确的权限。 chmod'ing到755解决了我的“无法联系LDAP服务器”的消息。</ p>
</ blockquote>

所以也许这就是你的问题。 如果不是,你应该尝试使用strace或wireshark来捕获系统调用和网络传输,并找出问题所在。 其中一个将清楚地显示出来。</ p>
</ div>

展开原文

原文

Did you see the comment on the PHP.net page about missing permissions on some cert store that does this:

http://de3.php.net/manual/en/function.ldap-connect.php

bleathem 27-Feb-2008 10:30 Everyone is posting about getting ldaps:// working in a WAMP/AD stack, I had a tough time finding how to get it going in RHEL 5.1 (w/ all stock rpms). Good old strace did the trick and helped me find the problem... Turns out php was looking for the CA file in /etc/pki/CA, and I didn't have the correct permissions on the folder. chmod'ing it to 755 solved my "Can't contact LDAP server" message.

So maybe thats your issue too. If not you should give either strace or wireshark a try to catch the syscalls and network transmissions and figure out what goes wrong. One of the two will show it clearly.

dprh34164
dprh34164 strace中没有任何内容表示访问文件的权限问题。 我尝试在运行PHP 5.2的Centos 5上运行我的代码,该代码在同一个ldap服务器上工作正常。 但是出货的Ubuntu PHP版本在10.04版本中为桌面和服务器版本+ 10.10桌面版本提供了问题。 这几乎就像对ssl的支持完全没有从库中找到..任何好的方法来检查它?
9 年多之前 回复

this is how i do it:

<?php
    $username = ''; // username to check
    $password = ''; // password to check

/**
 * Is it an Active Directory?
 *
 * <pre>
 * true = yes
 *        set the following values:
 *        SDB_AUTH_LDAP_HOST
 *        SDB_AUTH_LDAP_SSL
 *        SDB_AUTH_LDAP_BASE
 *        SDB_AUTH_LDAP_SEARCH
 *        SDB_AUTH_LDAP_USERDOMAIN
 * false = no, you have to supply an hostname
 *         and configure the following values:
 *         SDB_AUTH_LDAP_HOST
 *         SDB_AUTH_LDAP_PORT
 *         SDB_AUTH_LDAP_SSL
 *         SDB_AUTH_LDAP_BASE
 *         SDB_AUTH_LDAP_SEARCH
 *         SDB_AUTH_LDAP_USERDOMAIN
 * </pre>
 * @see SDB_AUTH_LDAP_HOST
 */
define('SDB_AUTH_IS_AD', true);
/**
 * Domain name of the LDAP Host or of the AD-Domain
 */
define('SDB_AUTH_LDAP_HOST', 'your-domain.tld');
/**
 * LDAP Port?
 *
 * if {@link SDB_AUTH_IS_AD} = true, then the port will be read form DNS.
 */
define('SDB_AUTH_LDAP_PORT', '389');
/**
 * Use LDAPS (true) oder LDAP (false) connection?
 */
define('SDB_AUTH_LDAP_SSL', false);
/**
 * LDAP Base
 */
define('SDB_AUTH_LDAP_BASE', 'CN=Users,DC=your-domain.tld,DC=de');
/**
 * LDAP Search, to find a user
 *
 * %s will be replaced by the username.<br>
 * z.B. CN=%s
 */
define('SDB_AUTH_LDAP_SEARCH', '(&(sAMAccountName=%s)(objectclass=user)(objectcategory=person))');
/**
 * Die LDAP Domain des Benutzers
 *
 * if the username doesnt contain a domain append this domain to it.<br>
 * in case this is empty, nothing will be appended.
 */
define('SDB_AUTH_LDAP_USERDOMAIN', 'your-domain.tld');
/**
 * Path to LDAP Search
 *
 * Will give back better error messages
 * ( leave empty in case you don't want to have it. )
 */
define('SDB_AUTH_LDAP_SEARCHBIN', '/usr/bin/ldapsearch');




        $ldap_error_codes=array(
        '525' => 'Username doesnt exist.',
        '52e' => 'Wrong password.',
        '530' => 'You cannot login at this time.',
        '531' => 'You cannot login from this host.',
        '532' => 'Your password was expired.',
        '533' => 'Your account has been deactivated.',
        '701' => 'Your account was expired.',
        '773' => 'Please set another password (at your workstation) before you login.',
        '775' => 'Your account has been locked.',
        );


  if(SDB_AUTH_LDAP_SSL) $dcs=dns_get_record("_ldaps._tcp.".SDB_AUTH_LDAP_HOST, DNS_SRV); else $dcs=dns_get_record("_ldap._tcp.".SDB_AUTH_LDAP_HOST, DNS_SRV);
  shuffle($dcs);

  $_LDAP_ATTRS=array('cn', 'sn', 'description', 'givenName', 'distinguishedName', 'displayName', 'memberOf', 'name', 'sAMAccountName', 'sAMAccountType', 'objectClass', 'objectCategory');
  if(SDB_AUTH_LDAP_USERDOMAIN!='' && strstr($username, '@')===false) {
        $username=$username.'@'.SDB_AUTH_LDAP_USERDOMAIN;
  }
  $status=array();
  $status['CN']='';
  $status['displayName']='';
  $status['description']='';
  $status['distinguishedName']='';
  $status['groups']=array();
  $status['RC']=array();
  $status['connected']=false;
  $status['user_exists']=false;
  $status['is_in_team']=false;

foreach($dcs as $_LDAP_HOST) {
$_LDAP_PORT=$_LDAP_HOST['port'];
$_LDAP_HOST=$_LDAP_HOST['target'];
// check connection first ( http://bugs.php.net/bug.php?id=15637 )
$sock=@fsockopen($_LDAP_HOST, $_LDAP_PORT, $errno, $errstr, 1);
@fclose($sock);
if($errno!=0) continue;

// then do a "connect"... ( the real connect happens with bind )
$ds=@ldap_connect(( SDB_AUTH_LDAP_SSL ? "ldaps://" : "ldap://" ).$_LDAP_HOST.":".$_LDAP_PORT."/");
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
// are we connected? actually, this will always return true
if(is_resource($ds)) {
    $status['connected']=true;
    // login sucessful? actually also connection test
    if(@ldap_bind($ds, $username, $password)) {
        // search
        $sr=ldap_search($ds, SDB_AUTH_LDAP_BASE, sprintf(SDB_AUTH_LDAP_SEARCH, $usernode), $_LDAP_ATTRS);
        // suche successful?
        if(is_resource($sr)) {

            // fetch entries
            $info = ldap_get_entries($ds, $sr);
            if(isset($info['count']) && $info['count']>0) {
                $status['user_exists']=true;
            }
            // close search result
            ldap_free_result($sr);
            $status['CN']=$info[0]['cn'][0];
            $status['description']=$info[0]['description'][0];
            $status['displayName']=$info[0]['displayname'][0];
            $status['distinguishedName']=$info[0]['distinguishedname'][0];
            // is the user in the dexteam?
            for($i=0; $i<$info[0]['memberof']['count']; $i++) {
                $status['groups'][]=$info[0]['memberof'][$i];
                // IS IN TEAM CHECK 
                if(substr($info[0]['memberof'][$i], 0, strlen('CN=DexTeam,'))=='CN=DexTeam,') $status['is_in_team']=true; 
            }

            $status['RC']['code']=ldap_errno($ds);
            $status['RC']['string']=ldap_error($ds);
            ldap_close($ds);
            break;
        }
        else {
            $status['RC']['code']=ldap_errno($ds);
            $status['RC']['string']=ldap_error($ds);
            ldap_close($ds);
            break;
        }
    }
    else {
        $status['RC']['code']=ldap_errno($ds);
        $status['RC']['string']=ldap_error($ds);
        // do we want better error messages?
        if(SDB_AUTH_LDAP_SEARCHBIN!='' && is_executable(SDB_AUTH_LDAP_SEARCHBIN)) {
            $status['RC']['ldapsearchrc']='';
            $status['RC']['ldapsearchtxt']=array();
            exec(SDB_AUTH_LDAP_SEARCHBIN.' -x -H '.escapeshellarg(( SDB_AUTH_LDAP_SSL ? "ldaps://" : "ldap://" ).$_LDAP_HOST.":".$_LDAP_PORT."/").' -D '.escapeshellarg($username).' -w '.escapeshellarg($password).' 2>&1', $status['RC']['ldapsearchtxt'], $status['RC']['ldapsearchrc']);
            if($status['RC']['ldapsearchrc']!=0) {
                if(preg_match("/data ([^, ]+),/", $status['RC']['ldapsearchtxt'][1], $matches)) {
                    if(isset($ldap_error_codes[$matches[1]])) {
                        $status['RC']['code']=$matches[1];
                        $status['RC']['string']=$ldap_error_codes[$matches[1]];
                    }
                }
                unset($status['RC']['ldapsearchrc']);
                unset($status['RC']['ldapsearchtxt']);
            }
        }
        ldap_close($ds);
        break;
    }
}
else {
    continue;
}
}

did you enable the certificate? i know there was a problem, when the certifiacte gets refused. edit the "/etc/ldap/ldap.conf" and add "TLS_REQCERT never"

#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
TLS_REQCERT never

however, to me it works with ldap and ldaps:

  • it might be a configuration issue with the ad configuration. maybe lower certain security limitations...
  • OR it might be also a php / ldap lib issue. Try to update to newer versions :)
douxi8119
douxi8119 您的方法与我在“SSL绑定尝试”中尝试的方法完全相同 - 这在我的服务器环境中对我不起作用。
9 年多之前 回复



通过阅读以下PHP错误线程,我终于能够在我的Windows机器上运行:
http://bugs.php.net/bug.php?id=48866 </ p>

不幸的是,这是Windows特定的,但它让我至少在我的测试中朝着正确的方向前进(我知道它现在可以在我的网络服务器上使用PHP ...只要我有ldap.conf 配置正确)。 在使用PHP 5.3的Windows上,我需要将ldap.conf文件添加到我的C:驱动器的根目录中(我在网上看到的其他示例已经将它放在C:\ openldap \ sysconf中,但它无效)。</ p >

TLS仍然无法正常工作(它给我“无法启动tls:无法联系LDAP服务器”消息),但SSL似乎确实有效,我能够更新 我的测试脚本中的帐户密码。</ p>

我猜测ldap.conf文件只需要在我的网络服务器上进行类似设置,我希望能够开展业务(我是 只是不确定那个已经存在的那个是我需要修改的那个还是我需要创建一个额外的那个)。 我会看看我是否可以在这方面报道。</ p>
</ div>

展开原文

原文

I was finally able to get things working on my Windows machine by reading the following PHP bug thread: http://bugs.php.net/bug.php?id=48866

Unfortunately, this is Windows specific but it got me at least going in the right direction now in my testing (I know it should work from PHP now on my web server...so long as I have ldap.conf configured correctly). On Windows with PHP 5.3 I needed to add the ldap.conf file into the root of my C: drive (other examples I had seen online had been placing it in C:\openldap\sysconf which wasn't working).

TLS still doesn't work exactly (it gives me a "unable to start tls: can't contact LDAP server" message), but SSL does appear to be working and I was able to update a password for an account in my test script.

I'm guessing the ldap.conf file just needs to be setup similarly on my web server and I should hopefully be in business (I'm just not sure if the one that's already there is the one I need to modify or if I need to create an additional one). I'll see if I can report back on that front.

dongzhun4898
dongzhun4898 在Windows上,您还应该能够:putenv('LDAPTLS_REQCERT = never'); 而不是ldap.conf修复。 我也能在CentOS上运行它,所以我怀疑在某个地方为Ubuntu构建的apache / ldap / php中存在一个错误。
9 年多之前 回复
douganggu4392
douganggu4392 我只需要一个小小的打嗝就可以在我的网络服务器上运行。 首先,我发现ldap.conf文件直接位于/ etc中(/ etc / openldap中有另一个文件,但我认为这只是一个示例文件),并添加了TLS_REQCERT从不声明并重新启动Apache。 但是,这仍然给我带来了问题,但它似乎与我的Windows机器不同(当我尝试运行脚本时它会挂起)。 这个问题是由于我的csf防火墙阻止了传出的636端口。 一旦我打开它,它工作正常。 不知道Ubuntu有什么用,但我让它在RHEL / CentOS上工作。
9 年多之前 回复



您的Active Directory是否启用了LDAPS? 如果是这样,请将CA密钥的受信任根目录添加到受信任的根密钥库中。 </ p>
</ div>

展开原文

原文

Does your Active Directory have LDAPS enabled? If so, get the Trusted Root of the CA's key into the trusted root keystore.

duanhanzi8328
duanhanzi8328 缺少CA密钥的解决方法是设置/etc/ldap.conf指令:TLS_REQCERT never - 这不是问题
9 年多之前 回复
Csdn user default icon
上传中...
上传图片
插入图片
抄袭、复制答案,以达到刷声望分或其他目的的行为,在CSDN问答是严格禁止的,一经发现立刻封号。是时候展现真正的技术了!
立即提问