2015-02-23 151 views
2

我有一個外部web服務器,我正在遷移。我試圖通過LDAP在內部服務器上對Active Directory進行身份驗證。我能夠使用相同的代碼連接並從舊服務器(Ubuntu 8)進行身份驗證,但無法在新服務器上進行身份驗證(Redhat 7)。PHP LDAP連接無法聯繫LDAP服務器

外部服務器當前正在運行Redhat 7,運行PHP 5.4.16且啓用了LDAP支持(php-ldap)。

內部服務器當前是具有LDAP和Active Directory的Windows Server 2008框。

下面的代碼是我使用的當前PHP能夠連接舊服務器,但在新服務器上有問題。它基本上使用PHP的LDAP連接字符串並嘗試綁定。我用標識符替換了一些個人信息。 (用戶名,子域名等)

<?php 

$adServer = "ldaps://subdomain.domain.edu"; 

$ldap = ldap_connect($adServer); 
$username = 'USERNAME'; 
$password = 'PASS'; 

$ldaprdn = 'DOMAIN' . "\\" . $username; 

ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); 
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); 

$bind = @ldap_bind($ldap, $ldaprdn, $password); 


if ($bind) { 
    $filter="(sAMAccountName=$username)"; 
    $result = ldap_search($ldap,"dc=subdomain,dc=domain,dc=edu",$filter); 
    ldap_sort($ldap,$result,"sn"); 
    $info = ldap_get_entries($ldap, $result); 
    for ($i=0; $i<$info["count"]; $i++) 
    { 
     if($info['count'] > 1) 
      break; 
     echo "<p>You are accessing <strong> ". $info[$i]["sn"][0] .", " . $info[$i]["givenname"][0] ."</strong><br /> (" . $info[$i]["samaccountname"][0] .")</p>\n"; 
     echo '<pre>'; 
     var_dump($info); 
     echo '</pre>'; 
     $userDn = $info[$i]["distinguishedname"][0]; 
    } 
    @ldap_close($ldap); 
} else { 
    $msg = "Invalid email address/password"; 
    echo $msg; 
} 

?> 

在新服務器上,我能夠連接到LDAP服務器就好使用該ldapsearch命令:

ldapsearch -x -LLL -h sub-domain.domain.edu -D 'CN=DOMAIN\USERNAME' -w 'PASS' -b "dc=subdomain,dc=domain,dc=edu" -s sub "(objectClass=user)" givenName

這裏是我的ldap.conf的文件(/etc/openldap/ldap.conf,新的服務器)

# 
# LDAP Defaults 
# 

# See ldap.conf(5) for details 
# This file should be world readable but not world writable. 

#BASE dc=example,dc=com 
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666 

#SIZELIMIT  12 
#TIMELIMIT  15 
#DEREF   never 

#TLS_CACERTDIR /etc/openldap/certs 

# Turning this off breaks GSSAPI used with krb5 when rdns = false 
SASL_NOCANON on 
TLS_REQCERT never 

這是我在錯誤日誌(新服務器)獲取:

ldap_create 
ldap_url_parse_ext(ldaps://subdomain.domain.edu) 
ldap_bind_s 
ldap_simple_bind_s 
ldap_sasl_bind_s 
ldap_sasl_bind 
ldap_send_initial_request 
ldap_new_connection 1 1 0 
ldap_int_open_connection 
ldap_connect_to_host: TCP subdomain.domain.edu:636 
ldap_new_socket: 10 
ldap_prepare_socket: 10 
ldap_connect_to_host: Trying XXX.18X.XX.19:636 
ldap_pvt_connect: fd: 10 tm: -1 async: 0 
attempting to connect: 
connect errno: 13 
ldap_close_socket: 10 
ldap_new_socket: 10 
ldap_prepare_socket: 10 
ldap_connect_to_host: Trying XXX.18X.XX.24:636 
ldap_pvt_connect: fd: 10 tm: -1 async: 0 
attempting to connect: 
connect errno: 13 
ldap_close_socket: 10 
ldap_new_socket: 10 
ldap_prepare_socket: 10 
ldap_connect_to_host: Trying XXX.18X.XX.41:636 
ldap_pvt_connect: fd: 10 tm: -1 async: 0 
attempting to connect: 
connect errno: 13 
ldap_close_socket: 10 
ldap_new_socket: 10 
ldap_prepare_socket: 10 
ldap_connect_to_host: Trying 2002:XXXX:XXXX::XXXX:XXXX 636 
ldap_pvt_connect: fd: 10 tm: -1 async: 0 
attempting to connect: 
connect errno: 13 
ldap_close_socket: 10 
ldap_err2string 
[Mon Feb 23 15:20:28.689775 2015] [:error] [pid 12299] [client 10.25.XX.XX:53630] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /var/www/html/index2.php on line 19 

回答

6

經過幾天的搜索後,我想出了答案。 SELinux的。更具體地說,設置了SELinux Booleanshttpd_can_network_connect是我們正在尋找的一個:

httpd_can_network_connect (HTTPD Service):: Allow HTTPD scripts and modules to connect to the network.

此命令可以用來開啓:

setsebool -P httpd_can_network_connect on

我解決了這個通過尋找這個答案:

LDAP works with PHP CLI but not through apache