1. 首頁
  2. 問答
  3. Zend/Apache的LDAP失敗

Zend/Apache的LDAP失敗

2012-01-19 55 views
0

我有一個非常簡單的php ldap腳本,只有在Zend和Apache運行時才失敗。當我從命令行運行這個腳本時,它會通過。運行strace,我可以看到行爲改變的地方,但我不知道爲什麼。我已經確認正在讀取相同的ldap.conf,並且正在加載相同的ldap.so。Zend/Apache的LDAP失敗

我相信這是由於證書問題,但我的設置應該忽略證書問題。

版本信息(這似乎是從PHP和Apache運行之間是相同的):

OpenSSL: 0.9.8o 01 Jun 2010 
OpenLdap: $Id: ldap.c 313665 2011-07-25 11:42:53Z felipe $ 
Zend:  5.5 
PHP:  5.3.8 


<?php 
     ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7); 
     putenv('LDAPTLS_REQCERT=never'); 
     $ds = ldap_connect("ldaps://myserver.com:636"); 
     $db = ldap_bind($ds, 'user', 'pass'); 
?>

在我的ldap.conf,我只有 「TLS_REQCERT從不」。我意識到這是重複以上。

當apache下運行,我從LDAP以下跟蹤:

ldap_create 
ldap_url_parse_ext(ldaps://myserver.com:636) 
ldap_bind_s 
ldap_simple_bind_s 
ldap_sasl_bind_s 
ldap_sasl_bind 
ldap_send_initial_request 
ldap_new_connection 1 1 0 
ldap_int_open_connection 
ldap_connect_to_host: TCP myserver.com:636 
ldap_new_socket: 20 
ldap_prepare_socket: 20 
ldap_connect_to_host: Trying <myip>:636 
ldap_pvt_connect: fd: 20 tm: -1 async: 0 
TLS trace: SSL_connect:before/connect initialization 
TLS trace: SSL_connect:SSLv2/v3 write client hello A 
TLS trace: SSL_connect:SSLv3 read server hello A 
TLS certificate verification: depth: 0, err: 20, subject: /CN=mycn.com, 
    issuer: /CN=Collaboration Services CA 
TLS certificate verification: Error, unable to get local issuer certificate 
TLS trace: SSL_connect:SSLv3 read server certificate A 
TLS trace: SSL_connect:SSLv3 read server certificate request A 
TLS trace: SSL_connect:SSLv3 read server done A 
TLS trace: SSL_connect:SSLv3 write client certificate A 
TLS trace: SSL_connect:SSLv3 write client key exchange A 
TLS trace: SSL_connect:error in SSLv3 write finished A 
TLS trace: SSL_connect:error in SSLv3 write finished A 
TLS: can't connect: error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable. 
ldap_err2string

當使用命令行對同一PHP可執行文件運行相同的腳本,我得到:

ldap_create 
ldap_url_parse_ext(ldaps://myserver.com:636) 
ldap_bind_s 
ldap_simple_bind_s 
ldap_sasl_bind_s 
ldap_sasl_bind 
ldap_send_initial_request 
ldap_new_connection 1 1 0 
ldap_int_open_connection 
ldap_connect_to_host: TCP myserver.com:636 
ldap_new_socket: 4 
ldap_prepare_socket: 4 
ldap_connect_to_host: Trying <my ip>:636 
ldap_pvt_connect: fd: 4 tm: -1 async: 0 
TLS trace: SSL_connect:before/connect initialization 
TLS trace: SSL_connect:SSLv2/v3 write client hello A 
TLS trace: SSL_connect:SSLv3 read server hello A 
TLS certificate verification: depth: 0, err: 20, subject: /CN=myserver.com, issuer: /CN=Collaboration Services CA 
TLS certificate verification: Error, unable to get local issuer certificate 
TLS trace: SSL_connect:SSLv3 read server certificate A 
TLS trace: SSL_connect:SSLv3 read server certificate request A 
TLS trace: SSL_connect:SSLv3 read server done A 
TLS trace: SSL_connect:SSLv3 write client certificate A 
TLS trace: SSL_connect:SSLv3 write client key exchange A 
TLS trace: SSL_connect:SSLv3 write change cipher spec A 
TLS trace: SSL_connect:SSLv3 write finished A 
TLS trace: SSL_connect:SSLv3 flush data 
TLS trace: SSL_connect:SSLv3 read finished A 
ldap_open_defconn: successful 
ldap_send_server_request

來源

2012-01-19 AdamC

+0

你看到的是OpenSSL有問題。比較'phpinfo()'顯示的OpenSSL信息和'php -i'顯示的信息,我懷疑你會看到不同的信息 - 可能是因爲ini文件不同,或者終端中使用的PHP/OpenSSL版本可能是完全的與Apache不同。如果您使用上述命令的相應LDAP和OpenSSL相關輸出來編輯問題,我們可以看看潛在的原因/解決方案... – DaveRandom

+0

謝謝,我按照您的建議做了,我找不到任何區別。相同的ini文件,相同版本的openssl(OpenSSL 0.9.8o),ldap,php等。 – AdamC

+0

什麼是您的操作系統? – DaveRandom

回答

1

我終於當檢查運行strace的結果顯示它沒有打開我的ldap.conf文件的權限時解決了這個問題。開放權限解決了問題。但是,該文件不應該被需要,因爲它只與環境變量具有相同的設置:

putenv('LDAPTLS_REQCERT = never');

來源

2012-01-23 20:15:39 AdamC

相關問題

 相關問題