I have the following code:
public function openConnection()
{
    $this->ldapServerHandle = ldap_connect(ConfigH::getConfig()->ldap->host);
    $bindDN = ConfigH::getConfig()->ldap->serviceAccount->bindDN;
    if ($this->ldapServerHandle) {
        $this->ldapBindHandle = ldap_bind(
            $this->ldapServerHandle,
            $bindDN,
            ConfigH::getConfig()->ldap->serviceAccount->password
        );
        if (!$this->ldapBindHandle) {
            $errorMsg = "LDAP::__construct(): Could not bind the service account ".$bindDN;
            LoggerH::emergency($errorMsg);
            throw new LDAPException($errorMsg);
        }
    } else {
        $errorMsg = "LDAP::__construct(): Could not connect to the LDAP server ".ConfigH::getConfig()->ldap->host;
        LoggerH::emergency($errorMsg);
        throw new LDAPException($errorMsg);
    }
}
The issue
I have this error causing me headaches since this morning:
Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server [...]
Everything worked fine on Windows; when I executed the code on our CentOS production server, it stopped working.
What I have already checked
OpenLDAP is installed and enabled
The LDAP server is reachable from the CentOS server (Kerberos is experiencing no issues on the same machine)
What I have already tried
Re-installed the php-ldap extension
Checked the credentials and the address a million times
Additional information
ConfigH::getConfig()->ldap->host returns something like "adserver.ourcompany.com", which is the address of our LDAP server
ConfigH::getConfig()->ldap->serviceAccount->bindDN returns a valid bind DN
ConfigH::getConfig()->ldap->serviceAccount->password returns the password of the service account
The solution
Whoever uses CentOS gets SELinux, yay.
After digging even deeper into Google (as far as page 4 of the results) and Stack Overflow, I found the issue to be SELinux restricting httpd from communicating over some ports, including the LDAP one(s), despite the firewall being configured to allow it.
To allow httpd to communicate over these ports, run the following command:
setsebool -P httpd_can_network_connect 1
(Original solution here (WhoIsRich's answer))
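The boolean above opens every outbound TCP port to httpd. As an added example (not code from the post above, nor from any project it mentions), the following POSIX shell script triages SELinux AVC denials for httpd and picks the narrowest boolean that covers the denied port, which is the check worth doing before flipping anything. The AVC records are constructed; the port-to-boolean mapping assumes the stock targeted policy, where httpd_can_connect_ldap covers the LDAP ports and httpd_can_network_connect_db the database ports, with httpd_can_network_connect as the broad fallback. The same triage applies to the other SELinux threads further down this page.

```sh
#!/bin/sh
# Added example, not code from the post above: triage SELinux AVC denials for
# httpd and pick the narrowest boolean that covers a denied TCP port, instead
# of reaching straight for the broad httpd_can_network_connect.
# Assumption: the stock targeted policy, where httpd_can_connect_ldap covers the
# LDAP ports (389/636) and httpd_can_network_connect_db the database ports
# (3306, 5432, 1433). Confirm on the host with 'ausearch -m avc -c httpd | audit2why',
# which names the boolean behind each denial.

# Constructed sample of 'ausearch -m avc -c httpd --raw' output: three TCP
# denials (two of them identical) and one unix-socket denial of the kind the
# ClamAV thread on this page hit. Contexts are made up for the example.
SAMPLE_AVC='type=AVC msg=audit(1500000000.101:201): avc:  denied  { name_connect } for  pid=2001 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1500000000.102:202): avc:  denied  { name_connect } for  pid=2001 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1500000000.103:203): avc:  denied  { name_connect } for  pid=2002 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1500000000.104:204): avc:  denied  { connectto } for  pid=2003 comm="httpd" path="/var/run/clamd.scan/clamd.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:antivirus_t:s0 tclass=unix_stream_socket permissive=0'

# Narrowest httpd_* boolean that opens a destination port (assumed mapping).
boolean_for_port() {
    case "$1" in
        389|636)        echo httpd_can_connect_ldap ;;
        1433|3306|5432) echo httpd_can_network_connect_db ;;
        *)              echo httpd_can_network_connect ;;
    esac
}

# Read raw AVC records on stdin; print one "comm permission class target"
# line per distinct denial, so unix sockets and files show up too, not only
# TCP ports.
summarize_denials() {
    awk '/avc: +denied/ {
        perm = comm = cls = target = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{")            perm = $(i + 1)
            else if ($i ~ /^comm=/)   { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            else if ($i ~ /^dest=/)   target = $i
            else if ($i ~ /^path=/)   target = $i
            else if ($i ~ /^tclass=/) { cls = $i; sub(/^tclass=/, "", cls) }
        }
        print comm, perm, cls, target
    }' | sort -u
}

# From the same input, print "port boolean" for every denied TCP port.
suggest_booleans() {
    summarize_denials |
    awk '$2 == "name_connect" && $3 == "tcp_socket" { sub(/^dest=/, "", $4); print $4 }' |
    sort -n -u |
    while read -r port; do
        printf '%s %s\n' "$port" "$(boolean_for_port "$port")"
    done
}

# Current state of one boolean from 'getsebool -a' style input on stdin
# ("name --> on"); prints on, off or unknown.
boolean_state() {
    state=$(awk -v n="$1" '$1 == n { print $3 }')
    if [ -n "$state" ]; then echo "$state"; else echo unknown; fi
}

# On a real host: pull live denials and show which booleans are still off.
# Apply a change with 'setsebool -P <boolean> on' only after reviewing this.
live_triage() {
    command -v ausearch >/dev/null 2>&1 || { echo "ausearch not available" >&2; return 1; }
    ausearch -m avc -c httpd --raw 2>/dev/null | suggest_booleans |
    while read -r port bool; do
        printf 'port %s needs %s (currently %s)\n' "$port" "$bool" \
            "$(getsebool -a | boolean_state "$bool")"
    done
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | summarize_denials
printf '%s\n' "$SAMPLE_AVC" | suggest_booleans
```

On the sample, the LDAP denial maps to httpd_can_connect_ldap rather than to the broad boolean, and the unix-socket denial is listed without a suggestion, since no port boolean covers it; that is the case for audit2why or a small custom module. Unix-socket and port mappings in the script are assumptions to be checked against the host's own policy.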
Related
This is not about 'localhost'. Both the command line version of 'mysql' as well as a script I wrote in Perl (using perl-DBD-MySQL) can login, get to this database and work with it. Only PHP gives the permission denied error, and that error is not reported in any of the various log files. I even went as far as creating a simple test user in the database to avoid any issues with special characters in the password:
create user 'web'@'%' identified by 'Iamnotarobot';
and again the command line can login with this credential but PHP says permission denied.
I don't know what is throwing the error so I can't address it. I'm literally lost.
Relevant info:
RHEL 8 = 4.18.0
php 7.2.11
nginx 1.14.1
And here's the actual code that's failing:
<?php
$host = "core";
$user = "web";
$pass = "Iamnotarobot";
$db   = "mydb";
$conn = new mysqli($host, $user, $pass, $db);
if ($conn->connect_errno) {
    exit($conn->connect_errno);
}
?>
It turned out to be an selinux issue. Here's how I fixed it:
setsebool -P httpd_can_network_connect_db 1
Now with setenforce back to '1', the page can connect to the database.
Check the php-mysql package installation.
If Perl can connect remotely and PHP cannot, the issue is with the php-mysql installation only.
I am trying to connect an application (GLPI) written in PHP to a Windows Active Directory / LDAP.
Connection parameters:
Connecting to the server:
$ds = ldap_connect($host, $port); // returns true
@ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
@ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
@ldap_set_option($ds, LDAP_OPT_DEREF, $deref_options);
Binding the connection to the server with the user and password:
ldap_bind($ds, $login, $password);
returns:
"Can not contact LDAP server"
I want to know what can cause that error message, since the first call returns true, which would mean that it does connect to the server.
The RootDN is fine, and the user I am using has all the permissions.
The server is fine, and I did ping and telnet it.
Note: I already downloaded LDAPExplorer and established a connection without problem.
Is the $ds = ldap_connect ... line missing, as in your code?
It should be something like:
$ds = ldap_connect($host, $port);
@ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
@ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
@ldap_set_option($ds, LDAP_OPT_DEREF, $deref_options);
ldap_bind($ds, $login, $password);
ldap_connect does not connect to the server, as is clearly stated in the docs. It merely creates a resource and checks whether the given values are plausible. The actual connection is established with the first command that requires a connection to the server; in this case, ldap_bind.
BTW: The "first method" does not return true but a resource handle. Only when you pass something absolutely not parseable will it return false. But never true.
I'd recommend using an LDAP URI instead of the $host, $port variation, as the PHP library has to do that internally otherwise. And it's the only way to, e.g., establish an LDAPS connection.
Ok, the solution to my problem was to upgrade from GLPI version 9.3.0 to 9.3.3.
Suggestions:
For users who run into this, check the messages GLPI shows about pending installation packages. I opted for the update and the connection worked without problem.
For users who cannot update the version, check whether Apache packages are pending installation or update; also, during the installation process in the setup, be very careful to install the entire list that appears pending.
To fix some errors after installing version 9.3.3:
chown -R apache:apache glpi/files
chmod -R 755 glpi/files
chown -R apache:apache config
chmod -R 755 glpi/config
also:
setsebool -P httpd_can_network_connect_db 1
Thank you.
I am trying to scan uploaded files on a PHP server using ClamAV. I've installed ClamAV on my server (CentOS 7). Currently I am using PHP 7, so I am using a clamd socket connection to scan uploaded files. I've enabled PHP sockets; the clamd.sock file is present in the /var/run/clamd.scan/ folder with apache as owner.
My socket connection code:
$socket = socket_create(AF_UNIX, SOCK_STREAM, 0);
if (socket_connect($socket, '/var/run/clamd.scan/clamd.sock')) {
    return $socket;
}
When I try to run the above code in the browser I get the error socket_connect(): unable to connect [13]: Permission denied, but if I run the PHP code from the command line as the root user it works fine.
I know there is some issue with the SELinux policy on CentOS, as if I disable SELinux everything works fine from the browser as well. I have checked httpd_can_network_connect --> on and antivirus_can_scan_system --> on; both are on.
The issue is with the apache user accessing anything inside the /var/run/ folder; there is something (some policy) in SELinux which is stopping apache from connecting to the clamd socket file. Any ideas?
After debugging, got to know that this is SELinux policy issue.
You need to enable daemons_enable_cluster_mode policy in SELinux.
To enable daemons_enable_cluster_mode:
setsebool -P daemons_enable_cluster_mode 1
This will allow executing ClamAV scan through another service like Apache in my case.
I have a laravel 5 app. With the code below, I am able to successfully authenticate with active directory when on localhost and having the company network cabled plugged to my computer.
public static function connect_ldap($username, $password)
{
    $ldapServer = DirectorySetting::where('config_key', 'LdapServerAddress')->value('config_value');
    $conn = ldap_connect($ldapServer, 389);
    if (!$conn) return false;
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    $bindServerLDAP = @ldap_bind($conn, $username, $password);
    if (!$bindServerLDAP) return false;
    return $conn;
}
However, our test and production server is on Microsoft Azure. When I try to authenticate, I get the error below:
Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /var/www/html/test_ldap.php on line 70
Error Binding to LDAP: No additional information is available
Observation
ldap_connect is successful
I can successfully ping the ldap server address
ldap_bind is unsuccessful. Enabling verbose here doesn't help either. It just tells me that No additional information is available
The systems team says they have created a link between the on-premise and Azure Active Directory
My server is CentOS 7, I have enabled the variables httpd_can_network_connect and httpd_can_connect_ldap like below:
sudo setsebool -P httpd_can_network_connect on
sudo setsebool -P httpd_can_connect_ldap on
I have equally added in /etc/openldap/ldap.conf, the variable below:
TLS_REQCERT never
Even with this, it doesn't work.
What could be wrong?
I have installed FreeTDS 0.91, ODBC, on a Cpanel server running Centos 6.5x64. Everything appears to be running fine and I can connect to the remote MSSQL 2012 server using:
/usr/local/freetds/bin/tsql -S sqlserver -U test -P mypassword
and successfully execute queries in the database.
I can also connect through:
isql -v sqlserverdatasource test mypasswordhere
But for some reason /usr/local/freetds/bin/tsql -LH server.ip.here
returns no information or errors, which doesn't make much sense when it is proven I can connect with the other methods above.
So now when running a test script from a cpanel account on the machine I get:
Unknown host machine name (severity 2)
Here is the test script:
// Database connection function.
function getConnection() {
    try {
        //$dbconnect = new PDO("sqlserver:Server=server.ip.here,1433;Database=dbname", "user", "password");
        $dbconnect = new PDO("dblib:host=server.ip.here,1433;dbname=dbname", 'user', 'password');
    } catch (PDOException $e) {
        echo "CONNECTION ERROR.<br>Error message:<br><br>" . $e->getMessage();
        die();
    }
    if (!$dbconnect) {
        die('Cant connect to database. Please try again later!');
    } else {
        echo "i'm in!";
        return $dbconnect;
    }
}
The first commented line is the old one using sqlserv, which I found did not work at all, from what I can tell because of the x64 OS. I have also tried with "" around user and pass, as well as no quotes at all.
php -m does show PDO and pdo-dblib.
Any ideas where I can look next?
Update: This was fixed. I missed in freetds.conf:
[global]
# TDS protocol version
tds version = 8.0
It was originally set to 4.5 instead of 8.
The fix for me was with three steps:
First, I edited /etc/freetds/freetds.conf and changed the tds version like this:
tds version = 8.0
The second step was not entering port number. The port was already 1433, and not specifying it fixed the exact same issue on my case.
Lastly, to connect properly, I had to restart networking as @user1054844 mentioned, like this:
/etc/init.d/networking restart
After all these steps, I was able to connect and work with the SQL Server database.
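Both the update above and this answer come down to a protocol version inherited from [global] that is wrong for the server. As an added example (not code from the thread, from FreeTDS or from cPanel), the following POSIX shell script lints a freetds.conf for exactly that: it resolves the effective tds version per server section and flags sections with no host. The sample configuration is constructed; the script assumes the usual INI layout of freetds.conf and treats any 7.x value (and the old 8.0 alias the thread used) as acceptable for SQL Server.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeTDS: lint a freetds.conf
# for the failure mode above (an outdated "tds version" inherited from
# [global]) and for server sections with no host. Assumption: the standard
# INI layout, "[section]" headers and "key = value" lines; the sample below is
# constructed.

SAMPLE_CONF='[global]
# TDS protocol version
tds version = 4.2
dump file = /tmp/freetds.log

[sqlserver]
host = 192.0.2.10
port = 1433
tds version = 7.3

[legacy]
host = 192.0.2.11'

# Read a config on stdin; print "section key value" per setting, with spaces
# in key names turned into underscores (comments and blank lines dropped).
conf_tuples() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ {
            s = $0; gsub(/[ \t]/, "", s)
            section = substr(s, 2, length(s) - 2); next
        }
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/ /, "_", k)
            print section, k, v
        }'
}

# Effective "tds version" for one server section: the section's own value,
# falling back to [global]; empty when neither sets it.
tds_version_for() {
    conf_tuples | awk -v sec="$1" '
        $2 == "tds_version" && $1 == "global" { g = $3 }
        $2 == "tds_version" && $1 == sec      { s = $3 }
        END { print (s != "" ? s : g) }'
}

# FreeTDS documents 7.x for SQL Server 2005 and later ("8.0" is the old alias
# for 7.1 that the thread used); 4.2 and 5.0 are the legacy Sybase-era
# protocol versions and are the wrong choice for a modern SQL Server.
tds_version_ok() {
    case "$1" in
        7.*|8.0) return 0 ;;
        *)       return 1 ;;
    esac
}

# Report problems for every server section; prints nothing when clean.
lint_freetds() {
    conf=$(cat)
    printf '%s\n' "$conf" | conf_tuples | awk '$1 != "global" { print $1 }' | sort -u |
    while read -r sec; do
        ver=$(printf '%s\n' "$conf" | tds_version_for "$sec")
        tds_version_ok "$ver" ||
            printf '%s: tds version %s is too old for SQL Server; use 7.x\n' "$sec" "${ver:-unset}"
        printf '%s\n' "$conf" | conf_tuples | grep -q "^$sec host " ||
            printf '%s: no host set\n' "$sec"
    done
}

# Offline demonstration on the constructed sample; on a host run
#   lint_freetds < /etc/freetds.conf
printf '%s\n' "$SAMPLE_CONF" | lint_freetds
```

On the sample, [sqlserver] passes because its own tds version overrides the stale [global] one, while [legacy] inherits 4.2 and is reported; that is the silent inheritance the update above ran into.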
You actually did not need ODBC at all, since your connect script is using pdo_dblib, not odbc. You can just install FreeTDS, then enable pdo_dblib via the compile-time flag in rawopts and rebuild via EasyApache. Of course the cPanel specifics for this are a bit different.
I just did this for a friend and decided to document it since it is hard to find accurate clear information for FreeTds and pdo_dblib on cPanel.
Guide is here: FreeTDS And pDO_dblib On cPanel