Can't connect LDAP over SSL [duplicate] - php

I'm having issues using Windows to connect to a secure LDAP server, and I see the same thing everywhere online with no solution that's worked so far.
I have tried using both IIS and WAMPSERVER. I have put libeay32.dll and ssleay32.dll in my SYSTEM32 directory and enabled the LDAP extension.
Here is my code:
putenv('LDAPTLS_REQCERT=never');
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
// ldap_connect() only parses the URI; with ldaps:// the server is not contacted until the bind
$resource = ldap_connect("ldaps://{redacted}/", 636) or die ("Could not connect.");
ldap_set_option($resource, LDAP_OPT_PROTOCOL_VERSION, 3);
// single quotes so the backslash in DOMAIN\user is kept literally
$bound = ldap_bind($resource, '{redacted}\ldap', "****");
echo ldap_error($resource);
I get Can't contact LDAP server from ldap_error and the PHP warning Warning: ldap_bind() [function.ldap-bind]: Unable to bind to server: Can't contact LDAP server in C:\wamp\www\ldapTest.php
The server I am attempting to connect to is running Active Directory and I have confirmed that I can connect by using other LDAP tools. I know this server has an issue with its certificate - the LDAP tool I am using says: The server you are trying to connect to is using a certificate which could not be verified! - Issuer certificate not found
My suspicion is that the bad certificate is causing the bind issue which is why I've tried the LDAPTLS_REQCERT=never.

I can't recall where I found this one article; however, I found out that by default, even if you specify TLS_REQCERT never, it is ignored.
What I found out / then forgot about and found out again is that you need to do the following (for Windows machines):
Create the following directory structure in the root of your C: drive:
C:\OpenLDAP\sysconf (create the two folders)
Inside the sysconf folder create a text file called "ldap.conf"
In the text file you created put the following on the first line and then save:
"TLS_REQCERT never" (without the quotes)
Restart Apache and it should work now.
Give it a try, and good luck!

You can try changing the following line:
$resource = ldap_connect("ldaps://{redacted}/", 636)
To use your port number directly in the URI instead
$resource = ldap_connect("ldaps://{redacted}:636")
This has been known to work when the other will not.
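The asker's LDAP tool reports "Issuer certificate not found", which means the client is missing the CA that issued the last certificate in the chain the domain controller sends. The following PHP is an added diagnostic, not code from the question or either answer: it opens a TLS session to port 636, captures the presented chain and prints which issuer would have to be in the client's trust store. The host name is a placeholder, and verification is deliberately off because this is a read-only probe; never use these context options for the real LDAP connection.

```php
<?php
// Added diagnostic for the "Issuer certificate not found" symptom; not code
// from the question or either answer. The host name is a placeholder.
// verify_peer is off on purpose: we want to see what the server sends even
// when the chain is incomplete. Do not reuse these options for the LDAP bind.

declare(strict_types=1);

/** Flatten the subject/issuer array from openssl_x509_parse() into "k=v,k=v". */
function dn_string(array $parts): string
{
    $rdns = [];
    foreach ($parts as $key => $value) {
        foreach ((array) $value as $v) {
            $rdns[] = "{$key}={$v}";
        }
    }
    return implode(',', $rdns);
}

/**
 * Return the chain sent by $host:$port as a list of
 * ['subject' => string, 'issuer' => string, 'pem' => string], leaf first.
 * Returns [] when no TLS handshake could be completed.
 */
function fetch_ldaps_chain(string $host, int $port = 636, float $timeout = 5.0): array
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'             => false,
        'verify_peer_name'        => false,
        'capture_peer_cert_chain' => true,
        'peer_name'               => $host,
    ]]);
    $sock = @stream_socket_client("ssl://{$host}:{$port}", $errno, $errstr,
                                  $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        fwrite(STDERR, "TLS connect to {$host}:{$port} failed: {$errstr} ({$errno})\n");
        return [];
    }
    $params = stream_context_get_params($sock);
    fclose($sock);

    $chain = [];
    foreach ($params['options']['ssl']['peer_certificate_chain'] ?? [] as $cert) {
        $info = openssl_x509_parse($cert);
        $pem  = '';
        openssl_x509_export($cert, $pem);
        $chain[] = [
            'subject' => dn_string($info['subject']),
            'issuer'  => dn_string($info['issuer']),
            'pem'     => $pem,
        ];
    }
    return $chain;
}

/**
 * Issuer DN missing from the presented chain, or null when the chain already
 * ends in a self-signed root. That issuer is the certificate you export from
 * your CA and hand to the client as TLS_CACERT.
 */
function missing_issuer(array $chain): ?string
{
    if ($chain === []) {
        return null;
    }
    $last = end($chain);
    return $last['subject'] === $last['issuer'] ? null : $last['issuer'];
}

$chain = fetch_ldaps_chain('dc01.example.local');   // placeholder host
foreach ($chain as $i => $cert) {
    printf("[%d] subject: %s\n    issuer:  %s\n", $i, $cert['subject'], $cert['issuer']);
}
if (($need = missing_issuer($chain)) !== null) {
    echo "Chain stops before a root; put the certificate of \"{$need}\" in the CA file.\n";
}
```

If the probe lists only the DC's own certificate, the issuer it names is the CA certificate to fetch from your PKI (the PEM printed here is the server's certificate, not the CA's, so it is not a substitute for the real CA file). If even the TLS connect fails, the problem is network or port 636 itself, not the certificate.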

Related

LDAP CHANGE PASSWORD PHP

I want to change a user's password [unicodePwd] on Windows Active Directory using PHP LDAP.
I am using Windows Active Directory via PHP LDAP.
I don't have any issues connecting to it.
I don't have any issues collecting data.
I don't have any issues changing attributes using ldap_mod_replace or ldap_modify,
except for the "unicodePwd".
*note that this works
$user['telephonenumber'] = '1234567890';
*note that this doesn't work
$user['unicodePwd'] = mb_convert_encoding('my_new_password', "UTF-16LE");
// CODE
$result = ldap_modify($ldap, $dn, $user);
return ldap_error($ldap);
// CODE
// ERROR ON CHANGING unicodePwd
ldap_modify(): Modify: Server is unwilling to perform
// NO ERROR FOR telephonenumber
06/11/2018 Problem:
I can't set up my server to have LDAP over SSL.
Already tried installing AD CS; nothing has worked so far. Still configuring my server. Any idea about installing a CA (Certificate Authority) to be used for LDAP over SSL?
06/20/2018 Problem, NEW PROBLEM:
Already set up LDAP over SSL; I can also use LDAP using
cmd -> ldp; port 389, and 636 with SSL, are good.
But when I run it in my PHP using port 636 or ldaps://servername this is the error:
ldap_bind(): Unable to bind to server: Can't contact LDAP server
You need to be on a secured connection to modify a password (and probably other security related options).
Add the following before you call ldap_bind():
ldap_start_tls($ldap);
This is a good idea even if you aren't trying to change a password as otherwise your bind operation is cleartext and can be sniffed.
If you see this error:
Warning: ldap_start_tls(): Unable to start TLS: Connect error in ...
You can workaround the issue by adding the following line before you call ldap_connect:
putenv('LDAPTLS_REQCERT=never');
WARNING: This disables checking the validity of the LDAP server certificate! Ideally you should add the server certificate (or its signing CA) to your trusted store.
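An encrypted connection is necessary but not sufficient: Active Directory also requires the unicodePwd value to be the new password wrapped in double quotes and encoded as UTF-16LE, which the asker's mb_convert_encoding('my_new_password', "UTF-16LE") does not produce. The PHP below is an added example, not code from the question or the answer. It assumes $ldap is a connection over ldaps:// (where TLS is negotiated on connect, so ldap_start_tls() is only needed for ldap://...:389) or one on which ldap_start_tls() succeeded, already bound as an account with rights on $dn; the DN and passwords are placeholders, and LDAP_OPT_DIAGNOSTIC_MESSAGE needs PHP 7.1+.

```php
<?php
// Added example; not code from the question or the answer. Assumed: $ldap is an
// already bound TLS-protected connection, $dn and the passwords are
// placeholders, PHP 7.1+ for LDAP_OPT_DIAGNOSTIC_MESSAGE.

declare(strict_types=1);

/** Encode a password the way Active Directory expects it in unicodePwd. */
function encode_unicode_pwd(string $password): string
{
    // The surrounding double quotes are required by AD and are not stored.
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

/** ldap_error() plus AD's extended text, e.g. the 0000052D policy rejection code. */
function ad_diagnostic($ldap): string
{
    $diag = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    return ldap_error($ldap) . ($diag !== '' ? " [{$diag}]" : '');
}

/**
 * Administrative reset: a single replace. The bound account needs the
 * "Reset password" right on $dn; the user's old password is not needed.
 */
function ad_reset_password($ldap, string $dn, string $newPassword): bool
{
    if (@ldap_mod_replace($ldap, $dn, ['unicodePwd' => encode_unicode_pwd($newPassword)])) {
        return true;
    }
    fwrite(STDERR, 'reset failed: ' . ad_diagnostic($ldap) . "\n");
    return false;
}

/**
 * Self-service change: remove the old value and add the new one in a single
 * modify, so the DC verifies the old password and enforces history/complexity.
 */
function ad_change_own_password($ldap, string $dn, string $oldPassword, string $newPassword): bool
{
    $mods = [
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
         'values' => [encode_unicode_pwd($oldPassword)]],
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,
         'values' => [encode_unicode_pwd($newPassword)]],
    ];
    if (@ldap_modify_batch($ldap, $dn, $mods)) {
        return true;
    }
    fwrite(STDERR, 'change failed: ' . ad_diagnostic($ldap) . "\n");
    return false;
}

// Usage with placeholders; $ldap comes from your existing connect + bind code.
// $dn = 'CN=Jane Doe,OU=Users,DC=example,DC=local';
// ad_reset_password($ldap, $dn, 'N3w-Passw0rd!');
// ad_change_own_password($ldap, $dn, 'Old-Passw0rd!', 'N3w-Passw0rd!');
```

With a cleartext connection or a value without the quotes the DC answers exactly the "Server is unwilling to perform" from the question; once the transport and encoding are right, the diagnostic text distinguishes a policy rejection (old password wrong, history or complexity) from a permissions problem.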

Firebird php Failed to locate host machine

I try to run an ibase_connect to a Firebird database.
The database is NOT on my localhost. It runs on a network Windows server.
I have Windows too and have a connection to the shared folder:
Z:\Folder_WITH_DB.
I have XAMPP installed with
ibase extension
pdo firebird extension.
I copied the fbclient.dll into my XAMPP/php folder.
But if I run this code:
$db = 'Z:/Folder_WITH_DB/database.fdb';
$username='SYSDBA';
$password='masterkey';
$dbh = ibase_connect ( $db, $username, $password ) or die ("error in db connect");
gives this error
Warning: ibase_connect(): Unable to complete network request to host "Z". Failed to locate host machine. in xxx/index.php on line xx
firebird.log:
INET/INET_connect: gethostbyname (Z) failed, error code = 11004
I added gds_db 3050/tcp to the service file on my localhost and the server (have restarted both) and it is the same error.
Windows Firewall is deactivated on server. Service for firebird server and firebird guardian is running.
Firebird can only use a database file local to the database server. You can't connect to a Firebird database on a network share*. You need to connect to the Firebird server instead.
So if the database of 'Z:/Folder_WITH_DB/database.fdb' is on server firebirdsrv in folder D:\data\database.fdb, then you need to connect to firebirdsrv/3050:D:\data\database.fdb. I strongly suggest to remove the networkshare.
*: Technically a share can be used, but it is disabled by default because accessing a database from multiple servers through a network share can corrupt a database.

PHP on IIS - unable to bind to Active Directory over LDAPS

I'm working on a small password reset script for our users, using PHP5 on an IIS7.5 server. I have LDAP over SSL enabled on our Active Directory controllers, and tested that it is working properly using ldp.exe
Here's the code to connect to the server:
$ldap_server = "ldaps://AD02.district.local";
$ldap_port = 636;
$ldap_user = "service_lookup@district.local";
$ldap_pass = "(goes here)";
$ds = ldap_connect($ldap_server, $ldap_port);
// options must be in place before the bind
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
ldap_bind($ds, $ldap_user, $ldap_pass);
However, when I execute the script, I get the following error:
Warning: ldap_bind() [function.ldap-bind]: Unable to bind to server:
Can't contact LDAP server in D:\Sites\Lookup\search.php on line 11
If I set $ldap_server to use ldap:// instead of ldaps://, it'll connect (even with the port set to 636), but the actual reset function does not work ("server is unwilling to perform").
Is there a way to troubleshoot this further? Or does anyone know what may be wrong?
I know this is an old question. But today I encountered the same problem.
I had to apply the following solution to make it work:
Create a folder: C:\OpenLDAP\sysconf
Create a file 'ldap.conf' in C:\OpenLDAP\sysconf.
Make the content of the file: 'TLS_REQCERT never' (no quotes).
Save.
It should work now. According to the manual, “TLS_REQCERT never” prevents the server from requesting and/or checking any server certificate.
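The fix given here, and in the accepted answer to the first question on this page, is "TLS_REQCERT never" in C:\OpenLDAP\sysconf\ldap.conf (or LDAPTLS_REQCERT=never), which turns off verification of the domain controller's certificate for every LDAP connection the process opens and lets anyone on the path present a certificate of their own and read the bind password. The PHP below is an added example, not code from any of the answers: it sets the same OpenLDAP knobs from PHP with verification kept on, next to the unverified variant for comparison. It assumes PHP 7.1+ (for the LDAP_OPT_X_TLS_* constants), a PEM file holding the issuing CA certificate at a placeholder path, and a placeholder host and credentials.

```php
<?php
// Added example; not code from the answers. Assumed: PHP 7.1+, a PEM file with
// the CA that issued the DC's certificate, placeholder host and credentials.

declare(strict_types=1);

/**
 * Open ldaps://$host:$port with the server certificate checked against $caFile.
 * The TLS options are set on the global handle (null) before ldap_connect() so
 * they are in effect when the new connection negotiates TLS; this is the
 * in-process equivalent of
 *     TLS_CACERT  C:\OpenLDAP\sysconf\ad-ca.pem
 *     TLS_REQCERT demand
 * in ldap.conf.
 */
function ldaps_connect_verified(string $host, string $caFile, int $port = 636)
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: {$caFile}");
    }
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // Port inside the URI, as the ldap_connect() answer on this page suggests.
    $ds = ldap_connect("ldaps://{$host}:{$port}");
    if ($ds === false) {
        throw new RuntimeException("malformed LDAP URI for {$host}");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    return $ds;
}

/**
 * The insecure counterpart, kept only for comparison: identical in effect to
 * "TLS_REQCERT never". Suitable for a throwaway lab, never for a password
 * reset page.
 */
function ldaps_connect_unverified(string $host, int $port = 636)
{
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
    $ds = ldap_connect("ldaps://{$host}:{$port}");
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    return $ds;
}

/**
 * Bind and return null on success, otherwise a message. With ldaps:// the TLS
 * handshake happens inside ldap_bind(), so a rejected certificate surfaces
 * here as "Can't contact LDAP server" rather than at ldap_connect().
 */
function bind_verbose($ds, string $user, string $password): ?string
{
    if (@ldap_bind($ds, $user, $password)) {
        return null;
    }
    $diag = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    return sprintf('bind failed (%d): %s%s', ldap_errno($ds), ldap_error($ds),
                   $diag !== '' ? " [{$diag}]" : '');
}

$ds  = ldaps_connect_verified('dc01.example.local', 'C:\\OpenLDAP\\sysconf\\ad-ca.pem');
$err = bind_verbose($ds, 'svc_lookup@example.local', 'placeholder-password');
echo ($err ?? 'bound over verified TLS') . "\n";
```

The CA file is the issuing CA's certificate exported as Base-64 encoded X.509 (that format is PEM); if the DC was issued by a subordinate CA, concatenate the subordinate and root certificates into the same file. "Can't contact LDAP server" from bind_verbose() with the verified connect is then a real chain or name mismatch, and "Invalid credentials" means TLS is fine and the account or password is wrong.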

How to perform a LDAP SASL bind to Active Directory using GSS-API mech in PHP from Windows?

I have an Active Directory server and a Windows WAMP server hosting PHP web applications that need to be able to authenticate to Active Directory using Kerberos.
I was able to easily connect and bind to the Active Directory host using some sample PHP code, but I'm not sure how to do so with Kerberos. I have seen many forums and blogs detailing how to do this on *NIX machines, but that doesn't help me with my situation.
I did use Wireshark and Fiddler to confirm that there is no Kerberos or NTLM negotiating happening.
Sample code I used to connect and bind to LDAP:
<?php
$ldaphost = "example.domain.com";
$ldapport = 389;
$ldapuser = "user";
$ldappass = "password";
$ldapconn = ldap_connect( $ldaphost, $ldapport )
    or die( "Unable to connect to the LDAP server {$ldaphost}" );
if ($ldapconn)
{
    $ldapbind = ldap_bind($ldapconn, $ldapuser, $ldappass);
    if ($ldapbind)
    {
        echo "LDAP connection successful";
    }
    else
    {
        echo "LDAP connection failed";
    }
}
?>
Any help will be greatly appreciated, thanks!
Update: I've been wrestling with this all day and I think I need to use ldap_sasl_bind(), possibly using GSSAPI as the mechanism... No matter what parameters I put in to ldap_sasl_bind(), I get the following error: 'Unable to bind to server: Unknown authentication method'
I'm not sure how to implement GSSAPI, but some examples I've seen show using ldap_start_tls(), but I keep getting a 'Unable to start TLS: Server is unavailable' error.
I don't know if anyone knows anything about ldap_sasl_bind() (which is undocumented by PHP) or ldap_start_tls, but if this is the way I should be going, please point me in the right direction.
I cannot help with the Kerberos issue yet, as I am still struggling with it myself. However, I can point you in the right direction for TLS. TLS will at least prevent your credentials from being transmitted over the network in clear text. TLS requires proper configuration of OpenLDAP. At the very least, you can configure your client to not request or check any server certificates. You do this by adding the following line to the top of your ldap.conf configuration file.
TLS_REQCERT never
Your ldap.conf file should be located in C:\ or C:\openldap\sysconf, depending on your version of PHP and OpenLDAP. The file most likely does not yet exist in your setup. You may also be able to set the configuration via an environment variable, putenv(TLS_REQCERT=never);, but I have not tried that myself, and there appear to be mixed results reported by others.
What you need to do: Make sure that the LDAP interface in PHP is compiled against SASL, supports GSS-API mech and either uses keytabs or the Windows-own SSPI interface. Good luck.
I solved this problem on Windows by creating an executable based on the C++ ldap_bind_s. I use this executable as a command line tool with the parameters: host, username, password. This is the only way I got it to work for GSSAPI.
WINLDAPAPI ULONG LDAPAPI ldap_bind_s(
LDAP *ld,
const PSTR dn,
const PCHAR cred,
ULONG method
);
I used LDAP_AUTH_NEGOTIATE.
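The answer above lists the prerequisite: PHP's ldap extension built against Cyrus SASL with a GSSAPI mechanism, and a Kerberos credential the GSSAPI library can find. Given that, the bind the asker was looking for is ldap_sasl_bind() with the GSSAPI mechanism. The PHP below is an added example, not code from the question or either answer. It assumes a ticket for the web server's identity is already in the credential cache the GSSAPI library reads (from kinit or a keytab; on Windows through MIT Kerberos for Windows or an SSPI-backed GSSAPI plugin), that ldap_exop_whoami() is available (PHP 7.2+), and that the host name is a placeholder.

```php
<?php
// Added example; not code from the question or the answers. Assumed: ldap
// extension built with Cyrus SASL and a GSSAPI plugin, a Kerberos ticket
// already in the credential cache, placeholder host name, PHP 7.2+ for whoami.

declare(strict_types=1);

/** True when the extension exposes ldap_sasl_bind(), i.e. was built with SASL. */
function sasl_bind_available(): bool
{
    return function_exists('ldap_sasl_bind');
}

/**
 * GSSAPI bind to $uri. Returns ['ok' => bool, 'identity' => ?string, 'error' => ?string].
 *
 * $secprops is handed to the SASL library as security properties. On an
 * ldaps:// connection pass "maxssf=0": TLS already protects the session and
 * Active Directory refuses an additional SASL sign/seal layer on top of it.
 * On plain ldap://host:389 leave it null so client and DC negotiate sign/seal.
 */
function gssapi_bind(string $uri, ?string $secprops = null): array
{
    if (!sasl_bind_available()) {
        return ['ok' => false, 'identity' => null,
                'error' => 'ldap_sasl_bind() unavailable: ldap extension built without SASL'];
    }
    $ds = ldap_connect($uri);
    if ($ds === false) {
        return ['ok' => false, 'identity' => null, 'error' => "bad URI: {$uri}"];
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // DN and password stay null: the Kerberos ticket supplies the identity.
    $bound = @ldap_sasl_bind($ds, null, null, 'GSSAPI', null, null, null, $secprops);
    if (!$bound) {
        $diag = '';
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        return ['ok' => false, 'identity' => null,
                'error' => ldap_error($ds) . ($diag !== '' ? " [{$diag}]" : '')];
    }

    // Ask the DC who it thinks we are: proves the ticket, not a password, was used.
    $identity = function_exists('ldap_exop_whoami') ? (ldap_exop_whoami($ds) ?: null) : null;
    return ['ok' => true, 'identity' => $identity, 'error' => null];
}

$result = gssapi_bind('ldaps://dc01.example.local:636', 'maxssf=0');
if ($result['ok']) {
    echo 'bound as ', $result['identity'] ?? '(whoami unsupported)', "\n";
} else {
    echo 'GSSAPI bind failed: ', $result['error'], "\n";
}
```

"Unknown authentication method", the error the asker hit, is what OpenLDAP reports when the SASL library it was built against has no usable GSSAPI plugin; that is a build or plugin-path problem, not something the PHP call can work around. A successful whoami on AD comes back as "u:DOMAIN\account".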
