As the title suggests, I have an Arduino sketch set up to reach out to my web server using SSL, intending to retrieve an output value from a php script. It was working up until around 2am MST on Thursday, September 19th 2019, but sometime over the next eight hours, it stopped. My hosting provider made significant updates that morning and I think there's now an incompatibility somewhere. Below, I'm not including all of the code, just the pieces that should be relevant. I've excluded the pieces about establishing a connection to wifi, my NTP configuration and the pieces about using the returned value in NeoPixel. I set client.setInsecure because my cert changes pretty frequently, and so does the fingerprint. This also worked prior to server maintenance. The fingerprint displayed is an older one. It's possible that some of this code is unnecessary, but I found that if I took out the lines dealing with fingerprint, the connection failed.
If I reach the URL from a browser, I get the correct number returned, but with the Arduino, I'm getting the DOCTYPE line instead. I originally had HTTP/1.0 in my code, and it was working. After the issue started, neither works, 1.0 or 2.0.
My hosting provider says the following:
Apache Version 2.4.39
PHP Version 7.3.8
Instead of getting a simple number back, I'm getting this:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
Sketch:
#include <ESP8266WiFi.h>
#include <WiFiClientSecure.h>
const char* host = "battletech-live.net";
const int httpsPort = 443;
String url = "/assets/scripts/php/checkTasks.php?action=getRows&uid=esp8266";
// SHA1 fingerprint of the certificate
char fingerprint[] PROGMEM = "44 DD B9 73 04 F8 EE 6B 0A 01 76 F2 98 34 F7 DE 43 60 11 54";
void setup() {
Serial.begin(115200);
WiFiClientSecure client;
client.setInsecure();
if (client.connect(host, httpsPort)) {
Serial.println("connected");
String request = String("GET ") + url + " HTTP/1.0 \r\n" +
"Host: " + host + "\r\n" +
"Connection: close\r\n\r\n";
client.print(request);
String line = client.readStringUntil('\n');
Serial.println(line);
} else {
Serial.println("connected failed");
}
}
void loop() {
getPendingTasks();
}
void getPendingTasks() {
WiFiClientSecure client;
client.setInsecure();
client.setFingerprint(fingerprint);
if (client.connect(host, httpsPort)) {
String request = String("GET ") + url + " HTTP/1.0 \r\n" +
"Host: " + host + "\r\n" +
"Connection: close\r\n\r\n";
client.print(request);
String line = client.readStringUntil('\n');
Serial.println(line);
}
}
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 4 years ago.
Improve this question
So I wanted to do some home automation, so I assigned an esp8266 to each of the rooms of my house, all of them are connected to a single wifi as clients with static ip addresses, so I can control my lights by sending get request to each esps IP, so my problem is that I want to make a webserver running on an arduino or esp8266 so that it could save the states of all the lights of the house. I can easily do this on wammp where php will handle all the get requests made by the client esps and save the data in a database, but can a webserver(on esp or arduino) handle those get requests and save the states in some memory.
Yes, you can run a webserver with Arduino. This is the example from https://www.arduino.cc/en/Tutorial/WebServer
/*
Web Server
A simple web server that shows the value of the analog input pins.
using an Arduino Wiznet Ethernet shield.
Circuit:
* Ethernet shield attached to pins 10, 11, 12, 13
* Analog inputs attached to pins A0 through A5 (optional)
created 18 Dec 2009
by David A. Mellis
modified 9 Apr 2012
by Tom Igoe
modified 02 Sept 2015
by Arturo Guadalupi
*/
#include <SPI.h>
#include <Ethernet.h>
// Enter a MAC address and IP address for your controller below.
// The IP address will be dependent on your local network:
byte mac[] = {
0xDE, 0xAD, 0xBE, 0xEF, 0xFE, 0xED
};
IPAddress ip(192, 168, 1, 177);
// Initialize the Ethernet server library
// with the IP address and port you want to use
// (port 80 is default for HTTP):
EthernetServer server(80);
void setup() {
// Open serial communications and wait for port to open:
Serial.begin(9600);
while (!Serial) {
; // wait for serial port to connect. Needed for native USB port only
}
// start the Ethernet connection and the server:
Ethernet.begin(mac, ip);
server.begin();
Serial.print("server is at ");
Serial.println(Ethernet.localIP());
}
void loop() {
// listen for incoming clients
EthernetClient client = server.available();
if (client) {
Serial.println("new client");
// an http request ends with a blank line
boolean currentLineIsBlank = true;
while (client.connected()) {
if (client.available()) {
char c = client.read();
Serial.write(c);
// if you've gotten to the end of the line (received a newline
// character) and the line is blank, the http request has ended,
// so you can send a reply
if (c == '\n' && currentLineIsBlank) {
// send a standard http response header
client.println("HTTP/1.1 200 OK");
client.println("Content-Type: text/html");
client.println("Connection: close"); // the connection will be closed after completion of the response
client.println("Refresh: 5"); // refresh the page automatically every 5 sec
client.println();
client.println("<!DOCTYPE HTML>");
client.println("<html>");
// output the value of each analog input pin
for (int analogChannel = 0; analogChannel < 6; analogChannel++) {
int sensorReading = analogRead(analogChannel);
client.print("analog input ");
client.print(analogChannel);
client.print(" is ");
client.print(sensorReading);
client.println("<br />");
}
client.println("</html>");
break;
}
if (c == '\n') {
// you're starting a new line
currentLineIsBlank = true;
} else if (c != '\r') {
// you've gotten a character on the current line
currentLineIsBlank = false;
}
}
}
// give the web browser time to receive the data
delay(1);
// close the connection:
client.stop();
Serial.println("client disconnected");
}
}
Save the states in a global variable and initialize them in setup(). When a client sends its request, it has to send its id or ip and the server can response with the state.
I need to resolve dns.
Here is my cmd command:
host -a google.com 8.8.8.8
or
(host -a s4.artemisweb.jp ns0.domain_name.com
host -a s4.artemisweb.jp 77.88.8.1)
and it returns something like that:
root#min /etc # host -a google.com 8.8.8.8
Trying "google.com"
;; Truncated, retrying in TCP mode.
Trying "google.com"
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6364
;; flags: qr rd ra; QUERY: 1, ANSWER: 24, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;google.com. IN ANY
;; ANSWER SECTION:
google.com. 300 IN A 74.125.232.103
google.com. 300 IN A 74.125.232.96
google.com. 300 IN A 74.125.232.102
google.com. 300 IN A 74.125.232.97
for my further work i need
74.125.232.103 74.125.232.96 etc. ip addresses.(answer section)
Actually php has
$result = dns_get_record("php.net", DNS_ANY, $authns, $addtl);
but I also have second parameter
"8.8.8.8" or "ns0.domain_name.com or 77.88.8.1"
(and with this additional parameters "host" command returns different IP) and there is no place for it in command above.
Use nslookup instead simplier output and each ip has Address: at the front so easy to regex
[root#sid ~]# nslookup www.google.com
Server: 10.0.0.253
Address: 10.0.0.253#53
Non-authoritative answer:
Name: www.google.com
Address: 74.125.24.99
Name: www.google.com
Address: 74.125.24.147
Name: www.google.com
Address: 74.125.24.104
Name: www.google.com
Address: 74.125.24.103
Name: www.google.com
Address: 74.125.24.106
Name: www.google.com
Address: 74.125.24.105
Here is the answer:
$resolver = new Net_DNS_Resolver();
$resolver->debug = 1; // Turn on debugging output to show the query
$resolver->usevc = 1; // Force the use of TCP instead of UDP
$resolver->nameservers = array( // Set the IP addresses
'198.41.0.4', // of the nameservers
'192.228.79.201' // to query.
);
$response = $resolver->query('example.com');
if (! $response) {
echo "\n";
echo "ANCOUNT is 0, therefore the query() 'failed'\n";
echo "See Net_DNS_Resolver::rawQuery() to receive this packet\n";
}
?>
I have recently started practicing with sockets on PHP and got an issue for which I find no documentation. Similar cases I've seen in C++, but not a clear answer to this. The code:
do {
$input = socket_read($client, 12,PHP_BINARY_READ);
echo $input;
} while(TRUE);
Is supposed to block on the socket (code for creation, bind, etc not included) and get either 12 bytes or whatever information is available from the other side.
Oddly I just get a '1' in the variable $input if 12 bytes are read. If I send from the client side more than 12 bytes then I receive '1[REST_OF_DATA]' in the value of $input.
Any idea why this is happening?
If I change this to more data and to PHP_NORMAL_READ then I correctly receive the data.
PHP manual online does not say anything abou socket_read returning '1'..
**EDIT: Ok thanks for yout early answers :). I am saving to a file and reading (not echoing to browser) expecting any character. I think I may have just discovered something that could be good if someone with knowledge of C++ sockets can verify. Anyways, my read code actually was this (not what I posted above):
do {
$input = ($seq_id == 0) ? socket_read($client, 12,PHP_BINARY_READ) : socket_read($client,1024,PHP_BINARY_READ);
echo $input;
} while(TRUE);
I was expecting 12 bytes at the first read, then chunks of 1024, reason for that condition check. The weird '1' comes from this. If I replace that with the line I posted above the data is read normally. In fact, even reading like this:
$input = ($seq_ID == 0) ? socket_read($client,12,PHP_BINARY_READ) : socket_read($client, 12,PHP_BINARY_READ);
Results in : 1st read = '1' 2nd read = correct data, 3rd read = correct data..
The 12 you specify is the maximum length to read, so 12 can mean a return string of a size from 0-12 characters (binary string in PHP, 1 char = 1 byte).
Additionally as that can be binary, I suggest you use var_dump and a hexdump of the return string value to actually find out how many bytes were returned, echo might hide some control characters, your browser might hide whitespace.
For the comments above, yes $seq_id should increment. I just wanted to shorten the code. So now, the answer is not important for me anymore but remains an enigma, after upgrading my Ubuntu version this month I have been unable to replicate the error with the same script:
<?php
set_time_limit(0);
$address = "192.168.1.1";
$port = 3320;
$server_users = 3;
$mysock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP) or die("Could not create socket\n");
$bind_result = socket_bind($mysock,$address, $port) or die("Could not bind to address\n");
$listen_result = socket_listen($mysock, $server_users) or die("Could not set up socket listener\n");
$client = socket_accept($mysock) or die("Could not accept the connection to socket\n");
$seq_id =0;
do {
$input = ($seq_id == 0) ? socket_read($client, 12,PHP_BINARY_READ) : socket_read($client,1024,PHP_BINARY_READ);
echo $input;
} while(TRUE);
?>
I execute it in terminal:
$php -q myscript.php
And test it using netcat:
$netcat 192.168.1.1 3320
Note that the question is about socket_read returning 1 as it results, which is not documented anywhere
I seem to be unable to use php to securely bind to Active Directory. Unencrypted connections work fine. Using other clients are able to securely bind, e.g. connecting using LDAPAdmin over SSL. What is the problem here? Is there some LDAP SSL module that I'm missing? How to securely bind to the server using php?
I noticed from phpinfo() that cURL has support for ldap/ldaps - what is a good example on utilizing this to perform secure bind in php? Is this a viable workaround?
phpinfo();
ldap
LDAP Support enabled
RCS Version $Id: ldap.c 293036 2010-01-03 09:23:27Z sebastian $
Total Links 0/unlimited
API Version 3001
Vendor Name OpenLDAP
Vendor Version 20421
SASL Support Enabled
Attempting to bind to an Active Directory server using PHP Version 5.3.2-1ubuntu4.7 from Ubuntu 10.04 repo
$username = 'user';
$password = 'passwd';
$account_suffix = '#example.com';
$hostnameSSL = 'ldaps://ldap.example.com:636';
$hostnameTLS = 'ldap.example.com';
$portTLS = 389;
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
// Attempting fix from http://www.php.net/manual/en/ref.ldap.php#77553
putenv('LDAPTLS_REQCERT=never');
####################
# SSL bind attempt #
####################
// Attempting syntax from http://www.php.net/manual/en/function.ldap-bind.php#101445
$con = ldap_connect($hostnameSSL);
if (!is_resource($con)) trigger_error("Unable to connect to $hostnameSSL",E_USER_WARNING);
// Options from http://www.php.net/manual/en/ref.ldap.php#73191
if (!ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3))
{
trigger_error("Failed to set LDAP Protocol version to 3, TLS not supported",E_USER_WARNING);
}
ldap_set_option($con, LDAP_OPT_REFERRALS, 0);
if (ldap_bind($con,$username . $account_suffix, $password)) die('All went well using SSL');
ldap_close($con);
####################
# TLS bind attempt #
####################
$con = ldap_connect($hostnameTLS,$portTLS);
ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($con, LDAP_OPT_REFERRALS, 0);
$encrypted = (ldap_start_tls($con));
if ($encrypted) ldap_bind($con,$username . $account_suffix, $password); // Unecrypted works, but don't want logins sent in cleartext
ldap_close($con);
#####################
# SASL bind attempt #
#####################
$con = ldap_connect($hostnameTLS,$portTLS);
ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($con, LDAP_OPT_REFERRALS, 0);
ldap_sasl_bind($con, NULL, $password, 'DIGEST-MD5', NULL, $username. $account_suffix);
ldap_close($con);
All of the above fails. Errors from log:
ldap_create
ldap_url_parse_ext(ldaps://ldap.example.com:636)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.example.com:636
ldap_new_socket: 27
ldap_prepare_socket: 27
ldap_connect_to_host: Trying 1.1.1.1:636
ldap_pvt_connect: fd: 27 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x215380c0 msgid 1
wait4msg ld 0x215380c0 msgid 1 (infinite timeout)
wait4msg continue ld 0x215380c0 msgid 1 all 1
** ld 0x215380c0 Connections:
* host: ldap.example.com port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Mar 10 11:15:53 2011
** ld 0x215380c0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x215380c0 request count 1 (abandoned 0)
** ld 0x215380c0 Response Queue:
Empty
ld 0x215380c0 response count 0
ldap_chkResponseList ld 0x215380c0 msgid 1 all 1
ldap_chkResponseList returns ld 0x215380c0 NULL
ldap_int_select
read1msg: ld 0x215380c0 msgid 1 all 1
ldap_err2string
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP Warning: ldap_bind() [<a href='function.ldap-bind'>function.ldap-bind</a>]: Unable to bind to server: Can't contact LDAP server in /..test.php on line 28
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP Stack trace:
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP 1. {main}() /..test.php:0
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP 2. ldap_bind() /..test.php:28
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 1 1
ldap_free_connection: actually freed
ldap_create
ldap_err2string
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP Warning: ldap_start_tls() [<a href='function.ldap-start-tls'>function.ldap-start-tls</a>]: Unable to start TLS: Not Supported in /..test.php on line 37
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP Stack trace:
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP 1. {main}() /..test.php:0
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP 2. ldap_start_tls() /..test.php:37
ldap_create
ldap_sasl_interactive_bind_s: user selected: DIGEST-MD5
ldap_err2string
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP Warning: ldap_sasl_bind() [<a href='function.ldap-sasl-bind'>function.ldap-sasl-bind</a>]: Unable to bind to server: Not Supported in /..test.php on line 47
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP Stack trace:
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP 1. {main}() /..test.php:0
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP 2. ldap_sasl_bind() /..test.php:47
Looking at ssl response:
>> openssl s_client -connect my.example.com:636 -prexit
(...)
SSL handshake has read 5732 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 111111111111111111111111
Session-ID-ctx:
Master-Key: AAAAAAAAAAAAAAAAAAAAA
Key-Arg : None
Start Time: 1299071105
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Results from 'strace php test.php' :
write(2, " refcnt: 2 status: Connected\n", 31 refcnt: 2 status: Connected
) = 31
write(2, " last used: Tue Mar 15 10:59:19"..., 39 last used: Tue Mar 15 10:59:19 2011
) = 39
write(2, "\n", 1
) = 1
write(2, "** ld 0x954e0b8 Outstanding Requ"..., 38** ld 0x954e0b8 Outstanding Requests:
) = 38
write(2, " * msgid 1, origid 1, status In"..., 41 * msgid 1, origid 1, status InProgress
) = 41
write(2, " outstanding referrals 0, pare"..., 43 outstanding referrals 0, parent count 0
) = 43
write(2, " ld 0x954e0b8 request count 1 ("..., 45 ld 0x954e0b8 request count 1 (abandoned 0)
) = 45
write(2, "** ld 0x954e0b8 Response Queue:\n", 32** ld 0x954e0b8 Response Queue:
) = 32
write(2, " Empty\n", 9 Empty
) = 9
write(2, " ld 0x954e0b8 response count 0\n", 32 ld 0x954e0b8 response count 0
) = 32
write(2, "ldap_chkResponseList ld 0x954e0b"..., 48ldap_chkResponseList ld 0x954e0b8 msgid 1 all 1
) = 48
write(2, "ldap_chkResponseList returns ld "..., 47ldap_chkResponseList returns ld 0x954e0b8 NULL
) = 47
write(2, "ldap_int_select\n", 16ldap_int_select
) = 16
poll([{fd=3, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, -1) = 1 ([{fd=3, revents=POLLIN}])
write(2, "read1msg: ld 0x954e0b8 msgid 1 a"..., 37read1msg: ld 0x954e0b8 msgid 1 all 1
) = 37
read(3, "", 8) = 0
write(2, "ldap_err2string\n", 16ldap_err2string
) = 16
write(2, "PHP Warning: ldap_bind(): Unabl"..., 158PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in
And I do have the /etc/ldap.conf fix with 'TLS_REQCERT never' - even though this fix is for a different error, which gives a fairly clear error message.
Did you see the comment on the PHP.net page about missing permissions on some cert store that does this:
http://de3.php.net/manual/en/function.ldap-connect.php
bleathem 27-Feb-2008 10:30
Everyone is posting about getting ldaps:// working in a WAMP/AD stack, I had a tough time finding how to get it going in RHEL 5.1 (w/ all stock rpms). Good old strace did the trick and helped me find the problem... Turns out php was looking for the CA file in /etc/pki/CA, and I didn't have the correct permissions on the folder. chmod'ing it to 755 solved my "Can't contact LDAP server" message.
So maybe thats your issue too. If not you should give either strace or wireshark a try to catch the syscalls and network transmissions and figure out what goes wrong. One of the two will show it clearly.
this is how i do it:
<?php
$username = ''; // username to check
$password = ''; // password to check
/**
* Is it an Active Directory?
*
* <pre>
* true = yes
* set the following values:
* SDB_AUTH_LDAP_HOST
* SDB_AUTH_LDAP_SSL
* SDB_AUTH_LDAP_BASE
* SDB_AUTH_LDAP_SEARCH
* SDB_AUTH_LDAP_USERDOMAIN
* false = no, you have to supply an hostname
* and configure the following values:
* SDB_AUTH_LDAP_HOST
* SDB_AUTH_LDAP_PORT
* SDB_AUTH_LDAP_SSL
* SDB_AUTH_LDAP_BASE
* SDB_AUTH_LDAP_SEARCH
* SDB_AUTH_LDAP_USERDOMAIN
* </pre>
* #see SDB_AUTH_LDAP_HOST
*/
define('SDB_AUTH_IS_AD', true);
/**
* Domain name of the LDAP Host or of the AD-Domain
*/
define('SDB_AUTH_LDAP_HOST', 'your-domain.tld');
/**
* LDAP Port?
*
* if {#link SDB_AUTH_IS_AD} = true, then the port will be read form DNS.
*/
define('SDB_AUTH_LDAP_PORT', '389');
/**
* Use LDAPS (true) oder LDAP (false) connection?
*/
define('SDB_AUTH_LDAP_SSL', false);
/**
* LDAP Base
*/
define('SDB_AUTH_LDAP_BASE', 'CN=Users,DC=your-domain.tld,DC=de');
/**
* LDAP Search, to find a user
*
* %s will be replaced by the username.<br>
* z.B. CN=%s
*/
define('SDB_AUTH_LDAP_SEARCH', '(&(sAMAccountName=%s)(objectclass=user)(objectcategory=person))');
/**
* Die LDAP Domain des Benutzers
*
* if the username doesnt contain a domain append this domain to it.<br>
* in case this is empty, nothing will be appended.
*/
define('SDB_AUTH_LDAP_USERDOMAIN', 'your-domain.tld');
/**
* Path to LDAP Search
*
* Will give back better error messages
* ( leave empty in case you don't want to have it. )
*/
define('SDB_AUTH_LDAP_SEARCHBIN', '/usr/bin/ldapsearch');
$ldap_error_codes=array(
'525' => 'Username doesnt exist.',
'52e' => 'Wrong password.',
'530' => 'You cannot login at this time.',
'531' => 'You cannot login from this host.',
'532' => 'Your password was expired.',
'533' => 'Your account has been deactivated.',
'701' => 'Your account was expired.',
'773' => 'Please set another password (at your workstation) before you login.',
'775' => 'Your account has been locked.',
);
if(SDB_AUTH_LDAP_SSL) $dcs=dns_get_record("_ldaps._tcp.".SDB_AUTH_LDAP_HOST, DNS_SRV); else $dcs=dns_get_record("_ldap._tcp.".SDB_AUTH_LDAP_HOST, DNS_SRV);
shuffle($dcs);
$_LDAP_ATTRS=array('cn', 'sn', 'description', 'givenName', 'distinguishedName', 'displayName', 'memberOf', 'name', 'sAMAccountName', 'sAMAccountType', 'objectClass', 'objectCategory');
if(SDB_AUTH_LDAP_USERDOMAIN!='' && strstr($username, '#')===false) {
$username=$username.'#'.SDB_AUTH_LDAP_USERDOMAIN;
}
$status=array();
$status['CN']='';
$status['displayName']='';
$status['description']='';
$status['distinguishedName']='';
$status['groups']=array();
$status['RC']=array();
$status['connected']=false;
$status['user_exists']=false;
$status['is_in_team']=false;
foreach($dcs as $_LDAP_HOST) {
$_LDAP_PORT=$_LDAP_HOST['port'];
$_LDAP_HOST=$_LDAP_HOST['target'];
// check connection first ( http://bugs.php.net/bug.php?id=15637 )
$sock=#fsockopen($_LDAP_HOST, $_LDAP_PORT, $errno, $errstr, 1);
#fclose($sock);
if($errno!=0) continue;
// then do a "connect"... ( the real connect happens with bind )
$ds=#ldap_connect(( SDB_AUTH_LDAP_SSL ? "ldaps://" : "ldap://" ).$_LDAP_HOST.":".$_LDAP_PORT."/");
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
// are we connected? actually, this will always return true
if(is_resource($ds)) {
$status['connected']=true;
// login sucessful? actually also connection test
if(#ldap_bind($ds, $username, $password)) {
// search
$sr=ldap_search($ds, SDB_AUTH_LDAP_BASE, sprintf(SDB_AUTH_LDAP_SEARCH, $usernode), $_LDAP_ATTRS);
// suche successful?
if(is_resource($sr)) {
// fetch entries
$info = ldap_get_entries($ds, $sr);
if(isset($info['count']) && $info['count']>0) {
$status['user_exists']=true;
}
// close search result
ldap_free_result($sr);
$status['CN']=$info[0]['cn'][0];
$status['description']=$info[0]['description'][0];
$status['displayName']=$info[0]['displayname'][0];
$status['distinguishedName']=$info[0]['distinguishedname'][0];
// is the user in the dexteam?
for($i=0; $i<$info[0]['memberof']['count']; $i++) {
$status['groups'][]=$info[0]['memberof'][$i];
// IS IN TEAM CHECK
if(substr($info[0]['memberof'][$i], 0, strlen('CN=DexTeam,'))=='CN=DexTeam,') $status['is_in_team']=true;
}
$status['RC']['code']=ldap_errno($ds);
$status['RC']['string']=ldap_error($ds);
ldap_close($ds);
break;
}
else {
$status['RC']['code']=ldap_errno($ds);
$status['RC']['string']=ldap_error($ds);
ldap_close($ds);
break;
}
}
else {
$status['RC']['code']=ldap_errno($ds);
$status['RC']['string']=ldap_error($ds);
// do we want better error messages?
if(SDB_AUTH_LDAP_SEARCHBIN!='' && is_executable(SDB_AUTH_LDAP_SEARCHBIN)) {
$status['RC']['ldapsearchrc']='';
$status['RC']['ldapsearchtxt']=array();
exec(SDB_AUTH_LDAP_SEARCHBIN.' -x -H '.escapeshellarg(( SDB_AUTH_LDAP_SSL ? "ldaps://" : "ldap://" ).$_LDAP_HOST.":".$_LDAP_PORT."/").' -D '.escapeshellarg($username).' -w '.escapeshellarg($password).' 2>&1', $status['RC']['ldapsearchtxt'], $status['RC']['ldapsearchrc']);
if($status['RC']['ldapsearchrc']!=0) {
if(preg_match("/data ([^, ]+),/", $status['RC']['ldapsearchtxt'][1], $matches)) {
if(isset($ldap_error_codes[$matches[1]])) {
$status['RC']['code']=$matches[1];
$status['RC']['string']=$ldap_error_codes[$matches[1]];
}
}
unset($status['RC']['ldapsearchrc']);
unset($status['RC']['ldapsearchtxt']);
}
}
ldap_close($ds);
break;
}
}
else {
continue;
}
}
did you enable the certificate? i know there was a problem, when the certifiacte gets refused. edit the "/etc/ldap/ldap.conf" and add "TLS_REQCERT never"
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_REQCERT never
however, to me it works with ldap and ldaps:
it might be a configuration issue with the ad configuration. maybe lower certain security limitations...
OR it might be also a php / ldap lib issue. Try to update to newer versions :)
I was finally able to get things working on my Windows machine by reading the following PHP bug thread:
http://bugs.php.net/bug.php?id=48866
Unfortunately, this is Windows specific but it got me at least going in the right direction now in my testing (I know it should work from PHP now on my web server...so long as I have ldap.conf configured correctly). On Windows with PHP 5.3 I needed to add the ldap.conf file into the root of my C: drive (other examples I had seen online had been placing it in C:\openldap\sysconf which wasn't working).
TLS still doesn't work exactly (it gives me a "unable to start tls: can't contact LDAP server" message), but SSL does appear to be working and I was able to update a password for an account in my test script.
I'm guessing the ldap.conf file just needs to be setup similarly on my web server and I should hopefully be in business (I'm just not sure if the one that's already there is the one I need to modify or if I need to create an additional one). I'll see if I can report back on that front.
Does your Active Directory have LDAPS enabled? If so, get the Trusted Root of the CA's key into the trusted root keystore.
As my code is working fine with CentOS, I conclude that the problem is not programming specific. I have not been able to get it running in my Ubuntu environment as of yet, but I assume this is a bug in my server software.
What saved my day after reading and trying out solutions from allover the web and SO, was to use a ldaps uri without the port specified in it.
So instead of this: ldaps://example.com:636 I had to use this: ldaps://example.com and it now works like a charm.
I was setting this up on Ubuntu 16.04 with PHP7.3 runing through Nginx and php-fpm.
A full code example:
try{
$ldapUri = "ldaps://example.com";
$ldapUsername = 'username';
$ldapPassword = 'password';
$ldapConn = ldap_connect($ldapUri);
if($ldapConn){
ldap_set_option($ldapConn,LDAP_OPT_NETWORK_TIMEOUT,10);
if(!ldap_set_option($ldapConn,LDAP_OPT_PROTOCOL_VERSION,3)){
print 'Failed to set ldap protocol to version 3<br>';
}
ldap_set_option($ldapConn, LDAP_OPT_REFERRALS,0);
$ldapBind = ldap_bind($ldapConn, $ldapUsername, $ldapPass);
if ($ldapBind) {
echo "LDAP bind successful...";
//DO LDAP search and stuff
ldap_unbind($ldapConn);
} else {
echo "LDAP bind failed...";
}
}
}catch(Exception $e){
print($e->getMessage();
}