Working on an EL7 system with PHP 5.6 and openldap 2.4.40.
I'm able to query the remote ldaps server using ldapsearch:
ldapsearch -H ldaps://ldap.example.com -D "CN=serviceaccount,OU=Services,DC=example,DC=com" -x -w "sapass" -LLL -b "DC=example,DC=com" cn="acoder"
This returns expected data on user acoder.
Moving to PHP, I'm attempting to bind to the same server using the same credentials and password (sapass) as above.
// server settings
$srvc_id   = 'serviceaccount';
$srvc_pass = "somepass";
$ldap_host = "ldaps://ldap.example.com";
$srvc_dn   = "CN=$srvc_id,OU=Services,DC=example,DC=com";
// $form_user comes from the login form (not shown in the post); escape it before
// interpolating it into the filter, or the form value can rewrite the LDAP query
$user_filter = "(uid=" . ldap_escape($form_user, '', LDAP_ESCAPE_FILTER) . ")";
$ldap_conn = ldap_connect($ldap_host);
if ($ldap_conn)
{
    // ldap_connect() only validates the URI; the TCP/TLS handshake happens at bind time
    ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    echo "<p>Connected to \$ldap_host $ldap_host";
    $r = ldap_bind($ldap_conn, $srvc_dn, $srvc_pass);
    if (!$r)
    {
        echo "<p>failed to bind with service account credentials: " . ldap_error($ldap_conn);
    } else {
        echo "<p>bound OK.";
    }
}
If I temporarily add this to /etc/openldap/ldap.conf, the script works:
TLS_REQCERT never
Once I comment that out, the script fails with "Can't contact LDAP server".
If I add TLS_CACERTDIR /etc/openldap/certs to ldap.conf, the script works fine when called from command line.
TLS_CACERTDIR /etc/openldap/certs
# TLS_REQCERT never ### only use for testing ###
It seems like httpd isn't reading a necessary certificate and is thus not able to communicate with the remote LDAP server.
The PHP/LDAP setup tutorials I've looked at work with EL6, and I am running EL7.
SOLVED!
SELinux is running Enforced. If I temporarily disabled SELinux, the ldap test script worked fine in a browser.
That led me to this helpful answer and this CentOS Wiki on SELinux. Here we learn:
SELinux doesn't allow your httpd daemon to talk to the LDAP server on the same machine.
Ah. It turns out SELinux has a multitude of fine-grained switches to allow specific activity from different processes. In my case, SELinux was configured out of the box to disallow LDAP connectivity (even though ldaps is enabled in firewalld).
You can check SELinux configuration of httpd using:
getsebool -a | grep httpd
which returns:
[acoder@myboxen]# getsebool -a | grep httpd
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
To enable SELinux network connectivity through httpd:
setsebool -P httpd_can_network_connect on
No need to restart Apache. My ldap script worked fine from that moment on.
As above, be sure to remove TLS_REQCERT never from your /etc/openldap/ldap.conf and of course set SELinux back to Enforcing with setenforce 1.
Hope this is helpful to others.
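Added example, not code from the question or the answer above: a small POSIX shell helper that reads getsebool-style output and picks the narrowest httpd boolean for the back end you need to reach. For this case that is httpd_can_connect_ldap (httpd to the LDAP port only); httpd_can_network_connect, which the answer enabled, lets httpd open TCP connections to any port and is the broader grant. The sample boolean listing is constructed to match the output above with two more entries; the back-end-to-boolean mapping is this example's own.

```shell
# Added example, not code from the original posts. Given getsebool-style output
# and the kind of back end httpd must reach, pick the narrowest SELinux boolean
# that grants it; fall back to the broad httpd_can_network_connect only when no
# service-specific boolean exists. The boolean names are real RHEL/CentOS 7
# httpd policy booleans; the back-end-to-boolean mapping is this example's own.

# Constructed sample of `getsebool -a | grep httpd` output (matches the page,
# with two more entries added).
SAMPLE_BOOLS='httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off'

# Service-specific boolean for a back-end kind, or empty if there is none.
narrow_bool_for() {
    case "$1" in
        ldap)                echo httpd_can_connect_ldap ;;
        db|mysql|postgresql) echo httpd_can_network_connect_db ;;
        ftp)                 echo httpd_can_connect_ftp ;;
        memcache)            echo httpd_can_network_memcache ;;
        *)                   echo "" ;;
    esac
}

# Current value (on/off) of boolean $2 in getsebool text $1; empty if absent.
bool_state() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n && $2 == "-->" { print $3 }'
}

# Decide what to enable for back-end kind $2 given getsebool text $1.
# Prints "already-on:<name>", the name to enable, or "none" (exit status 1).
choose_bool() {
    narrow=$(narrow_bool_for "$2")
    for b in "$narrow" httpd_can_network_connect; do
        [ -n "$b" ] || continue
        case "$(bool_state "$1" "$b")" in
            on)  echo "already-on:$b"; return 0 ;;
            off) echo "$b"; return 0 ;;
        esac
    done
    echo none
    return 1
}

# The persistent setsebool command (-P survives reboot) for that decision.
fix_command() {
    b=$(choose_bool "$1" "$2") || { echo "# no boolean known for $2"; return 1; }
    case "$b" in
        already-on:*) echo "# ${b#already-on:} is already on; look for another cause" ;;
        *)            echo "setsebool -P $b on" ;;
    esac
}

fix_command "$SAMPLE_BOOLS" ldap    # setsebool -P httpd_can_connect_ldap on
fix_command "$SAMPLE_BOOLS" mysql   # setsebool -P httpd_can_network_connect_db on
fix_command "$SAMPLE_BOOLS" neo4j   # setsebool -P httpd_can_network_connect on
```

On a real host, feed it `getsebool -a` instead of the constructed sample. The point of the fallback order is least privilege: a boolean that already answers the question (here httpd_can_connect_ldap) is preferred to one that opens every port.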
Related
I have a simple PHP script used to test binding to MS Active Directory, in order to use it for login to a PHP application. When it runs in a browser, it responds with the error "Can't contact LDAP server", but in a terminal it works fine.
OS centos 7
php 5.6.40
$ldap = ldap_connect('ldap://{LDAP}.{DOMAIN.COM}', 389)
    or die('Cannot connect');
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
if ($bind = ldap_bind($ldap, '{USERNAME}@{DOMAIN.COM}', '{PASSWORD}')) {
    echo "\n\nSuccess Binding!\n\n";
    ldap_unbind($ldap);
}
else {
    echo ldap_error($ldap);
}
Any suggestions?
Solution found and has to be shared:
SELinux was enabled. I found it better to run
semanage boolean -l
to find out whether it was on or off; httpd_can_connect_ldap was off, so I altered it to on using
setsebool -P httpd_can_connect_ldap on
I hope I helped someone with a similar problem.
I have the following code
public function openConnection()
{
$this->ldapServerHandle = ldap_connect(ConfigH::getConfig()->ldap->host);
$bindDN = ConfigH::getConfig()->ldap->serviceAccount->bindDN;
if ($this->ldapServerHandle) {
$this->ldapBindHandle = ldap_bind(
$this->ldapServerHandle,
$bindDN,
ConfigH::getConfig()->ldap->serviceAccount->password
);
if (!$this->ldapBindHandle) {
$errorMsg = "LDAP::__construct(): Could not bind the service account ".$bindDN;
LoggerH::emergency($errorMsg);
throw new LDAPException($errorMsg);
}
} else {
$errorMsg = "LDAP::__construct(): Could not connect to the LDAP server ".ConfigH::getConfig()->ldap->host;
LoggerH::emergency($errorMsg);
throw new LDAPException($errorMsg);
}
}
The issue
I have this error causing me headaches since this morning:
Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server [...]
Everything worked fine on Windows, when I executed the code on our CentOS production server, it stopped working.
What I have already checked
OpenLDAP is installed and enabled
The LDAP server is reachable from the CentOS server (Kerberos is experiencing no issues on the same machine)
What I have already tried
Re-installed the php-ldap extension
Checked the credentials and the address a million times
Additional information
ConfigH::getConfig()->ldap->host returns something like "adserver.ourcompany.com", which is the address of our LDAP server
ConfigH::getConfig()->ldap->serviceAccount->bindDN returns a valid bind DN
ConfigH::getConfig()->ldap->serviceAccount->password returns the password of the service account
The solution
Whoever uses CentOS gets SELinux, yay.
After digging even deeper in Google (such as page 4 of results) and Stackoverflow, I found the issue to be caused by SELinux restricting httpd to communicate over some ports despite the firewall being configured to allow it, including the LDAP one(s).
To allow httpd to communicate over these ports, run the following command
setsebool -P httpd_can_network_connect 1
(Original solution here (WhoIsRich's answer))
I am trying to scan uploaded files on a PHP server using ClamAV. I've installed ClamAV on my server (CentOS 7). Currently I am using PHP 7, so I am using a clamd socket connection to scan uploaded files. I've enabled PHP sockets; the clamd.sock file is present in the /var/run/clamd.scan/ folder, owned by the apache user.
My Socket connection code -
$socket = socket_create(AF_UNIX, SOCK_STREAM, 0);
if (socket_connect($socket, '/var/run/clamd.scan/clamd.sock')) {
    return $socket;
}
When I try to run the above code in the browser I get the error socket_connect(): unable to connect [13]: Permission denied, but if I run the PHP code from the command line as root it works fine.
I know there is some issue with the SELinux policy on CentOS, as if I disable the SELinux policy everything works fine from the browser as well. I have checked httpd_can_network_connect --> on and antivirus_can_scan_system --> on; both are on.
The issue is with accessing anything inside /var/run/ folder for apache user, there is something (some policy) from SELinux which is stopping apache to connect to clamd socket file. Any ideas?
After debugging, got to know that this is SELinux policy issue.
You need to enable daemons_enable_cluster_mode policy in SELinux.
To Enable daemons_enable_cluster_mode:
setsebool -P daemons_enable_cluster_mode 1
This will allow executing ClamAV scan through another service like Apache in my case.
Using the following bits:
<?php
require('vendor/autoload.php');
$client = new Everyman\Neo4j\Client('localhost', 7474);
print_r($client->getServerInfo());
?>
If I run this as php test.php I get the expected output.
If I run this via http://server/test.php I get connection errors.
[24-Jun-2014 05:49:52] PHP Fatal error: Uncaught exception 'Everyman\Neo4j\Exception'
with message 'Can't open connection to http://localhost:7474/db/data/' in
/var/www/html/vendor/everyman/neo4jphp/lib/Everyman/Neo4j/Transport/Curl.php:91
Clearly I've monkeyed up something with either my PHP config or the installation of this library. Suggestions on where to look?
Installed per these instructions.
Running on CentOS 6.4 (x64), PHP 5.3.3
NOTE: I've made successful connections from other machines back to this server so I know the neo4j server is working. It just doesn't seem to want to let me connect locally when called via browser.
I had the same issue; it was caused by SELinux.
Try disabling it by:
echo 0 >/selinux/enforce
then recheck the connection.
If that solves it, configure SELinux permissions.
In my case httpd_can_network_connect should be on
setsebool -P httpd_can_network_connect on
echo 1 >/selinux/enforce
Helpful manual:
http://wiki.centos.org/TipsAndTricks/SelinuxBooleans
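Added example, not code from any of the posts on this page: instead of switching SELinux off (the `echo 0 >/selinux/enforce` step in the answer just above) to see whether it is the cause, read the AVC denials it has already written to the audit log and work out the narrowest boolean from them. The parser below covers both the TCP `name_connect` denials behind the LDAP, Neo4j and MySQL questions on this page and the `unix_stream_socket connectto` denial behind the clamd socket question. The audit lines are constructed to mirror those cases, not copied from a real host, and the table in suggest_boolean is this example's own shortcut; on a real system `ausearch -m avc -c httpd` and `audit2why` give the authoritative answer.

```shell
# Added example, not code from any of the posts on this page. Read the AVC
# denials SELinux logged against httpd and map each to the narrowest boolean.
# The sample log lines are constructed to mirror the denials described on this
# page; the mapping in suggest_boolean is this example's own shortcut.

# Constructed /var/log/audit/audit.log excerpt (one non-AVC line and one
# non-httpd denial included to show they are filtered out).
SAMPLE_AUDIT='type=AVC msg=audit(1404000001.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=636 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1404000001.123:456): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1404000002.456:457): avc:  denied  { connectto } for  pid=1235 comm="httpd" path="/var/run/clamd.scan/clamd.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:antivirus_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1404000003.789:458): avc:  denied  { name_connect } for  pid=1236 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1404000004.000:459): avc:  denied  { read } for  pid=42 comm="sshd" name="foo" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# Print "perm tclass target_type" for every denial logged against comm="httpd".
summarize_avc() {
    printf '%s\n' "$1" | awk '
        /^type=AVC / && /avc: +denied/ && /comm="httpd"/ {
            perm = ""; tclass = ""; ttype = ""
            # the denied permission sits inside "{ ... }"
            if (match($0, /[{] [^}]* [}]/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^tclass=/)   tclass = substr($i, 8)
                # tcontext=user:role:TYPE:level -> keep only the type
                if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            }
            print perm, tclass, ttype
        }'
}

# Narrowest httpd boolean for a (perm, class, target type) triple, if one is known.
suggest_boolean() {
    case "$2:$1:$3" in
        tcp_socket:name_connect:ldap_port_t)  echo httpd_can_connect_ldap ;;
        tcp_socket:name_connect:mysqld_port_t|tcp_socket:name_connect:postgresql_port_t)
                                              echo httpd_can_network_connect_db ;;
        tcp_socket:name_connect:*)            echo httpd_can_network_connect ;;
        *)                                    echo "no-narrow-boolean (run audit2why)" ;;
    esac
}

# One line per httpd denial: what was denied and which boolean to consider.
triage() {
    summarize_avc "$1" | while read -r perm tclass ttype; do
        printf '%s %s %s -> %s\n' "$perm" "$tclass" "$ttype" \
            "$(suggest_boolean "$perm" "$tclass" "$ttype")"
    done
}

triage "$SAMPLE_AUDIT"
```

Run it against a real log with `triage "$(cat /var/log/audit/audit.log)"`. A denial that maps to no httpd-specific boolean (the clamd socket case) is exactly where audit2why, not a broad boolean picked from a list, should decide what to enable.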
I have weird situation in newly installed server, and it seems that Google can't help me this time.
I can't connect to (remote) MySQL from my PHP code. When I try to connect from the command line on the same server, the connection succeeds.
Could not connect: Can't connect to
MySQL server on 'MYSQL.SERVER' (13)
Here is the code and the connect attempt from the command line
[u1@bosko httpdocs]$ cat test.php
<?php
$link = mysql_connect('MYSQL.SERVER', 'testusersimon', '123456');
if (!$link) {
    die('Could not connect: ' . mysql_error());
}
echo 'Connected successfully';
mysql_close($link);
?>
[u1@bosko httpdocs]$ mysql -h MYSQL.SERVER -utestusersimon --password=123456
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 352108
Server version: 5.0.45-community-nt-log MySQL Community Edition (GPL)
Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> quit
Bye
I tried running the PHP script both in mod_php mode and in FastCGI, and checked that "/etc/php.d/mysql.ini" shows up in phpinfo() as well as the mysql, mysqli and pdo_mysql sections, but the result was the same. I know it's something simple, but I just can't.
Please help :)
Edit:
The problem was with SELinux.
setsebool -P httpd_can_network_connect_db=1
Was the solution.
setsebool -P httpd_can_network_connect=1
will also be a helpful CLI command for many people visiting this question. To allow mysql_connect() connections from within HTTP (Apache) requests to a remote MySQL database server, be sure to enable network connections from httpd in SELinux (its configuration is usually located in /etc/selinux/config; this is disabled by default to prevent hackers from attacking other machines using your httpd).
On CentOS 6, you can use the following (without -P):
setsebool httpd_can_network_connect=1
On Fedora 21 with Apache 2/httpd version 2.6, using PHP version 5.6, when connecting to a remote MySQL server 5.6 or MariaDB version 10: it even seems to be a problem connecting to a local server when specifying the server's FQDN instead of localhost in the PHP code.
This command will fix the permissions problem for the current session:
setsebool httpd_can_network_connect_db on
To make the fix permanent for subsequent reboots you need to do this:
setsebool -P httpd_can_network_connect_db on
Thanks to all on this question for rescuing me from "permission denied" hell. :)