Reputation: 4373
I am trying to connect to MS Active Directory using PHP 7 on a Windows 2012 server (running apache 2.4 but that should be irrelevant to the problem I am having).
I should also note that I am able to connect to AD from PHP using non-secure LDAP from the command line and the apache server.
When I execute the following PHP test file, source: http://muzso.hu/2012/04/02/php-ldap-ssl-ldaps-authentication-in-windows-running-apache, from a command line on the web server:
<?php
$AD_search_bind_DN = 'CN=someuser,OU=Users,DC=example,DC=com';
$AD_search_bind_PW = 'secret123';
ini_set('display_errors', 1);
error_reporting(E_ALL);
// OpenLDAP client debug level 7 traces the TLS handshake to stderr
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
$conn = ldap_connect('ldaps://SomeDC.example.com/') or die("Failed to connect to ldap server.");
ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, 3);
// PHP concatenates strings with '.', not '+'
ldap_bind($conn, $AD_search_bind_DN, $AD_search_bind_PW) or die("Failed to bind to ldap server: " . ldap_error($conn));
echo "Successful LDAP bind.";
I get the following output (I highlighted the error):
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying %SYSCONFDIR%\ldap.conf
ldap_init: HOME env is NULL
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
ldap_create
ldap_url_parse_ext(ldaps://SomeDC.example.com/)
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP SomeDC.example.com:636
ldap_new_socket: 244
ldap_prepare_socket: 244
ldap_connect_to_host: Trying {IP Address of SomeDC Removed}:636
ldap_pvt_connect: fd: 244 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 20, subject: /DC=com/DC=example/CN=Self_Named-SHA256-SubCA, issuer: /CN=ITSS-Ent-SHA256-Root
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate).
ldap_err2string
PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in C:\test_bind.php on line 10
I have both the php_ldap and php_openssl extensions UN-commented in my php.ini file.
I have copies of the AD CA cert in DER and PEM formats, but I am not sure where to place these files on my web server. There are lots of posts related to Linux OSes that simply say to place "TLS_CACERT C:\openldap\sysconf\cacert.pem" in my ldap.conf file. I am not running OpenLDAP and I do not have an ldap.conf file.
I have openSSL installed but I am not entirely sure that the configuration is correct:
== EDIT 1: ========================================
Gabriel, thanks for the suggestions / Reference.
I have now also tried these things without success:
== EDIT 2: ========================================
Gabriel, thanks for the process monitor tip. I can now at least confirm that PHP 7 is using the 'LDAPCONF' environment value path to locate and read the ldap.conf file that this ENV variable is pointing to.
It also appears that PHP 7 is not handling the 'SYSCONFDIR' environment variable correctly because it first tries to open a file in this literal path: E:\httpd\www\%SYSCONFDIR%\ldap.conf
It's still not working but now I can focus my effort in tweaking just the one file I know it is reading.
If anyone has any other tips for configuration or could share their ldap.conf file from a working windows installation I would appreciate it.
I am now still stuck and don't know what else to do. Please help!
Upvotes: 2
Views: 10512
Reputation: 85
I know I'm a bit late, but for me the following line of code fixed the problem with the issuer certificate:
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_ALLOW);
If you are using the ldaprecord package, you need to add LDAP_DEFAULT_OPT_X_TLS_REQUIRE_CERT=LDAP_OPT_X_TLS_ALLOW
to your .env-file.
Upvotes: 0
Reputation: 9
I had a similar problem and spent some time resolving it. This behaviour was an OpenLDAP bug in PHP. I have reported it; it was fixed and will be released soon. See: PHP BUG #73243 (https://bugs.php.net/bug.php?id=73243)
If you need immediate fix, which is a little bit hacking, try this (on your own risk):
Hope, it helps :-)
Upvotes: 0
Reputation: 40938
The answer here should help: https://stackoverflow.com/a/6047293/1202807
Under XAMPP on Windows the ldap.conf must be either in the root of the system (c:\ldap.conf, PHP 5.3.3 if I remember correctly) or in C:\openldap\sysconf\ depending on the PHP version. It seems the path is not configurable because it is hardcoded in the Windows PHP DLLs. See the comments at https://www.php.net/manual/en/ref.ldap.php
So create the ldap.conf file in c:\ or C:\openldap\sysconf\ if it doesn't exist already, and put your TLS_CACERT line in it.
Upvotes: 1
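Neither the LDAP_OPT_X_TLS_ALLOW setting in the earlier answer nor a hand-placed ldap.conf is needed if PHP hands the CA file to the OpenLDAP client itself; this added example (not code from the question or any answer on this page) does that and keeps certificate verification on, because LDAP_OPT_X_TLS_ALLOW accepts a server certificate that cannot be validated and so exposes the bind password to anyone who can sit between the web server and the DC. It assumes PHP 7.1 or later (for the LDAP_OPT_X_TLS_CACERTFILE constant) and uses placeholder values for the host, DN, password and certificate path.

```php
<?php
// Added example, not from the question or any answer on this page.
// Host, DN, password and certificate path below are placeholders.
// Requires the php_ldap extension; the TLS file constants exist since PHP 7.1.

$caFile = 'C:\certs\ad-root-ca.pem';               // PEM copy of the AD CA chain (placeholder)
$server = 'ldaps://SomeDC.example.com/';
$bindDn = 'CN=someuser,OU=Users,DC=example,DC=com';
$bindPw = 'secret123';

// Global TLS options are set with a NULL link and must come BEFORE ldap_connect(),
// because the OpenLDAP client builds its TLS context when the connection is made.
// This is the programmatic equivalent of the ldap.conf line:
//   TLS_CACERT C:\certs\ad-root-ca.pem
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);

// DEMAND = fail the handshake unless the server cert chains to $caFile.
// Do NOT use LDAP_OPT_X_TLS_ALLOW or LDAP_OPT_X_TLS_NEVER here: both let an
// on-path party present any certificate and read the credentials sent in the bind.
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

$conn = ldap_connect($server);
if ($conn === false) {
    die("Could not parse LDAP URL.\n");          // only URL parsing fails here; no socket yet
}
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);   // AD returns referrals; chasing them over LDAPS usually fails

if (!@ldap_bind($conn, $bindDn, $bindPw)) {
    // ldap_error() gives the LDAP result code text; the diagnostic message
    // carries the underlying TLS reason (e.g. "unable to get local issuer certificate").
    $diag = '';
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    die('Bind failed: ' . ldap_error($conn) . ' (' . $diag . ")\n");
}
echo "Successful LDAPS bind with certificate verification.\n";
ldap_unbind($conn);
```

If the bind still fails with "unable to get local issuer certificate", the PEM file is missing an intermediate (the trace above shows a SubCA issued by a separate root), so the file must contain the full chain up to the root the server's chain ends in.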