ldap_bind() issue

Discussion in the PHP General forum (PHP Programming Forums category).
#1 - 01-11-2008 - Greg Donald - ldap_bind() issue

Hello,

I'm tasked with writing an application in PHP that will authenticate
against a known working LDAP server. I'm having some problems binding
against that LDAP server and cannot find the issue.

I can telnet to the LDAP server's IP and port:

> > telnet 12.34.56.78 636

Trying 12.34.56.78...
Connected to 12.34.56.78.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

So I have more or less ruled out any sort of networking issue.


But then when trying ldapsearch, this command is failing:

> > ldapsearch -h 12.34.56.78 -p 626 -v -W -X

"dn:uid=username,ou=people,dc=example,dc=com"
ldap_initialize( ldap://12.34.56.78:626 )
Enter LDAP Password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

It could be that I'm not providing the correct options as I'm not
extremely familiar with ldapsearch.


And then the heart of the issue, this simple PHP script is also failing for me:

> > ./ldap_test.php

ldap_create
ldap_url_parse_ext(LDAPS://ldap.example.com)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.example.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 12.34.56.78:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=ldap.example.com
TLS certificate verification: depth: 0, err: 66, subject:
C=US,ST=SomeState,O=SomeCompany,CN=ldap.example.com, issuer:
C=US,O=Equifax,OU=Equifax Secure Certificate Authority
TLS certificate verification: Error, Unknown error
TLS: can't connect.
ldap_err2string


The contents of my PHP test script:

<?php
error_reporting( E_ALL );
ini_set( 'display_errors', 1 );
// Debug level 7 turns on libldap's trace output, which produced the log above
ldap_set_option( NULL, LDAP_OPT_DEBUG_LEVEL, 7 );

// The port argument is not used when a URL is given; 636 is the ldaps default anyway
$c = ldap_connect( 'LDAPS://ldap.example.com', 636 ) or die( 'Could not connect to LDAP server.' );

// Simple bind with a DN and password (password redacted in the post)
if( ldap_bind( $c, "uid=username,ou=people,dc=example,dc=com", 'xxx' ) ){
    echo 'success!';
} else {
    echo 'failed to bind';
}


The PHP on my local Ubuntu box currently only has the --with-ldap
option configured as I'm trying to rule out other libraries that may
possibly be causing issues. Are there other dependencies I must build
into my PHP to connect using ldap_bind() ? I have experimented with
adding --with-openssl and --with-ldap-sasl support but neither
resolved my issue.

It's also worth mentioning I am building my PHP against the OpenLDAP
libraries provided in my Linux distro:

> dpkg -l|grep ldap

ii ldap-utils 2.3.35-1ubuntu0.1
OpenLDAP utilities
ii libldap-2.3-0 2.3.35-1ubuntu0.1
OpenLDAP libraries
ii libldap2 2.1.30-13.4
OpenLDAP libraries
ii libldap2-dev 2.1.30-13.4
OpenLDAP development libraries


There are of course other ldap libraries available but I have no idea
if I need them or not. Seems everyone is building their PHP against
OpenLDAP so that's what I'm trying to use too.

I ran ldconfig after installing the above libraries and they seem to
be found with no problems during configuration and compilation.

Any idea what might be the problem or what else I can try? I've
already tried everything Google has to offer on the issue and am still
stuck.


Thanks,


--
Greg Donald
http://destiney.com/
#2 - 01-11-2008 - Richard Lynch - Re: [PHP] ldap_bind() issue

On Fri, January 11, 2008 11:44 am, Greg Donald wrote:

I really have NO IDEA, but...

> ldap_int_sasl_open: host=ldap.example.com
> TLS certificate verification: depth: 0, err: 66, subject:
> C=US,ST=SomeState,O=SomeCompany,CN=ldap.example.com, issuer:
> C=US,O=Equifax,OU=Equifax Secure Certificate Authority
> TLS certificate verification: Error, Unknown error
> TLS: can't connect.
> ldap_err2string


This strikes me as if you've got a Private/Public key issue where you
neglected to generate/install a key-pair...

Or did you sanitize this before you posted?...

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?
#3 - 01-11-2008 - Greg Donald - Re: [PHP] ldap_bind() issue

On 1/11/08, Richard Lynch <ceo@l-i-e.com> wrote:
> This strikes me as if you've got a Private/Public key issue where you
> neglected to generate/install a key-pair...


Yeah, the "certificate" error message makes me think something is not
right with my PHP install or how it's talking to the OpenLDAP libs..
but what exactly is the mystery. ldap_bind()'s "Error unknown"
message isn't very helpful.

Meanwhile another project of mine, on that same server, uses ruby-ldap
and works just fine.

> Or did you sanitize this before you posted?...


Had to, yes.


--
Greg Donald
http://destiney.com/
#4 - 01-14-2008 - Richard Lynch - Re: [PHP] ldap_bind() issue

On Fri, January 11, 2008 3:54 pm, Greg Donald wrote:
> On 1/11/08, Richard Lynch <ceo@l-i-e.com> wrote:
>> This strikes me as if you've got a Private/Public key issue where you
>> neglected to generate/install a key-pair...

>
> Yeah, the "certificate" error message makes me think something is not
> right with my PHP install or how it's talking to the OpenLDAP libs..
> but what exactly is the mystery. ldap_bind()'s "Error unknown"
> message isn't very helpful.
>
> Meanwhile another project of mine, on that same server, uses ruby-ldap
> and works just fine.


Perhaps try less restrictive checks on the keys -- e.g., in cURL, you
can set it to not check the peer certificate, so it doesn't die on
certs issued by less-known CAs.

I have no idea if you can DO that in LDAP, but perhaps it will lead
somewhere...

You could also try contacting the host and see if they could grep
their logs for any info that might be of use to you.

So long as you give them a time-stamp and some distinctive data that
should be there like your IP, you're only asking somebody to spend a
couple minutes to help you out.

Even large companies occasionally have humans working for them. :-)

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?
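An added example, not code from the thread, showing the alternative to the "don't check the peer certificate" idea above and a hardened version of the test script from post #1: point libldap at the CA that issued the server certificate and keep verification on, with the insecure option noted alongside. It assumes PHP 7.1 or later linked against OpenLDAP; the URI, DN, CA bundle path and LDAP_PASSWORD variable are placeholders.

```php
<?php
// Added example, not code from the thread. Connect over LDAPS with the CA
// that issued the server certificate configured explicitly, instead of
// relaxing verification. Assumes PHP >= 7.1 linked against OpenLDAP; the CA
// bundle path, URI, DN and LDAP_PASSWORD variable below are placeholders.
declare(strict_types=1);

function ldapsBind(string $uri, string $dn, string $password, string $caFile): bool
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA bundle not readable: $caFile");
    }
    // Options set on a null handle become defaults for handles created later.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);

    // DEMAND: the server certificate must chain to $caFile and match the host
    // in $uri, or the handshake is aborted and the password is never sent.
    // LDAP_OPT_X_TLS_NEVER (the "don't check the peer" equivalent) accepts any
    // certificate, so an interposed host could collect the bind password.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ld = ldap_connect($uri);   // no network I/O yet; the socket opens at bind
    if ($ld === false) {
        throw new RuntimeException("Malformed LDAP URI: $uri");
    }
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);

    // An empty password is an unauthenticated bind, which many directories
    // report as success; refuse it rather than let a blank login through.
    if ($password === '') {
        return false;
    }

    $ok = @ldap_bind($ld, $dn, $password);
    if (!$ok) {
        // libldap's diagnostic is more specific than "Unknown error"
        ldap_get_option($ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        error_log(sprintf('ldap_bind failed: %s (%s)', ldap_error($ld), (string) $diag));
    }
    ldap_unbind($ld);
    return $ok;
}

var_dump(ldapsBind(
    'ldaps://ldap.example.com:636',
    'uid=username,ou=people,dc=example,dc=com',
    getenv('LDAP_PASSWORD') ?: '',
    '/etc/ssl/certs/ca-certificates.crt'   // Ubuntu's system CA bundle
));
```

If the bundle does not contain the issuing CA, the handshake fails exactly as in the posted trace; the fix is to add that CA to the bundle, not to switch to LDAP_OPT_X_TLS_NEVER.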