I have a very simple PHP LDAP script that is only failing when running with Zend and Apache. When I run this script from the command line, it passes. Running strace, I can see where the behavior changes, but I cannot tell why. I have confirmed that the same ldap.conf is being read and the same ldap.so is being loaded.
I believe this is because of a certificate problem, but my settings are supposed to ignore certificate issues.
Version Information (these appear to be identical between running from php and apache):
OpenSSL: 0.9.8o 01 Jun 2010
OpenLDAP: $Id: ldap.c 313665 2011-07-25 11:42:53Z felipe $
Zend: 5.5
PHP: 5.3.8
<?php
// Global option: debug level 7 makes libldap print the TLS trace shown below.
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
// Tell libldap not to require a verifiable server certificate (same as TLS_REQCERT never in ldap.conf).
putenv('LDAPTLS_REQCERT=never');
// Prepare the connection; the TCP/TLS handshake happens lazily on the first operation.
$ds = ldap_connect("ldaps://myserver.com:636");
// The simple bind triggers the connect and the TLS handshake.
$db = ldap_bind($ds, 'user', 'pass');
?>
In my ldap.conf, I have only "TLS_REQCERT never". I realize that this duplicates the environment variable set above.
When running under apache, I get the following trace from ldap:
ldap_create
ldap_url_parse_ext(ldaps://myserver.com:636)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP myserver.com:636
ldap_new_socket: 20
ldap_prepare_socket: 20
ldap_connect_to_host: Trying <myip>:636
ldap_pvt_connect: fd: 20 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=mycn.com, issuer: /CN=Collaboration Services CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:error in SSLv3 write finished A
TLS trace: SSL_connect:error in SSLv3 write finished A
TLS: can't connect: error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable.
ldap_err2string
When running the same script using the same php executable on the command line, I get:
ldap_create
ldap_url_parse_ext(ldaps://myserver.com:636)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP myserver.com:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying <my ip>:636
ldap_pvt_connect: fd: 4 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=myserver.com, issuer: /CN=Collaboration Services CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request
I finally fixed this when inspecting the results of running strace showed that the Apache process did not have permission to open my ldap.conf file. Opening up the permissions fixed the issue. However, the file is not supposed to be needed, since it only contained the same setting as the environment variable:
putenv('LDAPTLS_REQCERT=never');
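A preflight check that reports the conditions this thread turned on: which user the process runs as, whether the OpenLDAP client config is readable by that user, which libldap environment variables are set, and what libldap says when the bind fails. This is an added example, not code from the original post; the candidate ldap.conf paths are assumptions (they vary by distribution), the env-var names come from ldap.conf(5), and the code stays PHP 5.3 compatible to match the versions above.

```php
<?php
// Added diagnostic helper (assumed names); run it once from the CLI and once
// under Apache and diff the two reports.
function ldap_preflight($uri, $user, $pass)
{
    $report = array();

    // Under Apache this is the web server's user, not the shell user who ran
    // the CLI test, so file permissions can differ between the two runs.
    $report['effective_uid'] = function_exists('posix_geteuid') ? posix_geteuid() : getmyuid();

    // ldap.conf(5): LDAPNOINIT disables loading of all config files, LDAPCONF
    // and LDAPRC point at alternative files, LDAP<OPTION> overrides an option.
    foreach (array('LDAPNOINIT', 'LDAPCONF', 'LDAPRC', 'LDAPTLS_REQCERT') as $var) {
        $report['env'][$var] = getenv($var);
    }

    // Assumed default locations; adjust to where libldap was built to look.
    $candidates = array('/etc/openldap/ldap.conf', '/etc/ldap/ldap.conf');
    if (getenv('LDAPCONF') !== false) {
        array_unshift($candidates, getenv('LDAPCONF'));
    }
    foreach ($candidates as $path) {
        if (!file_exists($path)) {
            $report['config'][$path] = 'absent';
            continue;
        }
        // is_readable() answers for the effective user of *this* process,
        // which is exactly what libldap experiences when it opens the file.
        $report['config'][$path] = is_readable($path) ? 'readable' : 'NOT readable';
    }

    // Same setting as the post; note that it turns off server certificate
    // verification, so the bind credentials are exposed to any host that
    // answers on that port.
    putenv('LDAPTLS_REQCERT=never');

    $ds = ldap_connect($uri);
    if ($ds === false) {
        $report['bind'] = 'ldap_connect() rejected the URI';
        return $report;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    $ok = @ldap_bind($ds, $user, $pass);
    $report['bind'] = $ok ? 'ok' : sprintf('failed: [%d] %s', ldap_errno($ds), ldap_error($ds));
    return $report;
}

print_r(ldap_preflight('ldaps://myserver.com:636', 'user', 'pass'));
```

A config path reported as "NOT readable" only under Apache, with the same file "readable" from the CLI, is the permission mismatch described above.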