
I have an LDAP-enabled PHP app, an intranet user-search site that also lets users change their own details and passwords.

However, I have had a lot of trouble connecting over LDAPS: sometimes it works, and the next moment it doesn't. Finding out what the problem was took a long time, so I would like to share it with the world.

Where to start? Let's start with some code that actually works (but sometimes not... and it wasn't the code! :-)

$ds = ldap_connect($prot.$primarydsserver) or die("Could not connect<BR>"); // only validates the URI; no socket is opened yet
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);         // don't chase the referrals AD returns
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);  // AD requires LDAPv3
$r = ldap_bind($ds, "$dsuser", html_entity_decode("$dspass")); // the TCP connect and TLS handshake happen here
if ($r === true) { return $ds; }
submit_log_file("function loginLDAP primary: ".$prot.$primarydsserver." - ".ldap_error($ds));

This is a short snippet of the code that connects to our Active Directory server (Windows Server 2012). The $prot variable contains "ldap://" or "ldaps://". "ldap://" always works; my problems are only with ldaps. Note that ldap_connect() only checks the URI and builds a handle; the actual connection and TLS handshake happen at ldap_bind(), which is why the "Could not connect" die() never fires and the failure surfaces as a failed bind. When it fails, it writes the following ldap_error() to the log file: "Can't contact LDAP server".

So I want to troubleshoot why it isn't working. That is possible with the following option, which you place before the ldap_connect() call. Passing NULL instead of a connection handle sets the option globally in libldap for the whole process:

ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);

OK, that should work, but where is the logging? It isn't in my vhost's Apache error log. In the end, after a lot of googling, I found it in the Apache web server's main error log, in my case /var/log/apache2/error.log. The reason is that libldap writes its trace to stderr, and Apache sends the stderr of the process to the main ErrorLog, not to a vhost's ErrorLog. Warning: there are a lot of debug lines, so what I did was tail the log temporarily into another file, trigger the failing action, and then stop the tail command:

tail -f /var/log/apache2/error.log > debug.log

Also, disable debugging again after the LDAP session by setting the level back to 0 (ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 0);). Otherwise every LDAP operation in the process keeps filling the main error log.

So, looking into the debug log, I found the following lines, which give a clue:

ldap_connect_to_host: Trying 172.16.0.77:636
ldap_pvt_connect: fd: 51 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).

Conclusion: the problem is my certificate, which is not trusted. (The wording of that message comes from libldap's GnuTLS backend, which Debian and Ubuntu build against.) Well, I was aware of that. I had already placed the line below in /etc/ldap/ldap.conf to disable certificate checking:

TLS_REQCERT     never

This is recommended by a lot of solutions for LDAPS connection problems with PHP, but none of them worked for me! I also tried placing ldap.conf in other locations, like /etc/ldap.conf, /etc/openldap/ldap.conf or even Apache's home directory, which could or should be /var/lib/apache2/ldap.conf. Those 'solutions' did not work for me either. So in the end I was getting a little desperate... Finally I found a solution here, which gives two possible options. Only the last one worked for me:

Added to httpd.conf: "LDAPVerifyServerCert off", as a replacement for the ldap.conf line "TLS_REQCERT never".

I tried to add this directive to the vhost config at first, but that is not allowed: LDAPVerifyServerCert is only valid in the main server configuration. It is provided by mod_ldap, so that module must be enabled (a2enmod ldap on Debian/Ubuntu), or Apache refuses to start with an "Invalid command" error. I finally changed /etc/apache2/apache2.conf, added the lines below, and it started to work. Just don't forget to restart Apache after the change! The likely reason a mod_ldap directive affects PHP at all is that mod_php and mod_ldap run in the same httpd process and share one libldap, whose TLS settings are process-wide.

# Added to disable php ldap certificate check!
LDAPVerifyServerCert off

Be aware of what this setting does: the client now accepts any certificate offered on port 636, so anything that can get between the web server and the domain controller can terminate the TLS session and read the bind credentials and the passwords users set through this app. The fix that keeps that protection is to export the CA certificate that issued the domain controller's certificate, copy it to the web server, and point the client at it instead of switching verification off: TLS_CACERT /path/to/ca.pem in ldap.conf, or LDAPTrustedGlobalCert CA_BASE64 /path/to/ca.pem in the Apache main config.
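As an added example (not the code from the original post), here is how the two pieces of this write-up, the temporary libldap trace and the certificate decision, can be done inside PHP itself rather than through ldap.conf or the Apache config, with verification kept on by pointing libldap at the AD issuing CA. Assumed values: the domain controller 172.16.0.77 from the debug log above, a hypothetical CA file /etc/ssl/certs/ad-issuing-ca.pem, bind credentials from the environment variables DS_USER and DS_PASS, and a stand-in for the post's submit_log_file() logger. The LDAP_OPT_X_TLS_* constants require PHP 7.1 or later.

```php
<?php
// Added example, not the original post's code. Assumptions (hypothetical):
//  - the domain controller is 172.16.0.77, as in the debug log in the post;
//  - the AD issuing CA has been exported as PEM to /etc/ssl/certs/ad-issuing-ca.pem;
//  - bind DN and password come from the environment (DS_USER, DS_PASS);
//  - submit_log_file() is a stand-in for the post's logger.
// Requires PHP >= 7.1 for the LDAP_OPT_X_TLS_* constants.
declare(strict_types=1);

function submit_log_file(string $line): void
{
    error_log($line); // stand-in: the post's own logger writes to a file
}

/**
 * Process-wide libldap TLS settings. Options set on a null handle are global,
 * the same mechanism the post uses for LDAP_OPT_DEBUG_LEVEL; they apply to
 * every connection opened afterwards in this PHP process.
 */
function configure_ldaps_trust(string $caFile, bool $verify = true): void
{
    if (!$verify) {
        // In-process equivalent of "TLS_REQCERT never" / "LDAPVerifyServerCert off":
        // any certificate on port 636 is accepted. Kept only for comparison.
        ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
        return;
    }
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }
    // Trust the CA that issued the DC certificate and insist on a valid chain.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
}

/**
 * Bind over LDAPS. Returns the connection on success, null on failure; the
 * failure reason is logged with libldap's diagnostic text. With $trace = true
 * the libldap debug trace (stderr, i.e. Apache's main error log) is switched
 * on only for the duration of the connect/bind and reset to 0 afterwards.
 *
 * @return resource|\LDAP\Connection|null
 */
function ldaps_bind(string $host, string $bindDn, string $password, bool $trace = false)
{
    // AD (like most directories) treats an empty password as an anonymous bind,
    // which succeeds. For a login check that would be a bypass, so refuse it here.
    if ($password === '') {
        submit_log_file("ldaps_bind $host: refusing bind with empty password for $bindDn");
        return null;
    }
    if ($trace) {
        ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);
    }
    // ldap_connect() only validates the URI; the socket and the TLS handshake
    // are created inside ldap_bind().
    $ds = ldap_connect("ldaps://$host:636");
    if ($ds === false) {
        submit_log_file("ldaps_bind: malformed LDAP URI for host $host");
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // AD requires LDAPv3
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);        // don't chase AD referrals

    $ok = @ldap_bind($ds, $bindDn, $password); // @: ldap_bind also emits a PHP warning on failure

    if ($trace) {
        ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 0); // stop filling the main error log
    }
    if ($ok) {
        return $ds;
    }
    // ldap_error() alone says "Can't contact LDAP server" for every TLS failure;
    // the diagnostic message sometimes carries the TLS layer's reason as well.
    $diag = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    submit_log_file(sprintf('ldaps_bind %s: %s (errno %d) %s',
        $host, ldap_error($ds), ldap_errno($ds), $diag));
    return null;
}

// Usage: verification stays on; pass false as the second argument to
// configure_ldaps_trust() to reproduce the post's "never verify" behaviour.
configure_ldaps_trust('/etc/ssl/certs/ad-issuing-ca.pem');
$ds = ldaps_bind('172.16.0.77', (string) getenv('DS_USER'), (string) getenv('DS_PASS'), true);
if ($ds === null) {
    http_response_code(503);
    exit("Directory unavailable\n");
}
```

Before relying on the CA file from PHP, it can be checked from the web server's shell with openssl s_client -connect 172.16.0.77:636 -CAfile /etc/ssl/certs/ad-issuing-ca.pem; if that reports "Verify return code: 0 (ok)", libldap will accept the same chain, and if it does not, the exported CA is the wrong one (or an intermediate is missing) and no amount of ldap.conf shuffling will help.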
