You are not logged in.
Hi,
I'm upgrading from 0.91 to 9.3.1 and php7 and ldap auth doesn't work anymore.
something weird is going on but i can't seem to find the culprit.
I'm using selfsigned certificates.
the error i keep seeing in apache log is:
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
Which relates to a certificate not being correct or unable to validate because of CA not found.
however i can't find where or how because normal ldap operations work
ldapsearch and php interactive php works
<code>
ldapsearch -w removedpass -x -ZZ -h localldap.changed.com -b "dc=base,dc=nl" -D "cn=client,ou=ldap,dc=base,dc=nl" "(objectClass=*)"
</code>
php interactive mode works too.
ldap.conf is using:
# tls
SSL START_TLS
TLS_CHECKPEER demand
Anyone got some idea's? thx.
<code>
php -a
Interactive mode enabled
php > ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
php> $conn = ldap_connect("localldap.changed.com");
php > ldap_start_tls($conn);
..
attempting to connect:
connect success
ldap_open_defconn: successful
res_errno: 0, res_error: <>, res_matched: <>
apache error log:
<code>
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: HOME env is NULL
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
ldap_create
ldap_url_parse_ext(ldap://ldapserver.changed.com:389)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldapserver.changed.com:389
ldap_new_socket: 15
ldap_prepare_socket: 15
ldap_connect_to_host: Trying 10.0.10.138:389
ldap_pvt_connect: fd: 15 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x5608d83d6420 msgid 1
wait4msg ld 0x5608d83d6420 msgid 1 (infinite timeout)
wait4msg continue ld 0x5608d83d6420 msgid 1 all 1
** ld 0x5608d83d6420 Connections:
* host: ldapserver.changed.com port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Nov 2 11:39:49 2018
** ld 0x5608d83d6420 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x5608d83d6420 request count 1 (abandoned 0)
** ld 0x5608d83d6420 Response Queue:
Empty
ld 0x5608d83d6420 response count 0
ldap_chkResponseList ld 0x5608d83d6420 msgid 1 all 1
ldap_chkResponseList returns ld 0x5608d83d6420 NULL
ldap_int_select
read1msg: ld 0x5608d83d6420 msgid 1 all 1
read1msg: ld 0x5608d83d6420 msgid 1 message type extended-result
read1msg: ld 0x5608d83d6420 0 new referrals
read1msg: mark request completed, ld 0x5608d83d6420 msgid 1
request done: ld 0x5608d83d6420 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
ldap_create
ldap_url_parse_ext(ldap://ldapserver.changed.com:389)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldapserver.changed.com:389
ldap_new_socket: 15
ldap_prepare_socket: 15
ldap_connect_to_host: Trying 10.0.10.138:389
ldap_pvt_connect: fd: 15 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x5608d83d6420 msgid 1
wait4msg ld 0x5608d83d6420 msgid 1 (infinite timeout)
wait4msg continue ld 0x5608d83d6420 msgid 1 all 1
** ld 0x5608d83d6420 Connections:
* host: ldapserver.changed.com port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Nov 2 11:39:49 2018
** ld 0x5608d83d6420 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x5608d83d6420 request count 1 (abandoned 0)
** ld 0x5608d83d6420 Response Queue:
Empty
ld 0x5608d83d6420 response count 0
ldap_chkResponseList ld 0x5608d83d6420 msgid 1 all 1
ldap_chkResponseList returns ld 0x5608d83d6420 NULL
ldap_int_select
read1msg: ld 0x5608d83d6420 msgid 1 all 1
read1msg: ld 0x5608d83d6420 msgid 1 message type extended-result
read1msg: ld 0x5608d83d6420 0 new referrals
read1msg: mark request completed, ld 0x5608d83d6420 msgid 1
request done: ld 0x5608d83d6420 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
</code>
Offline
update:
All local ldap queries are working, also php-cli.
It fails only when launched through php-fpm7.0
Offline
update:
All local ldap queries are working, also php-cli.
It fails only when launched through php-fpm7.0
Solution:
add cafile/capath info to fpm pool configuration.
/etc/php/7.0/fpm/pool.d/www.conf:php_admin_value[openssl.cafile] = /etc/ssl/certs/ca-certificates.crt
/etc/php/7.0/fpm/pool.d/www.conf:php_admin_value[openssl.capath] = /etc/ssl/certs
Cheers
Offline