当前位置: 文江博客话题详情

Zend/Apache 的 LDAP 失败

发布于 2024-12-27 19:36:27 字数 3246 浏览 1 评论 0原文

我有一个非常简单的 php ldap 脚本,仅在与 Zend 和 Apache 一起运行时才会失败。当我从命令行运行这个脚本时,它通过了。运行 strace,我可以看到行为发生变化的地方,但我不知道为什么。我已确认正在读取相同的 ldap.conf 并加载相同的 ldap.so。

我相信这是因为证书问题,但我的设置应该忽略证书问题。

版本信息(从 php 和 apache 运行时这些似乎是相同的):

OpenSSL:   0.9.8o 01 Jun 2010
OpenLdap:  $Id: ldap.c 313665 2011-07-25 11:42:53Z felipe $
Zend:      5.5
PHP:       5.3.8


<?php
      ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
      putenv('LDAPTLS_REQCERT=never');
      $ds = ldap_connect("ldaps://myserver.com:636");
      $db = ldap_bind($ds, 'user', 'pass');
?>

在我的 ldap.conf 中,我只有“TLS_REQCERT never”。我意识到这是上面重复的。

在 apache 下运行时,我从 ldap 得到以下跟踪:

ldap_create 
ldap_url_parse_ext(ldaps://myserver.com:636)
ldap_bind_s 
ldap_simple_bind_s 
ldap_sasl_bind_s 
ldap_sasl_bind
ldap_send_initial_request 
ldap_new_connection 1 1 0
ldap_int_open_connection 
ldap_connect_to_host: TCP myserver.com:636 
ldap_new_socket: 20 
ldap_prepare_socket: 20
ldap_connect_to_host: Trying <myip>:636 
ldap_pvt_connect: fd: 20 tm: -1 async: 0 
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A 
TLS trace: SSL_connect:SSLv3 read server hello A 
TLS certificate verification: depth: 0, err: 20, subject: /CN=mycn.com,
    issuer: /CN=Collaboration Services CA 
TLS certificate verification: Error, unable to get local issuer certificate 
TLS trace: SSL_connect:SSLv3 read server certificate A 
TLS trace: SSL_connect:SSLv3 read server certificate request A 
TLS trace: SSL_connect:SSLv3 read server done A 
TLS trace: SSL_connect:SSLv3 write client certificate A 
TLS trace: SSL_connect:SSLv3 write client key exchange A 
TLS trace: SSL_connect:error in SSLv3 write finished A
TLS trace: SSL_connect:error in SSLv3 write finished A 
TLS: can't connect: error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable. 
ldap_err2string

在命令行上使用相同的 php 可执行文件运行相同的脚本时,我得到:

ldap_create
ldap_url_parse_ext(ldaps://myserver.com:636)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP myserver.com:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying <my ip>:636
ldap_pvt_connect: fd: 4 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=myserver.com, issuer: /CN=Collaboration Services CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request
原文

I have a very simple php ldap script that is only failing when running with Zend and Apache. When I run this script from the command line, it passes. Running strace, I can see where the behavior changes, but I cannot tell why. I have confirmed that the same ldap.conf is being read and the same ldap.so is being loaded.

I believe this is because of a certificate problem, but my settings are supposed to ignore certificate issues.

Version Information (these appear to be identical between running from php and apache):

OpenSSL:   0.9.8o 01 Jun 2010
OpenLdap:  $Id: ldap.c 313665 2011-07-25 11:42:53Z felipe $
Zend:      5.5
PHP:       5.3.8


<?php
      ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
      putenv('LDAPTLS_REQCERT=never');
      $ds = ldap_connect("ldaps://myserver.com:636");
      $db = ldap_bind($ds, 'user', 'pass');
?>

In my ldap.conf, I have only "TLS_REQCERT never". I realize that this is duplicated above.

When running under apache, I get the following trace from ldap:

ldap_create 
ldap_url_parse_ext(ldaps://myserver.com:636)
ldap_bind_s 
ldap_simple_bind_s 
ldap_sasl_bind_s 
ldap_sasl_bind
ldap_send_initial_request 
ldap_new_connection 1 1 0
ldap_int_open_connection 
ldap_connect_to_host: TCP myserver.com:636 
ldap_new_socket: 20 
ldap_prepare_socket: 20
ldap_connect_to_host: Trying <myip>:636 
ldap_pvt_connect: fd: 20 tm: -1 async: 0 
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A 
TLS trace: SSL_connect:SSLv3 read server hello A 
TLS certificate verification: depth: 0, err: 20, subject: /CN=mycn.com,
    issuer: /CN=Collaboration Services CA 
TLS certificate verification: Error, unable to get local issuer certificate 
TLS trace: SSL_connect:SSLv3 read server certificate A 
TLS trace: SSL_connect:SSLv3 read server certificate request A 
TLS trace: SSL_connect:SSLv3 read server done A 
TLS trace: SSL_connect:SSLv3 write client certificate A 
TLS trace: SSL_connect:SSLv3 write client key exchange A 
TLS trace: SSL_connect:error in SSLv3 write finished A
TLS trace: SSL_connect:error in SSLv3 write finished A 
TLS: can't connect: error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable. 
ldap_err2string

When running the same script using the same php executable on the command line I get:

ldap_create
ldap_url_parse_ext(ldaps://myserver.com:636)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP myserver.com:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying <my ip>:636
ldap_pvt_connect: fd: 4 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=myserver.com, issuer: /CN=Collaboration Services CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

装迷糊 2025-01-03 19:36:27

当检查运行 strace 的结果显示它没有打开我的 ldap.conf 文件的权限时,我终于解决了这个问题。打开权限解决了该问题。但是,应该不需要该文件,因为它仅具有与环境变量相同的设置:

putenv('LDAPTLS_REQCERT=never');

I finally fixed this when inspecting results from running strace showed that it did not have permission to open my ldap.conf file. Opening permissions fixed the issue. However, the file is not supposed to be needed since it only had the same setting from the environment variable:

putenv('LDAPTLS_REQCERT=never');

回复 原文
~没有更多了~

关于作者

向地狱狂奔

暂无简介

文章
评论
26 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

紫罗兰の梦幻

文章 0 评论 0

-2134

文章 0 评论 0

liuxuanli

文章 0 评论 0

意中人

文章 0 评论 0

○愚か者の日

文章 0 评论 0

xxhui

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文