Been playing with this for days and can not get php to bind to ldap on Oracle's DSEE.

function test(){

    // LDAP variables
    $ldaphost = "xxx.xxxxx.com";
    $ldapport = 636;
    $ldaprdn  = 'cn=xyxyxyxy,ou=Accounts,dc=xxx,dc=xxxxx,dc=com';
    $ldappass = 'vcvcvcvcvc';

    ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7); // isn't helping

    // Connecting to LDAP
    $ldapconn = ldap_connect($ldaphost, $ldapport)
              or die("Could not connect to $ldaphost");

    if ($ldapconn) {

        // binding to ldap server
        $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

        // verify binding
        if ($ldapbind) {
            echo "LDAP bind successful...";
        } else {
            echo "LDAP bind failed...";
        }

    }
}

I get the error:

Message: ldap_bind() [function.ldap-bind]: Unable to bind to server: Can't contact LDAP server

Tearing my hair out on this one. I just can't get the thing to bind.

Have tried a straight telnet to the host on port 636 and am not being blocked by any firewall. Peculiarly I am not getting any extra debug info from the 'LDAP_OPT_DEBUG_LEVEL' on screen or in my logs.

phirschybar
  • I imagine the problem is with the dn, make sure it is correct (it might try to contact a different service than you're expecting). – Resorath May 04 '11 at 19:54
  • Hmmm. That is what the server admin gave me to use as the dn. – phirschybar May 05 '11 at 01:14
  • When you connect via telnet, is it on the same server that the php script runs on? Also, use `$ldaphost = 'ldaps://xxx.xxx.com'; $ldapconn = ldap_connect($ldaphost);` (the `$port` parameter is not used in `ldap_connect()` when using the URL identifier for hostname) as Stefan Gehrig said. If you succeed in establishing a connection, maybe you'll need to call `ldap_start_tls()` right after `ldap_connect()` – Carlos Campderrós May 09 '11 at 13:58

4 Answers

start_tls() and ldaps are mutually exclusive, meaning you cannot issue start_tls() on the ssl port (standard 636), or initiate ldaps on an unencrypted port (standard 389). The start_tls() command initiates a secure connection on the unencrypted port after the connection is initiated, so you would then issue this before the bind takes place to make it encrypted. Another set of common ports is 3268 (unencrypted) and 3269 (ssl), which might be enabled in your server.

ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);

is logging to your web server's error log, depending on your log level, or to stdout (from PHP CLI). To gain more information here, check your web server log level setting, or simply run your php script from the command line.

To successfully use the ssl port, you need to specify the ldaps:// prefix, while on the unencrypted port this is not necessary (with a ldap:// prefix).

Looking at your code, this could be a protocol version issue as PHP by default uses version 2. To solve this, you can issue:

ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION,3);
ldap_set_option($conn, LDAP_OPT_REFERRALS,0);

before you attempt to bind.

You can also have a look at the code in Problems with secure bind to Active Directory using PHP, which I successfully use in CentOS 5, but am having problems with in Ubuntu. If your server has an open unencrypted port, it's a good idea to do an unencrypted test bind against it to rule out any connectivity issues.

To check if the port is open, you can check if telnet connects to it, e.g.:

telnet my.server.com 3268

If the port is open, then you should be able to bind using it.

*Edit: If the ssl certificate is deemed invalid, the connection will fail. If this is the case, setting the debug level to 7 would announce this. To get around this specific problem you need to ignore the validity:

You can ignore the validity in windows by issuing

putenv('LDAPTLS_REQCERT=never');

in your php code. In *nix you need to edit your /etc/ldap.conf to contain

TLS_REQCERT never
Jon Skarpeteig
  • I have tried setting LDAP_OPT_PROTOCOL_VERSION and LDAP_OPT_REFERRALS with no luck. Also have tried each of your suggestions in the past and still having issues binding. – phirschybar May 13 '11 at 08:50
  • What is your result of the telnet test? What operating system are you on? What is the output of debuglevel 7? – Jon Skarpeteig May 13 '11 at 14:05
  • The ssl suggestion nailed it. Thanks. – phirschybar May 16 '11 at 02:32
  • A couple things aren't clear to me. Where do I get the errors from `ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);`. What is an example of the `ldaps://` prefix? Where do I specify the `ldaps://` when trying to bind? – Kellen Stuart Apr 17 '17 at 15:49
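To put the answer above into working code (an added example, not code from the question or from the answer's author): a bind helper that uses the `ldaps://` prefix for the SSL port (or `ldap://` plus `ldap_start_tls()` for the plain port, never both), sets protocol version 3 and disables referral chasing before the bind, and reports the server's diagnostic message on failure. Instead of `TLS_REQCERT never` it points the client at a CA bundle so the certificate is still validated; host, DN, password and CA path are placeholders, and PHP 7.1+ is assumed for the `LDAP_OPT_X_TLS_*` and `LDAP_OPT_DIAGNOSTIC_MESSAGE` constants.

```php
<?php
// Added example: secure LDAP bind helper (placeholders, PHP 7.1+ assumed).

function ldapBindSecure(string $host, string $dn, string $pass,
                        string $caFile, bool $useLdaps = true)
{
    // Validate the server certificate against a known CA rather than
    // disabling verification (the TLS_REQCERT never workaround). These are
    // global client options and must be set before ldap_connect().
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // ldaps:// (port 636) and ldap:// + start_tls (port 389) are mutually
    // exclusive: pick one. With a URI the $port argument is ignored.
    $uri  = ($useLdaps ? 'ldaps://' : 'ldap://') . $host;
    $conn = ldap_connect($uri);          // only checks the URI syntax
    if ($conn === false) {
        return [false, "bad LDAP URI: $uri"];
    }

    // DSEE (and most servers) expect LDAPv3; PHP defaults to v2.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    if (!$useLdaps && !@ldap_start_tls($conn)) {
        return [false, 'start_tls failed: ' . ldap_error($conn)];
    }

    // The TCP/TLS handshake actually happens on the first operation, so
    // "Can't contact LDAP server" surfaces here, not at ldap_connect().
    if (!@ldap_bind($conn, $dn, $pass)) {
        $diag = '';
        ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        return [false, sprintf('bind failed (%d): %s %s',
                               ldap_errno($conn), ldap_error($conn), $diag)];
    }
    return [$conn, 'bound as ' . $dn];
}

// Placeholder values; replace with your own host, DN, password and CA file.
[$conn, $msg] = ldapBindSecure('ldap.example.com',
    'cn=svc-app,ou=Accounts,dc=example,dc=com', 'placeholder-password',
    '/etc/ssl/certs/corp-ca.pem');
echo $msg, PHP_EOL;
if ($conn) {
    ldap_unbind($conn);
}
```

Run it from the CLI (where LDAP_OPT_DEBUG_LEVEL output goes to stdout) with `$useLdaps` set to match the port the server actually exposes; a failure inside the TLS handshake shows up as the same "Can't contact LDAP server" text, which is why the diagnostic message and the CA file matter.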
The port 636 is the SSL enabled port and requires an SSL enabled connection. You should try to connect on port 389, or change your code to include the secure layer (much more complex).

Kind regards,

Ludovic

Ludovic Poitou

To connect using SSL you should try

$ldapconn = ldap_connect('ldaps://'.$ldaphost);

This will automatically connect on port 636 which is the default ldaps-port. Depending on your server installation and configuration it may be possible that connections are only allowed on port 389 (using no encryption or using TLS) or only on port 636 using SSL-encryption. Although it might be possible that your server exposes other ports. So in general you need to know which port you're gonna connect to and which encryption method the server requires (no encryption, SSL or TLS).

Stefan Gehrig
  • According to the LDAP admin, we have to use SSL and port 636. I tried using the prefix you suggested to no avail. – phirschybar May 05 '11 at 20:49
Is the certificate of the LDAP server signed by a valid CA? Maybe your client just rejects the certificate!

ZoolWay