PHP Doku:: Startet TLS - function.ldap-start-tls.html

Verlauf / Chronik / History: (1) anzeigen

Sie sind hier:
Doku-StartseitePHP-HandbuchFunktionsreferenzSonstige DiensteLightweight Directory Access ProtocolLDAP Funktionenldap_start_tls

Ein Service von Reinhard Neidl - Webprogrammierung.

LDAP Funktionen

<<ldap_sort

ldap_t61_to_8859>>

ldap_start_tls

(PHP 4 >= 4.2.0, PHP 5)

ldap_start_tls Startet TLS

Beschreibung

bool ldap_start_tls ( resource $link )

Warnung

Diese Funktion ist bis jetzt nicht dokumentiert. Es steht nur die Liste der Argumente zur Verfügung.


11 BenutzerBeiträge:
- Beiträge aktualisieren...
T. Le Meur
19.10.2010 15:11
Note that, on Windows, due to a bug in the php_ldap extension for php 5.3.2, the location of the ldap.conf may change.

In this case, PHP expects the ldap.conf file to be in the root filesystem where the Webserver Document root is installed (for instance C:\ldap.conf).

This seems to be fixed in PHP 5.3.3RC1

See the following bug reference:
http://bugs.php.net/bug.php?id=48866
victoriano at uma dot es
14.06.2010 21:00
ldaps:// (on port 636) is NOT the same as using STARTTLS on port 389.

The second method upgrades the security of a plain connection to an encrypted channel, which is strongly recommended for plain binding (DN/password).
josselin dot dulac at enscm dot fr
29.01.2010 16:19
Note : if you are using OpenLdap client > v2 and PHP > 4.0.4, you don't have to use that function. You just have to specify it using
<?php
ldap_connect
("ldaps://yourhostname", 636);
?>

If you use both ldaps:// uri and ldap_start_tls function, you'll get a warning saying that a TLS/SSL session is already open.
jcarlos at dsi dot uclm dot es
1.12.2009 14:10
Tested in Linux, ubuntu 9.10, PHP/5.2.10-2 and Apache/2.2.1.2

INTEGRATING ACTIVE DIRECTORY WITH PHP-LDAP AND TLS IN LINUX
=============================================================

I'm not an expert, but it works.

1)I have installed ubuntu 9.10 desktop

2)Packages:
 apt-get install apache2
 apt-get install libapache2-mod-php5
 apt-get install libldap-2.4-2
 apt-get install ldap-utils
 apt-get install libsasl2-modules-ldap
 apt-get install openssl
 apt-get install libsasl2-2
 apt-get install libkrb5-3
 apt-get install php5-ldap
 apt-get install php5-sasl
 apt-get install php5-auth-pam

3)Put the PEM certificate.
 cd /etc/ldap
 mkdir certs
 copy /myhome/mycert.pem /etc/ldap/certs/mycert.pem
 NOTE:webcert.crt rename to mycert.pem. It's the same

4)Edit the file /etc/ldap/ldap.conf and Add:
  TLS_REQCERT never
  TLS_CACERT /etc/ldap/certs/mycert.pem

5)Create file /var/www/ldaptlstest.php:

<?php

   $ldap
="ldap.myDomain.com";
  
$usr="user@myDomain.com";
  
$pwd="mypassword";
  
  
$ds=ldap_connect($ldap); 
  
$ldapbind=false;
   if(
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3))
      if(
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0))
         if(
ldap_start_tls($ds))
              
$ldapbind = @ldap_bind($ds, $usr, $pwd);   
  
ldap_close($ds);

   if(!
$ldapbind)
      echo
"ERROR";
   else
      echo
"OK";
?>

6)Restart the server: /etc/init.d/apache2 restart

7)Open Firefox and write: http://localhost/ldaptlstest.php
;)
jcarlos at dsi dot uclm dot es
26.11.2009 12:04
INTEGRATING ACTIVE DIRECTORY WITH PHP-LDAP AND TLS
==================================================

My configuration:
Apache/2.2.14 (Win32) mod_ssl/2.2.14 OpenSSL/0.9.8k PHP/5.2.11

NOTE 1: At the momment, the versión 5.3.1 fail with tls
NOTE 2: This example works on windows, but in linux is similar

1) Download the Certificate X.509 (PEM format) from a web browser, I used Firefox. I put the name webcert.crt
2) Create the folder c:\openldap\sysconf
3) Copy the file webcert.crt to c:\openldap\sysconf
4) With notepad you must create the file c:\openldap\sysconf\ldap.conf file. The file contents:
TLS_REQCERT never
TLS_CACERT c:\openldap\sysconf\webcert.crt
5) The code:

<?php
   $ldap
="ldap.myDomain.com";
  
$usr="user@myDomain.com";
  
$pwd="mypassword";
  
  
$ds=ldap_connect($ldap); 
  
$ldapbind=false;
   if(
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3))
      if(
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0))
         if(
ldap_start_tls($ds))
              
$ldapbind = @ldap_bind($ds, $usr, $pwd);   
  
ldap_close($ds);
   if(!
$ldapbind)
       echo
"ERROR";
   else
       echo
"OK";
?>
pataisjsu at Yahoo.com
15.11.2007 23:55
I seemingly take forever to make use of ldap_start_tls work.
Especially lacking in document, I was frustrate and almost gave up until I saw this link in the php forum.
I thought it is worth for put the link in here.

http://marc.info/?l=php-windows&m=116127873321748&w=2

it is really work, and it saves me.
technosophos
6.03.2007 21:53
If your version was linked against the OpenLDAP libraries, you may want to look at the ldap.conf file for more information about specifying SSL/TLS behavior. Apparently, the settings in ldap.conf make a different in the way SSL/TLS is handled by PHP.
on at cs dot ait dot ac dot th
7.08.2006 9:00
More on TLS start.

It seems that either you ldap_connect to ldaps://, port 636 or you ldap_tls_start.

In my case, using ldaps on port 636 (to be sure I enforce TLS) the connection will go like:

$LDAP_SERVER="ldaps://ldap.../";
$LDAP_PORT=636;

$ds = ldap_connect($LDAP_SERVER,$LDAP_PORT);
if ($ds) {
   if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
     fatal_error("Failed to set LDAP Protocol version to 3, TLS not supported.");
   }
/*** NO NEED ***
*   if (!ldap_start_tls($ds)) {
*      exit;
*   }
***/
   // now we need to bind anonymously to the ldap server
   $bth = ldap_bind($ds);
   //make your query
bill at strosberg dot com
13.04.2005 19:42
Please note there is a difference between ldaps and start-TLS for ldap.  start-TLS uses port 389, while ldaps uses port 636.  ldaps has been deprecated in favour of start-TLS for ldap.  Both encrypted (start-TLS ldap)  and unencrypted ldap (ldap) run on port 389 concurrently.

Errors encountered are generally due to misunderstanding how to implement TLS-encrypted ldap.
claar at no dot spam dot ksu dot edu
29.06.2004 0:10
Note that (in my very limited experience) you cannot use the ldaps protocol with tls, or ldap_start_tls() will report "ldap_start_tls(): Unable to start TLS: Operations error", and ldap_error() will return error code 1.

I found that I had to call ldap_connect() with ldap:// rather than ldaps:// for ldap_start_tls() to succeed.  Hope this helps someone!
wirges-at-cerias.purdue.edu
23.07.2002 5:19
It should be mentioned, that TLS connections for LDAP *REQUIRE* you to use LDAP Protocol version 3.  By default, PHP uses Protocol 2. 
Therefore, if you do not know this, you may be puzzled as to why you get "TLS not supported" error.

To get around this, just use ldap_set_option to make the LDAP connection use Protocol 3 (if supported).

For example:

$ds = ldap_connect($LDAP_SERVER,$LDAP_PORT);
if ($ds) {
   if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
      fatal_error("Failed to set LDAP Protocol version to 3, TLS not supported.");
    }
    if (!ldap_start_tls($ds)) {
       fatal_error("Ldap_start_tls failed");
    }
    // now we need to bind anonymously to the ldap server
    $bth = ldap_bind($ds);
    //make your query
}



PHP Powered Diese Seite bei php.net
The PHP manual text and comments are covered by the Creative Commons Attribution 3.0 License © the PHP Documentation Group - Impressum - mail("TO:Reinhard Neidl",...)