php-ldap : Error -1 : Can't contact LDAP server

**waaalex** · 28/11/2022, 16h56

Bonjour à tous,
J'espère être dans la bonne sous section.
Je requiers votre aide car je ne parviens pas à mettre le doigt sur le souci.

Je suis en train de déménager un serveur web et j'ai un souci étrange.
Ancien serveur :
CentOS Linux release 7.9.2009 (Core)
Server version: Apache/2.4.6 (CentOS)
PHP 8.0.24 (cli)

Nouveau serveur :
AlmaLinux release 8.7 (Stone Smilodon)
Server version: Apache/2.4.37 (AlmaLinux)
PHP 8.0.26 (cli)

La fonction ldap_bind ne fonctionne pas en TLS depuis la page web.

Voici le script de test :

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
<?php
        $server = "ldap://xxx:389";
        $login =  "xxx";
        $password = "xxx";
        $basedn = 'dc=xxx,dc=com';
        $group = 'xxx';
 
        // Connexion à LDAP.
        echo "Connexion...<br>";
        $ldap_con=ldap_connect($server) or die('Could not connect to LDAP server.');
		ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE, "/etc/pki/tls/certs/xxx.pem");
        ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE, "/etc/pki/tls/private/xxx.key");
        ldap_set_option($ldap_con, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
        ldap_set_option($ldap_con, LDAP_OPT_REFERRALS, 0);
        ldap_set_option($ldap_con, LDAP_OPT_NETWORK_TIMEOUT, 10);
        ldap_start_tls($ldap_con);
 
        if (!@ldap_bind($ldap_con, $login . "@xxx.com", $password))
                {
                // Ici on peut voir quelle est la vraie nature de l'erreur (commenter la redirection)
                 echo "<p>Error:" . ldap_error($ldap_con) . "</p>";
                 echo "<p>Error number:" . ldap_errno($ldap_con) . "</p>";
                 echo "<p>Error:" . ldap_err2str(ldap_errno($ldap_con)) . "</p>";
                // Rediriger quand erreur
                // header("Location: https://xxx.com?error=1");
                }
        else
                {
		echo "";
                echo "OK TOTO";
                echo "";
                }
        ldap_bind($ldap_con, $login . "@xxx.com", $password);
?>

Voici l'output :
La première fois, je prends un timeout :

PHP Warning: ldap_start_tls(): Unable to start TLS: Timed out in /var/www/html/SI/test2.php on line 17

Ensuite ça marche:

Connexion...<br>ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP xxx:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying xxx:389
ldap_pvt_connect: fd: 4 tm: 10 async: 0
ldap_ndelay_on: 4
attempting to connect:
connect errno: 115
ldap_int_poll: fd: 4 tm: 10
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
ldap_pvt_connect: 0
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x55bbf6816c40 msgid 1
wait4msg ld 0x55bbf6816c40 msgid 1 (infinite timeout)
wait4msg continue ld 0x55bbf6816c40 msgid 1 all 1
** ld 0x55bbf6816c40 Connections:
* host: xxx port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Nov 28 16:50:16 2022

** ld 0x55bbf6816c40 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x55bbf6816c40 request count 1 (abandoned 0)
** ld 0x55bbf6816c40 Response Queue:
Empty
ld 0x55bbf6816c40 response count 0
ldap_chkResponseList ld 0x55bbf6816c40 msgid 1 all 1
ldap_chkResponseList returns ld 0x55bbf6816c40 NULL
ldap_int_select
read1msg: ld 0x55bbf6816c40 msgid 1 all 1
read1msg: ld 0x55bbf6816c40 msgid 1 message type extended-result
read1msg: ld 0x55bbf6816c40 0 new referrals
read1msg: mark request completed, ld 0x55bbf6816c40 msgid 1
request done: ld 0x55bbf6816c40 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:error in SSLv3/TLS write client hello
ldap_int_tls_start: ldap_int_tls_connect needs read
ldap_int_poll: fd: 4 tm: 10
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 1, err: 0, subject: xxx, issuer: xxxx
TLS certificate verification: depth: 0, err: 0, subject: , issuer: xxxx
TLS trace: SSL_connect:SSLv3/TLS read server certificate
TLS trace: SSL_connect:SSLv3/TLS read server key exchange
TLS trace: SSL_connect:SSLv3/TLS read server certificate request
TLS trace: SSL_connect:SSLv3/TLS read server done
TLS trace: SSL_connect:SSLv3/TLS write client certificate
TLS trace: SSL_connect:SSLv3/TLS write client key exchange
TLS trace: SSL_connect:SSLv3/TLS write certificate verify
TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
TLS trace: SSL_connect:SSLv3/TLS write finished
TLS trace: SSL_connect:error in SSLv3/TLS write finished
ldap_int_tls_start: ld 0x55bbf6816c40 9 s 983479 us to go
ldap_int_tls_start: ldap_int_tls_connect needs read
ldap_int_poll: fd: 4 tm: 9
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
TLS trace: SSL_connect:SSLv3/TLS write finished
TLS trace: SSL_connect:SSLv3/TLS read change cipher spec
TLS trace: SSL_connect:SSLv3/TLS read finished
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x55bbf6816c40 msgid 2
wait4msg ld 0x55bbf6816c40 msgid 2 (infinite timeout)
wait4msg continue ld 0x55bbf6816c40 msgid 2 all 1
** ld 0x55bbf6816c40 Connections:
* host: xxxx port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Nov 28 16:50:16 2022

** ld 0x55bbf6816c40 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x55bbf6816c40 request count 1 (abandoned 0)
** ld 0x55bbf6816c40 Response Queue:
Empty
ld 0x55bbf6816c40 response count 0
ldap_chkResponseList ld 0x55bbf6816c40 msgid 2 all 1
ldap_chkResponseList returns ld 0x55bbf6816c40 NULL
ldap_int_select
read1msg: ld 0x55bbf6816c40 msgid 2 all 1
read1msg: ld 0x55bbf6816c40 msgid 2 message type bind
read1msg: ld 0x55bbf6816c40 0 new referrals
read1msg: mark request completed, ld 0x55bbf6816c40 msgid 2
request done: ld 0x55bbf6816c40 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ldap_msgfree
OK TOTOldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x55bbf6816c40 msgid 3
wait4msg ld 0x55bbf6816c40 msgid 3 (infinite timeout)
wait4msg continue ld 0x55bbf6816c40 msgid 3 all 1
** ld 0x55bbf6816c40 Connections:
* host: xxxx port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Nov 28 16:50:16 2022

** ld 0x55bbf6816c40 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x55bbf6816c40 request count 1 (abandoned 0)
** ld 0x55bbf6816c40 Response Queue:
Empty
ld 0x55bbf6816c40 response count 0
ldap_chkResponseList ld 0x55bbf6816c40 msgid 3 all 1
ldap_chkResponseList returns ld 0x55bbf6816c40 NULL
ldap_int_select
read1msg: ld 0x55bbf6816c40 msgid 3 all 1
read1msg: ld 0x55bbf6816c40 msgid 3 message type bind
read1msg: ld 0x55bbf6816c40 0 new referrals
read1msg: mark request completed, ld 0x55bbf6816c40 msgid 3
request done: ld 0x55bbf6816c40 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
ldap_parse_result
ldap_msgfree

ldap_free_connection 1 1
ldap_send_unbind
TLS trace: SSL3 alert write:warning:close notify
ldap_free_connection: actually freed

Mais lorsque le script est lancé via un navigateur :

Connexion...
Error:Can't contact LDAP server

Error number:-1

Error:Can't contact LDAP server

A noter que si je ne lance pas ldap_start_tls($ldap_con); la connexion se fait correctement.

Je ne comprends pas ce qu'il se passe.
Pouvez vous m'aider?
Cordialement,
Alex.

**waaalex** · 30/11/2022, 09h42

Petite précision suite strace :

Strace php-fpm strace -f $(pidof php-fpm | sed 's/$[0-9]*$/\-p \1/g')

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
[pid 340925] openat(AT_FDCWD, "/etc/pki/tls/private/xxx.key", O_RDONLY) = -1 EACCES (Permission non accordée)
[pid 340925] write(2, "TLS: could not use key file `/et"..., 70) = 70
[pid 340925] write(2, "TLS: error:0200100D:system libra"..., 85) = 85
[pid 340925] write(2, "TLS: error:20074002:BIO routines"..., 80) = 80
[pid 340925] write(2, "TLS: error:140B0002:SSL routines"..., 90) = 90

A mon avis, le souci est ici.
Avez vous déjà vu ce genre de souci?

**waaalex** · 30/11/2022, 10h29

Bonjour,
C'était un probleme de permission sur la clé.
-rw-r-----. 1 root apache 3272 28 nov. 11:35 xx.key

php-ldap : Error -1 : Can't contact LDAP server

Langage PHP

Discussions similaires

Partager

Partager