1

I have this simple php file:

    <?php
    $ldap = "localhost";
    $port = 636;            // LDAPS port, yet StartTLS is issued below
    $usr  = "CN=admin";
    $pwd  = "pwd123";

    $ds = ldap_connect($ldap, $port);   // only initialises the handle, no socket yet
    $ldapbind = false;
    // for debugging
    ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 9);
    if (ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)
        && ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, 0)   // turns off certificate validation
        && ldap_set_option($ds, LDAP_OPT_REFERRALS, 0)
        && ldap_start_tls($ds)) {        // first call that actually opens the TCP connection
        $ldapbind = @ldap_bind($ds, $usr, $pwd);
    }
    ldap_close($ds);

    if (!$ldapbind) {
        echo "BIND ERROR!\n";
    } else {
        echo "BIND OK!\n";
    }

where I try to connect and bind to an LDAP server on localhost (command: php testcon.php). I've added the TLS_REQCERT never line to /etc/ldap.conf as well.

But I get the BIND ERROR! result. Furthermore, I get a warning message as well:

    PHP Warning:  ldap_start_tls(): Unable to start TLS: Can't contact LDAP server in /root/testfolder/testcon.php on line 16

If I comment out line 16, I get no warning, but BIND ERROR! stays.

Further info:

  • PHP version: PHP 7.2.5
  • server: openSUSE Leap 15.0
  • ldap: active directory 2.4.46-lp150.7.1
  • The required PHP libs are installed

I tried with a base DN and without a base DN (same result).

3
  • 2
    Change the port to 389. Port 636 is for LDAP over SSL, which is deprecated (was never standardized as part of LDAP actually). LDAP works from port 389 and when you issue the StartTLS (with ldap_start_tls()) it encrypts the connection. Commented Jul 31, 2018 at 14:42
  • Believe it or not, that was the problem. I put it back to 389 and it works. :D Commented Jul 31, 2018 at 15:08
  • 1
    Glad to hear it! I just copied the comment into the answers since it solved it. Wasn't sure if that would do it or not. Commented Jul 31, 2018 at 18:21

2 Answers

3

Per the comments to the question, since it ended up being the answer:

Change the port to 389. Port 636 is for LDAP over SSL, which is deprecated (was never standardized as part of LDAP actually). LDAP works from port 389 and when you issue the StartTLS (with ldap_start_tls()) it encrypts the connection.


1 Comment

Could you provide some data on which you wrote 'Port 636 is for LDAP over SSL, which is deprecated (was never standardized as part of LDAP actually)'?
1

    Can't contact LDAP server

This can mean two things:

  1. The server is unreachable over network or
  2. the TLS connection could not be established because of a cert validation error

The error message

    ldap_start_tls(): Unable to start TLS

is a bit misleading, because after initializing the context with ldap_connect() the TCP connection is not established yet. The first real LDAP operation called, ldap_start_tls() in your case, is what opens the TCP connection.

I'd recommend:

  • to use the CLI tool ldapwhoami from the same machine to check whether you can connect at all
  • not to switch off certificate validation even for tests
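Added example, not taken from the question or either answer: one PHP function that binds either with StartTLS on port 389 or with LDAPS on port 636 (the distinction the first answer draws), leaves certificate validation at the library default as the second answer advises, and reports failures at ldap_start_tls(), the first call that actually opens the connection. The host, bind DN and password are placeholders.

```php
<?php
// Added example, not from the question or either answer. Host, bind DN
// and password below are placeholders; adjust for your own server.
declare(strict_types=1);

const LDAP_HOST = 'localhost';  // placeholder
const BIND_DN   = 'CN=admin';   // placeholder bind DN
const BIND_PW   = 'pwd123';     // placeholder password

/**
 * Connect and bind with an encrypted session, either StartTLS on the
 * plain LDAP port (389) or LDAPS (TLS from the first byte) on port 636.
 * LDAP_OPT_X_TLS_REQUIRE_CERT is deliberately left at its default, so a
 * certificate that fails validation aborts the handshake instead of
 * being silently accepted.
 */
function ldapBind(string $host, string $dn, string $pw, bool $useLdaps): bool
{
    // LDAPS needs the ldaps:// scheme; StartTLS uses plain ldap://.
    $uri = $useLdaps ? "ldaps://$host:636" : "ldap://$host:389";
    $ds = ldap_connect($uri);
    if ($ds === false) {
        fwrite(STDERR, "ldap_connect(): malformed URI $uri\n");
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // ldap_connect() does not open a socket. For StartTLS this is the
    // first call that reaches the server, so network and TLS errors
    // (wrong port, unreachable host, bad certificate) surface here.
    if (!$useLdaps && !@ldap_start_tls($ds)) {
        fwrite(STDERR, "StartTLS failed: " . ldap_error($ds) . "\n");
        ldap_close($ds);
        return false;
    }
    // For LDAPS the TLS handshake happens inside ldap_bind() instead.
    $ok = @ldap_bind($ds, $dn, $pw);
    if (!$ok) {
        fwrite(STDERR, "bind failed: " . ldap_error($ds) . "\n");
    }
    ldap_close($ds);
    return $ok;
}

// php thisfile.php          -> StartTLS on 389
// php thisfile.php ldaps    -> LDAPS on 636
$useLdaps = ($argv[1] ?? 'starttls') === 'ldaps';
echo ldapBind(LDAP_HOST, BIND_DN, BIND_PW, $useLdaps) ? "BIND OK!\n" : "BIND ERROR!\n";
```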
