PHP8 ldap_bind: error -1 Can't contact LDAP server

I am using AlmaLinux 8.7 with PHP8. An ldapsearch test using TLS works fine:

ldapsearch -H ldap://xxxx -x -ZZ /etc/pki/tls/certs/xxxx.pem -D 'xxxxx' -w 'xxxx' -b 'cn=xxx,cn=users,dc=xxx,dc=xxxx'

But ldap_bind cannot find the LDAP server: error -1. Without ldap_start_tls($ldap_con); it works fine.

Edit: error message:

[screenshot of the error message, not reproduced here]

What am I missing?

if(!empty($_POST["password"]))
        {
        // Configuration for the PHP front end of our LDAP directory
        $server = "ldap://xxx:389";
        $login =  $_POST['login'];
        $password = $_POST['password'];
        $basedn = 'dc=xxx,dc=xxx';
        $group = 'xxxxx';

        // Connect to LDAP.
        echo "Connexion...<br>";
        $ldap_con=ldap_connect($server) or die('Could not connect to LDAP server.');
        ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE, "/etc/pki/tls/certs/xxx.pem");
        ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE, "/etc/pki/tls/private/xxx.key");
        ldap_set_option($ldap_con, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldap_con, LDAP_OPT_REFERRALS, 0);
        ldap_set_option($ldap_con, LDAP_OPT_NETWORK_TIMEOUT, 10);
        ldap_start_tls($ldap_con);

        if (!@ldap_bind($ldap_con, $login . "@xxxx", $password))
                {
                // Here you can see the real nature of the error (comment out the redirect)
                 echo "<p>Error:" . ldap_error($ldap_con) . "</p>";
                 echo "<p>Error number:" . ldap_errno($ldap_con) . "</p>";
                 echo "<p>Error:" . ldap_err2str(ldap_errno($ldap_con)) . "</p>";
                // Redirect on error
                // header("Location: https://xxxxx?error=1");
                }
        else
                {
                echo("Login correct <br>");
                }
        }

Test with debugging enabled

> <?php
>         $server = "ldap://xxxx:389";
>         $login =  "xxxx";
>         $password = "xxxx";
>         $basedn = 'dc=xxx,dc=com';
>         $group = 'xxxx';
> 
>         // Connect to LDAP.
>         echo "Connexion...<br>";
>         $ldap_con=ldap_connect($server) or die('Could not connect to LDAP server.');
>         ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE, "/etc/pki/tls/certs/xxxx.pem");
>         ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE, "/etc/pki/tls/private/xxxx.key");
>         ldap_set_option($ldap_con, LDAP_OPT_PROTOCOL_VERSION, 3);
>         ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
>         ldap_set_option($ldap_con, LDAP_OPT_REFERRALS, 0);
>         ldap_set_option($ldap_con, LDAP_OPT_NETWORK_TIMEOUT, 10);
>         ldap_start_tls($ldap_con);
> 
>         ldap_bind($ldap_con, $login . "@xxxx", $password);
> ?>

Output

> Connexion...<br>ldap_extended_operation_s ldap_extended_operation
> ldap_send_initial_request ldap_new_connection 1 1 0
> ldap_int_open_connection ldap_connect_to_host: TCP xxx:389
> ldap_new_socket: 4 ldap_prepare_socket: 4 ldap_connect_to_host: Trying
> xxxx:389 ldap_pvt_connect: fd: 4 tm: 10 async: 0 ldap_ndelay_on: 4 attempting to connect: connect errno: 115 ldap_int_poll: fd: 4 tm:
> 10 ldap_is_sock_ready: 4 ldap_ndelay_off: 4 ldap_pvt_connect: 0
> ldap_open_defconn: successful ldap_send_server_request ldap_result ld
> 0x55808231ec30 msgid 1 wait4msg ld 0x55808231ec30 msgid 1 (infinite
> timeout) wait4msg continue ld 0x55808231ec30 msgid 1 all 1
> ** ld 0x55808231ec30 Connections:
> * host: xxxx port: 389  (default)   refcnt: 2  status: Connected   last used: Mon Nov 28 11:31:12 2022
> 
> 
> ** ld 0x55808231ec30 Outstanding Requests:  * msgid 1,  origid 1, status InProgress    outstanding referrals 0, parent count 0   ld
> 0x55808231ec30 request count 1 (abandoned 0)
> ** ld 0x55808231ec30 Response Queue:    Empty   ld 0x55808231ec30 response count 0 ldap_chkResponseList ld 0x55808231ec30 msgid 1 all 1
> ldap_chkResponseList returns ld 0x55808231ec30 NULL ldap_int_select
> read1msg: ld 0x55808231ec30 msgid 1 all 1 read1msg: ld 0x55808231ec30
> msgid 1 message type extended-result read1msg: ld 0x55808231ec30 0 new
> referrals read1msg:  mark request completed, ld 0x55808231ec30 msgid 1
> request done: ld 0x55808231ec30 msgid 1 res_errno: 0, res_error: <>,
> res_matched: <> ldap_free_request (origid 1, msgid 1)
> ldap_parse_extended_result ldap_parse_result ldap_msgfree TLS trace:
> SSL_connect:before SSL initialization TLS trace: SSL_connect:SSLv3/TLS
> write client hello TLS trace: SSL_connect:error in SSLv3/TLS write
> client hello ldap_int_tls_start: ldap_int_tls_connect needs read
> ldap_int_poll: fd: 4 tm: 10 ldap_is_sock_ready: 4 ldap_ndelay_off: 4
> TLS trace: SSL_connect:SSLv3/TLS write client hello TLS trace:
> SSL_connect:SSLv3/TLS read server hello TLS certificate verification:
> depth: 1, err: 0, subject: /DC=com/DC=xxx/CN=xxxx, issuer:
> /DC=com/DC=xx/CN=xx-CA TLS certificate verification: depth: 0,
> err: 0, subject: , issuer: /DC=com/DC=xxx/CN=xxxx TLS trace:
> SSL_connect:SSLv3/TLS read server certificate TLS trace:
> SSL_connect:SSLv3/TLS read server key exchange TLS trace:
> SSL_connect:SSLv3/TLS read server certificate request TLS trace:
> SSL_connect:SSLv3/TLS read server done TLS trace:
> SSL_connect:SSLv3/TLS write client certificate TLS trace:
> SSL_connect:SSLv3/TLS write client key exchange TLS trace:
> SSL_connect:SSLv3/TLS write certificate verify TLS trace:
> SSL_connect:SSLv3/TLS write change cipher spec TLS trace:
> SSL_connect:SSLv3/TLS write finished TLS trace: SSL_connect:error in
> SSLv3/TLS write finished ldap_int_tls_start: ld 0x55808231ec30 9 s
> 976966 us to go ldap_int_tls_start: ldap_int_tls_connect needs read
> ldap_int_poll: fd: 4 tm: 9 ldap_is_sock_ready: 4 ldap_ndelay_off: 4
> TLS trace: SSL_connect:SSLv3/TLS write finished TLS trace:
> SSL_connect:SSLv3/TLS read change cipher spec TLS trace:
> SSL_connect:SSLv3/TLS read finished ldap_sasl_bind_s ldap_sasl_bind
> ldap_send_initial_request ldap_send_server_request ldap_result ld
> 0x55808231ec30 msgid 2 wait4msg ld 0x55808231ec30 msgid 2 (infinite
> timeout) wait4msg continue ld 0x55808231ec30 msgid 2 all 1
> ** ld 0x55808231ec30 Connections:
> * host: xxxx port: 389  (default)   refcnt: 2  status: Connected   last used: Mon Nov 28 11:31:12 2022
> 
> 
> ** ld 0x55808231ec30 Outstanding Requests:  * msgid 2,  origid 2, status InProgress    outstanding referrals 0, parent count 0   ld
> 0x55808231ec30 request count 1 (abandoned 0)
> ** ld 0x55808231ec30 Response Queue:    Empty   ld 0x55808231ec30 response count 0 ldap_chkResponseList ld 0x55808231ec30 msgid 2 all 1
> ldap_chkResponseList returns ld 0x55808231ec30 NULL ldap_int_select
> read1msg: ld 0x55808231ec30 msgid 2 all 1 read1msg: ld 0x55808231ec30
> msgid 2 message type bind read1msg: ld 0x55808231ec30 0 new referrals
> read1msg:  mark request completed, ld 0x55808231ec30 msgid 2 request
> done: ld 0x55808231ec30 msgid 2 res_errno: 0, res_error: <>,
> res_matched: <> ldap_free_request (origid 2, msgid 2)
> ldap_parse_result ldap_msgfree ldap_free_connection 1 1
> ldap_send_unbind TLS trace: SSL3 alert write:warning:close notify
> ldap_free_connection: actually freed

Edit

I started strace with ps awux | grep sbin/httpd | awk '{print"-p " $2}' | xargs strace -f but there was nothing of note.

strace of php-fpm: strace -f $(pidof php-fpm | sed 's/\([0-9]*\)/\-p \1/g')

[pid 340925] openat(AT_FDCWD, "/etc/pki/tls/private/xxx.key", O_RDONLY) = -1 EACCES (Permission non accordée)
[pid 340925] write(2, "TLS: could not use key file `/et"..., 70) = 70
[pid 340925] write(2, "TLS: error:0200100D:system libra"..., 85) = 85
[pid 340925] write(2, "TLS: error:20074002:BIO routines"..., 80) = 80
[pid 340925] write(2, "TLS: error:140B0002:SSL routines"..., 90) = 90


File /var/log/php-fpm/www-error.log:

[30-Nov-2022 08:00:01 UTC] PHP Warning:  ldap_start_tls(): Unable to start TLS: Connect error in /var/www/html/SI/test2.php on line 17
[30-Nov-2022 08:00:01 UTC] PHP Warning:  ldap_bind(): Unable to bind to server: Can't contact LDAP server in /var/www/html/SI/test2.php on line 37

Thanks

Answer 1

There may be some confusion between StartTLS and TLS. They are two different things.

When using StartTLS, you connect to the plaintext port (389/tcp for LDAP) and then issue a command that starts the encrypted transport. Calling ldapsearch -ZZ ... means invoking StartTLS.

When using "real" SSL/TLS, you connect to the encrypted port (636/tcp by default for LDAP), the encrypted channel is established, and only then does the LDAP protocol communication start.

So either some options are missing in your PHP code to make StartTLS work, or you should use ldaps://hostname/ as the LDAP URI.

Edit: the above is true, but the root cause does not seem to lie in a TLS/StartTLS confusion. PHP's ldap_start_tls() routine really does invoke StartTLS, so the OP's use of 389/tcp is correct.

Answer 2

Found it. Many thanks to @Fiisch.

Solution: -rw-r-----. 1 root apache 3272 28 nov. 11:35 xx.key

It worked as root but not as apache. My question: is that secure enough?
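As an added example (not the original poster's code), the connection routine below checks the client cert and key as the php-fpm worker before ldap_start_tls(), rejects a world-readable private key, and reports libldap's diagnostic message on StartTLS failure instead of the bare "-1 Can't contact LDAP server" that only shows up at ldap_bind(). The host and file paths are placeholders.

```php
<?php
// Added example, not the original poster's code. Pre-flight the client
// cert/key as the php-fpm worker and surface libldap's diagnostic when
// StartTLS fails, instead of the bare "-1 Can't contact LDAP server".
// Host and file paths are placeholders.

// Problems with a TLS file as seen by the worker: is_readable() checks with
// the effective UID of php-fpm (e.g. "apache"), the check that hit EACCES.
function check_tls_file(string $path, bool $is_private): array
{
    if (!file_exists($path)) {
        return ["$path does not exist"];
    }
    $problems = [];
    if (!is_readable($path)) {
        $problems[] = "$path is not readable by the PHP worker (EACCES)";
    }
    $mode = fileperms($path) & 0777;
    if ($is_private && ($mode & 0004)) {
        $problems[] = sprintf('%s is world-readable (mode %04o); use 0640 root:apache or stricter', $path, $mode);
    }
    return $problems;
}

// Connect with the same options as the original script and run StartTLS.
function ldap_connect_starttls(string $uri, string $cert, string $key)
{
    $problems = array_merge(check_tls_file($cert, false), check_tls_file($key, true));
    if ($problems) {
        throw new RuntimeException(implode('; ', $problems));
    }
    // Global TLS options (NULL link) must be set before the TLS handshake.
    ldap_set_option(null, LDAP_OPT_X_TLS_CERTFILE, $cert);
    ldap_set_option(null, LDAP_OPT_X_TLS_KEYFILE, $key);

    $con = ldap_connect($uri);
    if ($con === false) {
        throw new RuntimeException("bad LDAP URI: $uri");
    }
    ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($con, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($con, LDAP_OPT_NETWORK_TIMEOUT, 10);

    // Do not suppress with @: on failure LDAP_OPT_DIAGNOSTIC_MESSAGE carries
    // the TLS-layer reason (e.g. "could not use key file").
    if (!ldap_start_tls($con)) {
        $diag = '';
        ldap_get_option($con, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        throw new RuntimeException('StartTLS failed: ' . ldap_error($con) . ' / ' . $diag);
    }
    return $con;
}
```

Because the checks run under the worker's own UID, a key that is readable by root but not by apache is reported before any network traffic, which is exactly the case the strace in the question uncovered.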
