      Problems securely binding to Active Directory using PHP

        Date: 2024-08-23
                  This article describes how the problem of securely binding to Active Directory with PHP was handled; it may be a useful reference for anyone facing the same problem. Readers who need it can follow along with the editor at 跟版网 below.

                  Problem description


                  I seem to be unable to use PHP to securely bind to Active Directory. Unencrypted connections work fine. Other clients are able to bind securely, e.g. connecting with LDAPAdmin over SSL. What is the problem here? Is there some LDAP SSL module that I'm missing? How do I securely bind to the server using PHP?


                  I noticed from phpinfo() that cURL has support for ldap/ldaps - what is a good example of using this to perform a secure bind in PHP? Is this a viable workaround?

                  phpinfo();

                  ldap
                  LDAP Support    enabled
                  RCS Version     $Id: ldap.c 293036 2010-01-03 09:23:27Z sebastian $
                  Total Links     0/unlimited
                  API Version     3001
                  Vendor Name     OpenLDAP
                  Vendor Version  20421
                  SASL Support    Enabled 
                  


                  Attempting to bind to an Active Directory server using PHP Version 5.3.2-1ubuntu4.7 from Ubuntu 10.04 repo

                  $username = 'user';
                  $password = 'passwd';
                  $account_suffix = '@example.com';
                  $hostnameSSL = 'ldaps://ldap.example.com:636';
                  $hostnameTLS = 'ldap.example.com';
                  $portTLS = 389;
                  
                  // Global (link-less) option: verbose libldap debug output to stderr
                  ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
                  
                  // Attempting fix from http://www.php.net/manual/en/ref.ldap.php#77553
                  // (disables server certificate verification for this process)
                  putenv('LDAPTLS_REQCERT=never');
                  
                  ####################
                  # SSL bind attempt #
                  ####################
                  // Attempting syntax from http://www.php.net/manual/en/function.ldap-bind.php#101445
                  $con = ldap_connect($hostnameSSL);
                  if (!is_resource($con)) trigger_error("Unable to connect to $hostnameSSL", E_USER_WARNING);
                  
                  // Options from http://www.php.net/manual/en/ref.ldap.php#73191
                  if (!ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3))
                  {
                      trigger_error("Failed to set LDAP Protocol version to 3, TLS not supported", E_USER_WARNING);
                  }
                  ldap_set_option($con, LDAP_OPT_REFERRALS, 0);
                  
                  if (ldap_bind($con, $username . $account_suffix, $password)) die('All went well using SSL');
                  ldap_close($con);
                  
                  ####################
                  # TLS bind attempt #
                  ####################
                  $con = ldap_connect($hostnameTLS, $portTLS);
                  ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
                  ldap_set_option($con, LDAP_OPT_REFERRALS, 0);
                  $encrypted = ldap_start_tls($con);
                  if ($encrypted) ldap_bind($con, $username . $account_suffix, $password); // Unencrypted works, but don't want logins sent in cleartext
                  ldap_close($con);
                  
                  #####################
                  # SASL bind attempt #
                  #####################
                  $con = ldap_connect($hostnameTLS, $portTLS);
                  ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
                  ldap_set_option($con, LDAP_OPT_REFERRALS, 0);
                  // Arguments: link, bind DN, password, SASL mechanism, realm, authc identity
                  ldap_sasl_bind($con, NULL, $password, 'DIGEST-MD5', NULL, $username . $account_suffix);
                  ldap_close($con);
                  


                  All of the above fails. Errors from log:

                  ldap_create
                  ldap_url_parse_ext(ldaps://ldap.example.com:636)
                  ldap_bind_s
                  ldap_simple_bind_s
                  ldap_sasl_bind_s
                  ldap_sasl_bind
                  ldap_send_initial_request
                  ldap_new_connection 1 1 0
                  ldap_int_open_connection
                  ldap_connect_to_host: TCP ldap.example.com:636
                  ldap_new_socket: 27
                  ldap_prepare_socket: 27
                  ldap_connect_to_host: Trying 1.1.1.1:636
                  ldap_pvt_connect: fd: 27 tm: -1 async: 0
                  ldap_open_defconn: successful
                  ldap_send_server_request
                  ldap_result ld 0x215380c0 msgid 1
                  wait4msg ld 0x215380c0 msgid 1 (infinite timeout)
                  wait4msg continue ld 0x215380c0 msgid 1 all 1
                  ** ld 0x215380c0 Connections:
                  * host: ldap.example.com  port: 636  (default)
                    refcnt: 2  status: Connected
                    last used: Thu Mar 10 11:15:53 2011
                  
                  
                  ** ld 0x215380c0 Outstanding Requests:
                   * msgid 1,  origid 1, status InProgress
                     outstanding referrals 0, parent count 0
                    ld 0x215380c0 request count 1 (abandoned 0)
                  ** ld 0x215380c0 Response Queue:
                     Empty
                    ld 0x215380c0 response count 0
                  ldap_chkResponseList ld 0x215380c0 msgid 1 all 1
                  ldap_chkResponseList returns ld 0x215380c0 NULL
                  ldap_int_select
                  read1msg: ld 0x215380c0 msgid 1 all 1
                  ldap_err2string
                  [Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP Warning:  ldap_bind() [<a href='function.ldap-bind'>function.ldap-bind</a>]: Unable to bind to server: Can't contact LDAP server in /..test.php on line 28
                  [Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP Stack trace:
                  [Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP   1. {main}() /..test.php:0
                  [Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP   2. ldap_bind() /..test.php:28
                  ldap_free_request (origid 1, msgid 1)
                  ldap_free_connection 1 1
                  ldap_free_connection: actually freed
                  ldap_create
                  ldap_err2string
                  [Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP Warning:  ldap_start_tls() [<a href='function.ldap-start-tls'>function.ldap-start-tls</a>]: Unable to start TLS: Not Supported in /..test.php on line 37
                  [Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP Stack trace:
                  [Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP   1. {main}() /..test.php:0
                  [Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP   2. ldap_start_tls() /..test.php:37
                  ldap_create
                  ldap_sasl_interactive_bind_s: user selected: DIGEST-MD5
                  ldap_err2string
                  [Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP Warning:  ldap_sasl_bind() [<a href='function.ldap-sasl-bind'>function.ldap-sasl-bind</a>]: Unable to bind to server: Not Supported in /..test.php on line 47
                  [Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP Stack trace:
                  [Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP   1. {main}() /..test.php:0
                  [Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP   2. ldap_sasl_bind() /..test.php:47
                  

                  Looking at the SSL response:

                  >> openssl s_client -connect my.example.com:636 -prexit
                  
                  (...)
                  SSL handshake has read 5732 bytes and written 443 bytes
                  ---
                  New, TLSv1/SSLv3, Cipher is RC4-MD5
                  Server public key is 2048 bit
                  Secure Renegotiation IS supported
                  Compression: NONE
                  Expansion: NONE
                  SSL-Session:
                      Protocol  : TLSv1
                      Cipher    : RC4-MD5
                      Session-ID: 111111111111111111111111
                      Session-ID-ctx: 
                      Master-Key: AAAAAAAAAAAAAAAAAAAAA
                      Key-Arg   : None
                      Start Time: 1299071105
                      Timeout   : 300 (sec)
                      Verify return code: 20 (unable to get local issuer certificate)
                  


                  Results from 'strace php test.php' :

                      write(2, "  refcnt: 2  status: Connected
                  ", 31  refcnt: 2  status: Connected
                      ) = 31
                      write(2, "  last used: Tue Mar 15 10:59:19"..., 39  last used: Tue Mar 15 10:59:19 2011
                  
                      ) = 39
                      write(2, "
                  ", 1
                      )                       = 1
                      write(2, "** ld 0x954e0b8 Outstanding Requ"..., 38** ld 0x954e0b8 Outstanding Requests:
                      ) = 38
                      write(2, " * msgid 1,  origid 1, status In"..., 41 * msgid 1,  origid 1, status InProgress
                      ) = 41
                      write(2, "   outstanding referrals 0, pare"..., 43   outstanding referrals 0, parent count 0
                      ) = 43
                      write(2, "  ld 0x954e0b8 request count 1 ("..., 45  ld 0x954e0b8 request count 1 (abandoned 0)
                      ) = 45
                      write(2, "** ld 0x954e0b8 Response Queue:
                  ", 32** ld 0x954e0b8 Response Queue:
                      ) = 32
                      write(2, "   Empty
                  ", 9   Empty
                      )               = 9
                      write(2, "  ld 0x954e0b8 response count 0
                  ", 32  ld 0x954e0b8 response count 0
                      ) = 32
                      write(2, "ldap_chkResponseList ld 0x954e0b"..., 48ldap_chkResponseList ld 0x954e0b8 msgid 1 all 1
                      ) = 48
                      write(2, "ldap_chkResponseList returns ld "..., 47ldap_chkResponseList returns ld 0x954e0b8 NULL
                      ) = 47
                      write(2, "ldap_int_select
                  ", 16ldap_int_select
                      )       = 16
                      poll([{fd=3, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, -1) = 1 ([{fd=3, revents=POLLIN}])
                      write(2, "read1msg: ld 0x954e0b8 msgid 1 a"..., 37read1msg: ld 0x954e0b8 msgid 1 all 1
                      ) = 37
                      read(3, "", 8)                          = 0
                      write(2, "ldap_err2string
                  ", 16ldap_err2string
                      )       = 16
                      write(2, "PHP Warning:  ldap_bind(): Unabl"..., 158PHP Warning:  ldap_bind(): Unable to bind to server: Can't contact LDAP server in
                  


                  And I do have the /etc/ldap.conf fix with 'TLS_REQCERT never' - even though this fix is for a different error, which gives a fairly clear error message.
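                  The script in the question gets past the certificate problem that s_client reports ("unable to get local issuer certificate", verify return code 20) by setting LDAPTLS_REQCERT=never, which turns server certificate verification off for the whole process. The following function is an added example, not code from the original post or from PHP's documentation: it keeps verification on by pointing libldap at the CA certificate that issued the domain controller's certificate, demands that the certificate verify, refuses to send a password over a connection that is not encrypted, and rejects an empty password (Active Directory treats a bind with an empty password as an anonymous bind, so it would "succeed" without authenticating anyone). The CA file path, host name and user principal are placeholders; the LDAP_OPT_X_TLS_* and LDAP_OPT_DIAGNOSTIC_MESSAGE constants assume PHP 7.1 or newer, which is an assumption on my part and later than the PHP 5.3 in the question.

```php
<?php
// Added example (not the original poster's code): LDAPS / StartTLS bind to
// Active Directory with server certificate verification kept ON.
// Assumptions: PHP >= 7.1 (LDAP_OPT_X_TLS_* constants), placeholder CA path,
// host name and user principal.
declare(strict_types=1);

/**
 * Bind to an AD domain controller over an encrypted connection.
 * Returns [bool $ok, string $detail].
 */
function adSecureBind(string $uri, string $userPrincipal, string $password, string $caFile): array
{
    // Never let an empty password reach the server: AD answers an empty-password
    // simple bind with an anonymous bind, which looks like success to the caller.
    if ($password === '') {
        return [false, 'empty password refused'];
    }

    // TLS options are process-global in libldap and must be set before the
    // connection is opened (a null link sets the library default).
    if (!ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile)) {
        return [false, "cannot set CA file $caFile"];
    }
    // DEMAND is the opposite of LDAPTLS_REQCERT=never: the server must present
    // a certificate and it must chain to the CA file, or the handshake fails.
    if (!ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND)) {
        return [false, 'cannot require certificate verification'];
    }

    $con = ldap_connect($uri);
    if ($con === false) {
        return [false, "malformed LDAP URI $uri"];
    }
    ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($con, LDAP_OPT_REFERRALS, 0);
    // Fail fast instead of hanging forever when port 636/389 is filtered.
    ldap_set_option($con, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // For a plain ldap:// URI, upgrade with StartTLS and abort if that fails,
    // so credentials are never sent in cleartext.
    if (strncasecmp($uri, 'ldaps://', 8) !== 0) {
        if (!@ldap_start_tls($con)) {
            $err = ldap_error($con);
            ldap_unbind($con);
            return [false, "StartTLS failed, not sending credentials: $err"];
        }
    }

    if (!@ldap_bind($con, $userPrincipal, $password)) {
        $err  = ldap_error($con);
        $diag = '';
        // AD puts the specific reason (e.g. "data 52e") in the diagnostic message.
        ldap_get_option($con, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        ldap_unbind($con);
        return [false, trim("bind failed: $err $diag")];
    }

    ldap_unbind($con);
    return [true, "bound as $userPrincipal over TLS"];
}

// Constructed sample call; every value below is a placeholder.
[$ok, $detail] = adSecureBind(
    'ldaps://ldap.example.com:636',
    'user@example.com',
    getenv('AD_PASSWORD') ?: '',
    '/etc/ssl/certs/example-ad-root-ca.pem'   // CA that issued the DC certificate
);
echo ($ok ? 'OK: ' : 'FAIL: ') . $detail . PHP_EOL;
```

With the CA file in place, the "Verify return code: 20" seen in the openssl s_client output turns into a successful verification, and a handshake against a server presenting an untrusted certificate fails closed instead of silently binding over an unverified channel.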

                  Recommended answer


                  As my code is working fine with CentOS, I conclude that the problem is not programming specific. I have not been able to get it running in my Ubuntu environment as of yet, but I assume this is a bug in my server software.
