使用 PHP 安全绑定到 Active Directory 的问题
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/5258556/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Problems with secure bind to Active Directory using PHP
提问by Jon Skarpeteig
I seem to be unable to use php to securely bind to Active Directory. Unencrypted connections work fine. Using other clients are able to securely bind, e.g. connecting using LDAPAdmin over SSL. What is the problem here? Is there some LDAP SSL module that I'm missing? How to securely bind to the server using php?
我似乎无法使用 php 安全地绑定到 Active Directory。未加密的连接工作正常。使用其他客户端能够安全地绑定,例如通过 SSL 使用 LDAPAdmin 进行连接。这里有什么问题?是否有一些我遗漏的 LDAP SSL 模块?如何使用php安全地绑定到服务器?
I noticed from phpinfo()that cURL has support for ldap/ldaps - what is a good example on utilizing this to perform secure bind in php? Is this a viable workaround?
我注意到phpinfo()cURL 支持 ldap/ldaps - 利用它在 php 中执行安全绑定的好例子是什么?这是一个可行的解决方法吗?
phpinfo();
phpinfo();
ldap
LDAP Support enabled
RCS Version $Id: ldap.c 293036 2010-01-03 09:23:27Z sebastian $
Total Links 0/unlimited
API Version 3001
Vendor Name OpenLDAP
Vendor Version 20421
SASL Support Enabled
Attempting to bind to an Active Directory server using PHP Version 5.3.2-1ubuntu4.7 from Ubuntu 10.04 repo
尝试使用来自 Ubuntu 10.04 存储库的 PHP 版本 5.3.2-1ubuntu4.7 绑定到 Active Directory 服务器
$username = 'user';
$password = 'passwd';
$account_suffix = '@example.com';
$hostnameSSL = 'ldaps://ldap.example.com:636';
$hostnameTLS = 'ldap.example.com';
$portTLS = 389;
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
// Attempting fix from http://www.php.net/manual/en/ref.ldap.php#77553
putenv('LDAPTLS_REQCERT=never');
####################
# SSL bind attempt #
####################
// Attempting syntax from http://www.php.net/manual/en/function.ldap-bind.php#101445
$con = ldap_connect($hostnameSSL);
if (!is_resource($con)) trigger_error("Unable to connect to $hostnameSSL",E_USER_WARNING);
// Options from http://www.php.net/manual/en/ref.ldap.php#73191
if (!ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3))
{
trigger_error("Failed to set LDAP Protocol version to 3, TLS not supported",E_USER_WARNING);
}
ldap_set_option($con, LDAP_OPT_REFERRALS, 0);
if (ldap_bind($con,$username . $account_suffix, $password)) die('All went well using SSL');
ldap_close($con);
####################
# TLS bind attempt #
####################
$con = ldap_connect($hostnameTLS,$portTLS);
ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($con, LDAP_OPT_REFERRALS, 0);
$encrypted = (ldap_start_tls($con));
if ($encrypted) ldap_bind($con,$username . $account_suffix, $password); // Unecrypted works, but don't want logins sent in cleartext
ldap_close($con);
#####################
# SASL bind attempt #
#####################
$con = ldap_connect($hostnameTLS,$portTLS);
ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($con, LDAP_OPT_REFERRALS, 0);
ldap_sasl_bind($con, NULL, $password, 'DIGEST-MD5', NULL, $username. $account_suffix);
ldap_close($con);
All of the above fails. Errors from log:
以上都失败了。日志中的错误:
ldap_create
ldap_url_parse_ext(ldaps://ldap.example.com:636)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.example.com:636
ldap_new_socket: 27
ldap_prepare_socket: 27
ldap_connect_to_host: Trying 1.1.1.1:636
ldap_pvt_connect: fd: 27 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x215380c0 msgid 1
wait4msg ld 0x215380c0 msgid 1 (infinite timeout)
wait4msg continue ld 0x215380c0 msgid 1 all 1
** ld 0x215380c0 Connections:
* host: ldap.example.com port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Mar 10 11:15:53 2011
** ld 0x215380c0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x215380c0 request count 1 (abandoned 0)
** ld 0x215380c0 Response Queue:
Empty
ld 0x215380c0 response count 0
ldap_chkResponseList ld 0x215380c0 msgid 1 all 1
ldap_chkResponseList returns ld 0x215380c0 NULL
ldap_int_select
read1msg: ld 0x215380c0 msgid 1 all 1
ldap_err2string
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP Warning: ldap_bind() [<a href='function.ldap-bind'>function.ldap-bind</a>]: Unable to bind to server: Can't contact LDAP server in /..test.php on line 28
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP Stack trace:
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP 1. {main}() /..test.php:0
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP 2. ldap_bind() /..test.php:28
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 1 1
ldap_free_connection: actually freed
ldap_create
ldap_err2string
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP Warning: ldap_start_tls() [<a href='function.ldap-start-tls'>function.ldap-start-tls</a>]: Unable to start TLS: Not Supported in /..test.php on line 37
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP Stack trace:
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP 1. {main}() /..test.php:0
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP 2. ldap_start_tls() /..test.php:37
ldap_create
ldap_sasl_interactive_bind_s: user selected: DIGEST-MD5
ldap_err2string
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP Warning: ldap_sasl_bind() [<a href='function.ldap-sasl-bind'>function.ldap-sasl-bind</a>]: Unable to bind to server: Not Supported in /..test.php on line 47
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP Stack trace:
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP 1. {main}() /..test.php:0
[Thu Mar 10 11:15:53 2011] [error] [client ::1] PHP 2. ldap_sasl_bind() /..test.php:47
Looking at ssl response:
查看 ssl 响应:
>> openssl s_client -connect my.example.com:636 -prexit
(...)
SSL handshake has read 5732 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 111111111111111111111111
Session-ID-ctx:
Master-Key: AAAAAAAAAAAAAAAAAAAAA
Key-Arg : None
Start Time: 1299071105
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Results from 'strace php test.php' :
'strace php test.php' 的结果:
write(2, " refcnt: 2 status: Connected\n", 31 refcnt: 2 status: Connected
) = 31
write(2, " last used: Tue Mar 15 10:59:19"..., 39 last used: Tue Mar 15 10:59:19 2011
) = 39
write(2, "\n", 1
) = 1
write(2, "** ld 0x954e0b8 Outstanding Requ"..., 38** ld 0x954e0b8 Outstanding Requests:
) = 38
write(2, " * msgid 1, origid 1, status In"..., 41 * msgid 1, origid 1, status InProgress
) = 41
write(2, " outstanding referrals 0, pare"..., 43 outstanding referrals 0, parent count 0
) = 43
write(2, " ld 0x954e0b8 request count 1 ("..., 45 ld 0x954e0b8 request count 1 (abandoned 0)
) = 45
write(2, "** ld 0x954e0b8 Response Queue:\n", 32** ld 0x954e0b8 Response Queue:
) = 32
write(2, " Empty\n", 9 Empty
) = 9
write(2, " ld 0x954e0b8 response count 0\n", 32 ld 0x954e0b8 response count 0
) = 32
write(2, "ldap_chkResponseList ld 0x954e0b"..., 48ldap_chkResponseList ld 0x954e0b8 msgid 1 all 1
) = 48
write(2, "ldap_chkResponseList returns ld "..., 47ldap_chkResponseList returns ld 0x954e0b8 NULL
) = 47
write(2, "ldap_int_select\n", 16ldap_int_select
) = 16
poll([{fd=3, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, -1) = 1 ([{fd=3, revents=POLLIN}])
write(2, "read1msg: ld 0x954e0b8 msgid 1 a"..., 37read1msg: ld 0x954e0b8 msgid 1 all 1
) = 37
read(3, "", 8) = 0
write(2, "ldap_err2string\n", 16ldap_err2string
) = 16
write(2, "PHP Warning: ldap_bind(): Unabl"..., 158PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in
And I do have the /etc/ldap.conf fix with 'TLS_REQCERT never' - even though this fix is for a different error, which gives a fairly clear error message.
而且我确实有带有“TLS_REQCERT never”的 /etc/ldap.conf 修复 - 即使此修复是针对不同的错误,它给出了相当清晰的错误消息。
采纳答案by Jon Skarpeteig
As my code is working fine with CentOS, I conclude that the problem is not programming specific. I have not been able to get it running in my Ubuntu environment as of yet, but I assume this is a bug in my server software.
由于我的代码在 CentOS 上运行良好,因此我得出结论,问题不是特定于编程的。到目前为止,我还不能让它在我的 Ubuntu 环境中运行,但我认为这是我的服务器软件中的一个错误。
回答by schlenk
Did you see the comment on the PHP.net page about missing permissions on some cert store that does this:
您是否在 PHP.net 页面上看到有关某些证书存储缺少权限的评论:
http://de3.php.net/manual/en/function.ldap-connect.php
http://de3.php.net/manual/en/function.ldap-connect.php
bleathem 27-Feb-2008 10:30 Everyone is posting about getting ldaps:// working in a WAMP/AD stack, I had a tough time finding how to get it going in RHEL 5.1 (w/ all stock rpms). Good old strace did the trick and helped me find the problem... Turns out php was looking for the CA file in /etc/pki/CA, and I didn't have the correct permissions on the folder. chmod'ing it to 755 solved my "Can't contact LDAP server" message.
bleathem 27-Feb-2008 10:30 每个人都发布了关于让 ldaps:// 在 WAMP/AD 堆栈中工作的帖子,我很难找到如何在 RHEL 5.1(带有所有库存 rpm)中运行它。好的老strace 解决了这个问题并帮助我找到了问题...原来php 正在/etc/pki/CA 中寻找CA 文件,而我没有对该文件夹的正确权限。将其修改为 755 解决了我的“无法联系 LDAP 服务器”消息。
So maybe thats your issue too. If not you should give either strace or wireshark a try to catch the syscalls and network transmissions and figure out what goes wrong. One of the two will show it clearly.
所以也许那也是你的问题。如果没有,您应该尝试使用 strace 或 wireshark 来捕获系统调用和网络传输并找出问题所在。两者之一将清楚地显示它。
回答by JMW
this is how i do it:
这就是我的做法:
<?php
$username = ''; // username to check
$password = ''; // password to check
/**
* Is it an Active Directory?
*
* <pre>
* true = yes
* set the following values:
* SDB_AUTH_LDAP_HOST
* SDB_AUTH_LDAP_SSL
* SDB_AUTH_LDAP_BASE
* SDB_AUTH_LDAP_SEARCH
* SDB_AUTH_LDAP_USERDOMAIN
* false = no, you have to supply an hostname
* and configure the following values:
* SDB_AUTH_LDAP_HOST
* SDB_AUTH_LDAP_PORT
* SDB_AUTH_LDAP_SSL
* SDB_AUTH_LDAP_BASE
* SDB_AUTH_LDAP_SEARCH
* SDB_AUTH_LDAP_USERDOMAIN
* </pre>
* @see SDB_AUTH_LDAP_HOST
*/
define('SDB_AUTH_IS_AD', true);
/**
* Domain name of the LDAP Host or of the AD-Domain
*/
define('SDB_AUTH_LDAP_HOST', 'your-domain.tld');
/**
* LDAP Port?
*
* if {@link SDB_AUTH_IS_AD} = true, then the port will be read form DNS.
*/
define('SDB_AUTH_LDAP_PORT', '389');
/**
* Use LDAPS (true) oder LDAP (false) connection?
*/
define('SDB_AUTH_LDAP_SSL', false);
/**
* LDAP Base
*/
define('SDB_AUTH_LDAP_BASE', 'CN=Users,DC=your-domain.tld,DC=de');
/**
* LDAP Search, to find a user
*
* %s will be replaced by the username.<br>
* z.B. CN=%s
*/
define('SDB_AUTH_LDAP_SEARCH', '(&(sAMAccountName=%s)(objectclass=user)(objectcategory=person))');
/**
* Die LDAP Domain des Benutzers
*
* if the username doesnt contain a domain append this domain to it.<br>
* in case this is empty, nothing will be appended.
*/
define('SDB_AUTH_LDAP_USERDOMAIN', 'your-domain.tld');
/**
* Path to LDAP Search
*
* Will give back better error messages
* ( leave empty in case you don't want to have it. )
*/
define('SDB_AUTH_LDAP_SEARCHBIN', '/usr/bin/ldapsearch');
$ldap_error_codes=array(
'525' => 'Username doesnt exist.',
'52e' => 'Wrong password.',
'530' => 'You cannot login at this time.',
'531' => 'You cannot login from this host.',
'532' => 'Your password was expired.',
'533' => 'Your account has been deactivated.',
'701' => 'Your account was expired.',
'773' => 'Please set another password (at your workstation) before you login.',
'775' => 'Your account has been locked.',
);
if(SDB_AUTH_LDAP_SSL) $dcs=dns_get_record("_ldaps._tcp.".SDB_AUTH_LDAP_HOST, DNS_SRV); else $dcs=dns_get_record("_ldap._tcp.".SDB_AUTH_LDAP_HOST, DNS_SRV);
shuffle($dcs);
$_LDAP_ATTRS=array('cn', 'sn', 'description', 'givenName', 'distinguishedName', 'displayName', 'memberOf', 'name', 'sAMAccountName', 'sAMAccountType', 'objectClass', 'objectCategory');
if(SDB_AUTH_LDAP_USERDOMAIN!='' && strstr($username, '@')===false) {
$username=$username.'@'.SDB_AUTH_LDAP_USERDOMAIN;
}
$status=array();
$status['CN']='';
$status['displayName']='';
$status['description']='';
$status['distinguishedName']='';
$status['groups']=array();
$status['RC']=array();
$status['connected']=false;
$status['user_exists']=false;
$status['is_in_team']=false;
foreach($dcs as $_LDAP_HOST) {
$_LDAP_PORT=$_LDAP_HOST['port'];
$_LDAP_HOST=$_LDAP_HOST['target'];
// check connection first ( http://bugs.php.net/bug.php?id=15637 )
$sock=@fsockopen($_LDAP_HOST, $_LDAP_PORT, $errno, $errstr, 1);
@fclose($sock);
if($errno!=0) continue;
// then do a "connect"... ( the real connect happens with bind )
$ds=@ldap_connect(( SDB_AUTH_LDAP_SSL ? "ldaps://" : "ldap://" ).$_LDAP_HOST.":".$_LDAP_PORT."/");
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
// are we connected? actually, this will always return true
if(is_resource($ds)) {
$status['connected']=true;
// login sucessful? actually also connection test
if(@ldap_bind($ds, $username, $password)) {
// search
$sr=ldap_search($ds, SDB_AUTH_LDAP_BASE, sprintf(SDB_AUTH_LDAP_SEARCH, $usernode), $_LDAP_ATTRS);
// suche successful?
if(is_resource($sr)) {
// fetch entries
$info = ldap_get_entries($ds, $sr);
if(isset($info['count']) && $info['count']>0) {
$status['user_exists']=true;
}
// close search result
ldap_free_result($sr);
$status['CN']=$info[0]['cn'][0];
$status['description']=$info[0]['description'][0];
$status['displayName']=$info[0]['displayname'][0];
$status['distinguishedName']=$info[0]['distinguishedname'][0];
// is the user in the dexteam?
for($i=0; $i<$info[0]['memberof']['count']; $i++) {
$status['groups'][]=$info[0]['memberof'][$i];
// IS IN TEAM CHECK
if(substr($info[0]['memberof'][$i], 0, strlen('CN=DexTeam,'))=='CN=DexTeam,') $status['is_in_team']=true;
}
$status['RC']['code']=ldap_errno($ds);
$status['RC']['string']=ldap_error($ds);
ldap_close($ds);
break;
}
else {
$status['RC']['code']=ldap_errno($ds);
$status['RC']['string']=ldap_error($ds);
ldap_close($ds);
break;
}
}
else {
$status['RC']['code']=ldap_errno($ds);
$status['RC']['string']=ldap_error($ds);
// do we want better error messages?
if(SDB_AUTH_LDAP_SEARCHBIN!='' && is_executable(SDB_AUTH_LDAP_SEARCHBIN)) {
$status['RC']['ldapsearchrc']='';
$status['RC']['ldapsearchtxt']=array();
exec(SDB_AUTH_LDAP_SEARCHBIN.' -x -H '.escapeshellarg(( SDB_AUTH_LDAP_SSL ? "ldaps://" : "ldap://" ).$_LDAP_HOST.":".$_LDAP_PORT."/").' -D '.escapeshellarg($username).' -w '.escapeshellarg($password).' 2>&1', $status['RC']['ldapsearchtxt'], $status['RC']['ldapsearchrc']);
if($status['RC']['ldapsearchrc']!=0) {
if(preg_match("/data ([^, ]+),/", $status['RC']['ldapsearchtxt'][1], $matches)) {
if(isset($ldap_error_codes[$matches[1]])) {
$status['RC']['code']=$matches[1];
$status['RC']['string']=$ldap_error_codes[$matches[1]];
}
}
unset($status['RC']['ldapsearchrc']);
unset($status['RC']['ldapsearchtxt']);
}
}
ldap_close($ds);
break;
}
}
else {
continue;
}
}
did you enable the certificate? i know there was a problem, when the certifiacte gets refused. edit the "/etc/ldap/ldap.conf" and add "TLS_REQCERT never"
你启用了证书吗?我知道有问题,当证书被拒绝时。编辑“/etc/ldap/ldap.conf”并添加“TLS_REQCERT never”
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_REQCERT never
however, to me it works with ldap and ldaps:
然而,对我来说,它适用于 ldap 和 ldaps:
- it might be a configuration issue with the ad configuration. maybe lower certain security limitations...
- OR it might be also a php / ldap lib issue. Try to update to newer versions :)
- 这可能是广告配置的配置问题。也许降低某些安全限制...
- 或者它也可能是一个 php/ldap lib 问题。尝试更新到新版本:)
回答by Omar Ramos
I was finally able to get things working on my Windows machine by reading the following PHP bug thread: http://bugs.php.net/bug.php?id=48866
通过阅读以下 PHP 错误线程,我终于能够在我的 Windows 机器上运行:http: //bugs.php.net/bug.php?id=48866
Unfortunately, this is Windows specific but it got me at least going in the right direction now in my testing (I know it should work from PHP now on my web server...so long as I have ldap.conf configured correctly). On Windows with PHP 5.3 I needed to add the ldap.conf file into the root of my C: drive (other examples I had seen online had been placing it in C:\openldap\sysconf which wasn't working).
不幸的是,这是特定于 Windows 的,但它至少让我在我的测试中朝着正确的方向前进(我知道它现在应该可以在我的 Web 服务器上从 PHP 工作......只要我正确配置了 ldap.conf)。在带有 PHP 5.3 的 Windows 上,我需要将 ldap.conf 文件添加到我的 C: 驱动器的根目录中(我在网上看到的其他示例已将它放在 C:\openldap\sysconf 中,但它不起作用)。
TLS still doesn't work exactly (it gives me a "unable to start tls: can't contact LDAP server" message), but SSL does appear to be working and I was able to update a password for an account in my test script.
TLS 仍然不能正常工作(它给我一条“无法启动 tls:无法联系 LDAP 服务器”消息),但 SSL 似乎正在工作,我能够在我的测试脚本中更新帐户的密码.
I'm guessing the ldap.conf file just needs to be setup similarly on my web server and I should hopefully be in business (I'm just not sure if the one that's already there is the one I need to modify or if I need to create an additional one). I'll see if I can report back on that front.
我猜 ldap.conf 文件只需要在我的 Web 服务器上进行类似的设置,我希望可以开展业务(我只是不确定已经存在的文件是否是我需要修改的文件,或者我是否需要创建一个额外的)。我会看看我是否可以在这方面报告。
回答by ak93
What saved my day after reading and trying out solutions from allover the web and SO, was to use a ldaps uri without the portspecified in it.
在阅读并尝试了来自整个网络和 SO 的解决方案后,拯救我的一天是使用一个没有指定端口的 ldaps uri。
So instead of this: ldaps://example.com:636I had to use this: ldaps://example.comand it now works like a charm.
所以而不是这个:ldaps://example.com:636我不得不使用这个:ldaps://example.com现在它就像一个魅力。
I was setting this up on Ubuntu 16.04 with PHP7.3 runing through Nginx and php-fpm.
我在 Ubuntu 16.04 上设置了这个,PHP7.3 通过 Nginx 和 php-fpm 运行。
A full code example:
完整的代码示例:
try{
$ldapUri = "ldaps://example.com";
$ldapUsername = 'username';
$ldapPassword = 'password';
$ldapConn = ldap_connect($ldapUri);
if($ldapConn){
ldap_set_option($ldapConn,LDAP_OPT_NETWORK_TIMEOUT,10);
if(!ldap_set_option($ldapConn,LDAP_OPT_PROTOCOL_VERSION,3)){
print 'Failed to set ldap protocol to version 3<br>';
}
ldap_set_option($ldapConn, LDAP_OPT_REFERRALS,0);
$ldapBind = ldap_bind($ldapConn, $ldapUsername, $ldapPass);
if ($ldapBind) {
echo "LDAP bind successful...";
//DO LDAP search and stuff
ldap_unbind($ldapConn);
} else {
echo "LDAP bind failed...";
}
}
}catch(Exception $e){
print($e->getMessage();
}
回答by geoffc
Does your Active Directory have LDAPS enabled? If so, get the Trusted Root of the CA's key into the trusted root keystore.
您的 Active Directory 是否启用了 LDAPS?如果是,将 CA 密钥的可信根放入可信根密钥库。
