The problem is not related to the actual binding process (invalid credentials) as the warning would be a different one if the LDAP server could not authenticate your credentials. But as Paul Dixonnoted the use of ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)should be required - even though I don't think that this is the cause of your problems.

该问题与实际绑定过程（无效凭据）无关，因为如果 LDAP 服务器无法验证您的凭据，警告将是不同的。但是正如Paul Dixon指出的那样，ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)应该需要使用 - 即使我不认为这是导致您出现问题的原因。

• Which LDAP server type are you connecting to? OpenLDAP, Active Directory or something else?
• What's the operating system of the computer running your PHP program?
• Are you using a self-signed SSL certificate on the LDAP server and is the certificate authority for the given certificate trusted by the machine running your PHP program?
• Which port does the LDAP server run on? 636 would be the "official" port for LDAPS. Perhaps you can add the port explicitly to the server address: ldaps://<<server>>:636.

• 您要连接到哪种 LDAP 服务器类型？OpenLDAP、Active Directory 或其他什么？
• 运行您的 PHP 程序的计算机的操作系统是什么？
• 您是否在 LDAP 服务器上使用自签名 SSL 证书，并且运行 PHP 程序的机器是否信任给定证书的证书颁发机构？
• LDAP 服务器运行在哪个端口上？636 将是 LDAPS 的“官方”端口。也许您可以将端口显式添加到服务器地址：ldaps://<<server>>:636。

ext/ldaphas some issues with SSL/TLS secured connections. You can try to add

ext/ldapSSL/TLS 安全连接存在一些问题。您可以尝试添加

TLS_REQCERT never

to the ldap.conf(/etc/ldap.confor /etc/ldap/ldap.confon *nix-based systems) or for Windows machines create a ldap.confwith the above content in C:\OpenLDAP\sysconf\ldap.conf(the path must be an exact match as it's hard-coded into the extension).

到ldap.conf（/etc/ldap.conf或/etc/ldap/ldap.conf在基于 *nix 的系统上）或 Windows 机器上创建一个ldap.conf包含上述内容C:\OpenLDAP\sysconf\ldap.conf的路径（路径必须完全匹配，因为它被硬编码到扩展中）。

It appears to be a problem using SSL/TLS on some servers with recent PHP versions. Not sure why. You can refer to my post at: Problems with secure bind to Active Directory using PHP

在某些具有最新 PHP 版本的服务器上使用 SSL/TLS 似乎是一个问题。不知道为什么。您可以参考我的帖子：使用 PHP 安全绑定到 Active Directory 的问题

One of the more likely causes, is the cause from Stefan. To make sure that this is really the case, you can use:

更可能的原因之一是来自 Stefan 的原因。要确保确实如此，您可以使用：

ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);

before your ldap_connect. This will print a more sane error message to log (typically ssl cert not valid, ref. Stefan Gehrig)

在你的 ldap_connect 之前。这将打印更合理的错误消息以记录（通常 ssl 证书无效，参考 Stefan Gehrig）

Although old, I have encountered the same issue and wanted to provide some insight for future readers.

虽然很老，但我遇到了同样的问题，并希望为未来的读者提供一些见解。

Part of the problem was out-of-date OpenSSL libraries, 0.9.6 vs 1.0.0 (which worked).

部分问题是过时的 OpenSSL 库，0.9.6 与 1.0.0（有效）。

After updating OpenSSL on the server, it was noted that PHP lost support for OpenSSL.

在服务器上更新 OpenSSL 后，有人注意到 PHP 失去了对 OpenSSL 的支持。

You can check support for modules with the following from the command line:

您可以从命令行使用以下命令检查对模块的支持：

php -m 

Or

或者

echo phpinfo(INFO_MODULES);

From the browser.

从浏览器。

Also, there have been a lot of issues with SSL Support for LDAP when using the OCI8/Oracle LDAP libs in my professional experience. On Debian platforms, Libldap-2.4.2-dev packages work best.

此外，根据我的专业经验，在使用 OCI8/Oracle LDAP 库时，LDAP 的 SSL 支持存在很多问题。在 Debian 平台上，Libldap-2.4.2-dev 软件包效果最好。

Additionally, you should look at the connection logs on the LDAP server. I can almost guarantee that you will see an error referring to SSLv3 and missing a CA for the certificate.

此外，您应该查看 LDAP 服务器上的连接日志。我几乎可以保证您会看到一个错误，指的是 SSLv3 并且缺少证书的 CA。

By default, PHP looks for the CA file on UNIX systems in, make sure it is readable by the PHP invoker (user via cli, Apache user, etc..):

默认情况下，PHP 在 UNIX 系统中查找 CA 文件，确保它可以被 PHP 调用者（通过 cli 的用户、Apache 用户等）读取：

/etc/pki/CA

This is not necessarily a PHP issue, but a configuration issue with Secure LDAP. Please see this PHP bug reportand this OpenLDAP thread.

这不一定是 PHP 问题，而是安全 LDAP 的配置问题。请参阅此PHP 错误报告和此OpenLDAP 线程。

The OpenLDAP thread above has a snippet of a working OpenLDAP config for reference.

上面的 OpenLDAP 线程有一个可用的 OpenLDAP 配置片段供参考。

Some other things to check is your services definitions in /etc/services. Make sure you have the following:

其他一些需要检查的是 /etc/services 中的服务定义。确保您具备以下条件：

ldaps           636/tcp                         # LDAP over SSL
ldaps           636/udp

On UNIX "man ldap.conf" = ... SYNOPSIS /usr/local/etc/openldap/ldap.conf ...

在 UNIX 上 "man ldap.conf" = ... 概要 /usr/local/etc/openldap/ldap.conf ...

Write TLS_REQCERT neverin /usr/local/etc/openldap/ldap.conf and set ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)

在 /usr/local/etc/openldap/ldap.conf 中写入TLS_REQCERT never并设置 ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)

This work in my project on Nginx+PHP-fpm: nginx/1.6.0 php55-5.5.15 php55-ldap-5.5.15 openldap-client-2.4.39_1

这在我的 Nginx+PHP-fpm 项目中工作：nginx/1.6.0 php55-5.5.15 php55-ldap-5.5.15 openldap-client-2.4.39_1

What saved my day after reading and trying out solutions from allover the web and SO, was to use a ldaps uri without the portspecified in it.

在阅读并尝试了来自整个网络和 SO 的解决方案后，拯救我的一天是使用一个没有指定端口的 ldaps uri。

So instead of this: ldaps://example.com:636I had to use this: ldaps://example.comand it now works like a charm.

所以而不是这个：ldaps://example.com:636我不得不使用这个：ldaps://example.com它现在就像一个魅力。

I was setting this up on Ubuntu 16.04 with PHP7.3 runing through Nginx and php-fpm.

我在 Ubuntu 16.04 上设置了这个，PHP7.3 通过 Nginx 和 php-fpm 运行。

A full code example:

完整的代码示例：

try{
    $ldapUri = "ldaps://example.com";
    $ldapUsername = 'username';
    $ldapPassword = 'password';
    $ldapConn = ldap_connect($ldapUri);
    if($ldapConn){
        ldap_set_option($ldapConn,LDAP_OPT_NETWORK_TIMEOUT,10);

        if(!ldap_set_option($ldapConn,LDAP_OPT_PROTOCOL_VERSION,3)){
           print 'Failed to set ldap protocol to version 3<br>';
        }
        ldap_set_option($ldapConn, LDAP_OPT_REFERRALS,0);
        $ldapBind = ldap_bind($ldapConn, $ldapUsername, $ldapPass);
        if ($ldapBind) {
           echo "LDAP bind successful...";
           //DO LDAP search and stuff
           ldap_unbind($ldapConn);
        } else {
           echo "LDAP bind failed...";
        }
    }
}catch(Exception $e){
    print($e->getMessage();
}

I think you just need to set the ldap protocol version to be 3

我认为您只需要将 ldap 协议版本设置为 3

echo "<h3>LDAP query test</h3>";
echo "Connecting ...";

$ldap_server = 'ldaps://server';
$ldap_port = '636';

$ds = ldap_connect($ldap_server, $ldap_port);

if ($ds) 
{
    //add this
    if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) 
    {
        fatal_error("Failed to set LDAP Protocol version to 3, TLS not supported.");
    }
    echo "<br><br>Binding ..."; 
    $r=ldap_bind($ds);     // this is an "anonymous" bind, typically
                       // read-only access
    echo "Bind result is " . $r . "<br />";

    echo "Searching for (sn=S*) ...";
    // Search surname entry
    $sr=ldap_search($ds, "ou=people,o=server.ca,o=server", "uid=username*");  
    echo "Search result is " . $sr . "<br />";

    echo "Number of entires returned is " . ldap_count_entries($ds, $sr) . "<br />";

    echo "Getting entries ...<p>";
    $info = ldap_get_entries($ds, $sr);
    echo "Data for " . $info["count"] . " items returned:<p>";

    print_r($info);
    //    for ($i=0; $i<$info["count"]; $i++) {
    //        echo "dn is: " . $info[$i]["dn"] . "<br />";
    //        echo "first cn entry is: " . $info[$i]["cn"][0] . "<br />";
    //        echo "first email entry is: " . $info[$i]["mail"][0] . "<br /><hr />";
    //    }

    echo "Closing connection";
    ldap_close($ds);

} 
else 
{
    echo "<h4>Unable to connect to LDAP server</h4>";
}

Try to enable "anonymous binds" on your LDAP-Server or use a correct bind (username / password).

尝试在您的 LDAP 服务器上启用“匿名绑定”或使用正确的绑定（用户名/密码）。

like cn=ldapauthuser,ou=accounts,dc=example,dc=com

喜欢 cn=ldapauthuser,ou=accounts,dc=example,dc=com