ldap_bind() - Can't contact LDAP server

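I have a virtual machine running CentOS 7 with a LAMP stack installed. On the VM, I am trying to create an LDAPS connection to my domain controller, which is a Windows 2008 R2 virtual machine. The SSL certificate I am using is self-signed, and the CA has been added to the CentOS 7 CA trust.

I am able to connect to the domain controller via ldapsearch. With the ldapsearch debug level set to 1, I can verify that my certificate is valid.

ex.) ldapsearch -H "ldaps://server.ad.com" -D "domain\user-name" -W -d 1

Whenever I try to use LDAPS through PHP, ldap_connect() reports success, but ldap_bind() always fails with error -1, Can't contact LDAP server. Here is a code sample: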

<?php
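// Define the constant only if this PHP build does not already provide it.
if (!defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
    define('LDAP_OPT_DIAGNOSTIC_MESSAGE', 0x0032);
}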
echo "defined LDAP_OPT_DIAGNOSTIC_MESSAGE <br />";
$handle = ldap_connect("ldaps://server.ad.com:636");
echo "called ldap_connect <br />";
$errorCode = ldap_errno( $handle );
echo "error code: $errorCode <br />";
$errorMsg = ldap_error( $handle );
echo "error message: $errorMsg <br />";
if (!$handle)
{
    echo "ldap_connect method returned null <br />";
}
else
{
    echo "ldap_connect returned a handle! <br />";
}
$bind = ldap_bind($handle, 'domain\\user', 'password');
echo "called ldap_bind <br />";
$errorCode2 = ldap_errno( $handle );
echo "error code: $errorCode2 <br />";
$errorMsg2 = ldap_error( $handle );
echo "error message: $errorMsg2 <br />";
if (!$bind)
{
    echo "ldap_bind method returned null <br />";
}
else
{
    echo "ldap_bind returned a bind! <br />";
}
if(ldap_get_option($handle, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error))
{
    echo "Error binding to LDAP: $extended_error";
}
else
{
    echo "Error bind to LDAP: No additional information is available.";
}   
?>

Output:

defined LDAP_OPT_DIAGNOSTIC_MESSAGE
called ldap_connect
error code: 0
error message: Success
ldap_connect returned a handle!
called ldap_bind
error code: -1
error message: Can't contact LDAP server
ldap_bind method returned null
Error bind to LDAP: No additional information is available.

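I felt that the error message "Can't contact LDAP server" was too generic, so I tried adding LDAP_OPT_DIAGNOSTIC_MESSAGE (http://php.net/manual/en/function.ldap-bind.php - first comment). But this does not seem to work.

Any ideas?

After further investigation, I found that running this PHP file from the command line binds successfully. It only fails when viewed from a browser.

With that information, I was able to ask another question on ServerFault and found that the bind was actually failing because of the SELinux configuration.

See the full answer here: https://serverfault.com/questions/677013/php-executes-with-different-results-in-command-line-than-when-browsed-to-in-apac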
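
An SELinux denial like the one described above is recorded in the audit log as an AVC record for Apache's httpd_t domain. The following script is an added example, not part of the original post: it summarizes such denials from audit.log text. The log lines are constructed samples, and the function names and the httpd_can_connect_ldap boolean mentioned in the comments are assumptions that do not come from the post.

```shell
#!/bin/sh
# Added example. The audit.log lines below are constructed samples.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1426871234.123:456): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=636 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1426871240.001:457): avc:  denied  { read } for  pid=2345 comm="httpd" name="notes.txt" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1426871250.500:458): avc:  denied  { name_connect } for  pid=2399 comm="httpd" dest=636 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1426871255.250:459): avc:  denied  { name_connect } for  pid=2401 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1426871260.000:460): avc:  denied  { name_connect } for  pid=3100 comm="zabbix_agentd" dest=636 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
EOF
}

# Reads audit.log text on stdin and prints "count port port_type" for every
# outbound TCP connect that SELinux denied to a process in the httpd_t domain.
httpd_connect_denials() {
    awk '
        /type=AVC/ && /denied/ && /name_connect/ && /scontext=[^ ]*:httpd_t:/ {
            port = ""; ptype = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dest=/) port = substr($i, 6)
                if ($i ~ /^tcontext=/) { split($i, ctx, ":"); ptype = ctx[3] }
            }
            if (port != "") seen[port " " ptype]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k2,2n
}

# Exit status 0 when stdin contains an httpd_t denial to an LDAP-labelled port
# (389 and 636 carry the ldap_port_t label in the targeted policy).
ldaps_blocked_for_httpd() {
    httpd_connect_denials |
        awk '$3 == "ldap_port_t" { found = 1 } END { exit !found }'
}

# Demo on the constructed sample. On a real host, feed the real log instead:
#   httpd_connect_denials < /var/log/audit/audit.log
# and check the boolean that governs this access (not named in the post):
#   getsebool httpd_can_connect_ldap
sample_audit_log | httpd_connect_denials
if sample_audit_log | ldaps_blocked_for_httpd; then
    echo "SELinux denied httpd an LDAP connection: CLI bind works, web bind fails"
fi
```

The command-line run succeeds because a shell user's PHP process is not confined to httpd_t, which is why the same script behaves differently under Apache.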