How do I solve ldap_start_tls() “Unable to start TLS: Connect error” in PHP?

温柔的废话 2020-12-14 03:59

I'm getting:

Warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error in /var/www/X.php on line Y

7 answers
  • 2020-12-14 04:01

    I was able to get this working properly with openldap on Amazon Linux (Elastic Beanstalk PHP 7.0) with MacOS Server 5 LDAP, with TLS set to demand.

    in /etc/openldap/ldap.conf:

    TLS_REQCERT demand

    TLS_CACERT /etc/openldap/certs/yourcacert.pem

    (note that if you are not using openldap, the path will be /etc/ldap/certs/yourcacert.pem). This setup did not work until I placed the certificate inside the certs folder; it did not work from any other path.

    The certificate to be placed in that path is NOT the TLS certificate of the server. It is the CA (Certificate Authority) certificate of the authority that issued the server/domain-specific TLS certificate. Only the CA certificate placed in that path will allow TLS to work before attempting an LDAP bind in PHP. Get the CA certificate from your server or download it from the authority's site; they are freely available.

    To test if LDAP bind is even working without TLS, set TLS_REQCERT never temporarily (you may need to comment out TLS_CACERT with #). If you get "Can't connect to LDAP" it is not a TLS error; it simply cannot connect to the server and you likely need to open port 389 (not 636 for TLS).

    Remember to restart your Apache server every time you make a change to the config file or certificate.

  • 2020-12-14 04:03
    1. In debian based systems:

      Install the package: ldap-utils and in the file /etc/ldap/ldap.conf, edit the line:

      TLS_CACERT /etc/ldap/cacerts/cacert.asc
      

      Create the directory /etc/ldap/cacerts and copy the cacert to /etc/ldap/cacerts/cacert.asc

      Restart apache.

    2. In redhat based systems:

      Install the package: openldap-clients and in the file /etc/openldap/ldap.conf edit the line:

      TLS_CACERT /etc/openldap/cacerts/cacert.asc
      

      Create the directory /etc/openldap/cacerts and copy the cacert to /etc/openldap/cacerts/cacert.asc

      Restart httpd

  • 2020-12-14 04:06

    You can ignore the validity in Windows by issuing

    putenv('LDAPTLS_REQCERT=never');
    

    in your php code. In *nix you need to edit your /etc/ldap.conf to contain

    TLS_REQCERT never
    

    Another thing to be aware of is that it requires version 3 (version 2 is PHP's default):

    // $hostnameSSL would be e.g. "ldaps://just.example.com:636"; just make sure it uses ldaps://
    $con = ldap_connect($hostnameSSL);
    ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
    

    To get a better idea of what's going on, you can enable debug logging by:

    ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
    

    This can be done before the ldap_connect takes place.

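    As an added example (not code from any answer above or from PHP's own documentation), here is a PHP function that performs the StartTLS upgrade with certificate verification kept on (the equivalent of TLS_REQCERT hard rather than never) and surfaces the OpenLDAP diagnostic message that hides behind the generic "Connect error". It assumes PHP 7.1 or later with ext/ldap linked against OpenLDAP; the server URI, bind DN and CA path are placeholders.

    ```php
    <?php
    // Added example: StartTLS with the CA check kept on and useful diagnostics.
    // Assumes PHP >= 7.1 ext/ldap built against OpenLDAP (placeholder host/DN/CA path).

    /** @return resource|\LDAP\Connection|false */
    function ldapConnectStartTls(string $uri, string $caFile)
    {
        // TLS options set on a NULL link become the library-wide defaults for
        // connections created afterwards, so they must precede ldap_connect().
        ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
        // HARD = verify the server certificate against $caFile and abort on failure.
        // LDAP_OPT_X_TLS_NEVER only belongs in a temporary diagnostic run.
        ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);

        $con = ldap_connect($uri);            // plain ldap:// URI; StartTLS upgrades it
        if ($con === false) {
            fwrite(STDERR, "ldap_connect(): malformed URI $uri\n");
            return false;
        }
        ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3); // StartTLS requires LDAPv3
        ldap_set_option($con, LDAP_OPT_REFERRALS, 0);

        if (!@ldap_start_tls($con)) {
            // ldap_error() only says "Connect error"; the diagnostic message carries
            // the TLS-layer reason (unknown CA, host name mismatch, expired cert, ...).
            $diag = '';
            ldap_get_option($con, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
            fwrite(STDERR, sprintf("ldap_start_tls() failed: %s (%s)\n", ldap_error($con), $diag));
            ldap_unbind($con);
            return false;
        }
        return $con;
    }

    $con = ldapConnectStartTls('ldap://ldap.example.com:389', '/etc/openldap/certs/yourcacert.pem');
    if ($con !== false) {
        // Bind only after the channel is encrypted so the password never crosses in clear text.
        $ok = @ldap_bind($con, 'cn=reader,dc=example,dc=com', getenv('LDAP_PASSWORD') ?: '');
        echo $ok ? "bound over StartTLS\n" : 'bind failed: ' . ldap_error($con) . "\n";
        ldap_unbind($con);
    }
    ```

    Run it with the CA file present and then with it pointed at an empty file: the second run prints the diagnostic that explains why the handshake was rejected, which is the information the bare warning from the question omits.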
  • 2020-12-14 04:10

    Some additional help for others: the certificate solution here solved my ldapsearch command-line issue, but PHP still complained **Can't contact LDAP server**

    It turned out that SELinux on RHEL7 (CentOS7) blocks HTTPD from using LDAP ports 389 and 636 by default; you can unblock it with:

    setsebool -P httpd_can_network_connect 1
    

    Check your SELinux audit log file for things being blocked.

  • 2020-12-14 04:13

    My solution/workaround is to use

    /etc/ldap/ldap.conf:
    #TLS_CACERT /etc/ssl/certs/ca.crt
    TLS_REQCERT never
    

    If you have any better idea, please post another answer.

  • 2020-12-14 04:19

    The path for ldap.conf in Windows is fixed:

    c:\openldap\sysconf\ldap.conf

    A restart of the web server may be required to apply changes.
