5
votes

I'm trying to authenticate over LDAP against a Windows 2008 Server from a Fedora box.

The following code works from the command line (prints "Success"):

<?php
// Connect to the domain controller, then bind with the user's UPN and password.
// The text of ldap_error() after the bind is what "Success" / the failure refers to.
if ($ldap = ldap_connect('10.0.0.101')) {
    // Active Directory expects LDAPv3; the PHP default is v2
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    $bind = ldap_bind($ldap, '[email protected]', 'XXXXXXX');
    print ldap_error($ldap);
}

...pulling the same file via Apache/mod_php prints "Can't contact LDAP server".

I've seen a lot of reports of issues like this, but no useful information on how to resolve it.

2
I had the same problem yesterday on Ubuntu 18.04 with the stock Apache, PHP 7.2, LDAP and libsasl2-modules-gssapi-mit, but only with LDAPS not LDAP, and it is gone now, and I can't tell you what made it go away :-( - reinierpost

2 Answers

10
votes

I just fought this exact problem for a long time on CentOS 6. The php.ini difference seems like a good place to check, but it didn't give me the answer. It turns out this was related to SELinux.

$ getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> on
httpd_can_network_memcache --> on
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_run_stickshift --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_verify_dns --> off

You'll note that, in my case, httpd_can_network_connect was set to off. This is an SELinux boolean and can be adjusted with the following command.

$ setsebool -P httpd_can_network_connect on

You can read more about this at http://wiki.centos.org/TipsAndTricks/SelinuxBooleans which explicitly uses the case of apache and ldap as an example. Hope it helps!
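As an added example (not code from either answer), a small POSIX sh helper that parses getsebool output like the listing above, says whether httpd_t may open outbound connections such as LDAP, and picks out the AVC denial SELinux logs when it may not. The getsebool and audit lines embedded in it are constructed samples.

```shell
#!/bin/sh
# Constructed sample of `getsebool -a | grep httpd` from a host where Apache
# is blocked from reaching LDAP (the situation in the accepted answer).
SAMPLE_GETSEBOOL='httpd_can_network_connect --> off
httpd_can_network_connect_db --> on
httpd_can_network_relay --> off'

# Constructed sample audit.log line: the denial httpd_t gets on connect(389)
# while httpd_can_network_connect is off.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:4567): avc:  denied  { name_connect } for  pid=2314 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket'

# sebool_state NAME INPUT: print on/off for boolean NAME from getsebool-style
# lines "name --> value"; exit status 1 if NAME is not in INPUT.
sebool_state() {
    printf '%s\n' "$2" | awk -v n="$1" \
        '$1 == n && $2 == "-->" { print $3; found = 1 } END { exit !found }'
}

# httpd_ldap_verdict INPUT: decide from getsebool output whether Apache may
# connect out to LDAP (389/636); print the persistent fix when it may not.
httpd_ldap_verdict() {
    state=$(sebool_state httpd_can_network_connect "$1") || {
        echo "unknown: httpd_can_network_connect not reported"
        return 2
    }
    if [ "$state" = "on" ]; then
        echo "ok: httpd may connect to LDAP"
        return 0
    fi
    echo "blocked: run 'setsebool -P httpd_can_network_connect on'"
    return 1
}

# httpd_avc_denials INPUT: print audit lines where httpd was denied an
# outbound TCP connect; exit status 1 when there are none.
httpd_avc_denials() {
    printf '%s\n' "$1" | grep 'avc: *denied *{ name_connect }' \
        | grep 'comm="httpd"' | grep 'tclass=tcp_socket'
}

# Live use on a host with SELinux (not executed by the sample run):
#   httpd_ldap_verdict "$(getsebool -a | grep httpd)"
#   httpd_avc_denials "$(cat /var/log/audit/audit.log)"
```

On a live host, a verdict of "blocked" together with a name_connect denial for comm="httpd" confirms SELinux, not php.ini, is what separates the CLI from Apache.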

1
votes

You might be having this problem because Apache has one php.ini file and the CLI might have another, and the Apache version might not have the LDAP extension enabled.

Try checking which php.ini is loading with phpinfo() in both of your environments:

<?php phpinfo(); ?>

You should see the path of php.ini and additional useful information:

Configuration File (php.ini) Path => /etc/php5/cli
Loaded Configuration File => /etc/php5/cli/php.ini
Scan this dir for additional .ini files => /etc/php5/cli/conf.d

An alternative way to see the configuration loaded on the CLI is to call php with the -i parameter:

$ php -i | grep 'php.ini'
Configuration File (php.ini) Path => /etc/php5/cli
Loaded Configuration File => /etc/php5/cli/php.ini