I am authenticating users using ldaps from 3 different Windows domains. Each has its own DC. I assign the certificates directly in the PHP code.
It works perfectly for only one domain.
Example:
After restarting Apache.
A user from domain1 logs in. They are authenticated, and other users from domain1 can also authenticate.
If a user logs in from domain2 (or from another domain), the login fails. A "certificate issuer failed to be verified" error appears in Apache's error.log.
After restarting Apache.
A user from domain2 logs in. Users from domain1 (or from another domain) can no longer log in.
Important part of the code:
    $certpath = $this->globalparameter->parameters["constants"]["CertifPath"];
    switch ($domainname) {
        case "imofa":
            $DC = $this->globalparameter->parameters["constants"]["DcIMF"];
            $certname = $this->globalparameter->parameters["constants"]["CertifIMF"];
            break;
        case "havexmobility2":
            $upn = str_ireplace("mobility2", "mobility", $upn); // to adjust the DC for O365
            $DC = $this->globalparameter->parameters["constants"]["DcHXM"];
            $certname = $this->globalparameter->parameters["constants"]["CertifHXM"];
            break;
        default: // default is "havex2"
            $upn = str_ireplace("havex2", "havex", $upn); // to adjust the DC for O365
            $DC = $this->globalparameter->parameters["constants"]["DcHXA"];
            $certname = $this->globalparameter->parameters["constants"]["CertifHXA"];
    }
    ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7); // enable debug
    // process-global TLS settings (no connection handle)
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTDIR, $certpath);
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $certpath.'\\'.$certname);
    $s = "ldaps://".$DC;
    $ds = ldap_connect($s, 636);
    if ($ds) {
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
        error_reporting(0);
        ldap_start_tls($ds); // StartTLS request on a connection that is already ldaps://
        $r = ldap_bind($ds, $upn, $password);
        ...
        ...
        ldap_unbind($ds);
    }
Example log after restarting Apache – OK:
ldap_connect_to_host: TCP DCM1.HAVEXMOBILITY2.CZ:636
ldap_new_socket: 1660
ldap_prepare_socket: 1660
ldap_connect_to_host: Trying 192.168.30.250:636
ldap_pvt_connect: fd: 1660 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 1, err: 0, subject: /DC=cz/DC=havexmobility2/CN=havexmobility2-DCM1-CA, issuer: /DC=cz/DC=havexmobility2/CN=havexmobility2-DCM1-CA
TLS certificate verification: depth: 0, err: 0, subject: /CN=DCM1.havexmobility2.cz, issuer: /DC=cz/DC=havexmobility2/CN=havexmobility2-DCM1-CA
TLS trace: SSL_connect:SSLv3/TLS read server certificate
TLS trace: SSL_connect:SSLv3/TLS read server key exchange
TLS trace: SSL_connect:SSLv3/TLS read server certificate request
TLS trace: SSL_connect:SSLv3/TLS read server done
Example for the same domain with "unable to get local issuer certificate":
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 0, err: 20, subject: /CN=DCM1.havexmobility2.cz, issuer: /DC=cz/DC=havexmobility2/CN=havexmobility2-DCM1-CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate).
ldap_err2string
Is it possible to force a reset somewhere before ldap_connect?
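One way to avoid the shared process-wide TLS context, as an added example that is not the poster's code: attach the CA file to each connection handle instead of calling ldap_set_option(NULL, ...), and demand chain verification so a wrong CA fails the bind instead of being silently accepted. The domain table, the host names other than the one visible in the log, the file names and the path join are assumptions; it assumes PHP 7.1 or later built against OpenLDAP, where LDAP_OPT_X_TLS_* options can be set on a connection resource.

```php
<?php
// Added example, not the original post's code. Hosts/paths below are constructed
// placeholders except DCM1.HAVEXMOBILITY2.CZ, which appears in the poster's log.
// Assumes PHP >= 7.1 on OpenLDAP (per-connection TLS options).

// Constructed lookup table: one DC and one CA certificate file per domain.
$domains = [
    'imofa'          => ['dc' => 'dc1.imofa.example',     'ca' => 'ca-imofa.pem'],
    'havexmobility2' => ['dc' => 'DCM1.HAVEXMOBILITY2.CZ', 'ca' => 'ca-hxm.pem'],
    'havex2'         => ['dc' => 'dc1.havex2.example',    'ca' => 'ca-hxa.pem'],
];

function ldaps_bind_for_domain(array $cfg, string $certDir, string $upn, string $password): bool
{
    $caFile = $certDir . DIRECTORY_SEPARATOR . $cfg['ca'];
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }

    // ldaps:// already negotiates TLS when the socket is opened (lazily, at bind
    // time), so no ldap_start_tls() is needed on this connection.
    $ds = ldap_connect('ldaps://' . $cfg['dc'] . ':636');
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Trust anchor bound to THIS handle, so the second domain's CA does not
    // collide with whatever the global TLS context was first initialised with.
    // DEMAND: an unverifiable chain must abort the handshake, never be ignored.
    if (!ldap_set_option($ds, LDAP_OPT_X_TLS_CACERTFILE, $caFile)
        || !ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND)) {
        $err = ldap_error($ds);
        ldap_unbind($ds);
        throw new RuntimeException('per-connection TLS options not supported: ' . $err);
    }

    $ok = @ldap_bind($ds, $upn, $password);   // warning suppressed; reason logged below
    if (!$ok) {
        error_log(sprintf('LDAP bind to %s for %s failed: %s', $cfg['dc'], $upn, ldap_error($ds)));
    }
    ldap_unbind($ds);
    return $ok;
}

// Usage: each call carries the CA of the user's own domain.
// $ok = ldaps_bind_for_domain($domains['havexmobility2'], 'C:\\certs', 'user@havexmobility.cz', $pw);
```

If the PHP build predates per-connection options, the fallback is a single bundle file concatenating all three domain CA certificates, set once globally; note that LDAP_OPT_X_TLS_CACERTDIR only finds certificates stored under OpenSSL hashed file names (as produced by c_rehash), not arbitrary file names.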