Category Archives: php

Connect to OpenLDAP server with PHP5 (CentOS 7)

Here is a short PHP sample script of how to connect to an OpenLDAP server using the secure LDAPS protocol (port 636).

PHP uses the LDAP settings from the LDAP base packages. in the case of CentOS 7 they are configured in /etc/openldap/ldap.conf . Following two entries are the only ones that are important:

TLS_CACERTDIR   /etc/openldap/certs
TLS_REQCERT     demand

The first line gives the location of the public CA certificate that was used to sign the LDAP server certificate. The second line rejects all invalid certificates. To make the first line work, we need to import the public CA certificate into the local NSS database. For that we use the certutil command line utility (root privileges required):

certutil -A -n ldap -t "C,," -d dbm:/etc/openldap/certs -i /etc/ssl/certs/ldap-ca.pem
certutil -L -d dbm:/etc/openldap/certs

The first line imports an existing CA certificate into the database (with the nickname "ldap" which should be unique). The certificate database uses the old Berkeley DB format, so we need to prefix the location with "dbm:". There are 2 files that make up the certificate database:

  • cert8.db
  • key3.db

The second line of the code example merely lists all existing database entries. It should now include our new CA certificate for LDAP connections:

[root@centos7]# certutil -L -d dbm:/etc/openldap/certs 
Certificate Nickname                                         Trust Attributes 
                                                             SSL,S/MIME,JAR/XPI 
 
ldap                                                         C,,

Notice the 3 trust attributes for our new CA certificate. In our case the first field needs to include the trust "C". For a description of all possible values, see "man certutil".

Now that we installed the CA certificate for LDAPS connections, we can actually try to make a connection to the LDAP server with PHP5.

<?php 
$server = "ldaps://ldap.example.org"; 
 
echo "Connecting to $server ...\n"; 

#ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7); 
 
$ldapconn = ldap_connect($server, 636) 
        or die("ERROR: Unable to connect to $server\n"); 
 
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3); 
 
$ldapbind = ldap_bind($ldapconn) 
        or die("ERROR: Unable to bind to $server\n"); 
 
echo "Ok, now connected to $server\n"; 
 
ldap_unbind($ldapconn); 
?>

Here we make an anonymous connection to the LDAP server. You can also provide a username and password for the ldap_bind() function call. Now call this script from the command line (needs yum package "php-cli"):

$ php php-test.php
Connecting to ldaps://ldap.example.org ... 
Ok, now connected to ldaps://ldap.example.org

Important things to note:

  • Call ldap_set_option() to activate debug output.
  • ldap_connect() does not actually connect to the LDAP server. It only initializes internal data structures and variables. The network connection to port 636 will be made by ldap_bind().
  • You need to explicitly set the LDAP protocol version to 3. Otherwise version 2 will be used, which will not work with contemporary OpenLDAP servers.
Share

.htaccess: php_flag not allowed here

Many websites suggest that you add "AllowOverride All" to your apache configuration to allow the use of php_flag in .htaccess files. But in fact you only have to add "Options", like this:

Directory "/var/www/example"
<Directory "/var/www/example">
AllowOverride  FileInfo Limit Options
...
</Directory>

Check this link to see if a specific php value can be set in an .htaccess file:
http://php.net/manual/de/ini.list.php

Share

Browser blank page / white page with php script (WordPress, etc.)

I recently had a completely white / blank browser page when I tried to reset my WordPress password. It was from a local WordPress installation on my Debian 8 Jessie server. I was resetting my password for the admin login. It turned out that there was a problem with my php.ini settings. I had to add the following paths to the open_basedir variable:

open_basedir = /usr/share/php:/usr/share/php5

When resetting the WordPress password, WordPress includes some php files to send a reset email in wp-includes/pluggable.php:

require_once ABSPATH . WPINC . '/class-phpmailer.php';
require_once ABSPATH . WPINC . '/class-smtp.php';

The problem is that with the standard wordpress package on Debian 8 Jessie, class-phpmailer.php and class-smtp.php are symbolic links to /usr/share/php/... . If this path is not included in open_basedir, the php script just terminates without sending any error messages. I couldn't find anything in the apache logs either. The browser showed a blank page.

This might also be a problem with other php web applications. So if you experience a similar situation (no output of php script, blank page) you might want to check the open_basedir variable in you php.ini and make sure that all required / included php files and symbolic links are part of it.

If you have any ideas how to find out if a php script is trying to include a file outside of open_basedir, please leave a comment.

Share