1

We have a PHP application deployed on a RHEL6 machine that relies on some ldap calls to function. In particular, ldap_connect and ldap_bind are used to verify users and also to look up their details.

This mechanism works just fine on our development server, which runs on Ubuntu server. On our production machine, which runs on RHEL6, the process fails. In both cases, we connect to the same LDAP server using the same credentials, so clearly something is wrong on the RHEL6 server. We're using basic LDAP, no SSL stuff.

I can confirm that there is no firewall or network issue on the new server. Pinging to the LDAP server works just fine. Also, a ldap_connect call is succesful as well.

To isolate the issue from our application, I used the below simple PHP test script:

<?php 
// Set the ldap server
$ldapurl = "[snipped]";
$ldapuser = "[snipped]";
$ldappass = "[snipped]";
// Set the debug flag
$debug = true;

// Set debugging
if ($debug) {
  ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
}

// connect to ldap server
echo "Trying to connect<br/>";
echo "1: " . date('l jS \of F Y h:i:s A') . "<br/>";
$ldapconn = ldap_connect($ldapurl) or die ("Couldn't connect"); 
echo "2: " . date('l jS \of F Y h:i:s A') . "<br/>";

// binding to ldap server
echo "Trying to bind with $ldapuser - $ldappass<br/>";
echo "3: " . date('l jS \of F Y h:i:s A') . "<br/>";
$ldapbind = @ldap_bind($ldapconn, $ldapuser, $ldappass);
echo "4: " . date('l jS \of F Y h:i:s A') . "<br/>";

if (!$ldapbind) {
echo "Unable to bind to server $ldapurl\n";
echo "OpenLdap error message: " . ldap_error($ldapconn) . "\n";
exit;
}

// Rest of code goes here

?>

I'm running the above script on both servers. On our development server, all is well. On our RHEL6 server, the connect works, but the bind fails after a delay of over a minute:

OpenLdap error message: Can't contact LDAP server

I'm not a sysadmin at all, therefore most discussions found regarding this error online I do not fully grasp. I am hoping someone here is able to help me with this. Many thanks in advance.

Fer
  • 187
  • 2
  • 7
  • How do you know the connect works? And, perhaps not using the `@` to hide error messages would be better? – user1686 Dec 04 '13 at 16:04
  • @grawity Thanks for thinking along. I know the connect works because it does not throw an error (die). Also, I can ping and telnet. You're right about the "@". I removed it but for now it makes no difference. – Fer Dec 05 '13 at 07:59

2 Answers2

1

Unlike RHEL5, RHEL6 requires ssl certificates (more specifically TLS) to connect to openldap. I went round and round trying to find a workaround and finally settled with the fact that using a ssl certificate was easier and more secure than finding a way not to use it.

This link might help: http://www.linuxquestions.org/questions/linux-enterprise-47/rhel-6-ldap-now-requires-tls-843917/

You can try to force legacy mode, and that may work, but I found that it doesn't completely work and you may see issues later down the road.

authconfig --enableldap --enableldapauth --forcelegacy=yes --ldapserver=myldapserver.com --ldapbasedn="dc=example,dc=com" --update
Jeight
  • 198
  • 1
  • 6
-1

For centos7/RHEL7, change for your values:

authconfig --enableforcelegacy --enableshadow --enablemd5 --enableldap --enableldapauth --disableldaptls --ldapserver=127.0.0.1 --ldapbasedn="dc=**ldap,dc=***.uk" --enablemkhomedir --disablesssd --disablesssdauth  --update
sysadmin1138
  • 133,124
  • 18
  • 176
  • 300
user171095
  • 1