ldap_start_tls

(PHP 4 >= 4.2.0, PHP 5, PHP 7)

ldap_start_tlsЗапускает TLS

Описание

bool ldap_start_tls ( resource $link )
Внимание

К настоящему времени эта функция еще не была документирована; для ознакомления доступен только список аргументов.

Коментарии

It should be mentioned, that TLS connections for LDAP *REQUIRE* you to use LDAP Protocol version 3.  By default, PHP uses Protocol 2. 
Therefore, if you do not know this, you may be puzzled as to why you get "TLS not supported" error.

To get around this, just use ldap_set_option to make the LDAP connection use Protocol 3 (if supported).

For example:

$ds = ldap_connect($LDAP_SERVER,$LDAP_PORT);
if ($ds) {
   if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
      fatal_error("Failed to set LDAP Protocol version to 3, TLS not supported.");
    }
    if (!ldap_start_tls($ds)) {
       fatal_error("Ldap_start_tls failed");
    }
    // now we need to bind anonymously to the ldap server
    $bth = ldap_bind($ds);
    //make your query
}
2002-07-22 23:19:34
http://php5.kiev.ua/manual/ru/function.ldap-start-tls.html
Note that (in my very limited experience) you cannot use the ldaps protocol with tls, or ldap_start_tls() will report "ldap_start_tls(): Unable to start TLS: Operations error", and ldap_error() will return error code 1.

I found that I had to call ldap_connect() with ldap:// rather than ldaps:// for ldap_start_tls() to succeed.  Hope this helps someone!
2004-06-28 18:10:43
http://php5.kiev.ua/manual/ru/function.ldap-start-tls.html
Please note there is a difference between ldaps and start-TLS for ldap.  start-TLS uses port 389, while ldaps uses port 636.  ldaps has been deprecated in favour of start-TLS for ldap.  Both encrypted (start-TLS ldap)  and unencrypted ldap (ldap) run on port 389 concurrently.

Errors encountered are generally due to misunderstanding how to implement TLS-encrypted ldap.
2005-04-13 13:42:53
http://php5.kiev.ua/manual/ru/function.ldap-start-tls.html
More on TLS start.

It seems that either you ldap_connect to ldaps://, port 636 or you ldap_tls_start.

In my case, using ldaps on port 636 (to be sure I enforce TLS) the connection will go like:

$LDAP_SERVER="ldaps://ldap.../";
$LDAP_PORT=636;

$ds = ldap_connect($LDAP_SERVER,$LDAP_PORT);
if ($ds) {
   if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
     fatal_error("Failed to set LDAP Protocol version to 3, TLS not supported.");
   }
/*** NO NEED ***
*   if (!ldap_start_tls($ds)) {
*      exit;
*   }
***/
   // now we need to bind anonymously to the ldap server
   $bth = ldap_bind($ds);
   //make your query
2006-08-07 03:00:18
http://php5.kiev.ua/manual/ru/function.ldap-start-tls.html
Автор:
If your version was linked against the OpenLDAP libraries, you may want to look at the ldap.conf file for more information about specifying SSL/TLS behavior. Apparently, the settings in ldap.conf make a different in the way SSL/TLS is handled by PHP.
2007-03-06 14:53:33
http://php5.kiev.ua/manual/ru/function.ldap-start-tls.html
I seemingly take forever to make use of ldap_start_tls work.
Especially lacking in document, I was frustrate and almost gave up until I saw this link in the php forum. 
I thought it is worth for put the link in here.

http://marc.info/?l=php-windows&m=116127873321748&w=2

it is really work, and it saves me.
2007-11-15 16:55:22
http://php5.kiev.ua/manual/ru/function.ldap-start-tls.html
INTEGRATING ACTIVE DIRECTORY WITH PHP-LDAP AND TLS 
==================================================

My configuration:
Apache/2.2.14 (Win32) mod_ssl/2.2.14 OpenSSL/0.9.8k PHP/5.2.11

NOTE 1: At the momment, the versión 5.3.1 fail with tls
NOTE 2: This example works on windows, but in linux is similar

1) Download the Certificate X.509 (PEM format) from a web browser, I used Firefox. I put the name webcert.crt
2) Create the folder c:\openldap\sysconf
3) Copy the file webcert.crt to c:\openldap\sysconf
4) With notepad you must create the file c:\openldap\sysconf\ldap.conf file. The file contents:
TLS_REQCERT never
TLS_CACERT c:\openldap\sysconf\webcert.crt
5) The code:

<?php
   $ldap
="ldap.myDomain.com";
   
$usr="user@myDomain.com";
   
$pwd="mypassword";
   
   
$ds=ldap_connect($ldap); 
   
$ldapbind=false;
   if(
ldap_set_option($dsLDAP_OPT_PROTOCOL_VERSION3))
      if(
ldap_set_option($dsLDAP_OPT_REFERRALS0)) 
         if(
ldap_start_tls($ds)) 
               
$ldapbind = @ldap_bind($ds$usr$pwd);   
   
ldap_close($ds);
   if(!
$ldapbind)
       echo 
"ERROR";
   else
       echo 
"OK";
?>
2009-11-26 05:04:24
http://php5.kiev.ua/manual/ru/function.ldap-start-tls.html
Tested in Linux, ubuntu 9.10, PHP/5.2.10-2 and Apache/2.2.1.2

INTEGRATING ACTIVE DIRECTORY WITH PHP-LDAP AND TLS IN LINUX
=============================================================

I'm not an expert, but it works.

1)I have installed ubuntu 9.10 desktop

2)Packages:
 apt-get install apache2
 apt-get install libapache2-mod-php5
 apt-get install libldap-2.4-2
 apt-get install ldap-utils
 apt-get install libsasl2-modules-ldap
 apt-get install openssl
 apt-get install libsasl2-2
 apt-get install libkrb5-3
 apt-get install php5-ldap
 apt-get install php5-sasl
 apt-get install php5-auth-pam

3)Put the PEM certificate.
 cd /etc/ldap
 mkdir certs
 copy /myhome/mycert.pem /etc/ldap/certs/mycert.pem
 NOTE:webcert.crt rename to mycert.pem. It's the same

4)Edit the file /etc/ldap/ldap.conf and Add:
  TLS_REQCERT never
  TLS_CACERT /etc/ldap/certs/mycert.pem

5)Create file /var/www/ldaptlstest.php:

<?php

   $ldap
="ldap.myDomain.com";
   
$usr="user@myDomain.com";
   
$pwd="mypassword";
   
   
$ds=ldap_connect($ldap); 
   
$ldapbind=false;
   if(
ldap_set_option($dsLDAP_OPT_PROTOCOL_VERSION3))
      if(
ldap_set_option($dsLDAP_OPT_REFERRALS0)) 
         if(
ldap_start_tls($ds)) 
               
$ldapbind = @ldap_bind($ds$usr$pwd);   
   
ldap_close($ds);

   if(!
$ldapbind)
      echo 
"ERROR";
   else
      echo 
"OK";
?>

6)Restart the server: /etc/init.d/apache2 restart

7)Open Firefox and write: http://localhost/ldaptlstest.php
;)
2009-12-01 07:10:54
http://php5.kiev.ua/manual/ru/function.ldap-start-tls.html
Note : if you are using OpenLdap client > v2 and PHP > 4.0.4, you don't have to use that function. You just have to specify it using
<?php 
ldap_connect
("ldaps://yourhostname"636);
?>

If you use both ldaps:// uri and ldap_start_tls function, you'll get a warning saying that a TLS/SSL session is already open.
2010-01-29 09:19:03
http://php5.kiev.ua/manual/ru/function.ldap-start-tls.html
ldaps:// (on port 636) is NOT the same as using STARTTLS on port 389.

The second method upgrades the security of a plain connection to an encrypted channel, which is strongly recommended for plain binding (DN/password).
2010-06-14 15:00:54
http://php5.kiev.ua/manual/ru/function.ldap-start-tls.html
Автор:
Note that, on Windows, due to a bug in the php_ldap extension for php 5.3.2, the location of the ldap.conf may change.

In this case, PHP expects the ldap.conf file to be in the root filesystem where the Webserver Document root is installed (for instance C:\ldap.conf).

This seems to be fixed in PHP 5.3.3RC1

See the following bug reference:
http://bugs.php.net/bug.php?id=48866
2010-10-19 09:11:00
http://php5.kiev.ua/manual/ru/function.ldap-start-tls.html
PHP Warning:  ldap_start_tls(): Unable to start TLS: Operations error in /path/to/script.php

Do not use ldap_start_tls() if you've already connected to the LDAP Server via SSL e.g. "ldaps://hostame".
2011-09-26 06:37:53
http://php5.kiev.ua/manual/ru/function.ldap-start-tls.html
Автор:
In my experience:

1)
PHP / openldap / whatever could NOT read .pem files.
They had to be .pfx or .cer
(I don't even know which one worked. I converted the .pem to both and called it done.)

2)
In /etc/openldap/ldap.conf you must:
Either set TLS_CACERT /etc/openldap/cacerts/YOURCERT.pfx
Or set TLS_CACERTDIR /etc/openldap/cacerts/
The first one constrains you to a specific cert.
The latter tries all of them in the directory.

3)
You have various options for TLS_REQCERT:
allow (use it if you need it)
require (must have a cert)
You'll have to read openldap docs for the rest.
I used allow, and it worked.
ymmv

4)
I did not change anything in the (very long) default /etc/ldap.conf file

5)
I did not change anything in the self-documenting /etc/autofs_ldap_auth.conf
Mainly because I just found it while typing this up, and I have no idea what it does.  Presumably 'autofs' implies you can mount some LDAP server as a mount point or something at boot... Sounds funky to me, but knock yourself out playing with it.

This was all with various versions of PHP ranging from 5.2 to 5.3  No promises about other versions.

6)
ldapsearch -VV says it's 2.3.43
Dunno if that comes with openldap or I downloaded it separately. Long time ago.  Very handy CLI tool for mucking around without PHP in the middle, so you can cross-check that it's PHP or not.
2012-03-02 19:28:43
http://php5.kiev.ua/manual/ru/function.ldap-start-tls.html
When you have this error:
Warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error in /var/www/X.php on line Y

It's probably because of a certificate validity issue. You can check the error by adding debug level:
<?php 
ldap_set_option
(NULLLDAP_OPT_DEBUG_LEVEL7); 
?>
This can be done before the ldap_connect takes place.

To fix the certificate validity issue:
add
TLS_REQCERT never
in file (create it if not exist)
c:\openldap\sysconf\ldap.conf    <= Windows
/etc/ldap.conf     <= linux
A restart of the web server may be required to apply changes
It's probably not the best solution but it works ...

Another thing to be aware of is that it requires version 3 (version 2 is php default):
<?php
$con 
ldap_connect($hostnameSSL);
ldap_set_option($conLDAP_OPT_PROTOCOL_VERSION3);
?>

Another tip : the second parameter of ldap_connect is not used if you use an URL like "ldap://..." (port 389 automatically used) or "ldaps://..."  (port 636 automatically used).
2014-06-04 15:51:10
http://php5.kiev.ua/manual/ru/function.ldap-start-tls.html
For all users,admins how are using or taying to connect to Microsoft Active Directory with PHP openLDAP extension, Apache,OpenSSL and they are getting:
"Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server"
here is the solution as i did:
--------------------------------
upgrade to PHP 5.4.x
creat a directory as: C:\openldap\sysconf\ldap.conf

write into this file (ldap.conf):
TLS_CACERT path\to\your\CA\cert\file.crt

(like d:\monCA_Cert\ca.crt)

restart your apache web server, and refresh your page and tell me (allah yar7am lwalidin)in arabic

for more here's my mail:med.ezzairi@gmail.com
2014-09-12 01:05:53
http://php5.kiev.ua/manual/ru/function.ldap-start-tls.html
Windows only: you must add a ldaprc file in your current directory so ldap can validate the server certificate

something like :

# no verification here
TLS_REQCERT never
2018-01-22 11:30:12
http://php5.kiev.ua/manual/ru/function.ldap-start-tls.html
Security Warning:

To avoid the StripTLS attack vulnerability of StartTLS, code your application to not continue unless the connection is successfully upgraded to TLS.

For StripTLS attack vulnerability anatomy details please conduct a web search for "StripTLS".

There is a good article on Wikipedia titled "Opportunistic TLS".  The "Weaknesses and mitigations" section details the StripTLS attack vulnerability.
2019-10-12 08:34:29
http://php5.kiev.ua/manual/ru/function.ldap-start-tls.html
just moved CA certificate (b64 encoded) from 
/root/cert/ldaps.pem to 
/etc/openldap/certs/ldaps.pem
without permission setting, and it works fine

cp /root/cert/ldaps.pem  /etc/openldap/certs/ldaps.pem 

ls -l  /root/cert/ldaps.cert /etc/openldap/certs/ldaps.pem

-rw-r--r-- 1 root root 3696 Sep  3 16:12 /etc/openldap/certs/ldaps.pem
-rw-r--r-- 1 root root 3696 Sep 14 11:46 /root/cert/ldaps.pem

cat  /etc/openldap/ldap.conf

#TLS_CACERT /root/cert/ldaps.pem
TLS_CACERT /etc/openldap/certs/ldaps.pem
2021-09-14 12:55:20
http://php5.kiev.ua/manual/ru/function.ldap-start-tls.html
For a thorough walk through of how to support TLS with non-official certificates, check https://andreas.heigl.org/2020/01/31/handle-self-signed-certificates-with-phps-ldap-extension/
2024-02-25 19:12:42
http://php5.kiev.ua/manual/ru/function.ldap-start-tls.html

    Поддержать сайт на родительском проекте КГБ