LDAP Troubleshooting

PHP 7.2 now includes openssl directly compiled in.

You may just check that with:

$ /bin/php -r 'phpinfo();' | grep ssl

or if you’re like me using CentOS 7 and php via SCL:

$ /opt/rh/rh-php72/root/bin/php -r 'phpinfo();' | grep ssl

You may then also check if your linux box connects to your ldaps server with:

$ openssl s_client -connect yourldapsserver.domain.local:636

or ldap server using TLS

$ openssl s_client -connect yourldapsserver.domain.loca:389 -tls1_2

If those work, you may use ldapsearch to manually bind to your LDAP server and see what the problem might be. On CentOS, install it via:

$ sudo yum install openldap-clients

Simple LDAP Query

$ ldapseach -h yourldapserver.domain.local -p 389 -b \"dc=domain,dc=local\" -D \"CN=YourBindAccount,DC=domain,DC=local\" -W

Add -Z to the ldapsearch line to switch to TLS.

If you get

ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)
ldap_result: Can't contact LDAP server (-1)

Your certificate might be bad. You can override certificate checking in “/etc/openldap/ldap.conf” by adding line:

TLS_REQCERT     allow

Don’t forget to restart php-fpm (or apache if using mod_php) for those settings to take effect.


Thanks to @deajan for this contribution