LDAP 可与 PHP CLI 一起使用，但不能通过 apache

问题描述

我正在尝试通过 LDAP 对 Fedora 机器上的 Windows 2008 服务器进行身份验证.

I'm trying to authenticate over LDAP against a Windows 2008 Server from a Fedora box.

以下代码可从命令行运行(打印Success"):

The following code works from the command line (prints "Success"):

if($ldap = ldap_connect('10.0.0.101'))
{
  ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
  $bind = ldap_bind($ldap,'administrator@domain.tld','XXXXXXX');
  print ldap_error($ldap);
}

...通过 Apache/mod_php 提取相同的文件会打印无法联系 LDAP 服务器"

...pulling the same file via Apache/mod_php prints "Can't contact LDAP server"

我已经看到很多关于此类问题的报告，但没有关于如何解决它的有用信息.

I've seen a lot of reports of issues like this, but no useful information on how to resolve it.

推荐答案

我刚刚在centos6上解决了这个确切的问题很长时间.php.ini 的区别似乎是一个检查的好地方，但它并没有给我答案.原来这与 SELinux 有关.

I just fought this exact problem for a long time on centos6. The php.ini difference seem like a good place to check, but it didn't give me the answer. It turns out this was related to SELinux.

$ getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> on
httpd_can_network_memcache --> on
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_run_stickshift --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_verify_dns --> off

您会注意到，在我的例子中，httpd_can_network_connect 被设置为关闭.这是 SELinux 中的布尔值，可以使用以下命令进行调整.

You'll note, that in my case, httpd_can_network_connect was set to off. This is a boolean in SELinux and can be adjusted with the following command.

$ setsebool -P httpd_can_network_connect on

你可以在 http://wiki.centos.org/TipsAndTricks/SelinuxBooleans 阅读更多关于这个的内容，它明确使用以apache和ldap为例.希望对您有所帮助！

You can read more about this at http://wiki.centos.org/TipsAndTricks/SelinuxBooleans which explicitly uses the case of apache and ldap as an example. Hope it helps!

这篇关于LDAP 可与 PHP CLI 一起使用，但不能通过 apache的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持跟版网！