From: Florian Racky
Date: Fri Jan 9 11:00:45 2004
Subject: Problems with ldap_start_tls ()

Hi,
I'm trying to get secure authentication with Novell eDirectory running.
PHP Version is 4.3.1 compiled with ldap and openssl.
I copied the Novell root-certificate into the OpenSSL Certificate folder
(/etc/ssl/certs) and made sure that the ssl handshake is fine:
# openssl s_client -CApath /etc/ssl/certs -connect servername:636
returns
Verify return code: 0 (ok)
BTW: The files in /etc/ssl/certs are world readable.
After that I configured the openldap-client (ldap.conf) adding:
TLS_CACERTDIR /etc/ssl/certs
to make sure the ldap client is able to find the trusted certificates
and after that
# ldapsearch -x -H 'ldaps://servername/' -b 'o=baseDN' -D 'cn=myDN' -W
returns some data about me as a directory object :-)
The above steps took me about half a day :-( and I have no idea why this
is not working:
<?php
$ldap = ldap_connect ("ldaps://servername/");
ldap_set_option ($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_start_tls ($ldap);
echo "<br />" . ldap_errno ($ldap) . ": " . ldap_error ($ldap);
$bind = ldap_bind ($ldap, $myDN, $myPwd);
ldap_close ($ldap);
?>
This is the output from the code above:
Warning: ldap_start_tls(): Unable to start TLS: Can't contact LDAP server...
81: Can't contact LDAP server
Any help or ideas about what might be wrong are really appreciated.
Flo
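
Added example, not part of the original post: ldaps:// (implicit TLS, port 636) and ldap_start_tls() (StartTLS on an ldap:// connection, normally port 389) are alternative ways to protect the session, so a client uses one or the other. The hypothetical helper secure_ldap_bind() below picks the mode from the URI scheme and refuses to bind when StartTLS fails; the host, DN and password are placeholders in the style of the post.

```php
<?php
// Added example: hypothetical helper, not from the original post.
// Implicit TLS (ldaps://) and StartTLS (ldap://) are alternatives; StartTLS
// is only sent on a connection that is still plaintext.
function secure_ldap_bind($uri, $dn, $password)
{
    $scheme = strtolower((string) parse_url($uri, PHP_URL_SCHEME));
    if ($scheme !== 'ldap' && $scheme !== 'ldaps') {
        return array(false, "unsupported scheme in $uri");
    }

    $ldap = ldap_connect($uri);
    if (!$ldap) {
        return array(false, "could not parse $uri");
    }
    // StartTLS is an LDAPv3 extended operation, so v3 must be set first.
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);

    if ($scheme === 'ldap') {
        // Upgrade the plaintext connection; if that fails, stop here so the
        // password is never sent unencrypted.
        if (!@ldap_start_tls($ldap)) {
            $err = ldap_errno($ldap) . ': ' . ldap_error($ldap);
            ldap_unbind($ldap);
            return array(false, "StartTLS failed ($err)");
        }
    }
    // For ldaps:// the TLS handshake happens when the first request opens
    // the connection, so there is nothing to upgrade.

    if (!@ldap_bind($ldap, $dn, $password)) {
        $err = ldap_errno($ldap) . ': ' . ldap_error($ldap);
        ldap_unbind($ldap);
        return array(false, "bind failed ($err)");
    }
    ldap_unbind($ldap);
    return array(true, 'bind ok');
}

// Placeholder host, DN and password (constructed values).
list($ok, $msg) = secure_ldap_bind('ldaps://servername/', 'cn=myDN', 'secret');
echo ($ok ? 'OK: ' : 'FAILED: ') . $msg . "\n";
```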