I'm trying to use PHP to edit users in Active Directory via LDAP. My test machine is running a simple WAMP setup and is NOT joined to the Windows domain. This machine can connect to LDAP on the domain controller just fine without encryption. I could not get it to connect via SSL after repeated attempts, but I was able to use TLS (ldap_start_tls), which lets me change the user's password, which is the end goal. No problems there on the test box.
The real web server is a domain member and refuses to work. The connection fails with TLS, and the Domain Controller reports a fatal schannel alert 48, which means there is an untrusted root CA in the certificate chain. I installed the certificate on the web server and installed the root CA certificate on both the web server and the DC, with no success. I'm not sure where to go from here.
What am I doing wrong? Why would LDAP over TLS work fine on a computer outside the domain but not on one that is part of the domain?
Lately I have been comparing the certs and chains on the 3 machines. The only difference I have found is that the chain on both the working (non-domain) web server and the DC is three levels: COMODO -> COMODO RSA Domain Validation Secure Server CA -> my cert. The web server in the domain is the same, except everything is shifted down one level and the top-level certificate says "USER Trust".
Is this difference causing the problem?
Verify command on the original cert file on the non-working web server:
Issuer:
CN=COMODO RSA Domain Validation Secure Server CA
O=COMODO CA Limited
L=Salford
S=Greater Manchester
C=GB
Subject:
CN=cjtrainor.com
OU=COMODO SSL Unified Communications
OU=Domain Control Validated
Cert Serial Number: bd4d0f693ab0104ac9f1b45003d6138d
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 3 Days, 16 Hours, 4 Minutes, 14 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 3 Days, 16 Hours, 4 Minutes, 14 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited,
L=Salford, S=Greater Manchester, C=GB
NotBefore: 6/8/2015 8:00 PM
NotAfter: 11/1/2015 7:59 PM
Subject: CN=cjtrainor.com, OU=COMODO SSL Unified Communications, OU=Domain Con
trol Validated
Serial: bd4d0f693ab0104ac9f1b45003d6138d
SubjectAltName: DNS Name=cjtrainor.com, DNS Name=NewServer.cjtrainor.local, DN
S Name=cjtrainor.local
41 fb 61 2e db f5 76 49 05 1e a9 73 66 cc 10 4a 71 6c 9a 15
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CRL (null):
Issuer: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limite
d, L=Salford, S=Greater Manchester, C=GB
61 3b b6 5c 6f df 50 e7 9f 64 21 09 ab 11 8a f5 bc 11 5f 6c
Issuance[0] = 1.3.6.1.4.1.6449.1.2.2.7
Issuance[1] = 2.23.140.1.2.1
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford,
S=Greater Manchester, C=GB
NotBefore: 2/11/2014 8:00 PM
NotAfter: 2/11/2029 7:59 PM
Subject: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited
, L=Salford, S=Greater Manchester, C=GB
Serial: 2b2e6eead975366c148a6edba37c8c07
33 9c dd 57 cf d5 b1 41 16 9b 61 5f f3 14 28 78 2d 1d a6 39
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CRL (null):
Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salfor
d, S=Greater Manchester, C=GB
ca e2 4c d2 71 15 63 f3 a9 0f 6a fb 8c 60 7f 73 6b b9 b6 79
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford,
S=Greater Manchester, C=GB
NotBefore: 1/18/2010 8:00 PM
NotAfter: 1/18/2038 7:59 PM
Subject: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford
, S=Greater Manchester, C=GB
Serial: 4caaf9cadb636fe01ff74ed85b03869d
af e5 d2 44 a8 d1 19 42 30 ff 47 9f e2 f8 97 bb cd 7a 8c b4
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
Application[4] = 1.3.6.1.5.5.7.3.8 Time Stamping
Application[5] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System
Application[6] = 1.3.6.1.5.5.7.3.6 IP security tunnel termination
Application[7] = 1.3.6.1.5.5.7.3.7 IP security user
Exclude leaf cert:
80 98 de 5e 8f 00 8a b8 19 21 23 cd 96 bd f4 ae a8 5c 9e cc
Full chain:
9c 7b 73 21 92 d4 b7 70 36 52 f5 e8 9f cb 16 25 a6 6a b9 77
------------------------------------
Verified Issuance Policies:
1.3.6.1.4.1.6449.1.2.2.7
2.23.140.1.2.1
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
1.3.6.1.5.5.7.3.2 Client Authentication
Cert is an End Entity certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
Verify command on the working web server:
Issuer:
CN=COMODO RSA Domain Validation Secure Server
O=COMODO CA Limited
L=Salford
S=Greater Manchester
C=GB
Name Hash(sha1): 7ae13ee8a0c42a2cb428cbe7a605461
Name Hash(md5): 737301010f9ec759d54329bbb1553aa2
Subject:
CN=cjtrainor.com
OU=COMODO SSL Unified Communications
OU=Domain Control Validated
Name Hash(sha1): d75889ccf0886cb2b6873fedbdcf079
Name Hash(md5): a584a7d4ec9fb308a698d4921379f5bd
Cert Serial Number: bd4d0f693ab0104ac9f1b45003d613
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x2000000
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXC
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERR
ChainContext.dwRevocationFreshnessTime: 19 Hours,
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRE
SimpleChain.dwRevocationFreshnessTime: 19 Hours, 1
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=
Issuer: CN=COMODO RSA Domain Validation Secure S
L=Salford, S=Greater Manchester, C=GB
NotBefore: 6/8/2015 8:00 PM
NotAfter: 11/1/2015 7:59 PM
Subject: CN=cjtrainor.com, OU=COMODO SSL Unified
trol Validated
Serial: bd4d0f693ab0104ac9f1b45003d6138d
SubjectAltName: DNS Name=cjtrainor.com, DNS Name
S Name=cjtrainor.local
159a6c714a10cc6673a91e054976f5db2e61fb41
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_
CRL (null):
Issuer: CN=COMODO RSA Domain Validation Secure
d, L=Salford, S=Greater Manchester, C=GB
ThisUpdate: 7/8/2015 8:26 PM
NextUpdate: 7/12/2015 8:26 PM
bf512c78f12e36d6fd4b8d7430d38b516c49368c
Issuance[0] = 1.3.6.1.4.1.6449.1.2.2.7
Issuance[1] = 2.23.140.1.2.1
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authen
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authen
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=
Issuer: CN=COMODO RSA Certification Authority, O
S=Greater Manchester, C=GB
NotBefore: 2/11/2014 8:00 PM
NotAfter: 2/11/2029 7:59 PM
Subject: CN=COMODO RSA Domain Validation Secure
, L=Salford, S=Greater Manchester, C=GB
Serial: 2b2e6eead975366c148a6edba37c8c07
39a61d2d782814f35f619b1641b1d5cf57dd9c33
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_
CRL (null):
Issuer: CN=COMODO RSA Certification Authority,
d, S=Greater Manchester, C=GB
ThisUpdate: 7/8/2015 10:49 PM
NextUpdate: 7/12/2015 10:49 PM
291aa1576538dd0005d5daf2bfc9c9695ad3d668
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authen
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authen
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=
Issuer: CN=COMODO RSA Certification Authority, O
S=Greater Manchester, C=GB
NotBefore: 1/18/2010 8:00 PM
NotAfter: 1/18/2038 7:59 PM
Subject: CN=COMODO RSA Certification Authority,
, S=Greater Manchester, C=GB
Serial: 4caaf9cadb636fe01ff74ed85b03869d
b48c7acdbb97f8e29f47ff304219d1a844d2e5af
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authen
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authen
Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
Application[4] = 1.3.6.1.5.5.7.3.8 Time Stamping
Application[5] = 1.3.6.1.4.1.311.10.3.4 Encrypti
Application[6] = 1.3.6.1.5.5.7.3.6 IP security t
Application[7] = 1.3.6.1.5.5.7.3.7 IP security u
Exclude leaf cert:
184db2fbca0995333804bb28f9d0cb6026978692
Full chain:
7dd2a6cd15b069fb11faca26f40bf48b2d7197a4
------------------------------------
Verified Issuance Policies:
1.3.6.1.4.1.6449.1.2.2.7
2.23.140.1.2.1
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
1.3.6.1.5.5.7.3.2 Client Authentication
Cert is an End Entity certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
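As an added example (not code from the question), here is how I would wire the PHP side so that the certificate trust is explicit rather than inherited from whatever trust anchors the LDAP client happens to find. PHP's ldap extension is built on the OpenLDAP client library with OpenSSL (that is what the Windows PHP builds ship), and that library validates the DC's certificate against the PEM bundle it is told about, not the Windows certificate store, so the chain the web server trusts is exactly the file you point it at. Everything named below is an assumption: the DC host name, the bundle path, the bind account and the target DN; it also assumes PHP 7.1 or later with the ldap and mbstring extensions loaded.

```php
<?php
// Added example, not the question's own code. Placeholders (assumptions):
// the DC hostname, the PEM bundle path, the bind account and the target DN.
declare(strict_types=1);

const DC_HOST   = 'NewServer.cjtrainor.local';                  // assumption: a name listed in the DC cert's SAN
const CA_BUNDLE = 'C:\\php\\extras\\ssl\\ad-ldap-ca-chain.pem'; // assumption: PEM file with intermediate + root

// Active Directory accepts a password write only on an encrypted connection and
// only as the unicodePwd attribute: the new password wrapped in double quotes
// and encoded as UTF-16LE.
function adPasswordValue(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

// Open ldap://host, make the OpenLDAP client verify the DC certificate against
// our own PEM bundle, then upgrade the socket with StartTLS. Throws on any
// failure instead of silently continuing in cleartext.
function connectWithStartTls(string $host, string $caBundle)
{
    // Global (null handle) TLS options are read when the TLS context is
    // created, so they must be set before ldap_start_tls() runs.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caBundle);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ds = ldap_connect("ldap://{$host}:389");
    if ($ds === false) {
        throw new RuntimeException("ldap_connect() rejected the URI for {$host}");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); // AD returns referrals that would otherwise be chased off-box

    if (!@ldap_start_tls($ds)) {
        // Chain and hostname failures surface here, before any credentials are sent.
        throw new RuntimeException('StartTLS failed: ' . ldap_error($ds));
    }
    return $ds;
}

// Administrative reset: replace unicodePwd outright (needs "Reset password" rights on the target).
function resetUserPassword($ds, string $userDn, string $newPassword): bool
{
    return ldap_mod_replace($ds, $userDn, ['unicodePwd' => adPasswordValue($newPassword)]);
}

// Self-service change: delete the old value and add the new one in a single
// modify operation; AD verifies the old password and applies the password policy.
function changeOwnPassword($ds, string $userDn, string $old, string $new): bool
{
    return ldap_modify_batch($ds, $userDn, [
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE, 'values' => [adPasswordValue($old)]],
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,    'values' => [adPasswordValue($new)]],
    ]);
}

if (PHP_SAPI === 'cli' && $argc === 5) {
    // usage: php ad-pw.php <bindDn> <bindPassword> <targetUserDn> <newPassword>
    [, $bindDn, $bindPw, $targetDn, $newPw] = $argv;
    $ds = connectWithStartTls(DC_HOST, CA_BUNDLE);
    if (!ldap_bind($ds, $bindDn, $bindPw)) {
        fwrite(STDERR, 'bind failed: ' . ldap_error($ds) . PHP_EOL);
        exit(1);
    }
    $ok = resetUserPassword($ds, $targetDn, $newPw);
    echo $ok ? "password reset ok\n" : 'reset failed: ' . ldap_error($ds) . "\n";
    ldap_unbind($ds);
}
```

The bundle is just the intermediate and root certificates concatenated in PEM (Base64) form; `certutil -encode` will convert a DER export from the Windows store. Before touching PHP, confirm the same bundle satisfies OpenSSL against the DC with `openssl s_client -connect NewServer.cjtrainor.local:389 -starttls ldap -CAfile ad-ldap-ca-chain.pem` (the `-starttls ldap` option needs OpenSSL 1.1.0 or later): if that prints `Verify return code: 0 (ok)`, the PHP side will verify too, and if it does not, the output names exactly which link in the chain the client could not build, which is a far more useful error than a bare schannel alert.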