@joemiller
Created July 15, 2014 19:08
test php ldap with starttls
<?php
// basic sequence with LDAP is connect, bind, search, interpret search
// result, close connection. This script only exercises the first step plus
// the STARTTLS upgrade, which is where certificate trust problems surface.
echo "<h3>LDAP query test</h3>";
echo "Connecting ...";
// ldap_connect() only validates the host/URI and allocates a handle; the TCP
// connection is opened lazily by the first operation (ldap_start_tls below).
if (! $ds = ldap_connect("<INSERT_LDAPS_SERVER_THAT_SUPPORTS_STARTTLS_HERE>")) {
    echo "Failed to connect to LDAP server\n";
    exit(1);
}
echo "connect result is " . $ds . "\n";
// Level 7 makes libldap print the full request/response trace, including the
// TLS certificate-verification lines, to stderr. Global (NULL handle) option.
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
// Upgrade the plaintext port-389 connection to TLS. Certificate verification
// follows the client ldap.conf (TLS_REQCERT / TLS_CACERTDIR) unless overridden.
if (! ldap_start_tls($ds)) {
    echo "Could not start TLS. " . ldap_errno($ds) . " " . ldap_error($ds) . "\n";
    exit(1);
} else {
    echo "start tls success\n";
}
// Send an explicit unbind instead of relying on the handle being freed at exit.
ldap_unbind($ds);
?>
@joemiller (Author):

With the LDAP_OPT_DEBUG_LEVEL set to 7, you will get a ton of useful output. Here is an example of how this was used to track down the error to an empty /etc/openldap/certs dir:

GOOD:

$ php ~joe/ldaps-test.php

<h3>LDAP query test</h3>Connecting ...connect result is Resource id #4
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.ucdavis.edu:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 128.120.32.63:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x7fcc9c38f5f0 msgid 1
wait4msg ld 0x7fcc9c38f5f0 msgid 1 (infinite timeout)
wait4msg continue ld 0x7fcc9c38f5f0 msgid 1 all 1
** ld 0x7fcc9c38f5f0 Connections:
* host: ldap.ucdavis.edu  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Jul 15 18:54:29 2014


** ld 0x7fcc9c38f5f0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7fcc9c38f5f0 request count 1 (abandoned 0)
** ld 0x7fcc9c38f5f0 Response Queue:
   Empty
  ld 0x7fcc9c38f5f0 response count 0
ldap_chkResponseList ld 0x7fcc9c38f5f0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7fcc9c38f5f0 NULL
ldap_int_select
read1msg: ld 0x7fcc9c38f5f0 msgid 1 all 1
read1msg: ld 0x7fcc9c38f5f0 msgid 1 message type extended-result
read1msg: ld 0x7fcc9c38f5f0 0 new referrals
read1msg:  mark request completed, ld 0x7fcc9c38f5f0 msgid 1
request done: ld 0x7fcc9c38f5f0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate [CN=ldap.ucdavis.edu,OU=IET-DCCS,O="University of California, Davis",STREET=One Shields Ave,L=Davis,ST=CA,postalCode=95616,C=US] is valid
TLS certificate verification: subject: CN=ldap.ucdavis.edu,OU=IET-DCCS,O="University of California, Davis",STREET=One Shields Ave,L=Davis,ST=CA,postalCode=95616,C=US, issuer: CN=InCommon Server CA,OU=InCommon,O=Internet2,C=US, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
start tls success
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed

BAD:

php ~joe/ldaps-test.php
<h3>LDAP query test</h3>Connecting ...connect result is Resource id #4
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.ucdavis.edu:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 128.120.32.63:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x7f1a0efc4be0 msgid 1
wait4msg ld 0x7f1a0efc4be0 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f1a0efc4be0 msgid 1 all 1
** ld 0x7f1a0efc4be0 Connections:
* host: ldap.ucdavis.edu  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Jul 15 19:10:54 2014


** ld 0x7f1a0efc4be0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7f1a0efc4be0 request count 1 (abandoned 0)
** ld 0x7f1a0efc4be0 Response Queue:
   Empty
  ld 0x7f1a0efc4be0 response count 0
ldap_chkResponseList ld 0x7f1a0efc4be0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f1a0efc4be0 NULL
ldap_int_select
read1msg: ld 0x7f1a0efc4be0 msgid 1 all 1
read1msg: ld 0x7f1a0efc4be0 msgid 1 message type extended-result
read1msg: ld 0x7f1a0efc4be0 0 new referrals
read1msg:  mark request completed, ld 0x7f1a0efc4be0 msgid 1
request done: ld 0x7f1a0efc4be0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/certs', error -8018:Unknown PKCS #11 error.
TLS: certificate [CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 0 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
ldap_err2string
PHP Warning:  ldap_start_tls(): Unable to start TLS: Connect error in /data/home/joe/ldaps-test.php on line 18
ldap_err2string
Could not start TLS.-11 Connect error
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
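The BAD trace above shows the failure mode the debug level is good for: libldap could not open the NSS certificate database, so the server's chain could not be validated and STARTTLS was refused. The following is an added example, not part of joemiller's gist, of a STARTTLS check that states its trust configuration explicitly in code rather than inheriting whatever ldap.conf happens to say, and that fails closed (no cleartext bind) if the upgrade does not succeed. It assumes PHP 7.1 or later for the LDAP_OPT_X_TLS_* constants, a libldap linked against OpenSSL (so the CA is a PEM bundle), and the placeholder values LDAP_URI, CA_BUNDLE and BASE_DN, which are assumptions and must be replaced.

```php
<?php
// Added example: explicit-trust STARTTLS probe for a PHP LDAP client.
// Assumptions (replace before use): LDAP_URI, CA_BUNDLE, BASE_DN are placeholders,
// PHP >= 7.1 is required for the LDAP_OPT_X_TLS_* constants.

const LDAP_URI  = 'ldap://<INSERT_LDAP_SERVER_HERE>';    // plain 389, upgraded with STARTTLS
const CA_BUNDLE = '/etc/ssl/certs/ca-certificates.crt';  // PEM bundle (OpenSSL-linked libldap)
const BASE_DN   = 'dc=example,dc=com';                   // placeholder search base

/** Print the libldap error for a handle and exit non-zero. */
function fail(string $msg, $ds = null): void
{
    if (is_resource($ds) || $ds instanceof \LDAP\Connection) {
        $msg .= sprintf(' (errno %d: %s)', ldap_errno($ds), ldap_error($ds));
    }
    fwrite(STDERR, $msg . "\n");
    exit(1);
}

// TLS options are global and must be set before ldap_connect() so the new
// handle inherits them. DEMAND: any verification failure aborts the handshake.
if (!ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND)) {
    fail('cannot set LDAP_OPT_X_TLS_REQUIRE_CERT (PHP >= 7.1 required)');
}
if (!ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, CA_BUNDLE)) {
    fail('cannot set LDAP_OPT_X_TLS_CACERTFILE');
}
// LDAP_DEBUG=7 in the environment reproduces the trace shown in the gist.
ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, (int) (getenv('LDAP_DEBUG') ?: 0));

$ds = ldap_connect(LDAP_URI);
if ($ds === false) {
    fail('ldap_connect rejected URI ' . LDAP_URI);
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 10);   // do not hang on a filtered port

// Fail closed: if the upgrade does not succeed, nothing else is sent on this socket.
if (!ldap_start_tls($ds)) {
    fail('STARTTLS failed; refusing to continue over cleartext', $ds);
}
echo "STARTTLS ok, certificate chain verified against " . CA_BUNDLE . "\n";

// Anonymous bind only to prove the encrypted session works end to end;
// a real client would bind with its service credentials here, after TLS.
if (!ldap_bind($ds)) {
    fail('bind over TLS failed', $ds);
}

// Read the root DSE: cheap, allowed anonymously on most servers, and confirms
// that the server actually speaks LDAPv3 on the upgraded connection.
$res = ldap_read($ds, '', '(objectClass=*)', ['namingContexts', 'supportedLDAPVersion']);
if ($res === false) {
    fail('root DSE read failed', $ds);
}
$entries = ldap_get_entries($ds, $res);
if ($entries['count'] > 0 && isset($entries[0]['namingcontexts'])) {
    $nc = $entries[0]['namingcontexts'];
    for ($i = 0; $i < $nc['count']; $i++) {
        echo "namingContext: " . $nc[$i] . "\n";
    }
}

ldap_unbind($ds);
```

Two points worth keeping in mind when adapting this. First, the gist's trace comes from a libldap built against Mozilla NSS (the "moznss" lines), where the trust store is the NSS certificate database directory, /etc/openldap/certs in the trace, not a PEM file; on such builds point LDAP_OPT_X_TLS_CACERTDIR at that directory and make sure it actually contains the CA (the BAD run failed precisely because it was empty). Second, LDAP_OPT_X_TLS_DEMAND is the setting to verify in any client that authenticates users, because with TLS_REQCERT set to never or allow in ldap.conf the handshake succeeds against any certificate and the bind password travels to whoever answers on port 389.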