20

I'm trying to bind to an LDAP server using PHP. It's a fairly straightforward process, except that I can't get around a certificate error that I'm getting. My auth credentials are fine, since I can connect to the server with Apache Directory Studio. Is there any way to just automatically accept the server cert? Similar to how you click "Accept this cert.." with Apache directory studio? I know it's not good security, but I just need to make it work at this point and can square away the cert issue later.

Thanks

Jack Slingerland
  • 2,651
  • 5
  • 34
  • 56
  • possible duplicate of [How do I solve ldap\_start\_tls() "Unable to start TLS: Connect error" in PHP?](http://stackoverflow.com/questions/2689629/how-do-i-solve-ldap-start-tls-unable-to-start-tls-connect-error-in-php) – flu Nov 12 '14 at 11:51

2 Answers2

40

You don't specify the environment, so here's the answer (found elsewhere on this site: How do I solve ldap_start_tls() "Unable to start TLS: Connect error" in PHP? ):

Linux: on the client machine (PHP web server) modify the ldap.conf file that the systems is using, in RH/Fedora the file you want is /etc/openldap/ldap.conf (not /etc/ldap.conf, that is for system authentication...) . Add/modify the following line:

TLS_REQCERT never

Windows: Add a system environment variable like the following:

LDAPTLS_REQCERT=never

Or in your PHP code, before the ldap_connect, put the following:

putenv('LDAPTLS_REQCERT=never');

These will insure the client web server PHP instance never checks the FQDN of the server against the CN (common name) of the certificate. Very helpful in cluster environments where a virtual IP and certificate for that is used. But since this also makes it so that the other tools/applications in the entire OS on the web server machine will not check this either, please insure that your environment allows this change (high-security environments might not allow it).

Community
  • 1
  • 1
dbman
  • 416
  • 5
  • 3
  • Thanks! In my case php was installed on MacOS through HomeBrew - so the `ldap.conf` path is `/usr/local/etc/openldap/ldap.conf` (even though the OS openldap config does exists on `/etc/openldap`) – Yaron U. Oct 25 '18 at 08:27
  • I am on a wamp server. I added `putenv('LDAPTLS_REQCERT=never');` to my PHP script but it didn't work for me. I had to create the `C:\OpenLDAP\sysconf\ldap.conf` file and add the `TLS_REQCERT never` to it. [This](https://stackoverflow.com/questions/42782920/deploy-php-with-ldap-conf) helped me know where to put the conf file. – Andrew Jul 07 '21 at 03:22
-5

Use a web browser, point at ldaps://ipaddress/

when the cert pop up box shows up, view the cert, look at the cert chain, find the trusted root (not the specific cert being used, rather the parent who signed it) then export THAT cert. Save in in PEM and B64 format. (Binary and B64 encoded).

Then use that to get it into the PHP keystore format, whichever that is. Java keystores are easy. Not sure what PHP uses.

geoffc
  • 4,030
  • 7
  • 44
  • 51