I am trying to create a connection from PHP to an Active Directory server over LDAPS. I am able to make a connection to the server if I just use LDAP to connect, but it isn't a secure connection. When I point PHP to the secure connection, it won't connect. A co-worker has given me his Python code that he is using for the same connection, but I am running into a problem trying to implement it in PHP. Here is my PHP code:

  $connection = ldap_connect($this->ldapserver);
  $adminBind = false;
  // each option must be set successfully before the next one is attempted
  if (ldap_set_option($connection, LDAP_OPT_PROTOCOL_VERSION, 3)) {
    if (ldap_set_option($connection, LDAP_OPT_REFERRALS, 0)) {
      // 0 is the value of LDAP_OPT_X_TLS_NEVER: do not check the server certificate
      if (ldap_set_option($connection, LDAP_OPT_X_TLS_REQUIRE_CERT, 0)) {
        $adminBind = ldap_bind($connection, $this->ldapadmindn, $this->ldapadminpw);
      }
    }
  }
  if (!$adminBind) {
    return false; // server down or admin account unavailable
  }

And here is part of the Python he sent me:

  ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)

The problem comes from the line ldap_set_option($connection, LDAP_OPT_X_TLS_REQUIRE_CERT, 0). I am getting a "Use of undefined constant LDAP_OPT_X_TLS_REQUIRE_CERT" error when I try to run this section. According to the PHP page for ldap_set_option, this is one of the available options. Does anyone know how to get this option to work?

One answer that I have seen is to write "TLS_REQCERT never" in the ldap.conf file. I am hoping for this one connection to ignore the certificate because the web server regularly connects to another active directory and I need that to use the certificate.

Thanks for the help.

dpeekstok

2 Answers


The LDAP_OPT_X_TLS_REQUIRE_CERT constant is available since PHP 7.1. The documentation should probably be corrected to reflect that (my mistake actually, since I submitted the patch to get them added to the docs, hah).

Another option would be to get the needed certificates on the machine you're connecting from instead of ignoring the certificate. There is some good information in this question for getting the certificate:

How to save the LDAP SSL Certificate from OpenSSL

ChadSikorra
  • I have tried to save the certificate to the file that LDAP looks in for certificates, but it doesn't recognize the new certificate. Is there anything specific that I need to do in order for it to find the new certificate? I am using Ubuntu with Apache for the web server. – dpeekstok Oct 18 '16 at 16:45
  • What does your ldap.conf file look like? Do you have `TLS_CACERT` defined? – ChadSikorra Oct 18 '16 at 18:45
  • I do have TLS_CACERT defined and the certificate is in the file. I have tried doing some debugging with `ldapsearch -d5` and it does recognize the cert from the server and matches it with the cert I have installed. However, my PHP program still doesn't think that it is a valid cert. By adding `ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);` before the `ldap_connect` and then looking through the logs, I get this message: `TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure`. Any thoughts? Thanks for your help. – dpeekstok Oct 20 '16 at 14:30
  • @hellstorm42 I recently devised a way to grab the peer certificate chain, which would contain the CA cert you likely need. The CA cert needs to be the cert of the CA that signed your DC's cert. If you use [this answer's function](http://stackoverflow.com/a/40120544/2242593), then save the output from the `peer_certificate_chain` part to a file (for instance save it to `/etc/ldap/certs/adcacert.pem`), then reference that via `TLS_CACERT /etc/ldap/certs/adcacert.pem`. – ChadSikorra Oct 20 '16 at 15:13
  • Just to add to the above: it's probably easiest to save the string of both `peer_certificate` and each of `peer_certificate_chain` to a file called `ca-bundle.crt`, then reference that file in `TLS_CACERT`. It seems that needs a file that contains all certificates in the chain. So if you have an issuing CA cert and a root CA cert, you will need both certificates in that file. Hope that makes sense. – ChadSikorra Oct 20 '16 at 22:02
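The approach the answer and its comments recommend, as an added example (not code from the question or the answer): bind over LDAPS with certificate verification required, pointing the LDAP library at a CA bundle that holds the issuing and root CA certificates of every directory the web server talks to, so no connection has to ignore the certificate. The server URL, bind DN, environment variable, and bundle path are hypothetical; the constants used exist in PHP 7.1 and later.

```php
<?php
// Added example: verified LDAPS bind against a CA bundle, instead of
// LDAP_OPT_X_TLS_NEVER. Server, DN, env var and bundle path are made up.

/**
 * Returns the bound LDAP link, or null with the reason in $error.
 * $caBundle is a PEM file containing every CA cert (issuing + root) for
 * all directories this process connects to; one bundle is used because
 * OpenLDAP builds its default TLS context on the first TLS connection of
 * the process, so the options below must be set before that happens.
 */
function ldaps_bind_verified(string $server, string $bindDn, string $password,
                             string $caBundle, ?string &$error = null)
{
    // The TLS option constants only exist as of PHP 7.1 (see the answer above).
    if (!defined('LDAP_OPT_X_TLS_REQUIRE_CERT') || !defined('LDAP_OPT_X_TLS_CACERTFILE')) {
        $error = 'PHP 7.1 or newer is required for per-process TLS options';
        return null;
    }
    if (!is_readable($caBundle)) {
        $error = "CA bundle not readable: $caBundle";
        return null;
    }
    // Library-wide options (link = null), set BEFORE ldap_connect(): for an
    // ldaps:// URL the TLS handshake happens when the first request (the bind) is sent.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caBundle);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $link = ldap_connect($server);
    if ($link === false) {
        $error = "malformed server URL: $server";
        return null;
    }
    ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($link, LDAP_OPT_REFERRALS, 0); // AD referrals would otherwise stall the bind

    if (!@ldap_bind($link, $bindDn, $password)) {
        // ldap_error() only says "Can't contact LDAP server" for TLS failures;
        // the diagnostic string carries the real cause ("Peer certificate is not trusted").
        ldap_get_option($link, LDAP_OPT_ERROR_STRING, $diag);
        $error = ldap_error($link) . ($diag ? " ($diag)" : '');
        return null;
    }
    return $link;
}

$link = ldaps_bind_verified('ldaps://dc01.example.internal:636',
    'CN=svc-web,OU=Service Accounts,DC=example,DC=internal',
    getenv('LDAP_BIND_PW') ?: '', '/etc/ldap/certs/ca-bundle.crt', $err);
echo $link ? "bound with verified certificate\n" : "bind failed: $err\n";
```

If the bind fails with a trust error, the diagnostic string tells you whether the bundle is missing a link in the chain, which is the symptom discussed in the comments above.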

For CentOS 7, WHM - cPanel, this line solved the issue:

  putenv('LDAPTLS_REQCERT=never');

Put this before the ldap_connect line.

Matej