
I'm using PHP 7 to connect to Active Directory using LDAP. I need to manually create a file under C:\openLDAP\sysconf\ldap.conf and set TLS_REQCERT never. If I don't create this file, LDAP fails to connect.

How can I deploy this to, for example, an Azure machine that does not include a C: disk?

Do you know a better approach to solve this error?

I tried this: Need help ignoring server certificate while binding to LDAP server using PHP

   putenv('LDAPTLS_REQCERT=never');

But it doesn't work.

– Docu
  • PHP 7.1 has options for this you can set without the config file, but I'm guessing you're stuck on PHP 7.0? You could connect to a console session of your web app via the portal, figure out what your user's home directory is, and place a `.ldaprc` file in that location with the options you need. Or run a PHP file over the console with your LDAP_OPT_DIAGNOSTIC turned to 7 and see where it's looking for the config files. – ChadSikorra Mar 14 '17 at 13:42
  • Thank you very much for your answer, but one question: do you know how I can deploy OpenLDAP on an Azure Windows server automatically, without an executable? – Docu Mar 16 '17 at 12:40

1 Answer


I know it's been years, but I had the same issue and this is what I did, which is what @ChadSikorra said.

  1. Place a .php script in the site root (I did test/ldap.php) that has your connections to LDAP; add the code below before the PHP ldap_connect().

    ini_set('display_errors', 1);
    error_reporting(E_ALL);
    ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);

  2. Using Kudu CMD from the site root: cd test, then php ldap.php.

This was the result:

(screenshot: ldap.php logs)

  1. Notice the 5th red line. Navigate to D:/ and create a .ldaprc file.

  2. Edit the file and paste TLS_REQCERT never, save, and repeat step 2.

  3. If your application is running, go to the application console and restart the server.

Done!

Complete ldap.php file below:

    <?php
    $username = "USERNAME";
    $password = "PASSWORD";
    $adServer = "IP"; //or domain
    $adPort = 389;
    $ldaprdn = "DOMAIN\\$username";

    // Global option (NULL handle): must be set before ldap_connect()
    ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);

    // Disables server certificate verification (see comments below)
    putenv('LDAPTLS_REQCERT=never');

    $ldap = ldap_connect("ldaps://$adServer", $adPort);

    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    $bind = ldap_bind($ldap, $ldaprdn, $password);

    if ($bind) {
        echo "Connection successful";
        @ldap_close($ldap);
    } else {
        echo "Invalid email address / password";
    }
– Benjamin Ini
  • Never, ever use TLS_REQCERT=never unless you know **exactly** what you are doing. You are opening up your connection to MITM attacks. [I blogged](https://andreas.heigl.org/2020/01/31/handle-self-signed-certificates-with-phps-ldap-extension/) about alternative solutions – heiglandreas Jan 06 '21 at 10:55
  • In my case, this was sitting as a service within a closed network. For applications such as web apps, please ignore that line. Thanks @heiglandreas – Benjamin Ini Jan 08 '21 at 17:39
  • So you knew exactly what you were doing ;-) – heiglandreas Jan 09 '21 at 13:55
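The two threads of this discussion (ChadSikorra's remark that PHP 7.1 can set these options without a config file, and heiglandreas's point that TLS_REQCERT never exposes the bind to MITM) can be combined. The script below is an added example, not code from the question or the answer above: it keeps certificate verification on by pointing libldap at the AD CA certificate through `LDAP_OPT_X_TLS_CACERTFILE` (PHP 7.1+) instead of writing ldap.conf or .ldaprc, so there is no C:/D: drive dependency when deploying to Azure. The hostname, bind account, password environment variable and CA file path are placeholders. `LDAP_OPT_X_TLS_NEVER` is the programmatic equivalent of `TLS_REQCERT never`; it is deliberately not used here.

```php
<?php
// Added example (not from the original question or answer): bind to Active
// Directory over LDAPS with certificate verification ENABLED, using the
// PHP 7.1+ TLS options instead of ldap.conf/.ldaprc or TLS_REQCERT never.
// All values below are placeholders/assumptions for illustration.

$adServer = 'dc01.example.internal';            // assumed DC hostname; must match the cert's SAN/CN
$adPort   = 636;                                 // LDAPS
$ldaprdn  = 'EXAMPLE\\svc_app';                  // placeholder bind account
$password = getenv('LDAP_BIND_PASSWORD') ?: '';  // assumed env var; never hard-code the secret
$caFile   = __DIR__ . '/ca/ad-root-ca.pem';      // assumed path: PEM export of the AD CA chain, deployed with the app

if (!is_readable($caFile)) {
    fwrite(STDERR, "CA file not readable: $caFile\n");
    exit(1);
}

// Global options (handle = NULL) must be set BEFORE ldap_connect(). They
// replace the TLS_CACERT / TLS_REQCERT lines one would otherwise put into
// ldap.conf or .ldaprc, so no per-machine config file is needed.
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
// HARD: a valid, trusted server certificate is mandatory; anything else fails the handshake.
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
// Uncomment while troubleshooting to see which config files libldap probes
// and why a TLS handshake is rejected (same trick as in the answer above):
// ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);

$ldap = ldap_connect("ldaps://$adServer:$adPort");
if ($ldap === false) {
    fwrite(STDERR, "Invalid LDAP URI\n");
    exit(1);
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

// The TCP/TLS handshake happens on the first operation, i.e. here; a
// certificate that does not chain to $caFile makes this bind fail.
if (@ldap_bind($ldap, $ldaprdn, $password)) {
    echo "Bind OK with certificate verification enabled\n";
    ldap_unbind($ldap);
    exit(0);
}

// On a verification failure libldap reports "Can't contact LDAP server";
// the diagnostic message carries the underlying TLS reason.
$diag = '';
ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
fwrite(STDERR, 'Bind failed: ' . ldap_error($ldap) . " ($diag)\n");
ldap_unbind($ldap);
exit(1);
```

Run it from the Kudu console exactly like the answer's test script (`php ldap.php`). If the bind fails with a TLS reason, export the domain's issuing CA chain to the PEM file rather than downgrading to `LDAP_OPT_X_TLS_NEVER`: a failing check here is the same check that would stop a forged DC from harvesting the bind credentials.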