18

We need to connect our PHP script to LDAP over TLS using a certificate. The LDAP connection works nicely without TLS. More details here: https://stackoverflow.com/questions/15260252/how-to-use-multiple-tls-certificates-for-ldap-from-php-zend

We managed to connect via TLS from Windows using Softerra LDAP Browser. It asked us to install a certificate and whether we trust it.

My end result is to be able to authenticate with LDAP using TLS from PHP. I have been given a certificate of type .cer. It comes from a Windows Exchange machine. From what I can see, SLES supports .pem certificates. So my question is ...

Q1: Do I need to convert from .cer to .pem before I can install the certificate on the client (which is the SLES server)? And finally, Q2: what is the best way to install this certificate on the server so my PHP application can access it and do its job? Note that on the SLES server we need to connect to different LDAP servers.

At present if we run

ldapsearch -H ldaps://localhost:9215 -W

we get

Enter LDAP Password: 
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate)

I found lots of good info here http://www.php.net/manual/de/function.ldap-connect.php#36156 and especially this sentence is important in my eyes: "Once you've gotten the ldapsearch tool working correctly PHP should work also."


  • SUSE Linux Enterprise Server 11 (x86_64)
  • ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.26 (Sep 26 2012 13:14:42) $ abuild@baur:/usr/src/packages/BUILD/openldap-2.4.26/clients/tools (LDAP library: OpenLDAP 20426)
Radek
    An alternate way to debug is to ignore the LDAP part and just look at the SSL: You can run "openssl s_client -connect localhost:9215" to spit out the cert the server uses and the validation results. – Kowh Mar 22 '13 at 02:06
  • OK. I'll pass it on to the developer. I still personally don't understand how I install a certificate and how it's linked to a server when I want to access it. – Radek Mar 22 '13 at 03:29

3 Answers

41

That means the certificate on the server has expired or is invalid.

As for the workaround, use the LDAPTLS_REQCERT variable to ignore the certificate, e.g.:

LDAPTLS_REQCERT=never ldapsearch -D "cn=drupal-test,ou=Services,dc=example,dc=com" -w my_pass -h ldap.example.com -b "ou=People,dc=example,dc=com" -s sub -x -ZZ "(uid=admin)"

Otherwise you can import the certificate and mark it as trusted.

kenorb
  • Works on cygwin too where there was no existing `ldap.conf` file to set the `TLS_REQCERT` parameter. – bvj Feb 10 '19 at 05:22
16

I'm not sure about the conversion from pem to cer, but to make ldapsearch use certs without having an ldap.conf or without the permissions to modify global certs, you should be able to do this:

env LDAPTLS_CACERT=/path/to/cert ldapsearch
tink
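Putting tink's LDAPTLS_CACERT approach together with the .cer-to-.pem conversion asked about in Q1 and the several-servers requirement in Q2, as an added example written for this page (not code posted by any of the participants). It assumes openssl and ldapsearch are installed; the host names, port and bundle path are placeholders.

```shell
#!/bin/sh
# Added example, not code from the question or any answer. Assumes openssl and
# ldapsearch are installed; host names, port and /etc/openldap/ldap-ca.pem are
# placeholders for your own servers and paths.
set -eu

# Q1: a Windows-exported .cer is usually DER (binary) but sometimes already
# base64 PEM. cer_to_pem FILE prints a PEM copy either way and fails otherwise.
cer_to_pem() {
    if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
        openssl x509 -in "$1" -inform PEM
    elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then
        openssl x509 -in "$1" -inform DER
    else
        echo "$1: neither a PEM nor a DER certificate" >&2
        return 1
    fi
}

# Q2, several LDAP servers: LDAPTLS_CACERT names a single file, so put the
# issuer certificate of every server into one bundle. build_bundle OUT CER...
# prints how many certificates the bundle now holds.
build_bundle() {
    out="$1"; shift
    : > "$out"
    for cer in "$@"; do
        cer_to_pem "$cer" >> "$out"
    done
    grep -c 'BEGIN CERTIFICATE' "$out"
}

# Kowh's s_client tip with the bundle as trust store: exits non-zero if the
# chain does not verify, the same failure ldapsearch reported in the question.
check_server() {   # check_server HOST PORT BUNDLE
    openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Same trust store for ldapsearch, with verification left on instead of
# LDAPTLS_REQCERT=never. PHP links the same libldap, so for the web app set
# TLS_CACERT <bundle> in ldap.conf or use LDAP_OPT_X_TLS_CACERTFILE in PHP.
ldap_probe() {     # ldap_probe HOST PORT BUNDLE
    LDAPTLS_CACERT="$3" ldapsearch -H "ldaps://$1:$2" -x -s base -b '' namingContexts
}

# Typical run (needs the network, so not executed here):
#   build_bundle /etc/openldap/ldap-ca.pem exchange.cer other-ldap.cer
#   check_server ldap.example.com 636 /etc/openldap/ldap-ca.pem && \
#   ldap_probe ldap.example.com 636 /etc/openldap/ldap-ca.pem
```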
5

Using

LDAPTLS_REQCERT=never

removes certificate validation of the LDAP server. This voids the security provided by TLS in the first place. Don't do this. You should fix the certificates if there is an issue, and then provide the LDAP client with the certificate authority as described by tink.

  • True that you're bypassing certificate validation, but there's more to TLS than certificate validation. Not least, you still get encryption. – Ben Aveling May 03 '21 at 12:12
  • It is good for testing though, so do not dismiss this one. For example, when accessing balanced servers with a public FQDN but you want to try the connection with each local node; otherwise the client will complain that the CN and address do not match and you won't be able to try. – Daniel Ferradal Oct 12 '22 at 23:33