How to make ldapsearch work on SLES over TLS using a certificate

certificates, ldap, sles, tls

We need to connect our PHP script to LDAP over TLS using a certificate. The LDAP connection works nicely without TLS. More details here: https://stackoverflow.com/questions/15260252/how-to-use-multiple-tls-certificates-for-ldap-from-php-zend

We managed to connect via TLS from Windows using Softerra LDAP Browser. It asked us to install a certificate and whether we trust it.

My end result is to be able to authenticate with LDAP using TLS from PHP. I have been given a certificate of type .cer. It comes from a Windows Exchange machine. From what I can see, SLES supports .pem certificates. So my question is …

Q1: Do I need to convert from .cer to .pem first before I can install the certificate on the client (which is the SLES server)? And finally, Q2: what is the best way to install this certificate on the server so my PHP application can access it and do its job? Note that on the SLES server we need to connect to different LDAP servers.

At present if we run

ldapsearch -H ldaps://localhost:9215 -W

we get

Enter LDAP Password: 
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate)

I found lots of good info here http://www.php.net/manual/de/function.ldap-connect.php#36156 and especially this sentence is important in my eyes: "Once you've gotten the ldapsearch tool working correctly PHP should work also."


  • SUSE Linux Enterprise Server 11 (x86_64)
  • ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.26 (Sep 26 2012 13:14:42) $
    abuild@baur:/usr/src/packages/BUILD/openldap-2.4.26/clients/tools
    (LDAP library: OpenLDAP 20426)

Best Answer

That means the certificate on the server has expired or is invalid.

As for the workaround, use the LDAPTLS_REQCERT variable to ignore the certificate, e.g.:

LDAPTLS_REQCERT=never ldapsearch -D "cn=drupal-test,ou=Services,dc=example,dc=com" -w my_pass -h ldap.example.com -b "ou=People,dc=example,dc=com" -s sub -x -ZZ "(uid=admin)"

Otherwise you can import the certificate and mark it as trusted.

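The following script is an added example and is not part of the question or the answer above. It walks through both halves of the question (Q1: .cer to .pem, Q2: installing the trust anchor so that ldapsearch, and therefore PHP's ldap_* functions via libldap, verify the server) and reproduces the exact "unable to get local issuer certificate" failure from the question when the issuer is missing from the trust store. It assumes openssl(1) is installed; the certificates, the host names ldap1.example.com / ldap2.example.com and the "Example Internal CA" are constructed fixtures, and everything is written under a scratch directory instead of /etc/openldap/ldap.conf (the file libldap reads on SLES), so it runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl(1) is present.
# All paths are under a scratch directory; on SLES the real file is
# /etc/openldap/ldap.conf (libldap also honours LDAPCONF=/path/to/ldap.conf).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# cer_to_pem IN OUT: turn a .cer exported from Windows into PEM. Windows exports
# either "DER encoded binary" or "Base-64 encoded X.509" (which is already PEM),
# so try PEM first and fall back to DER. Exit status 1 if it is neither.
cer_to_pem() {
    if openssl x509 -in "$1" -inform PEM -out "$2" 2>/dev/null; then
        echo "$1: already PEM"
    elif openssl x509 -in "$1" -inform DER -out "$2" 2>/dev/null; then
        echo "$1: converted from DER"
    else
        echo "$1: not an X.509 certificate" >&2
        return 1
    fi
}

# build_bundle BUNDLE PEM...: one file holding the trust anchor of every LDAP
# server this box talks to; OpenLDAP's TLS_CACERT accepts a multi-cert PEM file.
# Prints the number of certificates that ended up in the bundle.
build_bundle() {
    bundle=$1; shift
    cat "$@" > "$bundle"
    grep -c 'BEGIN CERTIFICATE' "$bundle"
}

# write_ldap_conf CONF BUNDLE: libldap (and so ldapsearch and PHP's ldap_*)
# reads this. TLS_REQCERT demand keeps verification on, which is what
# LDAPTLS_REQCERT=never switches off.
write_ldap_conf() {
    cat > "$1" <<EOF
# On SLES put these two lines in /etc/openldap/ldap.conf
TLS_CACERT $2
TLS_REQCERT demand
EOF
}

# verify_against CERT BUNDLE: the same chain check libldap performs during the
# TLS handshake. Exit 0 when CERT chains to something in BUNDLE; otherwise
# print openssl's reason (e.g. "unable to get local issuer certificate") and exit 1.
verify_against() {
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    case $out in
        *": OK"*) return 0 ;;
        *) echo "$out" | sed -n 's/.*lookup:[[:space:]]*//p' | head -n 1; return 1 ;;
    esac
}

# --- constructed fixtures standing in for the certificates handed over by the
# Windows side: server 1 is issued by an internal CA (the CA cert is what gets
# exported, as DER); server 2 is self-signed (exported as Base-64).
mk_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
        -days 1 -subj "/CN=$2" 2>/dev/null
}
mk_leaf() {   # mk_leaf NAME CN CA
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
        -out "$1.pem" -days 1 2>/dev/null
}

demo() (
    cd "$WORK"
    mk_ca   ca    "Example Internal CA"
    mk_leaf ldap1 "ldap1.example.com" ca
    mk_ca   ldap2 "ldap2.example.com"                        # self-signed server
    openssl x509 -in ca.pem    -outform DER -out ca.cer      # DER .cer
    openssl x509 -in ldap2.pem -outform PEM -out ldap2.cer   # Base-64 .cer

    # Q1: convert both to PEM (a no-op for the one that already is PEM)
    cer_to_pem ca.cer    ca-trust.pem
    cer_to_pem ldap2.cer ldap2-trust.pem
    # Q2: one bundle and one ldap.conf covering every server the PHP app uses
    build_bundle ca-bundle.pem ca-trust.pem ldap2-trust.pem
    write_ldap_conf ldap.conf "$WORK/ca-bundle.pem"

    verify_against ldap1.pem ca-bundle.pem   # chains via the internal CA: OK
    verify_against ldap2.pem ca-bundle.pem   # self-signed and itself trusted: OK
    # Bundle without the issuer: the failure shown in the question
    build_bundle half.pem ldap2-trust.pem >/dev/null
    verify_against ldap1.pem half.pem && return 1
    # Live check once the real file is in place:
    #   LDAPCONF=$WORK/ldap.conf ldapsearch -H ldaps://ldap1.example.com:9215 -x -b "" -s base
    return 0
)
```

Two things to keep in mind when applying this to the real servers: the file to trust is the issuer's certificate (or the server certificate itself when it is self-signed), which is what the verification error is complaining about, not the certificate's expiry; and LDAPTLS_REQCERT=never makes the handshake succeed against any server, so a bind password sent that way can be captured by whoever answers on the port, which is why the example sets TLS_REQCERT demand instead. A quick live test before touching PHP is openssl s_client -connect host:9215 -CAfile /path/to/ca-bundle.pem and checking for "Verify return code: 0 (ok)".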