TLS_REQCERT and PHP with LDAPS


If your self-signed certificate is signed by your own authority, you can check whether the certificate provided is correct by checking the server cert. To do this, add to your ldap.conf the line 'TLS_CACERT /etc/ssl/certs/ca.pem', where ca.pem is the file with the public key of your authority. With 'TLS_REQCERT hard', it will check your connection and refuse to speak if your server certificate is incorrect.

If you have just the certificate, you can MAYBE (I haven't tried) add your public key to TLS_CERT/TLS_CACERT.



Author: John

Just a random person looking for ways to expand my knowledge and passion for technology.

Updated on September 17, 2022

Comments

  • John
    John almost 2 years

    Problem:
    Secure LDAP queries via command-line and PHP to an AD domain controller with a self-signed certificate.

    Background:
    I am working on a project where I need to enable LDAP look-ups from a PHP web application to a MS AD domain controller that is using a self-signed certificate. This self-signed certificate is also using a domain name that is not a FQDN - think of something like people.campus as the domain name. The web application would take the user's credentials and pass them on to the AD domain controller to verify whether the credentials are a match or not. This seems simple, but I am having problems trying to get PHP and the self-signed certificate to work.

    Some people have suggested that I change the TLS_REQCERT variable from "request" to "never" within the OpenLDAP configuration. I am concerned that this might have larger implications such as a man-in-the-middle attack and I am not comfortable changing this setting to never. I have also read in some places online that one can take a certificate and place it as a trusted source within the openldap configuration file. I am curious whether that is something that I could do for the situation that I have? Can I, from the command line, obtain the self-signed certificate that the AD domain controller is using, save it to a file, and then have openldap use that file for the trust that it needs so that I do not need to adjust the variable from request to never? I do not have access to the AD domain controller and as a result cannot export the certificate. If there is a way to obtain the certificate from the command line, what commands do I need to use? Is there an alternate method of handling this issue that would be better in the long run? I have some CentOS servers and some Ubuntu servers that I am working with to try and get this going.

    Thanks in advance for your help and ideas.

    • Zoredache
      Zoredache over 13 years
      Use the command openssl s_client -connect dc.IPorFQDN:636 -showcerts from the command line to verify the DC allows connections and retrieve the certificates.
    • John
      John over 13 years
      @Zoredache that command worked. It displayed a lot of stuff on the screen and then just hung. I had to use CTRL-C to exit out of it.
    • Zoredache
      Zoredache over 13 years
      It didn't hang, it left you with a raw open connection to the server: you could send data and get responses. Just like you can use netcat/telnet to debug unencrypted connections, you can use s_client to connect to SSL/TLS services and manually send commands.
    • John
      John over 13 years
      @Zoredache is there a way then that I can extract the certificates to a file with this command so that I can use it with the OpenLDAP configuration to point to this extracted self-signed certificate as a trusted certificate for use with TLS_REQCERT?
    • ravi yarlagadda
      ravi yarlagadda over 13 years
      The -showcerts flag causes the cert to be printed out in PEM format during connection (as part of that wall of text, look for -----BEGIN CERTIFICATE-----); drop that in a .pem file and you should be able to trust it.
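
Putting the answer's ldap.conf advice together with the openssl s_client / -showcerts exchange in the comments, here is an added shell example (not from the original post, OpenLDAP or OpenSSL) that pulls the DC's certificate chain out of s_client output, writes it to a PEM file, checks it, and generates the two ldap.conf lines. The DC name people.campus, port 636 and the path /etc/ssl/certs/ca.pem are placeholders taken from the question; the sample s_client transcript, including its certificate body, is constructed for the offline self-test and is not a real certificate.

```shell
#!/bin/sh
# Added example, not from the original post: pin an AD domain controller's
# self-signed LDAPS certificate for libldap (and so for PHP's ldap extension).
# Placeholders: DC name people.campus, port 636, CA file /etc/ssl/certs/ca.pem.

# Print only the PEM certificate blocks from an `openssl s_client -showcerts`
# transcript read on stdin; everything between the markers is kept verbatim.
extract_pem_chain() {
    awk '/-----BEGIN CERTIFICATE-----/ { keep = 1 }
         keep { print }
         /-----END CERTIFICATE-----/ { keep = 0 }'
}

# Fetch the chain from a live server. Closing stdin with </dev/null is what
# stops s_client "hanging": it otherwise waits for you to type LDAP traffic.
fetch_server_chain() {
    openssl s_client -connect "$1:${2:-636}" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | extract_pem_chain
}

# The two ldap.conf lines: trust exactly this file, and refuse to talk
# if the server's certificate does not verify against it.
ldap_conf_lines() {
    printf 'TLS_CACERT %s\nTLS_REQCERT hard\n' "$1"
}

# Number of certificates in a PEM file; 0 means the extraction found nothing.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Constructed s_client transcript used for the offline self-test. The base64
# body is a placeholder, not a real certificate.
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
depth=0 CN = people.campus
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:CN = people.campus
   i:CN = people.campus
-----BEGIN CERTIFICATE-----
MIIBplaceholderBodyConstructedForTheExampleNotARealCertificate=
-----END CERTIFICATE-----
---
Server certificate
subject=CN = people.campus
issuer=CN = people.campus
---'

# Offline self-test: extract from the constructed transcript and count blocks.
selftest_count() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_TRANSCRIPT" | extract_pem_chain > "$tmp"
    n=$(count_certs "$tmp")
    rm -f "$tmp"
    echo "$n"
}

# With a DC name as argument: pin its certificate for real and check it.
if [ $# -ge 1 ]; then
    ca_file=${CA_FILE:-/etc/ssl/certs/ca.pem}
    fetch_server_chain "$1" "${2:-636}" > "$ca_file"
    [ "$(count_certs "$ca_file")" -ge 1 ] || { echo "no certificate received from $1" >&2; exit 1; }
    # A self-signed certificate verifies against itself; anything else fails here.
    openssl verify -CAfile "$ca_file" "$ca_file"
    # Same check through libldap itself; ldapsearch exits non-zero on a TLS failure.
    LDAPTLS_CACERT=$ca_file LDAPTLS_REQCERT=hard \
        ldapsearch -H "ldaps://$1:${2:-636}" -x -b '' -s base
    echo "append these lines to ldap.conf:"
    ldap_conf_lines "$ca_file"
else
    echo "certificates extracted from sample transcript: $(selftest_count)"
fi
```

Run it with the DC's name as the first argument to fetch and pin the real chain; with no arguments it only runs the offline self-test. Two caveats: once TLS_REQCERT is demand or hard (equivalent on the client side), libldap also checks the server name against the certificate's CN/SAN, so connect with the exact name in the certificate, people.campus here, and make that name resolve; and PHP's ldap extension links the same libldap, so it honours /etc/ldap/ldap.conf (Ubuntu) or /etc/openldap/ldap.conf (CentOS), the LDAPTLS_CACERT and LDAPTLS_REQCERT environment variables, and, from PHP 7.1, ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, ...) set before ldap_connect. Pinning the leaf certificate this way stops working the day the DC renews it, so plan to re-run the extraction.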