Re: Communicate from php/apache to openLDAP over LDAPS

2010-06-11 Thread Dieter Kluenter
On Fri, 11 Jun 2010 10:53:59 +0200,
Jérémy ESCOLANO <jeremyescol...@gmail.com> wrote:

> Hi, Thank you for replying,
> 
> I went a bit deeper with my problem, I can now do LDAPS but without
> verifying the certificate,
> here is what I did:
> 
> on the openLDAP server:
> 
> ---slapd.conf
> TLSCertificateFile    ./ssl2/srvLDAP.cer
> TLSCertificateKeyFile ./ssl2/srvLDAP.key
> TLSCACertificateFile  ./ssl2/cacert.cer
> TLSVerifyClient never
> 
> ---ldap.conf
> TLS_CACERT  ./ssl2/cacert.cer
> TLS_REQCERT never
> 
> Then ran my service using: slapd -h "ldap:/// ldaps:///" -d 1
> 
> That's all for the openLDAP server, but not enough with apache.
> 
> On the apache server I created a folder C:\openldap\sysconf
> in this directory I created openldap.conf and this contains:
> 
> TLS_CACERT ./ssl/cacert.cer
> TLS_REQCERT never
> 
> (with cacert.cer in c:\openldap\sysconf\ssl)
> 
> It works from now BUT does NOT verify the certificate.
[...]
> TLS: can't accept.
> TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2471
> connection_read(1176): TLS accept error error=-1 id=0, closing
> connection_closing: readying conn=0 sd=1176 for close
> connection_close: conn=0 sd=1176
> 
> The question is now: How can I configure my certificate on the apache
> SERVER so that I will be able to do LDAPS with PHP and certificates
> will be verified. (I know I should ask it on the Apache list too)

Bear in mind that Apache is an LDAP client operation, thus configure
LDAP clients to verify the server certificate and not the server to
verify a client certificate.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6



Re: Communicate from php/apache to openLDAP over LDAPS

2010-06-11 Thread Jérémy ESCOLANO
According to what you are saying,
Apache has to verify which certificate? The CA certificate, the Apache
server certificate or the LDAP certificate?
Thank you for your information; it helps me to understand better.



2010/6/11 Dieter Kluenter <die...@dkluenter.de>

> On Fri, 11 Jun 2010 10:53:59 +0200,
> Jérémy ESCOLANO <jeremyescol...@gmail.com> wrote:
>
> > Hi, Thank you for replying,
> >
> > I went a bit deeper with my problem, I can now do LDAPS but without
> > verifying the certificate,
> > here is what I did:
> >
> > on the openLDAP server:
> >
> > ---slapd.conf
> > TLSCertificateFile    ./ssl2/srvLDAP.cer
> > TLSCertificateKeyFile ./ssl2/srvLDAP.key
> > TLSCACertificateFile  ./ssl2/cacert.cer
> > TLSVerifyClient never
> >
> > ---ldap.conf
> > TLS_CACERT  ./ssl2/cacert.cer
> > TLS_REQCERT never
> >
> > Then ran my service using: slapd -h "ldap:/// ldaps:///" -d 1
> >
> > That's all for the openLDAP server, but not enough with apache.
> >
> > On the apache server I created a folder C:\openldap\sysconf
> > in this directory I created openldap.conf and this contains:
> >
> > TLS_CACERT ./ssl/cacert.cer
> > TLS_REQCERT never
> >
> > (with cacert.cer in c:\openldap\sysconf\ssl)
> >
> > It works from now BUT does NOT verify the certificate.
> [...]
> > TLS: can't accept.
> > TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2471
> > connection_read(1176): TLS accept error error=-1 id=0, closing
> > connection_closing: readying conn=0 sd=1176 for close
> > connection_close: conn=0 sd=1176
> >
> > The question is now: How can I configure my certificate on the apache
> > SERVER so that I will be able to do LDAPS with PHP and certificates
> > will be verified. (I know I should ask it on the Apache list too)
>
> Bear in mind that Apache is an LDAP client operation, thus configure
> LDAP clients to verify the server certificate and not the server to
> verify a client certificate.
>
> -Dieter
>
> --
> Dieter Klünter | Systemberatung
> sip: +49.40.20932173
> http://www.dpunkt.de/buecher/2104.html
> GPG Key ID:8EF7B6C6




Re: Communicate from php/apache to openLDAP over LDAPS

2010-06-11 Thread Howard Chu

Dieter Kluenter wrote:

> Jérémy ESCOLANO <jeremyescol...@gmail.com> writes:
>
> > I see, so I need to configure the Apache server to make it able to verify
> > the ldap server certificate by using the certificate authority. That
> > is what I don't know how to do. If it can help, here is the error
> > I get:
> >
> > SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> > s3_srvr:2471
>
> You have configured slapd to request a client certificate which the
> client does not provide, just set TLSVerifyClient never in slapd.conf
> and TLS_REQCERT try (or demand) in ldap.conf or any other client
> configuration file.

Just don't specify TLS_REQCERT at all in ldap.conf. The default is demand and
should not be changed.

In all of this thread no one has asked or stated what version of OpenLDAP is
being used...


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
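
The client-side configuration the replies above describe (Dieter: Apache is the LDAP client, so it is the client that verifies the server certificate; Howard: leave TLS_REQCERT at its default of demand), as an added PHP example that is not code from the thread. It assumes PHP 7.1 or later with ext/ldap built on the OpenLDAP client library, which provides the LDAP_OPT_X_TLS_* options; the URI, CA file path, bind DN, password and the function name ldaps_bind_verified are placeholders chosen for the example. Swapping LDAP_OPT_X_TLS_DEMAND for LDAP_OPT_X_TLS_NEVER reproduces the "works but does NOT verify the certificate" state from the thread.

```php
<?php
// Added example, not code from the thread: a PHP LDAP client that verifies
// the slapd server certificate against the CA that issued it.
// Assumptions: PHP >= 7.1 with ext/ldap built on the OpenLDAP client library;
// the four values below are placeholders, not values from the thread's setup.

const LDAP_URI = 'ldaps://srvldap:636';                  // host must match the name in the server certificate
const CA_FILE  = 'C:\openldap\sysconf\ssl\cacert.cer';    // CA that signed srvLDAP's certificate (path assumed)
const BIND_DN  = 'cn=admin,o=exemple,dc=fr';
const BIND_PW  = 'pass';                                 // placeholder

/**
 * Bind over LDAPS with server-certificate verification enforced.
 * Returns the connection on success; on failure returns null and fills $why
 * with the underlying reason, which PHP's "Can't contact LDAP server"
 * warning does not show.
 */
function ldaps_bind_verified(string $uri, string $caFile, string $dn, string $pw, ?string &$why = null)
{
    $ds = ldap_connect($uri);
    if ($ds === false) {
        $why = 'malformed LDAP URI';
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

    // Per-connection equivalent of "TLS_CACERT <file>" and "TLS_REQCERT demand"
    // in the client ldap.conf. Both must be set before the bind, because the
    // TLS handshake happens when the connection is first opened.
    // LDAP_OPT_X_TLS_DEMAND: refuse the server unless its certificate chains
    // to $caFile and its name matches the URI host.
    ldap_set_option($ds, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    if (@ldap_bind($ds, $dn, $pw)) {
        return $ds;
    }

    // ldap_error() gives the generic text; the diagnostic message carries the
    // TLS detail (for example "certificate verify failed") when the library has one.
    $why = ldap_error($ds);
    if (ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail) && $detail !== '') {
        $why .= ' (' . $detail . ')';
    }
    return null;
}

$ds = ldaps_bind_verified(LDAP_URI, CA_FILE, BIND_DN, BIND_PW, $why);
if ($ds === null) {
    fwrite(STDERR, "LDAPS bind failed: $why\n");
    exit(1);
}
$sr   = ldap_search($ds, 'o=exemple,dc=fr', '(objectClass=*)');
$info = ldap_get_entries($ds, $sr);
echo $info['count'], " entries found over a verified LDAPS connection\n";
ldap_unbind($ds);
```

If a given PHP build does not honour these options per connection, the same two directives belong in the client's own ldap.conf (the openldap.conf under C:\openldap\sysconf that the original poster created), which is exactly the file the thread is arguing about: with demand (the default), the client refuses a server whose certificate does not chain to cacert.cer, and the failure shows up in the diagnostic message rather than as a silent, unverified connection.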


Communicate from php/apache to openLDAP over LDAPS

2010-06-10 Thread Jérémy ESCOLANO
Hi

I'm writing from France because I'm having a big problem with Apache and LDAP.
Let me explain:

I would like to make an Apache server communicate in PHP with an OpenLDAP
server (both servers are under Windows Server 2003), using the LDAPS protocol.

In order to activate LDAPS on my OpenLDAP server (srvLDAP), I created
self-signed certificates with OpenSSL. I got 3 files:


cacert.pem
srvLDAP.pem
srvLDAP.key


I configured my slapd.conf file and ldap.conf file (OpenLDAP side) like this:

slapd.conf

TLSCertificateFile    ./ssl/srvLDAP.pem
TLSCertificateKeyFile ./ssl/srvLDAP.key
TLSCACertificateFile  ./ssl/cacert.pem


ldap.conf
BASE        ma branche
URI         ldaps://srvLDAP/
TLS_CACERT  ./ssl/cacert.pem
TLS_REQCERT demand



I launched my OpenLDAP service, and checked that the ldaps protocol was okay,
using this command:

C:\Program Files\OpenLDAP>ldapsearch -b o=exemple,dc=fr -s sub -x -w pass -D cn=admin,o=exemple,dc=fr -H ldaps://srvLDAP/


Now I would like to communicate, from the remote Apache server, with the
OpenLDAP server using the LDAPS protocol.

Here is my simplified PHP code:

<h2>LDAP OPENLDAP LDAPS</h2>
<?php
// Connect to the OpenLDAP server over LDAPS (port 636) and bind as admin.
$host = "ldaps://srvldap";
$port = 636;
$ds = ldap_connect($host, $port);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
$r = ldap_bind($ds, "cn=admin,o=exemple,dc=fr", "pass");
// Search below the base DN and count the entries returned
// (the ldapsearch check above uses o=exemple,dc=fr as its base).
$sr = ldap_search($ds, "o=exemplec,dc=fr", "(objectClass=maclasse)");
$info = ldap_get_entries($ds, $sr);
print $info["count"] . " enregistrements trouvés.";
?>

I get this error:


Unable to bind to server: Can't contact LDAP server


I know I have to configure certificates in the Apache server configuration;
I tried to do this according to several internet resources but didn't succeed.
I also read this link:
http://forum.hardware.fr/hfr/OSAlternatifs/Logiciels-2/certificats-securisee-connexion-sujet_65365_1.htm
which is a French link that speaks about ldap.conf and ldaprc files to put
on the Apache server. I did it but nothing happened.

Well, I'm lost in all this stuff, that is why I'm asking for help to
configure my servers to use LDAPS with PHP.

Do you have information that could help me?

I thank you in advance


Re: Communicate from php/apache to openLDAP over LDAPS

2010-06-10 Thread Howard Chu

Jérémy ESCOLANO wrote:

> I tried to put host=srvLDAP but it still doesn't work
>
> Actually the problem is configuring my APACHE server to make it consider
> these certificates.
> I know there is an ldap.conf in the openLDAP directory (on the openLDAP server)
> where I have to put:
>
> TLS_CACERT  ./ssl2/cacert.cer
> TLS_REQCERT demand
>
> but how can we specify it on the apache server?

Ask on an Apache forum.

> Thanks
>
> 2010/6/10 Thierry Lacoste <laco...@u-pec.fr>
>
> > Seems to me that the $host variable is incorrect: should be
> > $host=srvLDAP
> >
> > HTH,
> > Thierry
> >
> > On 10 Jun 2010, at 10:57, Jérémy ESCOLANO wrote:
> >
> > > Hi
> > >
> > > I'm writing from France because I'm having a big problem with Apache and
> > > LDAP. Let me explain:
> > >
> > > I would like to make an Apache server communicate in PHP with an
> > > OpenLDAP server (both servers are under Windows Server 2003), using the LDAPS protocol.
> > >
> > > In order to activate LDAPS on my OpenLDAP server (srvLDAP), I created
> > > self-signed certificates with OpenSSL. I got 3 files:
> > >
> > > cacert.pem
> > > srvLDAP.pem
> > > srvLDAP.key
> > >
> > > I configured my slapd.conf file and ldap.conf file (OpenLDAP side) like this:
> > >
> > > slapd.conf
> > >
> > > TLSCertificateFile    ./ssl/srvLDAP.pem
> > > TLSCertificateKeyFile ./ssl/srvLDAP.key
> > > TLSCACertificateFile  ./ssl/cacert.pem
> > >
> > > ldap.conf
> > > BASE        ma branche
> > > URI         ldaps://srvLDAP/
> > > TLS_CACERT  ./ssl/cacert.pem
> > > TLS_REQCERT demand
> > >
> > > I launched my OpenLDAP service, and checked that the ldaps protocol was okay,
> > > using this command:
> > >
> > > C:\Program Files\OpenLDAP>ldapsearch -b o=exemple,dc=fr -s sub -x -w pass -D cn=admin,o=exemple,dc=fr -H ldaps://srvLDAP/
> > >
> > > Now I would like to communicate, from the remote Apache server, with the
> > > OpenLDAP server using the LDAPS protocol.
> > >
> > > Here is my simplified PHP code:
> > >
> > > <h2>LDAP OPENLDAP LDAPS</h2>
> > > <?php
> > > // Connect to the OpenLDAP server over LDAPS (port 636) and bind as admin.
> > > $host = "ldaps://srvldap";
> > > $port = 636;
> > > $ds = ldap_connect($host, $port);
> > > ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
> > > $r = ldap_bind($ds, "cn=admin,o=exemple,dc=fr", "pass");
> > > // Search below the base DN and count the entries returned
> > > // (the ldapsearch check above uses o=exemple,dc=fr as its base).
> > > $sr = ldap_search($ds, "o=exemplec,dc=fr", "(objectClass=maclasse)");
> > > $info = ldap_get_entries($ds, $sr);
> > > print $info["count"] . " enregistrements trouvés.";
> > > ?>
> > >
> > > I get this error:
> > >
> > > Unable to bind to server: Can't contact LDAP server
> > >
> > > I know I have to configure certificates in the Apache server
> > > configuration; I tried to do this according to several internet resources
> > > but didn't succeed. I also read this link:
> > >
> > > http://forum.hardware.fr/hfr/OSAlternatifs/Logiciels-2/certificats-securisee-connexion-sujet_65365_1.htm
> > > which is a French link that speaks about ldap.conf and ldaprc files to
> > > put on the Apache server. I did it but nothing happened.
> > >
> > > Well, I'm lost in all this stuff, that is why I'm asking for help to
> > > configure my servers to use LDAPS with PHP.
> > >
> > > Do you have information that could help me?
> > >
> > > I thank you in advance






--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/