Hello,

I'm trying to get a PHP script to authenticate with LDAPS but I can't make it work for some reason.

A basic LDAP query works from the command line:
$ ldapsearch -x -H ldaps://myserver.mydomain.fr -W -D cn=admin,dc=mydomain,dc=fr -b '' -s base '(objectclass=*)' namingContexts

So I'm 90% sure that my openldap server is properly configured; moreover, I read that "TLSVerifyClient never"

So I think the problem is on the client side. When I use the command line, I think that /etc/openldap/ldap.conf is used by ldapsearch, and in that file I have:
URI ldaps://myserver.mydomain.fr
TLS_CACERT /etc/openldap/ssl/CA.crt
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3

On the server side I have in /etc/openldap/slapd.conf:
TLSRandFile             /dev/urandom
TLSCipherSuite          HIGH:MEDIUM:+SSLv3
TLSCACertificateFile    /etc/openldap/ssl/CA.crt
TLSCertificateFile      /etc/openldap/ssl/openldap.crt
TLSCertificateKeyFile   /etc/openldap/ssl/private/openldap.key
I use a self-signed certificate.


The problem comes when I use a PHP script inside my chrooted Apache:

<?php
  $server = "ldaps://192.168.1.1";
  $racine = "dc=mydomain,dc=fr";
  $rootdn = "cn=myadmin,dc=mydomain,dc=fr";
  $rootpw = "mypassword";
  echo "Connection...<br>";
  // The original die() message referenced an undefined $server2; use $server.
  $ds = ldap_connect($server) or die("Can't connect to LDAP $server");
  if ($ds) {
    // Simple bind as the root DN. Over ldaps:// the TLS handshake happens
    // here, so a certificate the client cannot verify makes this bind fail.
    $r = ldap_bind($ds, $rootdn, $rootpw);
    if ($r) { echo "LDAP Success..."; }
    else { echo "LDAP Failed..."; }
    echo("msg:'" . ldap_error($ds) . "'<br>");
    echo "Disconnect...<br>";
    ldap_close($ds);
  }
?>
If I use ldap://192.168.1.1 instead of ldaps://192.168.1.1, it works.
When I use ldaps://192.168.1.1

I have the following message in slapd:
conn=1005 fd=14 ACCEPT from IP=192.168.1.1:45750 (IP=0.0.0.0:636)
TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
conn=1005 fd=14 closed (TLS negotiation failure)

And that message in

PHP Warning:  ldap_bind(): Unable to bind to server: Can't contact LDAP server in /htdocs/ldap.php on line 17
If I add at the beginning of my script
putenv('LDAPTLS_REQCERT=never') or die('Failed to setup the env');
it works, so to me it shows that the problem was on the client side.


My questions are these:
- Where should I put this instruction LDAPTLS_REQCERT=never (I tried php.ini, ldap.ini) so that I won't have to add putenv in all my scripts?
- Where should I put some kind of TLS CACERT so that the client side will consider my certificate valid?

I hope someone will have an idea, thank you

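The following is an added example, not code from the original post. It shows the client-side fix the two questions above are asking for without falling back to LDAPTLS_REQCERT=never (which makes libldap skip server-certificate verification, so ldaps:// then gives no protection against an impostor server). Two things from the post matter for it: the script runs inside a chrooted Apache, so /etc/openldap/ldap.conf and /etc/openldap/ssl/CA.crt have to exist inside the jail for PHP's libldap to find them (ldapsearch, run outside the jail, can read them, which is why it works there); and the server certificate was issued to myserver.mydomain.fr, so once verification is on, the client must connect to that name rather than to 192.168.1.1, because libldap also checks the hostname against the certificate. The example sets the CA file and the verification mode per script with ldap_set_option() on the global (null) handle; it assumes PHP 7.1 or later for the LDAP_OPT_X_TLS_* constants, and the CA path and credentials are placeholders taken from the post.

```php
<?php
// Added example: verify the OpenLDAP server certificate from PHP instead of
// disabling verification with LDAPTLS_REQCERT=never.
// Assumptions: PHP >= 7.1 (LDAP_OPT_X_TLS_* constants, null handle for global
// options), and $cacert is the path of the CA file as seen from INSIDE the
// Apache chroot. Copy CA.crt into the jail if it is not there yet.

// Connect by the name in the certificate, not by IP: with verification on,
// libldap rejects a certificate for myserver.mydomain.fr presented by 192.168.1.1.
$server = 'ldaps://myserver.mydomain.fr';
$rootdn = 'cn=myadmin,dc=mydomain,dc=fr';
$rootpw = 'mypassword';
$cacert = '/etc/openldap/ssl/CA.crt';   // placeholder; path inside the chroot

// A missing or unreadable CA file inside the chroot is exactly what produces
// "tlsv1 alert unknown ca" on the server and "Can't contact LDAP server" in PHP.
if (!is_readable($cacert)) {
    die("CA file $cacert is not readable from this (chrooted) process\n");
}

// Global TLS options must be set before ldap_connect(); they apply to every
// connection this process opens afterwards, so no putenv() is needed.
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $cacert)
    or die("Cannot set LDAP_OPT_X_TLS_CACERTFILE\n");
// DEMAND is the equivalent of "TLS_REQCERT demand" in ldap.conf: the chain
// must validate against $cacert and the hostname must match. NEVER is what
// LDAPTLS_REQCERT=never selected and is the setting to avoid.
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND)
    or die("Cannot set LDAP_OPT_X_TLS_REQUIRE_CERT\n");

$ds = ldap_connect($server) or die("Can't connect to LDAP $server\n");
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

// The TLS handshake happens at bind time for ldaps://, so a verification
// failure surfaces here as a failed bind.
if (@ldap_bind($ds, $rootdn, $rootpw)) {
    echo "LDAP bind OK over verified TLS\n";
} else {
    echo 'LDAP bind failed: ' . ldap_error($ds) . "\n";
    // libldap's extended diagnostic names the TLS problem, for example a
    // hostname mismatch or an unknown CA, which ldap_error() alone does not.
    if (ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag) && $diag !== '') {
        echo "diagnostic: $diag\n";
    }
}
ldap_close($ds);
```

If you would rather not touch each script, the same two settings belong in the ldap.conf that libldap reads inside the chroot (TLS_CACERT /path/inside/jail/CA.crt and TLS_REQCERT demand); a quick way to tell whether the jail is the problem is to check that the file exists at that path relative to the chroot root, since is_readable() above returns false exactly when it does not.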