Hello,
I'm trying to get a PHP script to authenticate with ldaps but I can't make it work for some reason.

A basic LDAP query works from the command line:

    $ ldapsearch -x -H ldaps://myserver.mydomain.fr -W -D cn=admin,dc=mydomain,dc=fr -b '' -s base '(objectclass=*)' namingContexts

So I'm 90% sure that my OpenLDAP server is properly configured; moreover I read about "TLSVerifyClient never", so I think the problem is on the client side.

When I use the command line, I think that /etc/openldap/ldap.conf is used by ldapsearch, and in that file I have:

    URI ldaps://myserver.mydomain.fr
    TLS_CACERT /etc/openldap/ssl/CA.crt
    TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3

On the server side I have in /etc/openldap/slapd.conf:

    TLSRandFile /dev/urandom
    TLSCipherSuite HIGH:MEDIUM:+SSLv3
    TLSCACertificateFile /etc/openldap/ssl/CA.crt
    TLSCertificateFile /etc/openldap/ssl/openldap.crt
    TLSCertificateKeyFile /etc/openldap/ssl/private/openldap.key

I use a self-signed certificate.

The problem comes when I use a PHP script inside my chrooted Apache:

    <?php
    $server = "ldaps://192.168.1.1";
    $racine = "dc=mydomain,dc=fr";
    $rootdn = "cn=myadmin,dc=mydomain,dc=fr";
    $rootpw = "mypassword";

    echo "Connexion...<br>";
    // ldap_connect() only parses the URI; the TLS handshake happens at bind time
    $ds = ldap_connect($server) or die("Can't connect to LDAP $server");
    if ($ds) {
        $r = ldap_bind($ds, $rootdn, $rootpw);
        if ($r) {
            echo "LDAP Success...";
        } else {
            echo "LDAP Failed...";
        }
        echo("msg:'" . ldap_error($ds) . "'<br>");
        echo "Disconnect...<br>";
        ldap_close($ds);
    }
    ?>

If I use ldap://192.168.1.1 instead of ldaps://192.168.1.1, it works. When I use ldaps://192.168.1.1 I have the following message in slapd:

    conn=1005 fd=14 ACCEPT from IP=192.168.1.1:45750 (IP=0.0.0.0:636)
    TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
    conn=1005 fd=14 closed (TLS negotiation failure)

and this message in PHP:

    Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /htdocs/ldap.php on line 17

If I add at the beginning of my script

    putenv('LDAPTLS_REQCERT=never') or die('Failed to setup the env');

it works, so to me it shows that the problem was on the client side.

My questions are these:

- Where should I put this instruction LDAPTLS_REQCERT=never (I tried php.ini, ldap.ini) so that I won't have to add putenv in all my scripts?
- Where should I put some kind of TLS CACERT so that the client side will consider my certificate valid?

I hope someone will have an idea, thank you
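Added example, not part of the original post: the same ldaps bind, but with the private CA pinned on the PHP side instead of switching verification off with LDAPTLS_REQCERT=never (which also disables the server-identity check that ldaps is supposed to give you). It assumes the CA certificate has been copied inside the Apache chroot (libldap resolves paths relative to the chroot, so a CA file or ldap.conf outside it is invisible to the PHP process), that the server is addressed by the name in its certificate rather than by IP, and that PHP is 7.1 or newer for LDAP_OPT_X_TLS_CACERTFILE; the paths, DN and password are the ones from the question, reused only as placeholders.

```php
<?php
// Added example (not from the original post): bind over ldaps:// to a server
// whose certificate is issued by a private/self-signed CA, keeping
// certificate verification ON and pinning the CA instead.
//
// Assumptions (not stated in the original post):
//   - the CA certificate has been copied INSIDE the Apache chroot at
//     /etc/openldap/ssl/CA.crt; paths resolve relative to the chroot root
//   - the URI uses the hostname present in the server certificate; with
//     verification enabled, ldaps://192.168.1.1 only matches a certificate
//     that carries that IP as a subjectAltName
//   - PHP >= 7.1 for LDAP_OPT_X_TLS_CACERTFILE; on older PHP the equivalent
//     is putenv('LDAPTLS_CACERT=/etc/openldap/ssl/CA.crt') before ldap_connect()

declare(strict_types=1);

const LDAP_URI = 'ldaps://myserver.mydomain.fr';   // hostname, not IP
const CA_FILE  = '/etc/openldap/ssl/CA.crt';       // must exist inside the chroot
const BIND_DN  = 'cn=myadmin,dc=mydomain,dc=fr';
const BIND_PW  = 'mypassword';

/**
 * Pin the private CA, require a valid server certificate, then bind.
 * Returns the LDAP link on success and throws on any TLS or bind failure,
 * so a caller can never continue with a link that did not authenticate.
 */
function ldaps_bind_pinned(string $uri, string $caFile, string $dn, string $pw)
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable (missing inside the chroot?): $caFile");
    }

    // Global TLS options (link = null) apply to the next ldap_connect().
    // LDAP_OPT_X_TLS_DEMAND is the hardened counterpart of the
    // LDAPTLS_REQCERT=never workaround from the question: the handshake
    // fails unless the server certificate chains to $caFile.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("Malformed LDAP URI: $uri");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

    // With ldaps:// the TLS handshake is performed here, on the first
    // operation; a CA mismatch surfaces as "Can't contact LDAP server".
    if (!@ldap_bind($ds, $dn, $pw)) {
        $err = ldap_error($ds);
        ldap_close($ds);
        throw new RuntimeException("LDAP bind failed: $err");
    }
    return $ds;
}

try {
    $ds = ldaps_bind_pinned(LDAP_URI, CA_FILE, BIND_DN, BIND_PW);
    echo "LDAP Success\n";
    ldap_close($ds);
} catch (RuntimeException $e) {
    echo "LDAP Failed: ", $e->getMessage(), "\n";
}
```

If you would rather not repeat the two ldap_set_option() calls in every script, the same two settings can live in the ldap.conf that libldap reads (TLS_CACERT pointing at the CA file, TLS_REQCERT demand), but that file and the CA certificate then have to exist at those paths inside the chroot, not only in the host's /etc/openldap.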