From: Jérémy ESCOLANO on
Hi,

I'm trying to contact an OpenLDAP server from an Apache server (on Windows) using PHP
over LDAPS.

Here is my sample code:

// connect over LDAPS; with a URI the port belongs in the URI (the port argument is ignored for URIs)
$host = "ldaps://srvLDAP:636";
$ds = ldap_connect($host) or die("Bad LDAP URI");
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
// simple bind as admin; this is where the TLS handshake actually happens
$r = ldap_bind($ds, "cn=admin,o=exemple,dc=fr", "exemple") or die("Bind failed: " . ldap_error($ds));
// the search filter needs its enclosing parentheses
$sr = ldap_search($ds, "o=exemple,dc=fr", "(objectClass=exemple)") or die("Search failed: " . ldap_error($ds));
$info = ldap_get_entries($ds, $sr);
print $info["count"] . " records found.";
ldap_unbind($ds);


I spent a lot of time configuring my servers, and here is what I have
done:

First I configured my OpenLDAP server:

slapd.conf:
#cert requested for the LDAP server
TLSCertificateFile ./ssl2/srvLDAP.cer
TLSCertificateKeyFile ./ssl2/srvLDAP.key
#CA cert
TLSCACertificateFile ./ssl2/cacert.cer
TLSVerifyClient never

ldap.conf:
TLS_CACERT ./ssl2/cacert.cer
TLS_REQCERT never

On my Apache server I created a folder C:\openldap\sysconf
and created a file ldap.conf:

TLS_CACERT ./ssl/cacert.cer
TLS_REQCERT never

(I also created a folder c:\openldap\sysconf\ssl and put my CA certificate
in it.)
(Of course I activated ldap and ssl in my php.ini.)

As it stands, it DOES work, BUT it doesn't verify any certificate.

I now want to make it verify the certificate. I know I have to
change TLS_REQCERT never to TLS_REQCERT demand on the OpenLDAP server
and the Apache server. I tried, but it doesn't work. I can't contact the LDAP server...

On the OpenLDAP server I get the following error:

connection_read(1176): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(1176): got connid=0
connection_read(1176): checking for input on id=0
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2471
connection_read(1176): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=1176 for close
connection_close: conn=0 sd=1176


That means that OpenLDAP can't check the client certificate because PHP and
Apache don't send one to it.

I heard about an ldaprc file but I can't find any information about it...

Is there somebody who can help me with this?

Thank you very much in advance.
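Editor's note, with an added example that is not part of the original post. Two different settings are in play in the configuration above, and the slapd trace shows which one bit. TLS_REQCERT in ldap.conf is a client-side option: it decides whether the LDAP client verifies the server's certificate. TLSVerifyClient in slapd.conf is the server-side option: it decides whether slapd asks the connecting client for a certificate of its own. The trace line "SSL_accept:SSLv3 write certificate request A" followed by "peer did not return a certificate" means slapd was sending a CertificateRequest, i.e. TLSVerifyClient was no longer "never" at the time of the test, and the PHP client had no client certificate to answer with. To verify only the server certificate, TLSVerifyClient can stay at "never" on slapd and the client (PHP) needs TLS_REQCERT demand with a CA file it can actually open. Note also that "TLS_CACERT ./ssl/cacert.cer" is relative to the working directory of the process that loads it (the Apache service on Windows, not the directory of ldap.conf), so an absolute path is safer.

The PHP below does the client side programmatically instead of relying on a found-or-not-found ldap.conf: it turns on certificate verification, points at the CA file, and optionally supplies a client certificate for the case where the server keeps TLSVerifyClient demand. It assumes PHP 7.1 or later with the ldap extension built against OpenLDAP (for the LDAP_OPT_X_TLS_* constants and for a null link in ldap_set_option(), which sets the global TLS options); the host, DNs and password are taken from the post, and the file paths and the client-certificate names are placeholders.

```php
<?php
// Added example, not code from the original post: an LDAPS client that
// verifies the server certificate (the equivalent of "TLS_REQCERT demand")
// and can present a client certificate when slapd keeps "TLSVerifyClient demand".
//
// Assumptions (not stated in the post): PHP >= 7.1 with the ldap extension
// built against OpenLDAP, so the LDAP_OPT_X_TLS_* constants exist and
// ldap_set_option() accepts null to set global TLS options. Host, DNs and
// password come from the post; file paths are placeholders.
declare(strict_types=1);

const LDAP_URI = 'ldaps://srvLDAP:636';
const CA_FILE  = 'C:/openldap/sysconf/ssl/cacert.cer'; // absolute: relative paths resolve against the process cwd
const BIND_DN  = 'cn=admin,o=exemple,dc=fr';
const BIND_PW  = 'exemple';
const BASE_DN  = 'o=exemple,dc=fr';
const FILTER   = '(objectClass=exemple)';

// Hypothetical client certificate files; only needed for mutual TLS
// (slapd with TLSVerifyClient demand). Leave null to send no client cert.
const CLIENT_CERT = null; // e.g. 'C:/openldap/sysconf/ssl/apache-client.cer'
const CLIENT_KEY  = null; // e.g. 'C:/openldap/sysconf/ssl/apache-client.key'

/**
 * Set the global OpenLDAP TLS options. They must be set before the first
 * LDAPS connection is opened (ldap_connect() is lazy; the handshake happens
 * at ldap_bind()), otherwise the already-built TLS context ignores them.
 */
function configureTls(string $caFile, ?string $clientCert = null, ?string $clientKey = null): void
{
    // "demand": no certificate, a certificate that does not chain to $caFile,
    // or a certificate whose name does not match the host aborts the connection.
    if (!ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND)
        || !ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile)) {
        throw new RuntimeException('unable to set TLS verification options');
    }
    if ($clientCert !== null && $clientKey !== null) {
        // Answer the server's CertificateRequest instead of sending an empty
        // certificate list, which is what the posted slapd trace complains about.
        if (!ldap_set_option(null, LDAP_OPT_X_TLS_CERTFILE, $clientCert)
            || !ldap_set_option(null, LDAP_OPT_X_TLS_KEYFILE, $clientKey)) {
            throw new RuntimeException('unable to set client certificate options');
        }
    }
}

/** Bind over LDAPS and return the number of entries matching $filter. */
function countEntries(string $uri, string $bindDn, string $bindPw, string $baseDn, string $filter): int
{
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("malformed LDAP URI: $uri");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // The TLS handshake runs here. With LDAP_OPT_X_TLS_DEMAND a failed
    // verification surfaces as a failed bind ("Can't contact LDAP server").
    if (!@ldap_bind($ds, $bindDn, $bindPw)) {
        $diag = '';
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        throw new RuntimeException('bind failed: ' . ldap_error($ds) . ($diag !== '' ? " ($diag)" : ''));
    }

    // "1.1" asks for no attributes: only DNs come back, which is enough to count.
    $sr = ldap_search($ds, $baseDn, $filter, ['1.1']);
    if ($sr === false) {
        throw new RuntimeException('search failed: ' . ldap_error($ds));
    }
    $count = ldap_count_entries($ds, $sr);
    ldap_unbind($ds);
    return $count;
}

try {
    configureTls(CA_FILE, CLIENT_CERT, CLIENT_KEY);
    echo countEntries(LDAP_URI, BIND_DN, BIND_PW, BASE_DN, FILTER), " records found\n";
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

To confirm that verification is really enforced rather than silently skipped, run the script a second time with CA_FILE pointing at a CA that did not sign the slapd certificate: the bind must fail. The same check from outside PHP is `openssl s_client -connect srvLDAP:636 -CAfile cacert.cer`, which should end with "Verify return code: 0 (ok)" and, if slapd still has TLSVerifyClient demand, will show the server requesting a client certificate in the same way the slapd trace does.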