Need help ignoring server certificate while binding to LDAP server using PHP
I'm trying to bind to an LDAP server using PHP. It's a fairly straightforward process, except that I can't get around a certificate error that I'm getting. My auth credentials are fine, since I can connect to the server with Apache Directory Studio. Is there any way to just automatically accept the server cert? Similar to how you click "Accept this cert.." with Apache di开发者_StackOverflow中文版rectory studio? I know it's not good security, but I just need to make it work at this point and can square away the cert issue later.
Thanks
You don't specify the environment, so here's the answer (found elsewhere on this site: How do I solve ldap_start_tls() "Unable to start TLS: Connect error" in PHP? ):
Linux: on the client machine (PHP web server) modify the ldap.conf file that the systems is using, in RH/Fedora the file you want is /etc/openldap/ldap.conf
(not /etc/ldap.conf
, that is for system authentication...) . Add/modify the following line:
TLS_REQCERT never
Windows: Add a system environment variable like the following:
LDAPTLS_REQCERT=never
Or in your PHP code, before the ldap_connect, put the following:
putenv('LDAPTLS_REQCERT=never');
These will insure the client web server PHP instance never checks the FQDN
of the server against the CN
(common name) of the certificate. Very helpful in cluster environments where a virtual IP and certificate for that is used. But since this also makes it so that the other tools/applications in the entire OS on the web server machine will not check this either, please insure that your environment allows this change (high-security environments might not allow it).
Use a web browser, point at ldaps://ipaddress/
when the cert pop up box shows up, view the cert, look at the cert chain, find the trusted root (not the specific cert being used, rather the parent who signed it) then export THAT cert. Save in in PEM and B64 format. (Binary and B64 encoded).
Then use that to get it into the PHP keystore format, whichever that is. Java keystores are easy. Not sure what PHP uses.
精彩评论