Need help ignoring server certificate while binding to LDAP server using PHP

猫巷女王i 2020-12-28 17:27

I'm trying to bind to an LDAP server using PHP. It's a fairly straightforward process, except that I can't get around a certificate error that I'm getting. My auth cred

2 answers
  • 2020-12-28 18:08

    Use a web browser, point at ldaps://ipaddress/

    When the cert pop-up box shows up, view the cert, look at the cert chain, find the trusted root (not the specific cert being used, rather the parent who signed it), then export THAT cert. Save it in PEM and B64 format (binary and B64 encoded).

    Then use that to get it into the PHP keystore format, whichever that is. Java keystores are easy. Not sure what PHP uses.

  • 2020-12-28 18:19

    You don't specify the environment, so here's the answer (found elsewhere on this site: How do I solve ldap_start_tls() "Unable to start TLS: Connect error" in PHP?):

    Linux: on the client machine (PHP web server) modify the ldap.conf file that the system is using; in RH/Fedora the file you want is /etc/openldap/ldap.conf (not /etc/ldap.conf, that is for system authentication...). Add/modify the following line:

    TLS_REQCERT never
    

    Windows: Add a system environment variable like the following:

    LDAPTLS_REQCERT=never
    

    Or in your PHP code, before the ldap_connect, put the following:

    putenv('LDAPTLS_REQCERT=never');
    

    These will ensure the client web server PHP instance never checks the FQDN of the server against the CN (common name) of the certificate. Very helpful in cluster environments where a virtual IP and a certificate for it are used. But since this also makes it so that the other tools/applications in the entire OS on the web server machine will not check this either, please ensure that your environment allows this change (high-security environments might not allow it).

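As an added example (not from the question or either answer), a PHP helper that shows both settings side by side: the default path verifies the server certificate against the root CA exported as the first answer describes, which is what a practitioner should prefer; the `never` path is the second answer's setting, which switches off server certificate verification for the connection entirely, not only the hostname/CN check. It assumes PHP 7.1 or later built against OpenLDAP (the LDAP_OPT_X_TLS_* options and a null handle for global options), and the host, CA file path and bind DN are placeholders.

```php
<?php
// Added example, not code from the question or answers above.
// Assumes PHP >= 7.1 with OpenLDAP. Host, CA path and DN are placeholders.

const LDAP_URI     = 'ldaps://ldap.example.internal';   // placeholder host
const CA_CERT_FILE = '/etc/ssl/certs/corp-ldap-ca.pem'; // placeholder path

/**
 * Configure certificate handling, then connect and bind.
 * $trustCa = true  -> verify the server certificate against CA_CERT_FILE
 *                     (the exported root CA from the first answer).
 * $trustCa = false -> the "never" setting from the second answer: the client
 *                     accepts any certificate, so the server is not authenticated.
 */
function ldapBind(string $bindDn, string $password, bool $trustCa = true)
{
    // TLS options are global and must be set before ldap_connect();
    // passing null as the handle sets them process-wide.
    if ($trustCa) {
        ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, CA_CERT_FILE);
        ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    } else {
        // Same effect as putenv('LDAPTLS_REQCERT=never') / TLS_REQCERT never
        ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
    }

    $ldap = ldap_connect(LDAP_URI);
    if ($ldap === false) {
        throw new RuntimeException('ldap_connect rejected the URI');
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // The TCP+TLS connection is actually opened here; a certificate the
    // client cannot verify surfaces as "Can't contact LDAP server" (-1)
    // with the OpenSSL verify failure in the diagnostic message.
    if (!@ldap_bind($ldap, $bindDn, $password)) {
        $err = ldap_error($ldap);
        ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        throw new RuntimeException("bind failed: $err ($diag)");
    }
    return $ldap;
}

$conn = ldapBind('cn=svc-web,ou=services,dc=example,dc=internal',
                 getenv('LDAP_BIND_PW') ?: '');
ldap_unbind($conn);
```

If the bind only succeeds with `$trustCa = false`, the CA file does not contain the root that signed the server certificate, or the certificate's subject/SAN does not match the host in the URI; fix that rather than leaving `never` in place.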