I want to make a secure ldap connection(ldaps) from a Linux(Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux) client to a Windows 2012 server, to change user passwords in active directory, through php.
For that, I’ve created a self-signed certificate(using Windows Server Manager) on the server, but when I try to connect, I get the following error(by turning debugging option on:
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);):
ldap_create ldap_url_parse_ext(ldaps://xxx.xxx.xxx.xxx) ldap_bind_s ldap_simple_bind_s ldap_sasl_bind_s ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP xxx.xxx.xxx.xxx:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying xxx.xxx.xxx.xxx:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 TLS: peer cert untrusted or revoked (0x42) TLS: can't connect: (unknown error code). ldap_err2string PHP Warning: ldap_bind(): Unable to bind to server
It seems the client is not able to trust the certificate since it’s self-signed.
What steps should I take to make a secure connection? The client side certificates are stored in
You have to explicitly tell the LDAP client to ignore untrusted certificates. You can do so by adding the following to your ldap.conf file:
This solution is not the preferred one though. You should add the required CA root to your client and ensure that the certificate is correctly generated with the server’s name in it (and if my memory serves me right the complete CA chain) otherwise nothing would stop someone to perform a MITM attack.
Your LDAP server is using a self-signed certificate so, in order to trust that, the LDAP client needs the certificate for the CA that created that cert.
- Put your CA’s certificate file in
/etc/ldap/certs/myca.pem(you may have to
mkdirthe certs directory).
Add a new line with
/etc/ldap/ldap.conf. (You may see a similar line with “/etc/ssl/certs/ca-certificates.crt”.)
$ php -a Interactive mode enabled php > ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7); ... ldap_init: using /etc/ldap/ldap.conf ... php > $conn = ldap_connect("your_ldap_server"); php > ldap_start_tls($conn);
Without the configuration change, you’d see
PHP Warning: ldap_start_tls(): Unable to start TLS: Connect error in php shell code on line 1. The comments for the function documentation provide further reading but everyone seems to go straight at setting “TLS_REQCERT never”. Working != secure.
demand is the default setting and I’d leave it that way (or explicitly set that). The documentation on TLS_REQCERT is here. (It also appears that if you do set “never” but follow with a later “TLS_CACERT” line, it ignores the never. Ugh.)
Note: I know you used “ldaps://” and ldap_bind(), but try the preferred ldap_start_tls().
STARTTLS is an alternative approach that is now the preferred method
of encrypting an LDAP connection.
For those that stumble across this, PHP7.1 now allows you to set the CA file and CA directory via
ldap_set_option() rather than having to update a server configuration file.
See the documentation for
ldap_set_option here, paying attention to the
LDAP_OPT_X_TLS_ options: https://secure.php.net/manual/en/function.ldap-set-option.php
One caveat: It seems there may be a bug where
LDAP_OPT_X_TLS_CACERTFILE is only accepted when
LDAP_OPT_X_TLS_CACERTDIR is also set, see https://bugs.php.net/bug.php?id=73558. I haven’t verified this yet.