Topic: Configuring apache to use LDAP over SSL on PHP
gostbuster



Joined: 10 Jun 2010
Posts: 3

Posted: Thu 10 Jun '10 10:29    Post subject: Configuring apache to use LDAP over SSL on PHP

Hi

I'm writing from France because I'm having a big problem with Apache and LDAP. Let me explain:

I would like to make an Apache server communicate in PHP with an OpenLDAP server (both servers run on Windows Server 2003), using the LDAPS protocol.

In order to activate LDAPS on my OpenLDAP server (srvLDAP), I created self-signed certificates with OpenSSL. I got 3 files:

Code:

cacert.pem
srvLDAP.pem
srvLDAP.key


I configured my slapd.conf file and ldap.conf file (OpenLDAP side) like this:

slapd.conf
Code:

TLSCertificateFile      ./ssl/srvLDAP.pem
TLSCertificateKeyFile   ./ssl/srvLDAP.key
TLSCACertificateFile    ./ssl/cacert.pem


ldap.conf
Code:

BASE    <ma branche>
URI     ldaps://srvLDAP/
TLS_CACERT      ./ssl/cacert.pem
TLS_REQCERT     demand



I launched my OpenLDAP service and checked that the LDAPS protocol was OK, using this command:

Code:

C:\Program Files\OpenLDAP>ldapsearch -b o=exemple,dc=fr -s sub -x -w pass -D cn=admin,o=exemple,dc=fr -H ldaps://srvLDAP/


Now I would like to communicate, from the remote Apache server, with the OpenLDAP server using the LDAPS protocol.

Here is my simplified PHP code:
Code:

<h2>LDAP OPENLDAP LDAPS</h2>
<?php
// Connect to the OpenLDAP server over LDAPS (port 636)
$host = "ldaps://srvldap";
$port = 636;
$ds = ldap_connect($host, $port);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
// Simple bind as the admin user; stop on failure and show the LDAP error
$r = ldap_bind($ds, "cn=admin,o=exemple,dc=fr", "pass")
    or die("Unable to bind to server: " . ldap_error($ds));
// Search the whole subtree for entries of the class maclasse
$sr = ldap_search($ds, "o=exemple,dc=fr", "(objectClass=maclasse)");
$info = ldap_get_entries($ds, $sr);
print $info["count"] . " enregistrements trouvés.";
?>


I get this error:

Code:

Unable to bind to server: Can't contact LDAP server


I know I have to configure certificates in the Apache server configuration; I tried to do this according to several internet resources but didn't succeed. I also read this link (in French): http://forum.hardware.fr/hfr/OSAlternatifs/Logiciels-2/certificats-securisee-connexion-sujet_65365_1.htm , which talks about ldap.conf and ldaprc files to put on the Apache server. I did it but nothing happened.

Well, I'm lost in all this stuff, which is why I'm asking for help to configure my servers to use LDAPS with PHP.

Do you have information that could help me?

I thank you in advance
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7298
Location: Germany, Next to Hamburg

Posted: Thu 10 Jun '10 13:36

Do you use PHP as a module or over fcgid? Does Apache run as a service? If it runs as a service

When using LDAP with SSL and an LDAP server which uses a self-signed SSL certificate, normally no connection will be established. Therefore you have to allow such connections explicitly.
Add TLS_REQCERT never to ldap.conf
gostbuster



Joined: 10 Jun 2010
Posts: 3

Posted: Thu 10 Jun '10 14:05

Hi,

Thank you for replying.

I use PHP as a module. Apache is running as a service under Windows Server 2003.

Are you talking about the ldap.conf file on the OpenLDAP server?

I tried to change
TLS_REQCERT demand
to TLS_REQCERT never

and it still doesn't work.

I heard about an ldaprc file and an ldap.conf file that need to be put on the Apache server, but where do I put them so that Apache takes them into account?

I may give some more information about what I did to get certificates:

First I installed the Windows 2003 certificate authority.
I got the CA certificate from the certsrv interface (it's a base 64 .cer file).

Then I requested a certificate, providing srvLDAP as the common name.
I made the key exportable.

Finally I got three files:

cacert.cer (the CA certificate)
srvLDAP.cer (the certificate I requested for my OpenLDAP server)
srvLDAP.key (the key)

These are the files specified in the OpenLDAP server configuration files (slapd.conf and ldap.conf).

I took the CA certificate for my Apache server, and requested (and got) a certificate for my srvWEB server (Apache).

I finally got srvWEB.cer, and srvWEB.key.

Here is my trouble: how can I configure Apache to use this certificate so that when I do an LDAPS connection with PHP it will work?

Thank you in advance
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7298
Location: Germany, Next to Hamburg

Posted: Thu 10 Jun '10 17:12

gostbuster wrote:

    Are you talking about the ldap.conf file on the OpenLDAP server?

Yep, that one.



Add these values to httpd.conf:

LDAPTrustedGlobalCert <encryption method> /path/to/certificate
LDAPVerifyServerCert Off

The encryption method I was using was 'CA_BASE64'. Check the encryption method with your LDAP/AD sysadmin.
gostbuster



Joined: 10 Jun 2010
Posts: 3

Posted: Fri 11 Jun '10 10:41

Hi, thank you for replying. I went a bit deeper into my problem and here is what I've done:

First I configured my OpenLDAP server like this:

the slapd.conf file
Code:

#cert requested for the ldapserver
TLSCertificateFile      ./ssl2/srvLDAP.cer
TLSCertificateKeyFile   ./ssl2/srvLDAP.key
#CA cert
TLSCACertificateFile    ./ssl2/cacert.cer
TLSVerifyClient         never



the ldap.conf file
Code:

TLS_CACERT      ./ssl2/cacert.cer
TLS_REQCERT     never



I started my service using:

Code:

slapd -h "ldap:/// ldaps:///" -d 1



Then, on the APACHE SERVER,

I created a directory C:\openldap\sysconf

It seems that we have to do this because php_ldap.dll checks exactly this folder to do LDAPS.

In the directory openldap/sysconf I created a file 'ldap.conf':

Code:

TLS_CACERT ./ssl/cacert.cer
TLS_REQCERT     never


I created a folder c:\openldap\sysconf\ssl\ and put my CA cert inside.

After stopping/starting Apache, I tried to execute my PHP script and it WORKS... BUT it doesn't verify the certificate.

I now need to configure Apache so that when PHP does LDAPS, it provides the certificates to the OpenLDAP server.

Thank you in advance
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7298
Location: Germany, Next to Hamburg

Posted: Fri 11 Jun '10 11:38

As I posted above, I added LDAPVerifyServerCert Off to httpd.conf. I have no further experience with checking the certs.
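The thread ends with the connection working only because verification was switched off (TLS_REQCERT never in ldap.conf, LDAPVerifyServerCert Off in httpd.conf). As an added example, not code from either poster, here is the PHP side with the server certificate actually checked against the CA. It assumes PHP 7.1 or later with ext/ldap built on OpenLDAP, the CA file copied to C:\openldap\sysconf\ssl\cacert.cer on the web server, and that the host name in the URI matches the CN of srvLDAP.cer.

```php
<?php
// Added example: LDAPS bind from PHP with the server certificate verified,
// instead of TLS_REQCERT never. Assumptions (not from the thread): PHP >= 7.1
// on OpenLDAP libldap, and cacert.cer stored under C:\openldap\sysconf\ssl.

function ldaps_bind_verified(string $uri, string $caFile, string $bindDn, string $password)
{
    $ds = ldap_connect($uri);            // only initialises the handle; no network yet
    if ($ds === false) {
        throw new RuntimeException("Bad LDAP URI: $uri");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Trust only our own CA and demand a valid chain plus a matching host name.
    // These are the per-handle equivalents of TLS_CACERT / TLS_REQCERT demand in
    // ldap.conf and must be set before the first operation that opens TLS (the bind).
    if (!ldap_set_option($ds, LDAP_OPT_X_TLS_CACERTFILE, $caFile) ||
        !ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND)) {
        throw new RuntimeException('Cannot set TLS options: ' . ldap_error($ds));
    }

    if (!@ldap_bind($ds, $bindDn, $password)) {
        // With verification on, a certificate problem (unknown CA, wrong host name,
        // expired cert) surfaces here as "Can't contact LDAP server"; the diagnostic
        // message from libldap says which check failed.
        $diag = '';
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        throw new RuntimeException('Bind failed: ' . ldap_error($ds) . ' ' . $diag);
    }
    return $ds;
}

// Values below mirror the thread's setup (admin DN, base, object class).
$ds = ldaps_bind_verified(
    'ldaps://srvLDAP:636',
    'C:\\openldap\\sysconf\\ssl\\cacert.cer',
    'cn=admin,o=exemple,dc=fr',
    'pass'
);
$sr   = ldap_search($ds, 'o=exemple,dc=fr', '(objectClass=maclasse)');
$info = ldap_get_entries($ds, $sr);
print $info['count'] . " entries found\n";
ldap_unbind($ds);
```

If the options cannot be set per handle (older PHP), the same effect comes from putting TLS_CACERT with the full path to the CA file and TLS_REQCERT demand in C:\openldap\sysconf\ldap.conf on the web server; LDAPVerifyServerCert only affects mod_ldap / mod_authnz_ldap, not PHP's ext/ldap.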