如何从php / Zend为LDAP使用多个TLS证书?
[英]How to use multiple TLS certificates for LDAP from php/Zend?
问题描述
In our web based application we support LDAP authentication. 
在基于Web的应用程序中,我们支持LDAP身份验证 It works fine with the code below. 它适用于下面的代码。 Now we want to support LDAP over TLS. 现在我们想要支持LDAP over TLS。 We host our product for our customers on SUSE Linux Enterprise Server 11 and each customer can have different TLS certificate. 我们在SUSE Linux Enterprise Server 11上为客户托管我们的产品,每个客户都可以拥有不同的TLS证书。
My questions are: 我的问题是:
- how to set up out SUSE server (that is LDAP client) - where to place certificates for each customer, do I need to edit any conf file? 如何设置SUSE服务器 (即LDAP客户端) - 在哪里为每个客户放置证书,我是否需要编辑任何conf文件?
- how to make LDAP authentication over TLS with different certificates from php . 如何使用PHP的不同证书通过TLS进行LDAP身份验证 。 What would be exact php syntax? 什么是精确的PHP语法?
- does it matter what type of the server is? 是什么类型的服务器是关键的? Exchange, OpenLDAP etc? Exchange,OpenLDAP等?
- right now we have .cer certificate from Exchange. 现在我们有来自Exchange的.cer证书。 Is that ok for OpenLDAP or it must be converted (how) to .pem? 这对OpenLDAP是否可以,或者必须转换(如何)到.pem?
SUSE server = LDAP client configuration SUSE服务器= LDAP客户端配置
- SUSE Linux Enterprise Server 11 (x86_64) SUSE Linux Enterprise Server 11(x86_64)
- ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.26 (Sep 26 2012 13:14:42) ldapsearch:@(#)$ OpenLDAP:ldapsearch 2。4。26(2012年9月26日13:14:42)
- PHP Version 5.4.9 PHP版本5.4.9
- Zend Engine v2.4.0 Zend Engine v2.4.0
From reading http://php.net/ldap_connect I understood that I can use different certificates but I didn't get how. 从阅读http://php.net/ldap_connect我明白我可以使用不同的证书,但我没有得到如何。
function authenticateZendAuth($username, $password){
require_once 'Zend/Auth.php';
$auth = Zend_Auth::getInstance();
$ldapOptions = getConfigVariableValue('->ldap');
$options = $ldapOptions->toArray();
unset($options['log_path']);
require_once 'Zend/Auth/Adapter/Ldap.php';
$adapter = new Zend_Auth_Adapter_Ldap($options, $username, $password);
$authenticated = $auth->authenticate($adapter);
$log_path = $ldapOptions->log_path;
if ($log_path) {
$messages = $authenticated->getMessages();
require_once("Zend/Log.php");
require_once("Zend/Log/Writer/Stream.php");
require_once("Zend/Log/Filter/Priority.php");
$logger = new Zend_Log();
$logger->addWriter(new Zend_Log_Writer_Stream($log_path));
$filter = new Zend_Log_Filter_Priority(Zend_Log::DEBUG);
$logger->addFilter($filter);
foreach ($messages as $i => $message) {
if ($i-- > 1) { // $messages[2] and up are log messages
$message = str_replace("\n", "\n ", $message);
$logger->log("Ldap: $i: $message", Zend_Log::DEBUG);
}
}
}
return $authenticated;
}
1 个解决方案
解决方案1
2 2013-03-26 21:05:12
How to set up our SUSE server (that is LDAP client) - where to place certificates for each customer, do I need to edit any conf file? 如何设置我们的SUSE服务器(即LDAP客户端) - 在哪里为每个客户放置证书,我是否需要编辑任何conf文件?
If you are using openssl (slapd) it doesn't really matter where you put the certificate, as long as you can set the configuration file to point to. 如果您使用openssl(slapd),只要您可以将配置文件设置为指向,那么放置证书的位置并不重要。 It will look something like this perhaps: 它可能看起来像这样:
TLSCACertificateFile /usr/var/openldap-data/cacert.pem
TLSCertificateFile /usr/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/var/openldap-data/serverkey.pem
You will need to request (or create your own) Certificates, these are the same as the certificates you use for HTTPS. 您需要请求(或创建自己的)证书,这些证书与您用于HTTPS的证书相同。 This is where the domain name is imported, when you create/request the cert, it needs to match the domain name that you are going to be using it on. 这是导入域名的地方,当您创建/请求证书时,它需要匹配您将使用它的域名。 See: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html for more details. 有关详细信息,请参阅: http : //www.openldap.org/pub/ksoper/OpenLDAP_TLS.html 。
How to make LDAP authentication over TLS with different certificates from php. 如何使用PHP的不同证书通过TLS进行LDAP身份验证。 What would be exact php syntax? 什么是精确的PHP语法?
You really don't need to do anything special here. 你真的不需要在这里做任何特别的事情。 Make sure you set your LDAP server up with the appropriate domain named certificate. 确保使用名为certificate的相应域设置LDAP服务器。 And make sure that the signing authority for that cert is recognized by your local openladap client (running your php) via it's config file. 并确保您的本地openladap客户端(运行您的php)通过它的配置文件识别该证书的签名权限。 Then notice that many of the Zend Examples ( http://files.zend.com/help/Zend-Framework/zend.auth.adapter.ldap.html ) use a config file to set up the Zend LDPA client and turn on TLS. 然后请注意许多Zend示例( http://files.zend.com/help/Zend-Framework/zend.auth.adapter.ldap.html )使用配置文件来设置Zend LDPA客户端并打开TLS 。 You can also use Zend_Ldap::setOptions() - see the notes on http://framework.zend.com/manual/1.12/en/zend.auth.adapter.ldap.html 您还可以使用Zend_Ldap :: setOptions() - 请参阅http://framework.zend.com/manual/1.12/en/zend.auth.adapter.ldap.html上的注释。
Does it matter what type of the server is? 是什么类型的服务器是否重要? Exchange, OpenLDAP etc? Exchange,OpenLDAP等? No, not really. 不,不是真的。 I mean, configuring the LDAP server will matter, but the php client won't really care at all. 我的意思是,配置LDAP服务器很重要,但php客户端根本不会真正关心。
Right now we have .cer certificate from Exchange. 现在我们有来自Exchange的.cer证书。 Is that ok for OpenLDAP or it must be converted (how) to .pem? 这对OpenLDAP是否可以,或者必须转换(如何)到.pem?
See: http://www.sslshopper.com/article-most-common-openssl-commands.html 请参阅: http : //www.sslshopper.com/article-most-common-openssl-commands.html
openssl x509 -inform der -in certificate.cer -out certificate.pem
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.