用于OpenLdap配置的PHP证书SSL

Question

i work in local with LinuxMint and have in virtualbox installed UbuntuServer with openldap. Now i configure follow this guide http://help.ubuntu-it.org/12.04/server/serverguide/it/ubuntu-1204-server.pdf TLS/SSL auth. I have installed in the client (linuxmint) Xampp and i configure /etc/ldap/ldap.conf with:

TLS_CACERT      /etc/ssl/certs/192.168.1.46_slapd_cert.pem
TLS_REQCERT never

I try to connect with php function:

<?php
// This code goes directly to the 636 SSL port

$ldaphost = "ldaps://192.168.1.46";
$ldapUsername  = "cn=admin,dc=company,dc=com";
$ldapPassword = "secret";


$ds = ldap_connect($ldaphost);

if(!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)){
print "Could not set LDAPv3\r\n";
}
else {
// now we need to bind to the ldap server
$bth = ldap_bind($ds, $ldapUsername, $ldapPassword) or die("\r\nCould not connect to LDAP server\r\n");
}
?>

but not works..

if i try in my terminal:

ldapsearch -x -H ldaps://192.168.1.46 -b "cn=company,cn=com"

it works!! but via php why?..i try to configure the ldap.conf in /opt/lampp/etc/openldap but no result..

Answer 1

I work with openldap an apache/php in centos . Maybe it's similar.

1. My ldap.conf is in /etc/ldap.conf
2. I configured *TLS_REQCERT allow*
3. I have to generate a hash of the Certificate as symlink in the same Directory:

ln -s /etc/ssl/certs/192.168.1.46_slapd_cert.pem `openssl x509 -hash -noout -in /etc/ssl/certs/192.168.1.46_slapd_cert.pem`.0

On my Ubuntu (without ldapsupport) exists the function c_rehash . If I install a revoke-list there, i have to rehash all revokelists with this function in this way:

cd /etc/ssl/certs/
c_rehash /etc/ssl/certs/

Maybe it creates the correct hashes for your CAs.