
How to use multiple TLS certificates for LDAP from php/Zend?

In our web based application we support LDAP authentication. It works fine with the code below. Now we want to support LDAP over TLS. We host our product for our customers on SUSE Linux Enterprise Server 11 and each customer can have different TLS certificate.

My questions are:

  • how to set up our SUSE server (that is, the LDAP client) - where to place certificates for each customer, do I need to edit any conf file?
  • how to make LDAP authentication over TLS with different certificates from php. What would be the exact php syntax?
  • does it matter what type the server is? Exchange, OpenLDAP etc?
  • right now we have a .cer certificate from Exchange. Is that ok for OpenLDAP or must it be converted (how) to .pem?

SUSE server = LDAP client configuration

  • SUSE Linux Enterprise Server 11 (x86_64)
  • ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.26 (Sep 26 2012 13:14:42)
  • PHP Version 5.4.9
  • Zend Engine v2.4.0

From reading http://php.net/ldap_connect I understood that I can use different certificates but I didn't get how.

function authenticateZendAuth($username, $password){
   require_once 'Zend/Auth.php';
   $auth = Zend_Auth::getInstance();

   // LDAP server options (host, baseDn, useStartTls, ...) come from the app config
   $ldapOptions = getConfigVariableValue('->ldap');

   $options = $ldapOptions->toArray();
   unset($options['log_path']); // not a Zend_Ldap option, only used for logging below

   require_once 'Zend/Auth/Adapter/Ldap.php';
   $adapter = new Zend_Auth_Adapter_Ldap($options, $username, $password);

   $authenticated = $auth->authenticate($adapter); // Zend_Auth_Result

   $log_path = $ldapOptions->log_path;
   if ($log_path) {
       $messages = $authenticated->getMessages();

       require_once("Zend/Log.php");
       require_once("Zend/Log/Writer/Stream.php");
       require_once("Zend/Log/Filter/Priority.php");
       $logger = new Zend_Log();
       $logger->addWriter(new Zend_Log_Writer_Stream($log_path));
       $filter = new Zend_Log_Filter_Priority(Zend_Log::DEBUG);
       $logger->addFilter($filter);

       // $messages[0] is the user-facing result, $messages[1] a one-line summary
       foreach ($messages as $i => $message) {
           if ($i-- > 1) { // $messages[2] and up are log messages
               $message = str_replace("\n", "\n  ", $message);
               $logger->log("Ldap: $i: $message", Zend_Log::DEBUG);
           }
       }
   }

   return $authenticated;
}

How to set up our SUSE server (that is LDAP client) - where to place certificates for each customer, do I need to edit any conf file?

If you are using openssl (slapd) it doesn't really matter where you put the certificate, as long as you can point the configuration file to it. It will look something like this perhaps:

TLSCACertificateFile    /usr/var/openldap-data/cacert.pem
TLSCertificateFile      /usr/var/openldap-data/servercrt.pem
TLSCertificateKeyFile   /usr/var/openldap-data/serverkey.pem

You will need to request (or create your own) certificates; these are the same as the certificates you use for HTTPS. This is where the domain name is important: when you create/request the cert, it needs to match the domain name that you are going to be using it on. See: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html for more details.

How to make LDAP authentication over TLS with different certificates from php. What would be exact php syntax?

You really don't need to do anything special here. Make sure you set your LDAP server up with the appropriate domain-named certificate. And make sure that the signing authority for that cert is recognized by your local openldap client (running your php) via its config file. Then notice that many of the Zend examples ( http://files.zend.com/help/Zend-Framework/zend.auth.adapter.ldap.html ) use a config file to set up the Zend LDAP client and turn on TLS. You can also use Zend_Ldap::setOptions() - see the notes on http://framework.zend.com/manual/1.12/en/zend.auth.adapter.ldap.html

Does it matter what type the server is? Exchange, OpenLDAP etc? No, not really. I mean, configuring the LDAP server will matter, but the php client won't really care at all.

Right now we have a .cer certificate from Exchange. Is that ok for OpenLDAP or must it be converted (how) to .pem?

See: http://www.sslshopper.com/article-most-common-openssl-commands.html

openssl x509 -inform der -in certificate.cer -out certificate.pem
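The following is an added example (not code from the question, the answer, or Zend Framework) that puts the answer's points together for the multi-customer case. It assumes that `/etc/openldap/ldap.conf` on the SUSE host points libldap at a CA directory (`TLS_CACERTDIR /etc/openldap/customer-cacerts` with `TLS_REQCERT demand`), that the PHP ldap extension is built on libldap and therefore honours that file, and that the customer names, host names and base DNs are placeholders. Because trust is configured once on the client side, the PHP code only has to enable TLS per customer; the `.cer` to `.pem` conversion is the same transformation the `openssl x509 -inform der` command above performs.

```php
<?php
// Added example; not from the question or the answer above.
// Assumed client-side configuration in /etc/openldap/ldap.conf:
//     TLS_CACERTDIR /etc/openldap/customer-cacerts
//     TLS_REQCERT   demand
// Every CA certificate placed in that directory under its hashed file name
// is trusted by libldap, and therefore by PHP's ldap extension, for any host.

define('CA_DIR', '/etc/openldap/customer-cacerts'); // assumed path

/**
 * Return PEM text for a certificate file that is either DER (.cer exported
 * from Exchange/Windows) or already PEM. PEM is base64 DER between
 * BEGIN/END lines, which is exactly what `openssl x509 -inform der` emits.
 */
function certToPem($path) {
    $data = file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException("cannot read $path");
    }
    if (strpos($data, '-----BEGIN CERTIFICATE-----') !== false) {
        return $data; // already PEM
    }
    return "-----BEGIN CERTIFICATE-----\n"
        . chunk_split(base64_encode($data), 64, "\n")
        . "-----END CERTIFICATE-----\n";
}

/**
 * Install one customer's CA certificate into TLS_CACERTDIR. OpenSSL looks
 * files up by subject-name hash (<hash>.0, <hash>.1, ...), the naming that
 * c_rehash produces, so a plain copy under another name would be ignored.
 */
function installCaCert($cerPath) {
    $pem  = certToPem($cerPath);
    $info = openssl_x509_parse($pem); // 'hash' is the subject-name hash
    if ($info === false) {
        throw new RuntimeException("not a valid X.509 certificate: $cerPath");
    }
    if (!is_dir(CA_DIR) && !mkdir(CA_DIR, 0755, true)) {
        throw new RuntimeException('cannot create ' . CA_DIR);
    }
    // pick the first free suffix; two CAs with the same subject hash coexist
    for ($n = 0; ; $n++) {
        $target = CA_DIR . '/' . $info['hash'] . '.' . $n;
        if (!file_exists($target)) {
            break;
        }
        if (file_get_contents($target) === $pem) {
            return $target; // already installed
        }
    }
    file_put_contents($target, $pem);
    chmod($target, 0644);
    return $target;
}

/**
 * Per-customer Zend_Auth_Adapter_Ldap options. Only host, domain and base DN
 * differ between customers; TLS is switched on the same way for all of them.
 */
function ldapOptionsFor($customer) {
    // constructed sample data; a real deployment reads this from its config
    $customers = array(
        'customer-a' => array('host' => 'dc1.customer-a.example',
                              'domain' => 'customer-a.example',
                              'baseDn' => 'DC=customer-a,DC=example'),
        'customer-b' => array('host' => 'ldap.customer-b.example',
                              'domain' => 'customer-b.example',
                              'baseDn' => 'dc=customer-b,dc=example'),
    );
    if (!isset($customers[$customer])) {
        throw new InvalidArgumentException("unknown customer: $customer");
    }
    $c = $customers[$customer];
    return array(
        'server1' => array(
            'host'              => $c['host'], // must match the CN/SAN of the server cert
            'port'              => 389,
            'useStartTls'       => true,       // STARTTLS on 389; use 'useSsl' => true and port 636 for ldaps://
            'accountDomainName' => $c['domain'],
            'baseDn'            => $c['baseDn'],
            'bindRequiresDn'    => false,      // Active Directory/Exchange binds as user@domain; set true for OpenLDAP
        ),
    );
}

function authenticateCustomer($customer, $username, $password) {
    require_once 'Zend/Auth/Adapter/Ldap.php';
    $adapter = new Zend_Auth_Adapter_Ldap(ldapOptionsFor($customer), $username, $password);
    $result  = $adapter->authenticate(); // Zend_Auth_Result
    return $result->isValid();
}

// usage (paths and credentials are placeholders):
// installCaCert('/srv/customers/customer-a/exchange-ca.cer');
// var_dump(authenticateCustomer('customer-a', 'jdoe', 'secret'));
```

With `TLS_REQCERT demand`, a server whose certificate does not chain to one of the installed CAs, or whose name does not match the `host` option, fails the STARTTLS handshake instead of silently continuing in cleartext, which is the check you want when each customer has a different issuer. On PHP 5.4 the trust store can only be set globally this way (or through `LDAPTLS_CACERT`/`LDAPTLS_CACERTDIR` in the environment); per-connection settings such as `ldap_set_option($conn, LDAP_OPT_X_TLS_CACERTFILE, ...)` only became available in PHP 7.1.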
