
Trying to use SSL with LDAP authentication, I keep seeing connection attempts failing in the server log:

May 18 23:52:49 lemongrab slapd[5666]: conn=162733 fd=21 ACCEPT from IP=192.168.244.129:52174 (IP=0.0.0.0:636)
May 18 23:52:49 lemongrab slapd[5666]: conn=162733 fd=21 closed (TLS negotiation failure)

Works fine without SSL, and other applications are using SSL, so I'm thinking it's a trust issue with the SSL certificate (which is signed by our internal CA).

I'm using PHP 7, Laravel 5.2 and Adldap 2.

So, how do I specify a trusted CA cert for Adldap to use?

miken32
  • Based on the log I'm assuming this is OpenLDAP? Also, typically with LDAP you want to use TLS, not SSL. Are you running PHP from a Windows or Linux box? – ChadSikorra May 19 '16 at 14:09
  • My server is using SSL, and yes it's OpenLDAP. No Windows anywhere! – miken32 May 19 '16 at 14:12
  • Ok, to specifically determine if the issue is with a cert you can edit `/etc/ldap/ldap.conf` on the server running PHP and add the following line: `TLS_REQCERT never`. If it works after doing that then it's for sure a cert issue. That line just tells it to never do cert checking. That will at least help narrow it down. – ChadSikorra May 19 '16 at 14:16
  • Thanks, just needed a pointer to that file; the `TLS_CACERT` directive did the trick. Feel free to post an answer, otherwise I'll add one myself. – miken32 May 19 '16 at 17:47

1 Answer


To avoid the security risk, you should get the certificate used by your OpenLDAP server, copy it to the server running PHP, and reference it in the /etc/ldap/ldap.conf file using

TLS_CACERT /path/to/openldap/cacert.pem
miken32
ChadSikorra
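The two settings discussed above pull in opposite directions: `TLS_REQCERT never` is the diagnostic from the comments and makes libldap accept any server certificate, while `TLS_CACERT` is the fix and lets it verify the server against the internal CA. PHP's ldap extension links against libldap, so it reads the same client file (`/etc/ldap/ldap.conf` on Debian and Ubuntu, `/etc/openldap/ldap.conf` on Red Hat derived systems). The script below is an added example, not code from the question, the answer, or the Adldap project: it audits such a file and reports whether verification has been left disabled, whether a CA file is configured, and whether that file actually exists. The sample config files and the stand-in `cacert.pem` it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an OpenLDAP client config (ldap.conf) for the
# TLS trust settings discussed on this page.  Sample files are constructed.

# audit_ldap_conf FILE
# Prints exactly one word and returns 0 only for the safe configuration:
#   weak       TLS_REQCERT is "never" or "allow": the server cert is not verified
#   missing    no TLS_CACERT: libldap falls back to its default trust store,
#              which normally does not contain an internal CA
#   nofile     TLS_CACERT is set but the file does not exist
#   ok         TLS_CACERT points at an existing file and TLS_REQCERT is not relaxed
#   unreadable the config file itself cannot be read
audit_ldap_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "unreadable"; return 2; }

    # Drop comments; keys are case-insensitive and the last occurrence wins.
    reqcert=$(sed -e 's/#.*//' "$conf" |
        awk 'toupper($1)=="TLS_REQCERT"{v=$2} END{print tolower(v)}')
    cacert=$(sed -e 's/#.*//' "$conf" |
        awk 'toupper($1)=="TLS_CACERT"{v=$2} END{print v}')

    case "$reqcert" in
        never|allow) echo "weak"; return 1 ;;
    esac
    [ -n "$cacert" ]  || { echo "missing"; return 1; }
    [ -f "$cacert" ]  || { echo "nofile";  return 1; }
    echo "ok"
    return 0
}

# make_samples DIR: write constructed client configs covering each outcome.
make_samples() {
    dir="$1"
    : > "$dir/cacert.pem"   # placeholder standing in for the internal CA certificate
    printf '# left over from debugging: disables certificate checking\nTLS_REQCERT never\n' \
        > "$dir/diag.conf"
    printf 'BASE dc=example,dc=com\nURI ldaps://ldap.example.com\n' \
        > "$dir/default.conf"
    printf 'URI ldaps://ldap.example.com\nTLS_CACERT %s/cacert.pem\n' "$dir" \
        > "$dir/fixed.conf"
    printf 'TLS_CACERT /nonexistent/internal-ca.pem\n' \
        > "$dir/typo.conf"
}

# Demo run over the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in diag default fixed typo; do
    printf '%-13s %s\n' "$f.conf:" "$(audit_ldap_conf "$demo_dir/$f.conf")"
done
rm -rf "$demo_dir"
```

Run it against the real file on the PHP host (`audit_ldap_conf /etc/ldap/ldap.conf`) after the fix is in place; anything other than `ok` means the LDAPS connection is either still failing for a trust reason or succeeding without checking who it is talking to. Note that the `~/.ldaprc` of the user running PHP and the `LDAPCONF` environment variable can override the system file, so audit whichever file libldap actually reads.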