PHP LDAP StartTLS to OpenDS

The OpenDS server on my laptop is using a self-signed cert. This entry briefly describes using StartTLS to avoid sending passwords over the network in clear text, even though the certificate does not check out with the client: like a root CA cert it is self-signed (and free as in beer), but no CA vouches for it.

This is certainly not for production. Instead here is a workaround for testing with the self-signed cert. Thanks to pataisjsu for posting this link, http://marc.info/?l=php-windows&m=116127873321748&w=2, on the PHP ldap_start_tls() function page.

You set up an ldap.conf file to let StartTLS proceed even if the server certificate does not check out with the client application.

  1. Set up an environment variable that points to ldap.conf.
    C:\>echo %LDAPCONF%
    C:\openldap\sysconf\ldap.conf
  2. Add one line to the ldap.conf file read by the OpenLDAP client library that PHP uses, telling the client neither to request nor to verify the server certificate:
    TLS_REQCERT never
  3. Add new code -- in auth.php and lookup.php if you downloaded the example -- just after the call to ldap_connect() to use StartTLS.
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3); // StartTLS requires LDAPv3
    ldap_start_tls($ldapconn) or die("StartTLS failed.");      // upgrade the plain connection to TLS before binding
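Going a step further than the procedure above, here is an added example (not code from the original post) that keeps the StartTLS upgrade but, instead of TLS_REQCERT never, pins the client to the exported self-signed server certificate so a swapped certificate is still detected. It assumes the LDAP_OPT_X_TLS_* constants (PHP 7.1 or later; on older PHP the same settings go in ldap.conf as TLS_CACERT and TLS_REQCERT demand), and the host, port and certificate path are placeholders.

```php
<?php
// Added example, not from the original post. Connects to OpenDS and upgrades
// to TLS with StartTLS, verifying the server against one exported self-signed
// certificate rather than skipping verification.
// Assumptions: PHP >= 7.1 for the LDAP_OPT_X_TLS_* constants; host, port and
// $caCertFile are placeholders to adjust for your own setup.

function ldap_connect_starttls(string $host, int $port, string $caCertFile, bool $verify = true)
{
    $ldapconn = ldap_connect("ldap://$host:$port");
    if ($ldapconn === false) {
        throw new RuntimeException("ldap_connect failed for $host:$port");
    }

    // StartTLS is an LDAPv3 extended operation, so request protocol version 3.
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);

    if ($verify) {
        // Same effect as "TLS_CACERT <file>" plus "TLS_REQCERT demand" in ldap.conf:
        // trust only the exported server cert and fail if the presented one differs.
        ldap_set_option($ldapconn, LDAP_OPT_X_TLS_CACERTFILE, $caCertFile);
        ldap_set_option($ldapconn, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    } else {
        // Same effect as "TLS_REQCERT never": the session is encrypted, but any
        // certificate is accepted, so an interposed server goes unnoticed. Test use only.
        ldap_set_option($ldapconn, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
    }

    // Upgrade the plaintext connection before any bind sends a password.
    if (!@ldap_start_tls($ldapconn)) {
        throw new RuntimeException('StartTLS failed: ' . ldap_error($ldapconn));
    }
    return $ldapconn;
}

// Constructed placeholder values: OpenDS host and LDAP port, and the path of the
// server certificate exported in PEM form from the OpenDS keystore.
$ldapconn = ldap_connect_starttls('localhost', 1389, 'C:\\openldap\\sysconf\\opends-server.pem');
// ... ldap_bind($ldapconn, $dn, $password) and the rest of auth.php / lookup.php follow here.
```

Passing $verify = false reproduces the TLS_REQCERT never behaviour from the steps above, which is convenient for a first test but should be switched back to verification as soon as the exported certificate is in place.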

That's it. Happy testing.

About

Mark Craig writes about Directory Services products and technologies. The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.
