Hi,

I'm trying to contact an openLDAP server from an Apache server (on Windows) using PHP over LDAPS.

Here is my sample code:

    $host="ldaps://srvLDAP";
    $port="636";
    $ds=ldap_connect($host,$port);
    ldap_set_option($ds,LDAP_OPT_PROTOCOL_VERSION,3);
    $r=ldap_bind($ds,"cn=admin,o=exemple,dc=fr","exemple");
    $sr=ldap_search($ds,"o=exemple,dc=fr",("objectClass=exemple"));
    $info=ldap_get_entries($ds,$sr);
    print $info["count"]." enregistrements trouvés.";

I spent a lot of time trying to configure my servers, and here is what I have done.

First I configured my openLDAP server:

slapd.conf:

    #cert requested for the ldapserver
    TLSCertificateFile ./ssl2/srvLDAP.cer
    TLSCertificateKeyFile ./ssl2/srvLDAP.key
    #CA cert
    TLSCACertificateFile ./ssl2/cacert.cer
    TLSVerifyClient never

ldap.conf:

    TLS_CACERT ./ssl2/cacert.cer
    TLS_REQCERT never

On my Apache server I created a folder C:\openldap\sysconf and created a file ldap.conf:

    TLS_CACERT ./ssl/cacert.cer
    TLS_REQCERT never

(I also created a folder c:\openldap\sysconf\ssl and put my CA certificate inside it.)
(Of course I activated ldap and ssl in my php.ini.)

As of now it DOES work, BUT it doesn't verify any certificate. I now want to make it verify the certificate. I know I have to change TLS_REQCERT never to TLS_REQCERT demand on the openLDAP server and the Apache server. I tried, but it doesn't work. I can't contact the ldap server.
On the openLDAP server I get the following error:

    connection_read(1176): checking for input on id=0
    TLS trace: SSL_accept:before/accept initialization
    TLS trace: SSL_accept:SSLv3 read client hello A
    TLS trace: SSL_accept:SSLv3 write server hello A
    TLS trace: SSL_accept:SSLv3 write certificate A
    TLS trace: SSL_accept:SSLv3 write certificate request A
    TLS trace: SSL_accept:SSLv3 flush data
    TLS trace: SSL_accept:error in SSLv3 read client certificate A
    TLS trace: SSL_accept:error in SSLv3 read client certificate A
    connection_get(1176): got connid=0
    connection_read(1176): checking for input on id=0
    TLS trace: SSL3 alert write:fatal:handshake failure
    TLS trace: SSL_accept:error in SSLv3 read client certificate B
    TLS: can't accept.
    TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2471
    connection_read(1176): TLS accept error error=-1 id=0, closing
    connection_closing: readying conn=0 sd=1176 for close
    connection_close: conn=0 sd=1176

That means that the openLDAP can't check the client certificate cuz PHP and Apache don't send any to it.

I heard about a ldaprc file but I can't find any information about it...

Is there somebody who can help me with this?

Thank you very much in advance.
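
An added example, not part of the original post: a PHP client that verifies the server certificate and, if slapd requests one, presents a client certificate, with the TLS settings made in code rather than in ldap.conf or ldaprc. It assumes PHP 7.1+ with the ldap extension built against OpenLDAP; the client certificate and key paths and the LDAP_BIND_PW environment variable are placeholders.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7.1+ with the ldap
// extension built against OpenLDAP. Client cert/key paths are placeholders.
function ldaps_open(string $uri, string $ca, ?string $cert = null, ?string $key = null)
{
    // Global (null handle) TLS options, set before ldap_connect().
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $ca);
    // Same effect as "TLS_REQCERT demand": reject a server certificate that
    // is missing, does not chain to $ca, or does not match the host name.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    // Needed only when slapd insists on a client certificate (the trace's
    // "peer did not return a certificate", i.e. TLSVerifyClient demand).
    if ($cert !== null && $key !== null) {
        ldap_set_option(null, LDAP_OPT_X_TLS_CERTFILE, $cert);
        ldap_set_option(null, LDAP_OPT_X_TLS_KEYFILE, $key);
    }
    $ds = ldap_connect($uri); // parses the URI only; TLS starts at bind
    if ($ds === false) {
        throw new RuntimeException("Bad LDAP URI: $uri");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    return $ds;
}

// LDAP_BIND_PW is a hypothetical environment variable. An empty password
// would turn the bind into an unauthenticated one, so refuse it.
$password = getenv('LDAP_BIND_PW');
if ($password === false || $password === '') {
    error_log('LDAP_BIND_PW is not set');
    exit(1);
}
$ds = ldaps_open(
    'ldaps://srvLDAP:636',
    'C:\\openldap\\sysconf\\ssl\\cacert.cer',
    'C:\\openldap\\sysconf\\ssl\\client.cer', // placeholder path
    'C:\\openldap\\sysconf\\ssl\\client.key'  // placeholder path
);
if (!@ldap_bind($ds, 'cn=admin,o=exemple,dc=fr', $password)) {
    // A certificate failure surfaces here as "Can't contact LDAP server";
    // the diagnostic message carries the TLS reason when there is one.
    $detail = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
    error_log(ldap_error($ds) . ' / ' . $detail);
    exit(1);
}
$sr = ldap_search($ds, 'o=exemple,dc=fr', '(objectClass=exemple)');
$info = ldap_get_entries($ds, $sr);
print $info['count'] . " entries found.\n";
```

Checking the server certificate is purely a client-side setting, so slapd can keep TLSVerifyClient never; the two client certificate arguments matter only when the server is set to demand one.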