Resolving LDAPS connectivity issues for a self-signed certificate

I was trying to connect to an LDAP server that had a self-signed certificate, but somehow the client didn't like the self-signed certificate installed on the server and failed to do an ldap_bind. I found a solution to enable ldap_bind with LDAPS. When using LDAP over SSL against a server with a self-signed certificate, the OpenLDAP client library rejects the certificate and normally no connection is established. Therefore you have to allow such connections explicitly.
On Linux (e.g. Debian, Ubuntu) you have to add "TLS_REQCERT never" to your /etc/ldap/ldap.conf; this tells the OpenLDAP client library not to request or check the server certificate at all. On other distributions this config file may be located somewhere else.

Here's the PHP test script I used to check the connection to the server:


<?php
$host = 'ldap-server.domain.com';
$port = 636;
$protocol = 'ldaps';
$base_dn = 'ou=corp,dc=organization,dc=pvt';
$domain = "@domain.pvtOrCom";   // UPN suffix appended to the username for the bind

$username = "your.username";
$password = "YourPassword";

$connection_string = "$protocol://$host:$port";
// ldap_connect() only parses the URI; the TCP/TLS connection is opened on the first operation (the bind)
$conn = @ldap_connect($connection_string) or die("Could not connect: $connection_string");
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

$ldaprdn = $username.$domain;
// With ldaps:// the TLS handshake, and therefore the certificate check, happens here
$ldapbind = @ldap_bind($conn, $ldaprdn, $password);
if ($ldapbind) {
    // Escape the username so it cannot alter the structure of the search filter
    $filter = "(samaccountname=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ")";
    $search = ldap_search($conn, $base_dn, $filter);
    if ($search) {
        $result = ldap_get_entries($conn, $search);
        if ($result['count'] > 0) {
            echo "Valid login\n";
        }
        else {
            echo "Invalid login\n";
        }
    }
    else {
        echo "ldap_search failed: " . ldap_error($conn) . "\n";
    }
}
else {
    echo "ldap_bind failed: " . ldap_error($conn) . "\n";
}
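"TLS_REQCERT never" makes the bind work by switching certificate verification off for every LDAP connection on the host, so the client can no longer tell the real server from any other endpoint presenting a certificate. The safer fix for a self-signed certificate is to trust that one certificate explicitly and keep verification on. The following is an added example, not the script from the post above; it assumes PHP 7.1 or later (for LDAP_OPT_X_TLS_CACERTFILE), the OpenLDAP client library, and that the server's certificate has been exported in PEM form to the placeholder path /etc/ssl/certs/ldap-server.pem.

```php
<?php
// Added example: pin the server's self-signed certificate instead of disabling checks.
// Equivalent /etc/ldap/ldap.conf lines (replacing "TLS_REQCERT never"):
//   TLS_CACERT  /etc/ssl/certs/ldap-server.pem
//   TLS_REQCERT demand
function ldaps_bind_pinned(string $url, string $bindDn, string $password, string $certFile)
{
    if (!is_readable($certFile)) {
        throw new RuntimeException("Server certificate file not readable: $certFile");
    }
    // TLS options are global to the OpenLDAP library and must be set before the
    // first connection is opened, i.e. before the bind below.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $certFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $conn = ldap_connect($url);
    if ($conn === false) {
        throw new RuntimeException("Malformed LDAP URL: $url");
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // A certificate that does not match $certFile (or whose CN/SAN does not match
    // the hostname in $url) now fails here instead of being silently accepted.
    if (!@ldap_bind($conn, $bindDn, $password)) {
        throw new RuntimeException("ldap_bind failed: " . ldap_error($conn));
    }
    return $conn;
}

// Constructed placeholder values; replace with your own.
$conn = ldaps_bind_pinned(
    'ldaps://ldap-server.domain.com:636',
    'your.username@domain.pvtOrCom',
    'YourPassword',
    '/etc/ssl/certs/ldap-server.pem'
);
echo "Bound over LDAPS with a verified certificate\n";
ldap_unbind($conn);
```

With TLS_REQCERT demand the hostname in the URL must match the certificate's CN or subjectAltName, so a self-signed certificate issued for a bare IP or a different name will still be rejected until it is reissued.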