Authentication of a self-signed certificate for LDAPS connection

I want to create a secure LDAP (LDAPS) connection from Linux (Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux) to a Windows 2012 server in order to change user passwords in Active Directory via PHP. To do this, I created a self-signed certificate (using Windows Server Manager) on the server, but when I try to connect I get the following error (with the debugging option turned on: ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);):

    ldap_create
    ldap_url_parse_ext(ldaps://xxx.xxx.xxx.xxx)
    ldap_bind_s
    ldap_simple_bind_s
    ldap_sasl_bind_s
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP xxx.xxx.xxx.xxx:636
    ldap_new_socket: 3
    ldap_prepare_socket: 3
    ldap_connect_to_host: Trying xxx.xxx.xxx.xxx:636
    ldap_pvt_connect: fd: 3 tm: -1 async: 0
    TLS: peer cert untrusted or revoked (0x42)
    TLS: can't connect: (unknown error code).
    ldap_err2string
    PHP Warning: ldap_bind(): Unable to bind to server

It seems that the client cannot trust the certificate because it is self-signed.

What steps should be taken to ensure a secure connection? Client-side certificates are stored in /etc/ssl/certs/ca-certificates.crt

+5
2 answers

You must explicitly tell the LDAP client to ignore untrusted certificates. You can do this by adding the following line to your ldap.conf file:

    TLS_REQCERT never

This solution is not preferred. You should add the required CA root to your client and make sure that the certificate is correctly generated with the server name in it (and, if my memory serves me, with the correct full CA chain); otherwise nothing would stop someone from carrying out a MITM attack.

+5

Your LDAP server uses a self-signed certificate, so to trust it, the LDAP client needs the certificate of the CA that issued it.

  • Place the CA certificate file in /etc/ldap/certs/myca.pem (you may need to mkdir the certs directory).
  • Add a new line with TLS_CACERT /etc/ldap/certs/myca.pem in /etc/ldap/ldap.conf. (You can see a similar line there with "/etc/ssl/certs/ca-certificates.crt".)

    $ php -a
    Interactive mode enabled
    php > ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
    ...
    ldap_init: using /etc/ldap/ldap.conf
    ...
    php > $conn = ldap_connect("your_ldap_server");
    php > ldap_start_tls($conn);

Without changing the configuration, you will see "PHP Warning: ldap_start_tls(): Unable to start TLS: Connect error in php shell code on line 1". The comments on the function documentation provide further reading, but everything there seems to go straight to the "TLS_REQCERT never" setting. Working != Safe. demand is the default value and I would leave it that way (or set it explicitly). The TLS_REQCERT documentation is here. (It also seems that if you set "never" and a later "TLS_CACERT" line follows, it will never ignore it. Ugh.)

Note: I know that you used ldaps:// and ldap_bind(), but preferably try ldap_start_tls().

STARTTLS is an alternative approach, which is now the preferred method of encrypting an LDAP connection.

+1
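The connect-then-STARTTLS sequence from the second answer, written out as a complete PHP script (an added example, not code from the question or the answers). It assumes PHP 7.1 or later for the LDAP_OPT_X_TLS_* constants, the CA file path /etc/ldap/certs/myca.pem from the answer, and placeholder values for the server name, bind DN and password; note that it connects by hostname, because certificate verification compares the name in the certificate against the name you connect to, so an IP address as in the question will not verify even with the CA installed.

```php
<?php
// Added example: open a plaintext LDAP session, upgrade it with STARTTLS, and
// fail closed if the server certificate cannot be verified against our CA.
declare(strict_types=1);

function connect_ldap_tls(string $host, string $caFile)
{
    // Global TLS options must be set before ldap_connect() (link = null).
    // This is the programmatic equivalent of "TLS_CACERT <file>" plus
    // "TLS_REQCERT demand" in /etc/ldap/ldap.conf (the default, never "never").
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $conn = ldap_connect("ldap://$host");        // port 389, still plaintext
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0); // AD: do not chase referrals

    // STARTTLS upgrades the session; an untrusted issuer or a hostname that
    // does not match the certificate fails here, before any credentials flow.
    if (!@ldap_start_tls($conn)) {
        ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        fwrite(STDERR, 'STARTTLS failed: ' . ldap_error($conn) . " ($diag)\n");
        return false;
    }
    return $conn;
}

// Placeholders: replace with the DNS name in the server certificate and a
// service account; the password comes from the environment, not the source.
$conn = connect_ldap_tls('dc01.example.internal', '/etc/ldap/certs/myca.pem');
if ($conn === false) {
    exit(1);
}
$bindDn = 'CN=svc-pwreset,OU=Service,DC=example,DC=internal';
if (!@ldap_bind($conn, $bindDn, getenv('LDAP_BIND_PW') ?: '')) {
    fwrite(STDERR, 'Bind failed: ' . ldap_error($conn) . "\n");
    exit(1);
}
echo "TLS-protected bind succeeded\n";
ldap_unbind($conn);
```

With the CA file missing or the wrong hostname, the script stops at the STARTTLS step with a verification error rather than sending the bind password over an unverified channel.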

Source: https://habr.com/ru/post/1200827/