
Re: Communicate from php/apache to openLDAP over LDAPS



On 11/06/2010, at 7:27 PM, Jérémy ESCOLANO wrote:

> According to what you are saying,
> Apache has to verify which certificate? The CA certificate? The apache
> server certificate or the ldap certificate?
> Thank you for your information, which helps me to understand better.

It should be the ldap CA certificate in this case, as apache needs to be aware of the LDAP CA.

> 
> 2010/6/11 Dieter Kluenter <dieter@dkluenter.de>
> 
>> Am Fri, 11 Jun 2010 10:53:59 +0200
>> schrieb Jérémy ESCOLANO <jeremyescolano@gmail.com>:
>> 
>>> Hi, thank you for replying,
>>> 
>>> I went a bit deeper with my problem. I can now do LDAPS, but without
>>> verifying the certificate.
>>> Here is what I did:
>>> 
>>> on the openLDAP server:
>>> 
>>> --->slapd.conf
>>> TLSCertificateFile      ./ssl2/srvLDAP.cer
>>> TLSCertificateKeyFile   ./ssl2/srvLDAP.key
>>> TLSCACertificateFile    ./ssl2/cacert.cer
>>> TLSVerifyClient         never
>>> 
>>> --->ldap.conf
>>> TLS_CACERT      ./ssl2/cacert.cer
>>> TLS_REQCERT     never
>>> 
>>> Then ran my service using: slapd -h "ldap:/// ldaps:///" -d 1
>>> 
>>> That's all for the openLDAP server, but not enough with apache.
>>> 
>>> On the apache server I created a folder C:\openldap\sysconf
>>> In this directory I created openldap.conf, and this contains:
>>> 
>>> TLS_CACERT ./ssl/cacert.cer
>>> TLS_REQCERT     never
>>> 
>>> (with cacert.cer in c:\openldap\sysconf\ssl)
>>> 
>>> It works from now BUT does NOT verify the certificate.
>> [...]
>>> TLS: can't accept.
>>> TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did
>>> not return
>>> a certificate s3_srvr.c:2471
>>> connection_read(1176): TLS accept error error=-1 id=0, closing
>>> connection_closing: readying conn=0 sd=1176 for close
>>> connection_close: conn=0 sd=1176
>>> 
>>> The question is now: how can I configure my certificate on the apache
>>> SERVER so that I will be able to do LDAPS with PHP and certificates
>>> will be verified? (I know I should ask it on the Apache list too.)
>> 
>> Bear in mind that apache is an ldap client operation, thus configure
>> ldap clients to verify the server certificate and not the server to
>> verify a client certificate.
>> 
>> -Dieter
>> 
>> --
>> Dieter Klünter | Systemberatung
>> sip: +49.40.20932173
>> http://www.dpunkt.de/buecher/2104.html
>> GPG Key ID:8EF7B6C6
>> 
>>
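Added example, not code from the thread: the client-side change Dieter describes, done from PHP itself rather than through openldap.conf. It replaces `TLS_REQCERT never` with the equivalent of `TLS_REQCERT demand` and points libldap at the CA file, so the bind fails unless the LDAP server's certificate chains to that CA. The host name, bind DN and password are assumed; the CA path follows the directory layout from the thread but is written as an absolute path.

```php
<?php
// Added example (not from the thread). Assumed values: host, bind DN,
// password. CA path follows the thread's C:\openldap\sysconf layout.
const LDAP_URI = 'ldaps://ldap.example.internal:636';          // assumed host
const CA_FILE  = 'C:\openldap\sysconf\ssl\cacert.cer';          // absolute path assumed
const BIND_DN  = 'cn=reader,dc=example,dc=internal';            // assumed
const BIND_PW  = 'change-me';                                   // assumed

/**
 * Open an LDAPS link that will only complete the TLS handshake if the
 * server certificate verifies against $caFile. Returns the link or false.
 * Equivalent to ldap.conf "TLS_CACERT <file>" + "TLS_REQCERT demand".
 */
function ldaps_connect_verified(string $uri, string $caFile)
{
    // Global libldap TLS options (link = null) must be set before the
    // first TLS handshake in the process. LDAP_OPT_X_TLS_CACERTFILE needs
    // PHP 7.1+; LDAP_OPT_X_TLS_REQUIRE_CERT needs PHP 7.0.5+.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ld = ldap_connect($uri);   // ldap_initialize: no network I/O yet
    if ($ld === false) {
        return false;
    }
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    return $ld;
}

$ld = ldaps_connect_verified(LDAP_URI, CA_FILE);
if ($ld === false) {
    fwrite(STDERR, "ldap_connect failed\n");
    exit(1);
}

// The TLS handshake, and therefore certificate verification, happens on
// the first operation: the bind. A server cert that does not chain to
// CA_FILE makes the bind fail instead of silently proceeding.
if (!@ldap_bind($ld, BIND_DN, BIND_PW)) {
    $diag = '';
    ldap_get_option($ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);   // PHP 7.1+
    fwrite(STDERR, 'bind failed: ' . ldap_error($ld) . " $diag\n");
    exit(1);
}
echo "bound over LDAPS with a verified server certificate\n";
ldap_unbind($ld);
```

The options are per process, so under Apache they apply to every PHP script in that worker once set; setting them in the script that first opens the LDAP link is the reliable place.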