
Re: Communicate from php/apache to openLDAP over LDAPS



According to what you are saying,
which certificate does Apache have to verify? The CA certificate, the Apache server certificate, or the LDAP certificate?
Thank you for your information, which helps me understand better.



2010/6/11 Dieter Kluenter <dieter@dkluenter.de>
On Fri, 11 Jun 2010 10:53:59 +0200,
Jérémy ESCOLANO <jeremyescolano@gmail.com> wrote:

> Hi, thank you for replying,
>
> I went a bit deeper into my problem; I can now do LDAPS, but without
> verifying the certificate.
> Here is what I did:
>
> on the openLDAP server:
>
> --->slapd.conf
> TLSCertificateFile      ./ssl2/srvLDAP.cer
> TLSCertificateKeyFile   ./ssl2/srvLDAP.key
> TLSCACertificateFile    ./ssl2/cacert.cer
> TLSVerifyClient         never
>
> --->ldap.conf
> TLS_CACERT      ./ssl2/cacert.cer
> TLS_REQCERT     never
>
> Then I ran my service using: slapd -h "ldap:/// ldaps:///" -d 1
>
> That's all for the openLDAP server, but it is not enough with Apache.
>
> On the Apache server I created a folder C:\openldap\sysconf;
> in this directory I created openldap.conf, which contains:
>
> TLS_CACERT ./ssl/cacert.cer
> TLS_REQCERT     never
>
> (with cacert.cer in c:\openldap\sysconf\ssl)
>
> It works now, BUT it does NOT verify the certificate.
[...]
> TLS: can't accept.
> TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did
> not return
>  a certificate s3_srvr.c:2471
> connection_read(1176): TLS accept error error=-1 id=0, closing
> connection_closing: readying conn=0 sd=1176 for close
> connection_close: conn=0 sd=1176
>
> The question now is: how can I configure my certificate on the Apache
> SERVER so that I will be able to do LDAPS with PHP and certificates
> will be verified? (I know I should ask it on the Apache list too.)

Bear in mind that Apache is an LDAP client here, so configure the
LDAP client to verify the server certificate, not the server to
verify a client certificate.

-Dieter

--
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
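
For reference, here is what the client-side change Dieter describes looks like in the file Jérémy is already editing. This is an added example, not a file from the original thread: the weak fragment is the one posted above, the corrected one is what I would use. The path C:\openldap\sysconf\openldap.conf is the one from the post; the absolute path to cacert.cer is an assumption (the posted relative ./ssl/... path only works if the process's working directory is C:\openldap\sysconf, which is not guaranteed under Apache).

```conf
# Added example (not from the original thread): OpenLDAP client config on the
# Apache/PHP host, i.e. C:\openldap\sysconf\openldap.conf as used in the post.
# Paths are assumptions for this setup; adjust them to where cacert.cer lives.

# --- weak: the fragment posted above. TLS is used, but the server
# --- certificate is never checked, so any certificate is accepted.
#TLS_CACERT   ./ssl/cacert.cer
#TLS_REQCERT  never

# --- corrected: require a server certificate that chains to our CA.
# --- "demand" makes libldap reject the connection if the chain does not
# --- verify or if the host name in the ldaps:// URI does not match the
# --- certificate (CN or subjectAltName). "demand" is also the default when
# --- TLS_REQCERT is left unset.
TLS_CACERT   C:\openldap\sysconf\ssl\cacert.cer
TLS_REQCERT  demand
```

Two practical notes. First, nothing needs to change on the slapd side for this: TLSVerifyClient never stays as posted unless you actually intend to authenticate clients by certificate, which is what produced the "peer did not return a certificate" error in the quoted log. Second, before involving PHP, check the client configuration with the command-line tools from the same host, e.g. ldapsearch -H ldaps://<the host name in the certificate>/ -x -b "" -s base; the environment variables LDAPTLS_CACERT and LDAPTLS_REQCERT override the file for a one-off test, so LDAPTLS_REQCERT=demand failing while LDAPTLS_REQCERT=never succeeds tells you the problem is the CA file or the host name, not PHP.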