Php ldap and Custom CA signed certificates

05:38 yalazi 0 Comments


Have you ever had a problem connecting a secure ldap server using php's ldap functions?

It is probably caused by certificate trust issues and 9 out of 10 times root cause is the custom CA can not be recognized by php interpreter.  And as any self respecting devops engineer would solve it by introducing CA's certificate to the system.

But php is a damned monster the normal way to do this, putting the certificate to cacerts dir never works. Even adding  
TLS_CACERT [full.path.to.ca.cert]
line into ldap.conf won't help you. Of course some lucky ones with special deals with Murphy may not have this issue. But believe me, php.net's documentation comments and the internet are full of unresolved ca issues. And sometimes the solution presented is "recompile php with openssl/gnutls/libressl with this custom conf".

If the hell has not opened doors and the earth is not full with demons this solution can not be accepted. there must be a solution.

And of course there is a simple one. PHP uses openssl and openssl respects some environment variables even if you can not make it respect an ldap.conf file. So adding the following lines to your php app with the corresponding paths to your case will fix the issue:

<?php
   putenv('LDAPTLS_CACERTDIR=/etc/ssl/certs/');
   putenv('LDAPTLS_CACERT=/etc/ssl/certs/myCustomCA.crt');
?>

But sometimes even adding ca cert can not be enough. You may have expired certificates or something. So you may need to scrape away the whole certificate validation process. Adding

<?php
   putenv('LDAPTLS_REQCERT=never');
?>
Line to the beginning of your script would solve this issue. And I strongly advice you against doing this.

But this is a simple work around which would work for small scripts or isolated incidents. If you have an established application and you can not modify it? It's one solution to set this environment variables globally in the php server or you may use php's mostly unknown and discarded gem auto_prepend_file.

Just create a file with only the envirionment variable setting lines and use php.ini to prepend this to all php files.





0 yorum: