Posted to users@httpd.apache.org by Jérémy ESCOLANO <je...@gmail.com> on 2010/06/10 10:48:20 UTC

[users@httpd] Configuring apache to use LDAP over SSL on PHP

Hi

I'm writing from France cuz I'm having a big problem with apache and ldap.
Let me explain:

I would like to make an Apache server communicate in PHP with an OpenLDAP
server (both servers are under win srv 2003), using the LDAPS protocol.

In order to activate LDAPS on my OpenLDAP srv (srvLDAP), I created
self-signed certificates with OpenSSL. I got 3 files:


cacert.pem
srvLDAP.pem
srvLDAP.key


I configured my slapd.conf file and ldap.conf file (OpenLDAP side) like this:

slapd.conf
[code]
TLSCertificateFile      ./ssl/srvLDAP.pem
TLSCertificateKeyFile   ./ssl/srvLDAP.key
TLSCACertificateFile    ./ssl/cacert.pem
[/code]

ldap.conf
[code]
BASE    <ma branche>
URI     ldaps://srvLDAP/
TLS_CACERT      ./ssl/cacert.pem
TLS_REQCERT     demand
[/code]


I launched my openLDAP service, and checked ldaps protocol was okay, using
this command :



C:\Program Files\OpenLDAP>ldapsearch -b o=exemple,dc=fr -s sub -x -w pass -D cn=admin,o=exemple,dc=fr -H ldaps://srvLDAP/


Now I would like, from the remote Apache server, to communicate with the
OpenLDAP server using the LDAPS protocol.

Here is my simplified PHP code

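<h2>LDAP OPENLDAP LDAPS</h2>
<?php
// The ldaps:// scheme selects LDAP over SSL; 636 is the standard LDAPS port.
$host="ldaps://srvldap";
$port="636";
$ds=ldap_connect($host,$port);
ldap_set_option($ds,LDAP_OPT_PROTOCOL_VERSION,3);
// Bind as the directory administrator.
$r=ldap_bind($ds,"cn=admin,o=exemple,dc=fr","pass" );
// Search under the same base DN as the ldapsearch test above.
$sr=ldap_search($ds,"o=exemple,dc=fr",("objectClass=maclasse" ));
$info=ldap_get_entries($ds,$sr);
// Prints the number of records found.
print $info["count"]." enregistrements trouvés.";
?>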

I get this error:


Unable to bind to server: Can't contact LDAP server


I know I have to configure certificates in the Apache server configuration.
I tried to do this according to several internet resources but didn't succeed.
I also read this link:
http://forum.hardware.fr/hfr/OSAlternatifs/Logiciels-2/certificats-securisee-connexion-sujet_65365_1.htm
which is a French link that talks about ldap.conf and ldaprc files to put
on the Apache server. I did it but nothing happened.

Well, I'm lost in all this stuff, that is why I'm asking for help to
configure my servers to use LDAPS with PHP.

Do you have information that could help me ?

I thank you in advance

RE: [users@httpd] Configuring apache to use LDAP over SSL on PHP

Posted by Emmanuel Bailleul <Em...@telindus.fr>.
>From: Jérémy ESCOLANO [mailto:jeremyescolano@gmail.com]
>Sent: Thursday, 10 June 2010 14:12
>To: users@httpd.apache.org
>Subject: Re: [users@httpd] Configuring apache to use LDAP over SSL on PHP

>Actually this is about configuring Apache server to allow it to communicate with LDAP server, that is why I'm asking here, but of course I'll try to get some help on PHP list.

>Though, I heard about a ldaprc and ldap.conf file for apache? Can somebody give me information about these files? (What are they used for, and in which folder do we have to put them? (on Windows server))
>Thanks


Hi Jérémy,

In fact it's not Apache that does LDAPS to your directory but php (see for example the php 'ldap_connect' directive to convince yourself).
Having already had to fight with this kind of setup, I found all I needed to know in this article :
http://forums.opensuse.org/network-internet/401522-performing-ldapsearch-over-tls-ssl-against-active-directory.html

and was able to get rid of my issues.
Please note that the ldap.conf file mentioned in the article does not belong to Apache distrib but rather to the client side of the ldap (openldap) config of your box.

Regards.

Emmanuel

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Configuring apache to use LDAP over SSL on PHP

Posted by Tom Evans <te...@googlemail.com>.
On Fri, Jun 11, 2010 at 10:17 AM, Jérémy ESCOLANO
<je...@gmail.com> wrote:
> Thank you for your help, I went a bit deeper with my problem
> ...
> I just want to make clear that I don't want to do LDAP authentication
> with an apache folder but just do LDAPS with PHP.
> I thank you in advance.
>

Then it has nothing to do with apache, you really must go to a PHP mailing list:

http://www.php.net/mailing-lists.php

Cheers

Tom



Re: [users@httpd] Configuring apache to use LDAP over SSL on PHP

Posted by Jérémy ESCOLANO <je...@gmail.com>.
Thank you for your help, I went a bit deeper with my problem

Here is what I did:
On my openLDAP server :
slapd.conf:
#cert requested for the ldapserver
TLSCertificateFile      ./ssl2/srvLDAP.cer
TLSCertificateKeyFile   ./ssl2/srvLDAP.key
#CA cert
TLSCACertificateFile    ./ssl2/cacert.cer
TLSVerifyClient         never

ldap.conf:

TLS_CACERT      ./ssl2/cacert.cer
TLS_REQCERT     never

Then, on the Apache server, I created a folder C:\openldap\sysconf and inside
this folder a file ldap.conf:

TLS_CACERT ./ssl/cacert.cer
TLS_REQCERT     never

It does WORK BUT it doesn't verify the certificate. I need now to make it
work with the certificate,

I know I have to change TLS_CACERT ./ssl/cacert.cer never to TLS_CACERT
./ssl/cacert.cer demand

But I think I also need to specify the certificate (and the key), I created
for my apache server...

But how ?

I just want to make clear that I don't want to do LDAP authentication
with an apache folder but just do LDAPS with PHP.

I thank you in advance.




2010/6/10 Tom Evans <te...@googlemail.com>

> On Thu, Jun 10, 2010 at 1:11 PM, Jérémy ESCOLANO
> <je...@gmail.com> wrote:
> > Actually this is about configuring Apache server to allow it to communicate
> > with LDAP server, that is why I'm asking here, but of course I'll try to get
> > some help on PHP list.
> > Though, I heard about a ldaprc and ldap.conf file for apache? Can somebody
> > give me information about these files? (What are they used for, and in
> > which folder do we have to put them? (on Windows server))
> > Thanks
> >
>
> .ldaprc is a per-user configuration file for configuring the
> tools of openldap. It should be in your home directory.
> ldap.conf is a per-system configuration file for doing the same thing
> as .ldaprc. On Unix, it is installed in $PREFIX/etc/openldap/ldap.conf.
> Both these files can be used to supply configuration settings for
> connecting to an LDAP server.
>
> You never mention it is for apache to communicate with LDAP, you
> showed us your slapd.conf, some PHP code and an error from your PHP
> code.
>
> If you want to do apache authentication with LDAP, then you had better
> say so, say what you've tried, and provide the  appropriate error
> messages apache gives you.
>
> Cheers
>
> Tom
>
>
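
The PHP side of what the message above asks for, LDAPS with the server certificate actually verified, as an added example that is not code from any poster in this thread. It assumes PHP 7.1 or later built against OpenLDAP's libldap; the CA file path and the LDAP_BIND_PW environment variable are placeholders, while the host, DNs and filter are the thread's own values.

```php
<?php
// Added example. Assumes PHP 7.1+ built against OpenLDAP's libldap.
// CA_FILE and the LDAP_BIND_PW variable are placeholders for illustration.
const CA_FILE = 'C:/openldap/sysconf/ssl/cacert.pem';

function ldaps_search(string $uri, string $bindDn, string $password,
                      string $base, string $filter): array
{
    // An empty password turns a simple bind into an unauthenticated bind,
    // which some servers accept: never treat that as a successful login.
    if ($password === '') {
        throw new InvalidArgumentException('Empty bind password refused');
    }
    // libldap reads TLS settings when it builds its TLS context, so set them
    // globally (NULL link) before ldap_connect(). Verifying the server needs
    // only the CA certificate; a client cert/key is needed only when slapd
    // asks for one (TLSVerifyClient other than "never").
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, CA_FILE);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    // ldaps:// implies port 636. The host name must match the certificate's
    // subject, otherwise "demand" rejects the connection.
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("Invalid LDAP URI: $uri");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // The TLS handshake runs on the first operation, so a certificate
    // failure shows up here, typically as "Can't contact LDAP server".
    if (!@ldap_bind($ds, $bindDn, $password)) {
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
        throw new RuntimeException('Bind failed: ' . ldap_error($ds) . " ($detail)");
    }
    $sr = ldap_search($ds, $base, $filter);
    if ($sr === false) {
        throw new RuntimeException('Search failed: ' . ldap_error($ds));
    }
    $entries = ldap_get_entries($ds, $sr);
    ldap_unbind($ds);
    return $entries;
}

try {
    $info = ldaps_search('ldaps://srvLDAP', 'cn=admin,o=exemple,dc=fr',
        (string) getenv('LDAP_BIND_PW'), 'o=exemple,dc=fr', '(objectClass=maclasse)');
    echo $info['count'] . " entries found\n";
} catch (Exception $e) {
    error_log($e->getMessage());
    echo "LDAP lookup failed\n";
}
```

The diagnostic message logged on a failed bind usually carries the underlying TLS error, which distinguishes an untrusted CA or a host-name mismatch from a server that is simply unreachable.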

Re: [users@httpd] Configuring apache to use LDAP over SSL on PHP

Posted by Tom Evans <te...@googlemail.com>.
On Thu, Jun 10, 2010 at 1:11 PM, Jérémy ESCOLANO
<je...@gmail.com> wrote:
> Actually this is about configuring Apache server to allow it to communicate
> with LDAP server, that is why I'm asking here, but of course I'll try to get
> some help on PHP list.
> Though, I heard about a ldaprc and ldap.conf file for apache? Can somebody
> give me information about these files? (What are they used for, and in
> which folder do we have to put them? (on Windows server))
> Thanks
>

.ldaprc is a per-user configuration file for configuring the
tools of openldap. It should be in your home directory.
ldap.conf is a per-system configuration file for doing the same thing
as .ldaprc. On Unix, it is installed in $PREFIX/etc/openldap/ldap.conf.
Both these files can be used to supply configuration settings for
connecting to an LDAP server.

You never mention it is for apache to communicate with LDAP, you
showed us your slapd.conf, some PHP code and an error from your PHP
code.

If you want to do apache authentication with LDAP, then you had better
say so, say what you've tried, and provide the  appropriate error
messages apache gives you.

Cheers

Tom



Re: [users@httpd] Configuring apache to use LDAP over SSL on PHP

Posted by Jérémy ESCOLANO <je...@gmail.com>.
Actually this is about configuring Apache server to allow it to communicate
with LDAP server, that is why I'm asking here, but of course I'll try to get
some help on PHP list.

Though, I heard about a ldaprc and ldap.conf file for apache? Can somebody
give me information about these files? (What are they used for, and in
which folder do we have to put them? (on Windows server))
Thanks




2010/6/10 Eric Covener <co...@gmail.com>

> On Thu, Jun 10, 2010 at 4:48 AM, Jérémy ESCOLANO
> <je...@gmail.com> wrote:
> > Hi
> > I'm writing from France cuz I'm having a big problem with apache and ldap.
> > Let me explain:
>
>
> Configuring php to access an LDAP server is off-topic on this list,
> you'd probably have better luck on a PHP list.
>
> --
> Eric Covener
> covener@gmail.com
>
>

Re: [users@httpd] Configuring apache to use LDAP over SSL on PHP

Posted by Eric Covener <co...@gmail.com>.
On Thu, Jun 10, 2010 at 4:48 AM, Jérémy ESCOLANO
<je...@gmail.com> wrote:
> Hi
> I'm writing from France cuz I'm having a big problem with apache and ldap.
> Let me explain:


Configuring php to access an LDAP server is off-topic on this list,
you'd probably have better luck on a PHP list.

-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] Configuring apache to use LDAP over SSL on PHP

Posted by Tom Evans <te...@googlemail.com>.
On Thu, Jun 10, 2010 at 9:48 AM, Jérémy ESCOLANO
<je...@gmail.com> wrote:
> Hi
> I'm writing from France cuz I'm having a big problem with apache and ldap.
> Let me explain:
> I would like to make an Apache server communicate in PHP with an OpenLDAP
> server (both servers are under win srv 2003), using the LDAPS protocol.

Sorry, I don't know. Try specifying the IP address of the ldap server,
perhaps it cannot resolve the name.

You will have more luck asking this on a PHP list rather than an Apache list.

Cheers

Tom
