LDAPS setup
When using LDAPS, specify the ldaps:// scheme at the beginning of the hostname and use port 636, for example: ldaps://passwork.local:636
To enable LDAPS, the Passwork server must trust the CA that issued the LDAPS server's certificate, i.e. the root CA certificate and any intermediate CA certificates in the chain.
Certificates must be PEM (base64) encoded and saved with the .crt extension.
On Debian-based systems (Debian, Ubuntu), create the directory /usr/local/share/ca-certificates/ if it does not exist:
Place the CA certificate(s) for the LDAPS server in that directory:
Update the trust store:
On Red Hat-based systems (RHEL, CentOS, Fedora), allow dynamic configuration of the trust store (only needed on older releases where it is not enabled by default):
Place the CA certificate(s) for the LDAPS server in the /etc/pki/ca-trust/source/anchors/ directory:
Update the trust store:
If Passwork runs in Docker, copy the root CA certificate (and any intermediate CA certificates) as .pem or .crt files into ./conf/custom_ca and restart the PHP container:
PHP for Windows uses its own certificate store: the PHP LDAP extension is built on the OpenLDAP client library, which reads its own configuration file and ignores the Windows certificate store. As such, if Passwork is installed on a Windows Server, the LDAP extension will not accept the LDAP server certificate even after it has been imported into the Windows trusted certificate store.
For PHP to accept the certificate, you need to:
- Create an openldap folder in the root of the system drive (C:\openldap)
- Create a sysconf folder inside it (C:\openldap\sysconf)
- Create a ldap.conf file in the sysconf folder with the following lines:
where TLS_CACERT gives the full path to the CA certificate file. The OpenLDAP client on Windows looks for this file at C:\openldap\sysconf\ldap.conf, which is why the folder names matter.
Please note:
- A certificate file with the .cer extension must contain the root certificate and all intermediate certificates (concatenated, one after another) for the connection to the LDAPS server to succeed;
- The certificate must be in Base-64 (PEM) format. If you open the file in Notepad you should see text beginning with -----BEGIN CERTIFICATE-----; if you see binary characters instead, the file is DER-encoded and must be exported again as Base-64 encoded X.509.
To check for certificate problems during the TLS handshake with the LDAPS server, execute the following command:
To verify the certificate chain offline, execute the following command:
- Use the -CAfile option to specify the certificate of the CA that issued the LDAPS server certificate
- Use the -untrusted option to specify the certificates of any intermediate CAs in the chain (if there are any); the LDAPS server certificate itself is the file passed as the certificate to verify
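The checks described above, as an added runnable example that is not code from the Passwork documentation or product. Because it has to run offline, it builds a throwaway root, intermediate and server chain with openssl first, so the host name passwork.local, the file names and the scratch directory are all assumptions. It then runs the base64/PEM format check from the note above and the -CAfile/-untrusted verification, showing the two ways the latter fails (intermediate missing, host name not in the certificate). The openssl s_client probe from the handshake test is included as a function but needs a reachable server, so the example does not call it. Requires openssl 1.1.1 or newer.

```bash
#!/usr/bin/env bash
# Added example, not part of the Passwork documentation or product.
# Builds a throwaway root -> intermediate -> server chain (all names, paths
# and the host passwork.local are assumptions) and runs the checks the text
# describes: PEM/base64 format check and "openssl verify" with -CAfile/-untrusted.
set -euo pipefail

HOST="passwork.local"             # assumed LDAPS host name
WORK="$(mktemp -d)"               # scratch directory for the demo chain
trap 'rm -rf "$WORK"' EXIT

# --- demo chain standing in for the real CA and LDAPS server ---
build_demo_chain() {
  # Self-signed root CA (extensions given explicitly via -extfile).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$WORK/root.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
    -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null
  # Intermediate CA signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Issuing CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null
  # LDAPS server certificate signed by the intermediate, host name in the SAN.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
    -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$HOST" \
    > "$WORK/ldap.ext"
  openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/ldap.ext" -out "$WORK/ldap.crt" 2>/dev/null
}

# --- format check: trust stores and ldap.conf need base64 (PEM), not binary DER ---
is_pem() {            # $1 = certificate file; returns 0 if it is PEM text
  head -n 1 "$1" | grep -aq 'BEGIN CERTIFICATE'
}
to_pem() {            # $1 = DER input, $2 = PEM output (what a binary .cer export needs)
  openssl x509 -inform der -in "$1" -out "$2"
}

# --- chain check as described in the text ---
# -CAfile: trusted root that ultimately issued the server certificate
# -untrusted: intermediate CA certificates, only used to build the path
# positional argument: the LDAPS server certificate being verified
# -verify_hostname: also confirm the certificate is valid for the host we connect to
verify_chain() {      # $1 = root CA, $2 = intermediates, $3 = server cert, $4 = host
  openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$4" "$3" >/dev/null 2>&1
}
# Same check without the intermediates: this is how a .cer lacking them fails.
verify_without_intermediates() {   # $1 = root CA, $2 = server cert
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# --- live handshake check against a real server (needs network, not run below) ---
probe_ldaps() {       # $1 = host, $2 = CA file; success prints "Verify return code: 0 (ok)"
  openssl s_client -connect "$1:636" -servername "$1" -CAfile "$2" </dev/null 2>/dev/null \
    | grep 'Verify return code'
}

main() {
  build_demo_chain
  is_pem "$WORK/ldap.crt" && echo "ldap.crt is PEM (base64)"
  # Simulate a binary .cer export from the Windows certificate MMC and convert it.
  openssl x509 -in "$WORK/ldap.crt" -outform der -out "$WORK/ldap.cer"
  is_pem "$WORK/ldap.cer" || echo "ldap.cer is DER, converting to PEM"
  to_pem "$WORK/ldap.cer" "$WORK/ldap-converted.crt"
  verify_chain "$WORK/root.crt" "$WORK/int.crt" "$WORK/ldap-converted.crt" "$HOST" \
    && echo "full chain verifies for $HOST"
  verify_without_intermediates "$WORK/root.crt" "$WORK/ldap.crt" \
    || echo "without the intermediate the server certificate does NOT verify"
  verify_chain "$WORK/root.crt" "$WORK/int.crt" "$WORK/ldap.crt" "other.local" \
    || echo "chain is fine but other.local is not a name in the certificate"
}
main "$@"
```

To check a real deployment, call verify_chain with your root CA file, a file holding the intermediate CA certificates, and the server certificate exported from the LDAPS server (for example with openssl s_client -showcerts), and call probe_ldaps against the host once the CA file is in place; anything other than "Verify return code: 0 (ok)" means the trust store or the chain is still incomplete.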