LDAPS setup
When using LDAPS, you need to explicitly specify the ldaps:// protocol at the beginning of the host name, for example:
For LDAPS to work, your OS should have trusted certificates of the CA (certificate authority) that issued the LDAPS server certificate.
Certificates must be in the .crt format
1. Allow dynamic configuration of the trust store:
2. Place the LDAPS server certificate in the following directory:
3. Update the trust store:
1. Allow dynamic configuration of the trust store:
2. Place the LDAPS server certificate in the /etc/pki/ca-trust/source/anchors/ directory:
3. Update the trust store:
To make a root LDAPS certificate a trusted one, you need to copy a .pem or .crt certificate into ./conf/custom_ca and restart the PHP container:
PHP for Windows uses its own certificate store. As such, if Passwork is installed on a Windows Server, the PHP module responsible for LDAP will not accept the LDAP server certificate, even if it has been added to the Windows trusted certificate store.
For PHP to accept the certificate, you need to:
- Create an openldap folder in your system root directory
- Create a sysconf folder in the openldap folder
- Create a ldap.conf file in the sysconf folder with the following lines:
Where TLS_CACERT is the path to your certificate.
Please note:
- A certificate with the .cer extension must include both the root and all intermediate certificates to connect correctly to the LDAPS server;
- The certificate must be in base64 format. If you open the certificate file with Notepad, you will see the certificate hash.
To test for possible certificate issues during connection, execute the following command:
To verify the certificates, execute the following command:
- Use the -CAfile directive to specify the certificate of the CA that issued the LDPAS server certificate
- Use the -untrusted directive to specify the LDAPS server certificate and the certificates of intermediate servers in the chain (if you have them)
