
LDAPS setup


When using LDAPS, you need to explicitly specify the ldaps:// protocol at the beginning of the host name, for example:

$ldaphost="ldaps://passwork.local:636";

For LDAPS to work, your OS must trust the CA (certificate authority) that issued the LDAPS server certificate, i.e. that CA's certificate must be present in the OS trust store.



Installing certificates

Certificates must be in the .crt format.

Ubuntu/Debian

1. Allow dynamic configuration of the trust store:

Shell


2. Place the LDAPS server certificate in the following directory:

Shell


3. Update the trust store:

Shell


CentOS

1. Allow dynamic configuration of the trust store:

Shell


2. Place the LDAPS server certificate in the /etc/pki/ca-trust/source/anchors/ directory:

Shell


3. Update the trust store:

Shell


Docker

To make a root LDAPS certificate a trusted one, you need to copy a .pem or .crt certificate into ./conf/custom_ca and restart the PHP container:

Shell


Windows

PHP for Windows uses its own certificate store. As such, if Passwork is installed on a Windows Server, the PHP module responsible for LDAP will not accept the LDAP server certificate, even if it has been added to the Windows trusted certificate store.

For PHP to accept the certificate, you need to:

  1. Create an openldap folder in your system root directory
  2. Create a sysconf folder in the openldap folder
  3. Create an ldap.conf file in the sysconf folder with the following lines:
Windows


Where TLS_CACERT is the path to your certificate.

Make sure that the certificate is in base64 format. When opening a certificate file with Notepad, you will see the certificate's hash. If the format is different, you need to export the required root certificate in base64.



LDAPS debugging

To test for possible certificate issues during connection, execute the following command:

Shell


To verify the certificates, execute the following command:

Shell

  • Use the -CAfile option to specify the certificate of the CA that issued the LDAPS server certificate
  • Use the -untrusted option to specify the LDAPS server certificate and the certificates of any intermediate CAs in the chain (if you have them)



Updated 03 Sep 2024