
Updated: How to Connect Securely to LDAP using PHP

Novell Cool Solutions: Tip
By Bryan Thoreson


Updated: 1 Mar 2006
 

To connect securely to LDAP using PHP,

1. Make sure your PHP install has both the ldap and openssl extensions enabled.

Windows/Linux Procedure

2. Verify the ldap.conf file settings.

a. For Windows, verify that the C:\openldap\sysconf\ldap.conf file exists.

b. For Linux, verify that the /etc/openldap/ldap.conf file exists. If it does not, create it.

c. For both Linux and Windows, the ldap.conf file should contain this line:

TLS_REQCERT     never

3. If you want PHP to verify the LDAP server's SSL certificate against the Certificate Authority that issued it, install the CA's root certificate as follows:

a. Export the trusted root certificate. (For details, see Step 1 in How to test LDAP over SSL.)

b. Use this command to convert the certificate from DER to PEM format:

openssl x509 -in RootCert.der -inform DER -out RootCert.pem -outform PEM

c. On Windows you can download OpenSSL binaries from these two sites:

4. Copy rootcert.pem to the certs folder:

a. For Linux, /etc/openldap/cert/rootcert.pem

b. For Windows, C:\openldap\sysconf\certs\rootcert.pem

c. For both Linux and Windows, the ldap.conf file should contain this line:

(Linux)  TLS_CACERT /etc/openldap/cert/rootcert.pem
(Windows) TLS_CACERT c:\OpenLDAP\sysconf\certs\rootcert.pem

NetWare Procedure

Copy your tree's ROOTCERT.DER file to this location:
SYS:php5/certs.

Connection Code

Here are the snippets of code that should get you connected. Try either example.

Example 1

<?php
// This code uses the START_TLS command: it connects on the plain LDAP port (389)
// and upgrades the session to TLS before any credentials are sent.

$ldaphost     = "ldap://ldap.hostname.something";
$ldapUsername = "cn=username,o=novell";
$ldapPassword = "password";

// ldap_connect only parses the URL; nothing is sent until the first operation.
$ds = ldap_connect($ldaphost);

// START_TLS requires LDAPv3, so set the protocol version first.
if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
    print "Could not set LDAPv3\r\n";
} else if (!ldap_start_tls($ds)) {
    print "Could not start secure TLS connection\r\n";
} else {
    // Now we need to bind to the LDAP server; the credentials travel inside TLS.
    $bth = ldap_bind($ds, $ldapUsername, $ldapPassword)
        or die("\r\nCould not connect to LDAP server\r\n");
}
?>

Example 2

<?php
// This code goes directly to the SSL port (636): the ldaps:// scheme makes
// libldap negotiate TLS as soon as the TCP connection is opened.

$ldaphost     = "ldaps://ldap.hostname.something";
$ldapUsername = "cn=username,o=novell";
$ldapPassword = "password";

// ldap_connect only parses the URL; the TLS handshake happens at the first operation.
$ds = ldap_connect($ldaphost);

if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
    print "Could not set LDAPv3\r\n";
} else {
    // Now we need to bind to the LDAP server; a failed TLS handshake surfaces here.
    $bth = ldap_bind($ds, $ldapUsername, $ldapPassword)
        or die("\r\nCould not connect to LDAP server\r\n");
}
?>
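As an added example (not code from the original tip), here is the same START_TLS connection as Example 1, but with the server certificate checked against the root certificate from step 4 from inside PHP, so the TLS_REQCERT never line in ldap.conf is not needed for it to work. It assumes an OpenLDAP-based libldap that honours the LDAPTLS_* environment variables described in ldap.conf(5); the host, DN and CA path are the tip's placeholders, and the function name secureBind is mine.

```php
<?php
// Added example: START_TLS with server-certificate verification forced on.
// Assumes OpenLDAP libldap; CA file path is the Linux location from step 4a.

$ldaphost     = "ldap://ldap.hostname.something";
$ldapUsername = "cn=username,o=novell";
$ldapPassword = getenv("LDAP_PASSWORD") ?: "password";  // keep secrets out of source
$caCert       = "/etc/openldap/cert/rootcert.pem";       // rootcert.pem from step 4a

// Returns array(connection-or-false, message). Hypothetical helper name.
function secureBind($host, $dn, $pw, $caCert)
{
    if (!is_readable($caCert)) {
        return array(false, "CA file $caCert is not readable; verification would fail");
    }

    // libldap reads LDAPTLS_* from the environment when it initialises, so these
    // must be set before the first ldap_* call in this process (see ldap.conf(5)).
    // "demand" fails the handshake unless the server cert chains to $caCert;
    // the tip's "never" accepts any certificate, including a forged one.
    putenv("LDAPTLS_REQCERT=demand");
    putenv("LDAPTLS_CACERT=$caCert");

    $ds = ldap_connect($host);              // only parses the URL
    if ($ds === false) {
        return array(false, "Malformed LDAP URL: $host");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);  // never chase referrals with credentials

    // With REQCERT=demand an untrusted certificate fails here, before the bind
    // ever sends the password; @ suppresses the PHP warning so we can report it.
    if (!@ldap_start_tls($ds)) {
        return array(false, "START_TLS failed: " . ldap_error($ds));
    }
    if (!@ldap_bind($ds, $dn, $pw)) {
        return array(false, "Bind failed: " . ldap_error($ds));
    }
    return array($ds, "Bound to $host over a verified TLS session");
}

list($ds, $msg) = secureBind($ldaphost, $ldapUsername, $ldapPassword, $caCert);
print $msg . "\r\n";
if ($ds) {
    ldap_unbind($ds);
}
?>
```

If the message reports a START_TLS failure, ldap_error usually says "Can't contact LDAP server" while the underlying cause is the certificate check; the same script run with LDAPTLS_REQCERT=never will then succeed, which is exactly the gap the verification closes.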

If you have any questions you may contact Bryan at thor@umn.edu


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell