Making php on RHEL 6 use ldaps

This was not as straightforward as it should have been. If you need to do LDAPS (LDAP over SSL) connections in your php scripts the following may help.

There are actually 3 things that need to be done before you can even think about invoking an LDAPS connection in a php script on RHEL (Red Hat Enteprise Linux) 6 when you’re using self-signed certs (isn’t everyone?).

1. Edit /etc/openldap/ldap.conf to include the following:

TLS_REQCERT never
TLS_CACERTDIR /etc/pki/tls/certs

Setting TLS_REQCERT is not required here if your server’s cert was signed by an enterprise CA and that CA’s cert is in the path set by TLS_CACERTDIR (which I recommend you make /etc/pki/tls/certs to keep things consistent). You can retrieve server certs using the command:

openssl s_client -connect servername.example.com:636

Copy the text between “BEGIN CERTIFICATE” and “END CERTIFICATE” (including those lines), pasting into an empty file. For these sorts of certs I usually attach a “.pem” extension, so for example “ldap.example.com.pem”. The cert should then be copied into /etc/pki/tls/certs.

2. Create /var/www/.ldaprc with the same info as ldap.conf above. Make sure it is readable by the apache user. This is absolutely necessary as the Apache web server doesn’t know about ldap.conf, but php does. That particular path is actually the apache user’s $HOME on RHEL systems.

3. Use the uri of the LDAP server in place of the hostname in your ldap_connect definition.

For example, change this:

$dirHost = "ldap.example.com";
$ds = ldap_connect($dirHost);

So it looks like this:

$dirHost = "ldaps://ldap.example.com";
$ds = ldap_connect($dirHost);

This is more or less documented in the comments to php’s ldap_connect function, but those comments also contain lots of false leads as well so I decided it was time to make an authoritative, concise, statement of what’s required.

If you’re running LDAPS on a non-standard port (like 1636), then add the port to the uri thus:

$dirHost = "ldaps://ldap.example.com:1636";

Of course you could be redirecting inbound connections to that non-standard port from the standard port 636 if you followed my advice here.

These same configuration considerations would be necessary to support TLS connections, in addition to invoking ldap_start_tls().

The lack of flexibility here is due to the dependence of php-ldap on the underlying system’s openldap library configuration. This is in sharp contrast to the perl Net::LDAP module’s platform-independent methods for LDAPS connections, which among other things doesn’t require ldap.conf or a server certificate.

This entry was posted in Directory on by .

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).