Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Authenticating a self-signed certificate for LDAPS connection

I want to make a secure ldap connection(ldaps) from a Linux(Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux) client to a Windows 2012 server, to change user passwords in active directory, through php. For that, I've created a self-signed certificate(using Windows Server Manager) on the server, but when I try to connect, I get the following error(by turning debugging option on: ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);):

ldap_create                                                                 
ldap_url_parse_ext(ldaps://xxx.xxx.xxx.xxx)                                 
ldap_bind_s                                                                 
ldap_simple_bind_s                                                          
ldap_sasl_bind_s                                                            
ldap_sasl_bind                                                              
ldap_send_initial_request                                                   
ldap_new_connection 1 1 0                                                   
ldap_int_open_connection                                                    
ldap_connect_to_host: TCP xxx.xxx.xxx.xxx:636                               
ldap_new_socket: 3                                                          
ldap_prepare_socket: 3                                                      
ldap_connect_to_host: Trying xxx.xxx.xxx.xxx:636                            
ldap_pvt_connect: fd: 3 tm: -1 async: 0                                     
TLS: peer cert untrusted or revoked (0x42)                                  
TLS: can't connect: (unknown error code).                                   
ldap_err2string                                                             
PHP Warning:  ldap_bind(): Unable to bind to server 

It seems the client is not able to trust the certificate since it's self-signed.

What steps should I take to make a secure connection? The client side certificates are stored in /etc/ssl/certs/ca-certificates.crt

like image 801
Anant Gupta Avatar asked Aug 21 '14 10:08

Anant Gupta


People also ask

Can you use a self-signed certificate for LDAPS?

Can I use a self-signed certificate for LDAPS with the Duo Authentication Proxy? Yes. Please note that if you use a self-signed certificate to secure LDAPS communications to your directory server, the certificate's key usage should include "Certificate Signing."

What certificate is needed for LDAPS?

LDAPS Server Certificate Requirements. LDAPS requires a properly formatted X. 509 certificate on all your Windows DCs. This certificate lets a DC's LDAP service listen for and automatically accept SSL connections for both LDAP and Global Catalog (GC) traffic.


1 Answers

You have to explicitly tell the LDAP client to ignore untrusted certificates. You can do so by adding the following to your ldap.conf file:

TLS_REQCERT never

This solution is not the preferred one though. You should add the required CA root to your client and ensure that the certificate is correctly generated with the server's name in it (and if my memory serves me right the complete CA chain) otherwise nothing would stop someone to perform a MITM attack.

like image 197
NaeiKinDus Avatar answered Oct 02 '22 14:10

NaeiKinDus