Force Encryption on LDAP Login

Hello everyone,

I was wondering how to force encryption on the LDAP login. I am currently using the QueenCityCodeFactory LDAP plugin.

I have used LDAP_START_TLS with the ldapConnection variable in the plugin.

The error I get is "LDAP_START_TLS: Unable to start TLS: Connect Error".

Any suggestions?

That looks like it’s an issue with the connection itself.
Is it a self-signed certificate?

I am not sure if it is the certificate that is the issue. The certificate seems to work for the HTTPS connection, because I am using it for the SSL connection in Apache, but as soon as I use it in the LDAPS settings the LDAP connection stops working.

I hope you mean TLS and not SSL? (TLS is the standard for HTTPS nowadays).
Also, is it a valid certificate?

What you can do is modify your /etc/ldap.conf to contain the line TLS_REQCERT never.
This skips checking whether the certificate is valid.

If that doesn’t help, please check the logs and see if you find anything interesting there (you should have defined the log with the logErrors setting of the plugin).

I have resolved the issue. I am not sure if a certificate is needed, but from what I can tell the communication is encrypted.

This is my solution:

In LdapAuthenticate.php (in the QueenCityCodeFactory plugin), apply:

if ($this->ldapConnection) {
    // Upgrade to TLS before any bind; abort on failure so the password is never sent in the clear
    if (!ldap_start_tls($this->ldapConnection)) {
        throw new \RuntimeException('LDAP StartTLS failed: ' . ldap_error($this->ldapConnection));
    }
}

Right after the foreach loop regarding the options and values.

You also need to have edited the openldap.conf file to contain: TLS_REQCERT never
I have read on different forums regarding TLS_REQCERT.

As I understand it, this is not the optimal solution (regarding the reqcert option), but in my case it will suffice for now.

If you need that TLS_REQCERT never flag, that means your certificate is invalid (eg. self-signed).
It’s fairly easy to work around, though this is more in the scope of your SysOps rather than the developer (unless you do both).

Basically what you need to do is create your own CA and add its root certificate to the keychain of your device.
Every certificate signed by that CA now will be regarded as “valid” as long as the required root certificate is installed.
This setup is fine for communications internally (eg. between your load balancer and back-end server, or in this case your PHP server and your LDAP server) but not for external communication (eg. between a random visitor and your load balancer).
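
The solution a few posts up encrypts the session, but TLS_REQCERT never tells libldap to accept any certificate at all, so anyone who can get between the PHP server and the LDAP server can present their own certificate and read the bind password (a simple bind sends the password in the clear inside the TLS tunnel). The following is an added example, not code from the plugin or from anyone in this thread. It shows the same StartTLS connection with verification switched on from PHP itself, using the private-CA approach described in the reply above: point libldap at the CA bundle, demand a valid certificate, and refuse to bind if StartTLS fails instead of silently continuing in cleartext. The host ldap.example.internal, the path /path/to/internal-ca.pem and the bind DN are placeholders.

```php
<?php
declare(strict_types=1);

// Added example, not the QueenCityCodeFactory plugin's code. The host, the CA bundle
// path and the bind DN are placeholders.
const LDAP_URI = 'ldap://ldap.example.internal:389'; // plain ldap://, upgraded with StartTLS
const LDAP_CA  = '/path/to/internal-ca.pem';         // root CA that signed the LDAP server's certificate
const BIND_DN  = 'uid=app,ou=services,dc=example,dc=internal';

/*
 * This is what "TLS_REQCERT never" in ldap.conf means, expressed in PHP: every
 * certificate is accepted, including one forged by a man-in-the-middle. Do NOT use it:
 *
 *   ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
 */

/**
 * Open an LDAP connection, upgrade it with StartTLS and bind.
 * Throws instead of falling back to a cleartext bind when TLS cannot be established.
 */
function ldap_connect_starttls(string $uri, string $caFile, string $bindDn, string $password)
{
    // An empty password makes most servers perform an unauthenticated bind that
    // "succeeds", so never let it reach ldap_bind().
    if ($password === '') {
        throw new InvalidArgumentException('Refusing to bind with an empty password');
    }

    // TLS options are libldap-wide defaults: set them with a null handle BEFORE
    // ldap_connect(). They take precedence over TLS_CACERT / TLS_REQCERT in ldap.conf.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND); // TLS_REQCERT demand

    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        throw new RuntimeException("Malformed LDAP URI: $uri");
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); // StartTLS requires LDAPv3
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);        // do not follow referrals to other, possibly unencrypted, hosts

    // StartTLS applies to ldap:// only; an ldaps:// session is encrypted from the first byte.
    if (strncasecmp($uri, 'ldaps://', 8) !== 0 && !@ldap_start_tls($ldap)) {
        $detail = '';
        ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail); // usually carries the TLS/OpenSSL reason
        throw new RuntimeException(sprintf(
            'StartTLS failed, refusing to bind in cleartext: %s (%s)',
            ldap_error($ldap),
            $detail
        ));
    }

    if (!@ldap_bind($ldap, $bindDn, $password)) {
        throw new RuntimeException('LDAP bind failed: ' . ldap_error($ldap));
    }
    return $ldap;
}

// Usage: the password comes from the environment, not from source control.
$ldap = ldap_connect_starttls(LDAP_URI, LDAP_CA, BIND_DN, (string) getenv('LDAP_BIND_PASSWORD'));
echo "Bound over verified TLS\n";
ldap_unbind($ldap);
```

Setting LDAP_OPT_X_TLS_CACERTFILE and LDAP_OPT_X_TLS_REQUIRE_CERT through ldap_set_option() with a null handle is the programmatic equivalent of TLS_CACERT and TLS_REQCERT demand in ldap.conf, which also sidesteps the question of which ldap.conf a Windows PHP build actually reads. The constants need PHP 7.0.5 or later, and the two options must be set before ldap_connect(), because they are global defaults that libldap copies into each new connection. The diagnostic message pulled out on failure is the part that is missing from a bare "Unable to start TLS: Connect error".
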

Thanks for the explanation. I greatly appreciate the help. The cert is not self-signed (from my understanding). The certificate works with SSL, so shouldn't the same cert in theory work with TLS?

Does the cert need to be in a special format, like .PEM?

These might be stupid questions, but I am very new to everything regarding certificates.

Hii there,

Why are you still using SSL in 2020? Its latest version (3.0) has been deemed insecure since 2004; TLS (specifically versions 1.2 and 1.3) is the new standard.

Back to your question: yes, the exact same certificate used for SSL can be used for TLS (without any additions like a special format).
When you use it with your apache and you visit the URL, do you get a warning from your browser saying the connection might be insecure?
Something like this:

If so, your certificate is most likely self-signed and thus is technically “invalid”.
If this is not the case, then I suspect something else might be going on with said certificate on the LDAP server (eg. it not actually using the right certificate).
You can see a more detailed output when you add the following code before the ldap_connect() function is called:

ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7); 

Is your LDAP server running on the same machine as the Apache server?

Well, one reason was that I wanted to try and see if the cert was working.

Nope no warnings.

I am using wampserver64. Yes, and it contains the Apache server in the application.

There is no problem when using the cert in the SSL settings for Apache, but as soon as I try to use it in the TLS setting it cannot start the TLS function. I will keep troubleshooting and see what I am doing wrong.

Thanks again for the answers.

Hmmm… that is odd… unfortunately, I don’t have much experience with LDAP outside of getting it to do basic things in my application (I always left the LDAP server to my SysOps).
If you find any solution down the line, please let me know :slight_smile:

Do you have any advice on how I can troubleshoot the issue? I am thinking it actually gets the information about where the cert and key are placed.

It is difficult, only getting the one (cannot start TLS) error.

Try checking the certificate from your LDAP server against the one you have on your wampserver.
If you have the openssl utility installed, you can run this command against your LDAP server (if your HTTPS works fine, then you don’t need to check that).

openssl s_client -showcerts -connect <yourserver>:<port>

E.g. if your LDAP server is located at ldap.finlaydag33k.nl on port 868 (which I doubt, because that's my domain :wink: ), then you'd have to enter:

openssl s_client -showcerts -connect ldap.finlaydag33k.nl:868

This produces a rather massive output, but fret not, there is pretty much only one thing you need to be interested in for now.
Somewhere in the middle of the output, you should see a line that says either:

Verification: OK

or

Verification error: unable to verify the first certificate

If you get the first one, then we can rule out that the certificate is invalid (and we can continue the search).
If you get the second one, then the certificate on the LDAP is invalid.

One small sidenote: this command can actually be run against anything that uses SSL/TLS, not just webservers or LDAP servers (so keep it somewhere in your arsenal, you never know when it’ll come in handy again).
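
One caveat and one added example on the check above (neither is from anyone in the thread). The caveat: the command as written only works for LDAPS, where TLS starts at connection time (normally port 636). For StartTLS on the plain LDAP port (389) the handshake only begins after an LDAP StartTLS request, so you need `openssl s_client -starttls ldap -connect host:389` (OpenSSL 1.1.1 or later); without `-starttls ldap` it fails before it ever sees a certificate. The example: the same verification can be run from inside PHP using PHP's own OpenSSL trust settings rather than libldap's. It bypasses the ldap extension entirely, so a failure here means the certificate itself does not verify, while success here combined with a failing ldap_start_tls() points at libldap's TLS configuration (ldap.conf / LDAP_OPT_X_TLS_*). The host ldap.example.internal and the CA bundle path are placeholders.

```php
<?php
declare(strict_types=1);

// Added example, not code from this thread. 'ldap.example.internal' and the CA
// path are placeholders; use your own LDAP host and the CA that issued its certificate.

/**
 * Open an LDAPS (port 636) connection with peer verification on and report what the
 * server presented. It cannot test StartTLS on port 389, because there the TLS
 * handshake only starts after an LDAP StartTLS request.
 */
function ldaps_cert_check(string $host, int $port = 636, ?string $caFile = null): array
{
    $ssl = [
        'verify_peer'             => true,
        'verify_peer_name'        => true,
        'peer_name'               => $host,  // must match the certificate's CN or a DNS SAN
        'capture_peer_cert'       => true,
        'capture_peer_cert_chain' => true,
    ];
    if ($caFile !== null) {
        $ssl['cafile'] = $caFile;            // private CA bundle; omit to use the system trust store
    }
    $ctx = stream_context_create(['ssl' => $ssl]);

    $errno  = 0;
    $errstr = '';
    $sock = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        // A failed verification ends up here; the detail is in the suppressed warning,
        // e.g. "certificate verify failed" or "Peer certificate CN=... did not match expected CN=..."
        $detail = error_get_last()['message'] ?? $errstr;
        return ['verified' => false, 'error' => $detail];
    }

    $opts = stream_context_get_params($sock)['options']['ssl'];
    fclose($sock);

    $leaf = openssl_x509_parse($opts['peer_certificate']);
    return [
        'verified'    => true,
        'subject_cn'  => $leaf['subject']['CN'] ?? '',
        'issuer_cn'   => $leaf['issuer']['CN'] ?? '',
        'sans'        => $leaf['extensions']['subjectAltName'] ?? '(none)',
        'not_after'   => date('c', $leaf['validTo_time_t']),
        // A chain of length 1 means the server sent only the leaf; a missing intermediate
        // is a common cause of "unable to verify the first certificate" in openssl s_client
        'chain_len'   => count($opts['peer_certificate_chain'] ?? []),
        'self_signed' => ($leaf['subject'] === $leaf['issuer']),
    ];
}

// Usage: exit non-zero if the certificate does not verify, so this can run in a health check.
$result = ldaps_cert_check('ldap.example.internal', 636, '/path/to/internal-ca.pem');
print_r($result);
if (!$result['verified']) {
    exit(1);
}
```

Run it from the same PHP installation that serves the application (the wampserver64 PHP here), since that is the OpenSSL build and trust store whose verdict matters; a result that verifies under the system `openssl` but not here usually means the CA bundle PHP is using differs from the one the shell tool reads.
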

I tried this against the server and the output said "Verification: OK".

Good to have that kind of command in the back of my head. Seems like a good command to know when troubleshooting SSL/TLS connections via openssl. :smiley:

Hii there,

Sorry for the delayed response, I’ve been pretty busy :slight_smile:

If the verification is okay, then it's a very odd error that I can't help you with.
What you could do is test the connection manually using a small script (see the PHP docs regarding LDAP for that).
All the script has to do is see if it can connect:

<?php
// Enable libldap debug output; it is a global setting, so set it with a null
// handle before ldap_connect(). The output goes to stderr / the web server's error log.
ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);

// Prepare to connect (this only parses the URI; nothing is sent yet)
$ldap = ldap_connect("ldaps://localhost"); // replace localhost with your server
if (!$ldap) throw new \Exception("Could not parse ldap uri");

// Most servers refuse binds over the default LDAPv2
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);

// Try to connect: the TCP and TLS connection is actually opened by the bind
$user = "myuser";
$pass = "lamepassword";
$bind = ldap_bind($ldap, $user, $pass);

// Check if we are connected; ldap_error() gives the reason on failure
if (!$bind) throw new \Exception("Could not connect to LDAP: " . ldap_error($ldap));

// We made it!
echo "Whoop!";