Yesterday I had to do some debugging to find out why an LDAPS connection didn’t work.
The main trouble was that the authLdap plugin for WordPress didn't work for someone. After a bit of back and forth we figured out that the LDAPS connection worked for other applications but not for PHP's LDAP extension.
The error they got was the usual cryptic "Can't contact LDAP server", which says nothing at all, as it can mean anything from a wrong host name or a firewall in between to a failed TLS handshake.
Often I see questions on StackOverflow stating that connecting to LDAP servers secured with self-signed certificates is difficult and troublesome. Very often the accepted answer, or the one with the most votes, is actually the worst one, because it tells you to disable certificate verification altogether (LDAP_OPT_X_TLS_REQUIRE_CERT set to "never", or TLS_REQCERT never in ldap.conf). A swapped certificate would then go unnoticed, leaving the connection wide open to a man-in-the-middle attack and defeating the purpose of using TLS in the first place.
But how does one connect securely to an LDAP server secured with a self-signed certificate?
I did some tests and summarized my findings in a GitHub repo.
In essence it boils down to retrieving the server's current certificate, either from the admin of the LDAP server (the preferred way: a certificate fetched over the network is only as trustworthy as that one connection, so at least compare its SHA-256 fingerprint with what the admin reports before trusting it) or via OpenSSL using this command, saving the PEM output to a file:
$ echo \
| openssl s_client -connect openldap:636 2> /dev/null \
| openssl x509 -text \
| sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p'
This prints the server's own certificate, which is what you want for a self-signed one. If the server certificate was issued by an internal CA instead, add -showcerts to the s_client call, leave out the openssl x509 step (it only parses the first certificate of the chain), and keep the issuing CA's certificate from the sed output rather than the server's own.
And then, with a PHP version that supports these options (7.1 or newer), add the following lines to your LDAP code before connecting. Point LDAP_OPT_X_TLS_CACERTFILE at the single PEM file you saved, or LDAP_OPT_X_TLS_CACERTDIR at a directory of certificates; one of the two is enough. Note that a directory must be prepared with OpenSSL's hashed-name layout (c_rehash or openssl rehash), otherwise libldap will not find anything in it:
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTDIR, '/path/to');
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, '/path/to/cert.pem');
Then connect either with LDAPS on port 636:
$ldap = ldap_connect('ldaps://ldap.example.org:636');
or with plain LDAP on port 389, which only becomes encrypted once you upgrade the connection with ldap_start_tls(); the CA settings above apply to that handshake as well:
$ldap = ldap_connect('ldap://ldap.example.org:389');
Note: It's important to call ldap_set_option before the first LDAP command and to use null as the first argument. The TLS options live in libldap's global TLS defaults, and a connection picks them up when its TLS context is created; setting them on the connection handle afterwards, or after the first operation has already triggered the handshake, has no effect. Otherwise it will not work 😉
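Putting the two steps together, here is a complete connection routine as an added example; it is not the post's or the repo's own code, and the host name, file path, bind DN and password are placeholders. Beyond the lines above it refuses the connection when the certificate does not verify, upgrades an ldap:// URI with STARTTLS, and pulls libldap's diagnostic message on failure, which is usually more telling than "Can't contact LDAP server".

```php
<?php
// Added example, not code from the post or the authLdap plugin.
// Connect to an LDAP server with a self-signed certificate, trusting exactly
// that certificate and nothing else. All names below are placeholders.
declare(strict_types=1);

const CA_FILE  = '/path/to/cert.pem';              // PEM saved from the openssl step
const LDAP_URI = 'ldaps://ldap.example.org:636';   // or 'ldap://ldap.example.org:389'
const BIND_DN  = 'cn=reader,dc=example,dc=org';
const BIND_PW  = 'secret';

// 1. TLS options go on libldap's global defaults (first argument null) and must
//    be set before ldap_connect(); a connection copies them when it is created.
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, CA_FILE);
// 2. Fail hard if the server certificate does not verify against CA_FILE.
//    LDAP_OPT_X_TLS_NEVER here is the "ignore certificates" answer the post warns about.
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
// For debugging only: libldap then prints its TLS negotiation to stderr.
// ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);

function connectSecurely(string $uri, string $dn, string $password)
{
    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        throw new RuntimeException("Malformed LDAP URI: $uri");
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // A plain ldap:// URI is only encrypted after STARTTLS; the certificate
    // checks configured globally above apply to this handshake as well.
    if (strncmp($uri, 'ldap://', 7) === 0 && !ldap_start_tls($ldap)) {
        throw new RuntimeException('STARTTLS failed: ' . ldap_error($ldap));
    }

    // ldap_connect() does not open a socket. The TCP and TLS handshake happens
    // here, which is why "Can't contact LDAP server" only shows up at bind time.
    if (!@ldap_bind($ldap, $dn, $password)) {
        $diag = '';
        ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        throw new RuntimeException(sprintf(
            'Bind failed: %s (%s)', ldap_error($ldap), $diag
        ));
    }
    return $ldap;
}

$ldap = connectSecurely(LDAP_URI, BIND_DN, BIND_PW);
// ... ldap_search() / ldap_get_entries() as usual ...
ldap_unbind($ldap);
```

If the bind fails with a TLS-related diagnostic message, verify the saved PEM against the server with the same openssl s_client call and a -CAfile argument before blaming PHP; if that handshake fails too, the file holds the wrong certificate (for example the server's leaf instead of its issuing CA).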
You want more info? Have a look at the repo's README.
Version 1.0.2 of the WordPress plugin authLdap is now available.
Besides some small internal changes (thanks to firstname.lastname@example.org) I moved the code to GitHub and activated the issue tracker there. So for all bugs, feature requests and so on, feel free to open an issue at http://github.com/heiglandreas/authLdap/issues
This plugin lets you use your LDAP directory to authenticate and authorise users of your WordPress blog.
Installation should be as simple as the installation of any WordPress plugin: unzip the downloaded file, put it into your WordPress installation's plugins folder and activate it.
After activation you can configure the plugin via the options panel.