How to connect to OpenLDAP over SSL

After a lot of troubleshooting I managed to connect to an SSL-enabled OpenLDAP server, and I would like to share this information with you.

Some of the problems that you may encounter are:

LDAP host

Verify, using ping, that you can reach the LDAP server. Ping only proves that ICMP gets through, so also check that the ldaps port itself (636 by default) accepts a TLS connection, for example with openssl s_client -connect host:636; a firewall can easily allow one and block the other.

I suggest you try both the IP address and the hostname. In some configurations the DNS name of the LDAP host works fine, but sometimes it doesn't, so try both if you have problems. For the final configuration use the hostname: over ldaps the client checks that the name in the URL matches the server certificate, and a certificate normally lists only the DNS name, so connecting by IP will usually fail certificate verification even when the network path is fine.

SSL-specific problems

For PHP, try
ldap_connect("ldaps://host:port")
Put the port in the URL: when ldap_connect is given a full URL, its separate port argument, as in ldap_connect("ldaps://host", port), is ignored. Note that ldap_connect does not open a socket; the connection and the TLS handshake happen at ldap_bind, so that is where SSL errors show up.

If the host you are running the scripts on does not trust the certificate authority that signed the LDAP server's certificate, the TLS handshake fails and the bind reports "Can't contact LDAP server". The correct fix is to point libldap at the CA certificate in your ldap.conf (/etc/openldap/ldap.conf or /etc/ldap/ldap.conf, depending on the distribution):
TLS_CACERT     /path/to/ca.pem

You will also find the advice to add the following line instead:
TLS_REQCERT     never
This makes the connection work because it turns server certificate verification off entirely: the client then accepts any certificate, including one presented by a machine in the middle, so the password you send in the bind is protected only against passive eavesdropping. Use it, if at all, only to confirm that the certificate is the problem, and remove it once TLS_CACERT is in place.
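The two checks above (is the ldaps port reachable and does the certificate verify for the name I use, and is libldap verifying the certificate properly) can be done from PHP itself. The script below is an added example and is not code from the original post; the hostname, the 192.0.2.10 address, the CA bundle path and the bind DN are placeholders to replace. It assumes PHP 7.1 or later for the LDAP_OPT_X_TLS_* constants, and the second function is the in-process equivalent of TLS_CACERT plus TLS_REQCERT demand in ldap.conf, so it does not depend on the system-wide file.

```php
<?php
// Added diagnostic example (not from the original post). All names below are
// placeholders: server name, documentation IP, CA bundle path and bind DN.
declare(strict_types=1);

const LDAP_HOST = 'ldap.example.com';               // assumption: server DNS name
const LDAP_PORT = 636;                              // standard ldaps port
const CA_FILE   = '/etc/ssl/certs/example-ca.pem';  // assumption: CA that signed the server cert

// Step 1: reachability and certificate check at the transport level.
// ping only proves ICMP; this proves the TCP port answers and that the
// certificate chains to CA_FILE and matches $host. Pass an IP literal to
// see why "try the IP" only helps for debugging: verification then fails
// unless the certificate carries that IP in its subjectAltName.
function probe_ldaps(string $host, int $port, string $cafile): array
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'cafile'            => $cafile,
        'capture_peer_cert' => true,
    ]]);
    $errno = 0;
    $errstr = '';
    error_clear_last();
    $sock = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 5,
                                  STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        // TLS failures arrive as a warning, not in $errstr, so pick up both
        $last = error_get_last();
        $msg  = $errstr !== '' ? $errstr : ($last['message'] ?? 'unknown error');
        return ['ok' => false, 'target' => "$host:$port", 'error' => $msg];
    }
    $params = stream_context_get_params($sock);
    $cert   = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    fclose($sock);
    return [
        'ok'      => true,
        'target'  => "$host:$port",
        'subject' => $cert['subject']['CN'] ?? '(no CN)',
        'san'     => $cert['extensions']['subjectAltName'] ?? '(no SAN)',
        'expires' => date('c', $cert['validTo_time_t']),
    ];
}

// Step 2: the libldap side, which PHP's ldap_* functions use. Requiring the
// certificate and naming the CA here is what to do instead of
// TLS_REQCERT never (LDAP_OPT_X_TLS_NEVER), which accepts any certificate.
function ldaps_bind_verified(string $url, string $cafile, string $dn, string $pw): array
{
    // Global TLS options must be set before the first connection builds its TLS context
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $cafile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ds = ldap_connect($url);            // only validates the URL; no socket yet
    if ($ds === false) {
        return ['ok' => false, 'error' => "bad LDAP URL: $url"];
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);

    if (@ldap_bind($ds, $dn, $pw)) {
        return ['ok' => true, 'ds' => $ds];
    }
    // errno -1 (LDAP_SERVER_DOWN, "Can't contact LDAP server") means the
    // transport or TLS handshake failed; 49 (LDAP_INVALID_CREDENTIALS) means
    // TLS worked and the DN or password is wrong. The diagnostic message
    // carries the TLS library's reason when verification failed.
    $diag = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    return ['ok' => false, 'errno' => ldap_errno($ds), 'error' => ldap_error($ds), 'diag' => $diag];
}

// 192.0.2.10 is a documentation address standing in for the server's IP
foreach ([LDAP_HOST, '192.0.2.10'] as $target) {
    print_r(probe_ldaps($target, LDAP_PORT, CA_FILE));
}

$result = ldaps_bind_verified('ldaps://' . LDAP_HOST . ':' . LDAP_PORT, CA_FILE,
                              'uid=user,ou=people,dc=example,dc=com',   // assumption: bind DN
                              getenv('LDAP_PW') ?: '');                  // password from the environment, never printed
if ($result['ok']) {
    echo "verified bind OK\n";
    ldap_unbind($result['ds']);
} else {
    print_r($result);
}
```

Run it once against the hostname and once against the IP: the first probe should succeed and show the certificate's CN and SAN, the second should fail with a peer name mismatch unless the IP is in the SAN, which is the concrete reason to keep the hostname in the final URL. If the bind in step 2 returns errno -1 with a certificate error in diag while the probe in step 1 succeeded, libldap is using a different trust store than PHP's stream layer, so check which ldap.conf it reads.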

Sample PHP script

Here is a sample script to connect to a secured OpenLDAP server. The script assumes that you DON'T have anonymous access to the LDAP server; if you do, just bind without credentials (ldap_bind($ldapconn) with no user and password).
You must change the parameters at the beginning of the script to match your organization's OpenLDAP configuration.


<?php
// Set the parameters below to fit your organization's OpenLDAP
$basedn   = "dc=example,dc=com";
$login    = "user";
// Escape the login before building a DN or a filter from it, otherwise a
// value such as "*)(uid=*" changes the meaning of the filter
$ldapuser = "uid=" . ldap_escape($login, "", LDAP_ESCAPE_DN) . ",ou=people,dc=example,dc=com";
$ldappass = "pass";
$filter   = "(uid=" . ldap_escape($login, "", LDAP_ESCAPE_FILTER) . ")";
$ldapurl  = "ldaps://ldap.example.com:XXX";   // XXX: your ldaps port (636 is the default)
$LDAPFieldsToFind = array("cn", "mail");
$debug = false;

// Set debugging (libldap trace output)
if ($debug) {
  ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
}

// "connect" to ldap server: this only checks the URL, the socket is opened at bind time
$ldapconn = ldap_connect($ldapurl);
if ($ldapconn === false) {
  die("Couldn't parse LDAP URL $ldapurl\n");
}
// OpenLDAP rejects LDAPv2 binds by default, so ask for protocol version 3
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);

// binding to ldap server (never print the password, not even while debugging)
echo "Trying to bind as $ldapuser\n";
$ldapbind = @ldap_bind($ldapconn, $ldapuser, $ldappass);

if (!$ldapbind) {
  echo "Unable to bind to server $ldapurl\n";
  echo "OpenLDAP error message: " . ldap_error($ldapconn) . "\n";
  exit(1);
}

echo "Bind successful\n";
echo "\nSearching in base_dn $basedn - filter: $filter\n";
$userdetails = ldap_search($ldapconn, $basedn, $filter, $LDAPFieldsToFind);
if ($userdetails === false) {
  echo "Search failed: " . ldap_error($ldapconn) . "\n";
  exit(1);
}
$info = ldap_get_entries($ldapconn, $userdetails);

for ($x = 0; $x < $info["count"]; $x++) {
  // an entry may lack an attribute, so default to an empty string
  $email = $info[$x]['mail'][0] ?? '';
  $nam   = $info[$x]['cn'][0] ?? '';
  print "\n\nOpenLDAP attributes:\n";
  print "CN is: $nam \n";
  print "Mail is: $email\n";
}

if ($x == 0) { echo "\nOops, $login was not found. Please try again.\n"; }

ldap_unbind($ldapconn);
?>
