Author Topic: LDAPS - Ignore certificate ?  (Read 399 times)

michael

LDAPS - Ignore certificate ?
« on: February 07, 2020, 09:16:19 AM »
Hi,

Following Microsoft's announcement of the LDAP channel binding / signing requirements
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

I'm trying to move my working LDAP configuration to LDAPS.
Changing the servers to ldaps:// and the port to 636 didn't work. The error message doesn't really help, so I suspected a certificate error (Nedi doesn't know our AD certificates).

I didn't find an option to ignore the server cert in nedi.conf.

I found ideas with Google, like putting "TLS_REQCERT never" in /etc/ldap/ldap.conf, but that didn't work. I even tried to modify the PHP file by adding "putenv('LDAPTLS_REQCERT=never');" before ldap_connect, with the same result.

Did anyone manage to make it work?

michael

Re: LDAPS - Ignore certificate ?
« Reply #1 on: May 20, 2020, 09:35:30 AM »
Update to this topic, as I didn't find a solution here:
- I exported our local CA root certificate in Base-64 encoded X.509 (.CER) format and imported it into Nedi.
- To do so: copy the file to /usr/local/share/ca-certificates, then run update-ca-certificates.
- Reconfigure LDAP to LDAPS (in nedi.conf, change the path from ldap:// to ldaps:// and the port from 389 to 636).
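As an added example (not NeDi's code and not from this thread), here is the same approach from PHP's ldap extension: point the client at the exported root CA and require the server certificate to verify, instead of trying to switch verification off with TLS_REQCERT never. The hostname, CA path, bind DN and environment variable are assumptions.

```php
<?php
// Added example, not NeDi's own code. Connect to AD over LDAPS while
// verifying the DC certificate against the exported corporate root CA.

$uri    = 'ldaps://dc1.example.internal:636';   // assumed; must match a SAN in the DC's certificate
$caFile = '/usr/local/share/ca-certificates/corp-root-ca.crt'; // assumed path of the Base-64 X.509 root
$bindDn = 'CN=nedi-svc,OU=Service Accounts,DC=example,DC=internal'; // assumed service account
$bindPw = getenv('NEDI_LDAP_PASSWORD') ?: '';   // assumed env var; never hard-code the password

// TLS trust settings are set globally (null link) *before* ldap_connect():
// with ldaps:// the handshake happens when the first operation opens the
// socket, so per-link TLS options set afterwards are not applied.
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND); // fail closed on bad chain/hostname

$ld = ldap_connect($uri);
if ($ld === false) {
    fwrite(STDERR, "invalid LDAP URI: $uri\n");
    exit(1);
}
ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);     // AD referrals otherwise trigger extra unauthenticated connects

// A certificate chain or hostname failure only surfaces here, at the first
// real operation; the diagnostic message is where OpenLDAP reports why.
if (!@ldap_bind($ld, $bindDn, $bindPw)) {
    ldap_get_option($ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    fwrite(STDERR, sprintf("LDAPS bind failed: %s (%s)\n", ldap_error($ld), $diag ?? ''));
    exit(1);
}

echo "LDAPS bind OK; server certificate verified against $caFile", PHP_EOL;
ldap_unbind($ld);
```

Once the root CA has been installed with update-ca-certificates as described above, the LDAP_OPT_X_TLS_CACERTFILE line can be dropped and the system trust store is used; keeping LDAP_OPT_X_TLS_DEMAND is what makes a wrong or self-signed DC certificate fail loudly rather than silently.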

rickli

Re: LDAPS - Ignore certificate ?
« Reply #2 on: May 25, 2020, 10:04:24 AM »
At least you found a way that works and posted it, tx!
I don't do much with LDAP, so I'm relying on others here...
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo

michael

Re: LDAPS - Ignore certificate ?
« Reply #3 on: May 25, 2020, 10:06:59 AM »
> At least you found a way that works and posted it, tx!
> I don't do much with LDAP, so I'm relying on others here...
No problem, I hope that helps  ;)