In our web-based application we support LDAP authentication. It works fine with the code below. Now we want to support LDAP over TLS. We host our product for our customers on SUSE Linux Enterprise Server 11, and each customer can have a different TLS certificate.

My questions are:

  • how to set up our SUSE server (which is the LDAP client) - where to place the certificates for each customer; do I need to edit any conf file?
  • how to do LDAP authentication over TLS with different certificates from PHP. What would be the exact PHP syntax?
  • does it matter what type the server is? Exchange, OpenLDAP etc.?
  • right now we have a .cer certificate from Exchange. Is that OK for OpenLDAP, or must it be converted (how) to .pem?

SUSE server = LDAP client configuration

  • SUSE Linux Enterprise Server 11 (x86_64)
  • ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.26 (Sep 26 2012 13:14:42)
  • PHP Version 5.4.9
  • Zend Engine v2.4.0

From reading http://php.net/ldap_connect I understood that I can use different certificates but I didn't get how.

function authenticateZendAuth($username, $password){
   require_once 'Zend/Auth.php';
   $auth = Zend_Auth::getInstance();

   // LDAP settings (host, baseDn, useStartTls, ...) come from the application config
   $ldapOptions = getConfigVariableValue('->ldap');

   $options = $ldapOptions->toArray();
   unset($options['log_path']); // not a Zend_Ldap option, only used for the logger below

   require_once 'Zend/Auth/Adapter/Ldap.php';
   $adapter = new Zend_Auth_Adapter_Ldap($options, $username, $password);

   $authenticated = $auth->authenticate($adapter);

   $log_path = $ldapOptions->log_path;
   if ($log_path) {
       $messages = $authenticated->getMessages();

       require_once("Zend/Log.php");
       require_once("Zend/Log/Writer/Stream.php");
       require_once("Zend/Log/Filter/Priority.php");
       $logger = new Zend_Log();
       $logger->addWriter(new Zend_Log_Writer_Stream($log_path));
       $filter = new Zend_Log_Filter_Priority(Zend_Log::DEBUG);
       $logger->addFilter($filter);

       foreach ($messages as $i => $message) {
           // $messages[0] and [1] are the user-facing result messages;
           // $messages[2] and up are log messages. "$i--" compares first, then
           // decrements, so the logged index starts at 1.
           if ($i-- > 1) {
               $message = str_replace("\n", "\n  ", $message);
               $logger->log("Ldap: $i: $message", Zend_Log::DEBUG);
           }
       }
   }

   return $authenticated;
}
If I'm not totally wrong here, the number of certificates has no impact on the PHP coding side. The servers need to trust each other's certificates. All you have to set within the Ldap-Adapter is the config option useStartTls=true. Imo this is server configuration, so maybe better served over at serverfault.com – Sam
I thought that I need to specify somehow which certificate is going to be used for a particular LDAP connection ... – Radek
See php.net/manual/de/function.ldap-connect.php#36156 - you can set that TLS_* stuff via putenv(), too. There's no "ZF-Way" of doing that ;) – Sam
The thing I don't understand is how do I link a particular server certificate with a server name. From the link you provided: "The name of the server you're connecting to is important. If the server name you specify in the "ldaps://" URI does not match the name of the server in its certificate, it will complain" – Radek

1 Answer

How to set up our SUSE server (that is LDAP client) - where to place certificates for each customer, do I need to edit any conf file?

If you are using openssl (slapd) it doesn't really matter where you put the certificate, as long as you can set the configuration file to point to it. It will look something like this perhaps:

TLSCACertificateFile    /usr/var/openldap-data/cacert.pem 
TLSCertificateFile          /usr/var/openldap-data/servercrt.pem 
TLSCertificateKeyFile   /usr/var/openldap-data/serverkey.pem 

You will need to request (or create your own) certificates; these are the same as the certificates you use for HTTPS. This is where the domain name is important: when you create/request the cert, it needs to match the domain name that you are going to be using it on. See: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html for more details.

How to make LDAP authentication over TLS with different certificates from php. What would be exact php syntax?

You really don't need to do anything special here. Make sure you set your LDAP server up with the appropriate domain-named certificate, and make sure that the signing authority for that cert is recognized by your local OpenLDAP client (running your PHP) via its config file. Then notice that many of the Zend examples (http://files.zend.com/help/Zend-Framework/zend.auth.adapter.ldap.html) use a config file to set up the Zend LDAP client and turn on TLS. You can also use Zend_Ldap::setOptions() - see the notes on http://framework.zend.com/manual/1.12/en/zend.auth.adapter.ldap.html

Does it matter what type the server is? Exchange, OpenLDAP etc.? No, not really. I mean, configuring the LDAP server will matter, but the PHP client won't really care at all.

Right now we have a .cer certificate from Exchange. Is that OK for OpenLDAP, or must it be converted (how) to .pem?

See: http://www.sslshopper.com/article-most-common-openssl-commands.html

openssl x509 -inform der -in certificate.cer -out certificate.pem
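Added example, not code from the question or the answer: the answer's TLSCACertificateFile/TLSCertificateFile lines are slapd (server) directives, while the question is about the client side. On the client the equivalent is /etc/openldap/ldap.conf (TLS_CACERT, TLS_REQCERT), and libldap reads the same settings from the environment variables LDAPTLS_CACERT and LDAPTLS_REQCERT, which is what the comment above refers to with putenv(). The block below uses the stock PHP ldap extension (no Zend) to pick one customer's CA bundle, force certificate verification, upgrade to TLS with StartTLS before sending credentials, and bind. Everything specific to a deployment is assumed: the directory /etc/openldap/certs/<customer>-ca.pem, the customer id, and the host and bind names in the usage line. The file you point TLS_CACERT at must contain the certificate of the CA that issued the server's certificate (for a self-signed server certificate, the converted .cer itself); the DER-to-PEM conversion is the one shown in the answer.

```php
<?php
// Added example (not from the question, the answer, or any project on this page).
// Assumed layout, hypothetical: one PEM CA bundle per customer under this directory.
const CUSTOMER_CA_DIR = '/etc/openldap/certs';

/**
 * Resolve the CA bundle for a customer. The id is whitelisted so a tenant name
 * can never be used to walk outside CUSTOMER_CA_DIR.
 */
function customerCaFile($customer) {
    if (!preg_match('/^[a-z0-9_-]+$/i', $customer)) {
        throw new InvalidArgumentException('bad customer id');
    }
    $path = CUSTOMER_CA_DIR . '/' . $customer . '-ca.pem';
    if (!is_readable($path)) {
        throw new RuntimeException("no CA bundle for $customer at $path");
    }
    return $path;
}

/**
 * Authenticate against $host over StartTLS, trusting only the customer's CA.
 * Returns true on success, false on bad credentials, and throws on TLS or
 * connection failure so a certificate problem never looks like a wrong password.
 */
function ldapAuthenticateTls($customer, $host, $bindDn, $password) {
    // An empty password makes ldap_bind() perform an anonymous bind, which
    // succeeds on most servers. Refuse it explicitly.
    if ($password === '') {
        return false;
    }

    // libldap takes these from the environment (same meaning as TLS_CACERT and
    // TLS_REQCERT in /etc/openldap/ldap.conf). They are read when the process
    // sets up its first TLS handshake, so a persistent PHP-FPM/mod_php worker
    // cannot switch CA per request this way: either ship one bundle containing
    // every customer's CA, run one worker pool per customer, or (PHP 7.1+) use
    // ldap_set_option($conn, LDAP_OPT_X_TLS_CACERTFILE, ...) per connection.
    putenv('LDAPTLS_CACERT=' . customerCaFile($customer));
    putenv('LDAPTLS_REQCERT=demand'); // "allow"/"never" would silently skip verification

    // The name in the URI must match the CN or a SAN in the server certificate,
    // so connect by DNS name, not by IP address.
    $conn = ldap_connect('ldap://' . $host . ':389');
    if ($conn === false) {
        throw new RuntimeException('ldap_connect failed (malformed URI)');
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0); // Active Directory returns referrals; do not chase them

    // Upgrade the plaintext connection to TLS before any credential is sent.
    if (!@ldap_start_tls($conn)) {
        throw new RuntimeException('StartTLS failed: ' . ldap_error($conn));
    }

    // Against Exchange/AD the bind name can be a UPN (user@domain) instead of a DN.
    $ok = @ldap_bind($conn, $bindDn, $password);
    if (!$ok && ldap_errno($conn) !== 49) { // 49 = LDAP_INVALID_CREDENTIALS
        throw new RuntimeException('bind failed: ' . ldap_error($conn));
    }
    ldap_unbind($conn);
    return $ok;
}

// Usage with assumed names (customer "acme", DC "dc1.acme.example"):
// var_dump(ldapAuthenticateTls('acme', 'dc1.acme.example', 'jdoe@acme.example', $password));
```

To check the same trust setup outside PHP on the SLES box, the environment variables work for the command-line tools too: `LDAPTLS_CACERT=/etc/openldap/certs/acme-ca.pem LDAPTLS_REQCERT=demand ldapsearch -ZZ -H ldap://dc1.acme.example -x -D 'jdoe@acme.example' -W -b '' -s base` (the `-ZZ` flag makes ldapsearch fail rather than fall back to cleartext when StartTLS does not succeed). If this succeeds but the PHP path fails, the difference is almost always the environment the web server worker runs with.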