Need help ignoring server certificate while binding to LDAP server using PHP


Question

I'm trying to bind to an LDAP server using PHP. It's a fairly straightforward process, except that I can't get around a certificate error that I'm getting. My auth credentials are fine, since I can connect to the server with Apache Directory Studio. Is there any way to just automatically accept the server cert? Similar to how you click "Accept this cert.." with Apache directory studio? I know it's not good security, but I just need to make it work at this point and can square away the cert issue later.

Thanks

Recommended answer

You don't specify the environment, so here's the answer (found elsewhere on this site: How do I solve ldap_start_tls() "Unable to start TLS: Connect error" in PHP?):

Linux: on the client machine (PHP web server) modify the ldap.conf file that the system is using; in RH/Fedora the file you want is /etc/openldap/ldap.conf (not /etc/ldap.conf, that is for system authentication...). Add/modify the following line:

TLS_REQCERT never

Windows: Add a system environment variable like the following:

LDAPTLS_REQCERT=never

Or in your PHP code, before the ldap_connect, put the following:

putenv('LDAPTLS_REQCERT=never');

These will ensure the client web server PHP instance never checks the FQDN of the server against the CN (common name) of the certificate. Very helpful in cluster environments where a virtual IP and certificate for that is used. But since this also makes it so that the other tools/applications in the entire OS on the web server machine will not check this either, please ensure that your environment allows this change (high-security environments might not allow it).
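
For the "square away the cert issue later" step, here is an added example (not part of the original answer) that keeps certificate verification on and instead trusts the issuing CA for this PHP process only, leaving the system-wide ldap.conf untouched. The URI, CA file path, bind DN and the LDAP_BIND_PW environment variable are placeholder assumptions; the LDAP_OPT_X_TLS_* options need PHP 7.1 or later.

```php
<?php
// Added example. All hostnames, paths and DNs below are placeholders.
const LDAP_URI  = 'ldaps://ldap.example.internal:636';   // must match a name in the server cert
const CA_BUNDLE = '/etc/ssl/certs/internal-ldap-ca.pem'; // PEM of the CA that issued the server cert

function ldap_bind_verified(string $uri, string $caFile, string $bindDn, string $password)
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }
    // An empty password turns the bind into an anonymous bind that "succeeds".
    if ($password === '') {
        throw new InvalidArgumentException('Refusing to bind with an empty password');
    }

    // TLS options are set on the global handle (null) before ldap_connect()
    // so they apply when the TLS context for the new connection is created.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $conn = ldap_connect($uri);
    if ($conn === false) {
        throw new RuntimeException("Invalid LDAP URI: $uri");
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // The TLS handshake happens on the first operation, so a certificate
    // problem surfaces here rather than at ldap_connect().
    if (!@ldap_bind($conn, $bindDn, $password)) {
        $detail = '';
        ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
        throw new RuntimeException(
            'LDAP bind failed: ' . ldap_error($conn) . ($detail ? " ($detail)" : '')
        );
    }
    return $conn;
}

try {
    $conn = ldap_bind_verified(
        LDAP_URI,
        CA_BUNDLE,
        'uid=svc-web,ou=services,dc=example,dc=internal', // placeholder bind DN
        (string) getenv('LDAP_BIND_PW')
    );
    echo "Bound over verified TLS\n";
} catch (Throwable $e) {
    error_log($e->getMessage()); // the diagnostic message names the failed TLS check
}
```

If the bind still fails with a certificate error, the diagnostic message usually distinguishes an untrusted issuer from a hostname mismatch; the latter is fixed by connecting with a name present in the certificate.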
