在使用 PHP 绑定到 LDAP 服务器时需要帮助忽略服务器证书 [英] Need help ignoring server certificate while binding to LDAP server using PHP

问题描述

我正在尝试使用 PHP 绑定到 LDAP 服务器.这是一个相当简单的过程，除了我无法解决我遇到的证书错误.我的身份验证凭据很好，因为我可以使用 Apache Directory Studio 连接到服务器.有没有办法自动接受服务器证书?类似于您在 Apache directory studio 中单击接受此证书.."的方式?我知道这不是很好的安全性，但我只需要在这一点上让它工作，然后可以解决证书问题.

I'm trying to bind to an LDAP server using PHP. It's a fairly straightforward process, except that I can't get around a certificate error that I'm getting. My auth credentials are fine, since I can connect to the server with Apache Directory Studio. Is there any way to just automatically accept the server cert? Similar to how you click "Accept this cert.." with Apache directory studio? I know it's not good security, but I just need to make it work at this point and can square away the cert issue later.

谢谢

推荐答案

你没有指定环境，所以这里是答案(在本网站的其他地方找到:如何解决 ldap_start_tls()无法启动 TLS:连接错误"; 在 PHP 中? ):

You don't specify the environment, so here's the answer (found elsewhere on this site: How do I solve ldap_start_tls() "Unable to start TLS: Connect error" in PHP? ):

Linux:在客户端机器(PHP Web 服务器)上修改系统正在使用的 ldap.conf 文件，在 RH/Fedora 中你想要的文件是 /etc/openldap/ldap.conf(不是/etc/ldap.conf，那是为了系统认证...).添加/修改以下行:

Linux: on the client machine (PHP web server) modify the ldap.conf file that the systems is using, in RH/Fedora the file you want is /etc/openldap/ldap.conf (not /etc/ldap.conf, that is for system authentication...) . Add/modify the following line:

TLS_REQCERT never

Windows:添加系统环境变量，如下所示:

Windows: Add a system environment variable like the following:

LDAPTLS_REQCERT=never

或者在您的 PHP 代码中，在 ldap_connect 之前，放置以下内容:

Or in your PHP code, before the ldap_connect, put the following:

putenv('LDAPTLS_REQCERT=never');

这些将确保客户端 Web 服务器 PHP 实例永远不会根据证书的 CN(通用名称)检查服务器的 FQDN.在使用虚拟 IP 和证书的集群环境中非常有用.但是由于这也使得网络服务器机器上整个操作系统中的其他工具/应用程序也不会检查这一点，请确保您的环境允许此更改(高安全性环境可能不允许这样做).

These will insure the client web server PHP instance never checks the FQDN of the server against the CN (common name) of the certificate. Very helpful in cluster environments where a virtual IP and certificate for that is used. But since this also makes it so that the other tools/applications in the entire OS on the web server machine will not check this either, please insure that your environment allows this change (high-security environments might not allow it).

这篇关于在使用 PHP 绑定到 LDAP 服务器时需要帮助忽略服务器证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！