在使用 PHP 绑定到 LDAP 服务器时需要帮助忽略服务器证书
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3866406/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Need help ignoring server certificate while binding to LDAP server using PHP
提问by Hyman Slingerland
I'm trying to bind to an LDAP server using PHP. It's a fairly straightforward process, except that I can't get around a certificate error that I'm getting. My auth credentials are fine, since I can connect to the server with Apache Directory Studio. Is there any way to just automatically accept the server cert? Similar to how you click "Accept this cert.." with Apache directory studio? I know it's not good security, but I just need to make it work at this point and can square away the cert issue later.
我正在尝试使用 PHP 绑定到 LDAP 服务器。这是一个相当简单的过程,只是我无法解决我遇到的证书错误。我的身份验证凭据很好,因为我可以使用 Apache Directory Studio 连接到服务器。有什么办法可以自动接受服务器证书?类似于您如何使用 Apache 目录工作室单击“接受此证书..”?我知道这不是很好的安全性,但我现在只需要让它工作,然后可以解决证书问题。
Thanks
谢谢
回答by dbman
You don't specify the environment, so here's the answer (found elsewhere on this site: How do I solve ldap_start_tls() "Unable to start TLS: Connect error" in PHP?):
您没有指定环境,所以这里是答案(在本网站的其他地方找到:How do I solve ldap_start_tls() "Unable to start TLS: Connect error" in PHP?):
Linux: on the client machine (PHP web server) modify the ldap.conf file that the systems is using, in RH/Fedora the file you want is /etc/openldap/ldap.conf(not /etc/ldap.conf, that is for system authentication...) . Add/modify the following line:
Linux:在客户端机器(PHP Web 服务器)上修改系统正在使用的 ldap.conf 文件,在 RH/Fedora 中,您想要的文件是/etc/openldap/ldap.conf(不是/etc/ldap.conf,用于系统身份验证...)。添加/修改以下行:
TLS_REQCERT never
Windows: Add a system environment variable like the following:
Windows:添加如下系统环境变量:
LDAPTLS_REQCERT=never
Or in your PHP code, before the ldap_connect, put the following:
或者在您的 PHP 代码中,在 ldap_connect 之前,放置以下内容:
putenv('LDAPTLS_REQCERT=never');
These will insure the client web server PHP instance never checks the FQDNof the server against the CN(common name) of the certificate. Very helpful in cluster environments where a virtual IP and certificate for that is used. But since this also makes it so that the other tools/applications in the entire OS on the web server machine will not check this either, please insure that your environment allows this change (high-security environments might not allow it).
这些将确保客户端 Web 服务器 PHP 实例永远不会根据证书FQDN的CN(通用名称)检查服务器的 。在使用虚拟 IP 和证书的集群环境中非常有用。但由于这也使得 Web 服务器计算机上整个操作系统中的其他工具/应用程序也不会检查这一点,请确保您的环境允许此更改(高安全性环境可能不允许)。
回答by geoffc
Use a web browser, point at ldaps://ipaddress/
使用网络浏览器,指向 ldaps://ipaddress/
when the cert pop up box shows up, view the cert, look at the cert chain, find the trusted root (not the specific cert being used, rather the parent who signed it) then export THAT cert. Save in in PEM and B64 format. (Binary and B64 encoded).
当证书弹出框出现时,查看证书,查看证书链,找到受信任的根(不是正在使用的特定证书,而是签署它的父证书),然后导出该证书。以 PEM 和 B64 格式保存。(二进制和 B64 编码)。
Then use that to get it into the PHP keystore format, whichever that is. Java keystores are easy. Not sure what PHP uses.
然后使用它来将其转换为 PHP 密钥库格式,无论哪种格式。Java 密钥库很容易。不确定 PHP 使用什么。
