Hi, this might save some time for someone, so let me post it to the list.
TL;DR: when using PHP to connect to an AD LDAPS host using ADCS from IPA-joined hosts, modify /etc/openldap/ldap.conf or $HOME/.ldaprc and change the TLS_CACERT environment variable to:

  TLS_CACERT /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

We have, like many folks, an Active Directory (AD) Windows environment running side by side with our IPA environment. Our IPA-joined Apache web servers running CentOS 6.5 need to talk using PHP to the AD LDAP servers for several applications. A business requirement is that the connection is secure, so we need to use ldaps or StartTLS LDAP.

After joining the web servers to our Linux domain, a file is created, /etc/openldap/ldap.conf, with these settings:

  $ cat /etc/openldap/ldap.conf
  #File modified by ipa-client-install
  URI ldaps://kdc02.unix.domain.tld
  BASE dc=unix,dc=domain,dc=tld
  TLS_CACERT /etc/ipa/ca.crt

Now, this is OK for most people. The problem we are having is that I "installed" our AD Certificate Services CA file by copying the file to /etc/pki/ca-trust/source/anchors/ and running update-ca-trust enable && update-ca-trust (great tool, by the way). Using openssl s_client I get to verify the certificate:

  $ openssl s_client -connect dc04.domainl.ocal:636 -showcerts
  ...
  Verify return code: 0 (ok)

So that works, but the PHP application does not accept the new CA unless I modify /etc/openldap/ldap.conf or create a $HOME/.ldaprc with these settings:

  TLS_CACERT /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

By the way, using Perl's Net::LDAP library just works without all these problems... gotta love PHP.

-- 
Groeten,
natxo
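As an added example (not code from the original post), here is how the same fix can be applied from inside the PHP application itself rather than through ldap.conf or .ldaprc: the connection is told to verify the domain controller's certificate against the system bundle that update-ca-trust writes, and verification is explicitly demanded. The hostname, bind DN and password are placeholders; the option constants are the ones PHP's ldap extension exposes (LDAP_OPT_X_TLS_CACERTFILE and LDAP_OPT_X_TLS_REQUIRE_CERT exist in PHP 7.1+), and the putenv() fallback assumes the underlying libldap honours the LDAPTLS_CACERT environment variable, which OpenLDAP's client library does.

```php
<?php
// Added example, not part of the original mailing-list post.
// Connect from PHP to an AD domain controller over LDAPS, trusting the
// system CA bundle produced by update-ca-trust instead of the IPA-only
// CA in /etc/ipa/ca.crt. Host, bind DN and password are placeholders.

const CA_BUNDLE = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem';

/**
 * Open a certificate-verified LDAPS connection and bind.
 * Returns the LDAP link on success; throws RuntimeException with
 * libldap's diagnostic message on failure.
 */
function ad_ldaps_connect($host, $bindDn, $password)
{
    // libldap reads its TLS settings when the first connection is made,
    // so everything below must happen before ldap_connect().
    // putenv() covers older PHP builds without the constants (assumption:
    // libldap reads LDAPTLS_CACERT from the environment, as OpenLDAP does).
    putenv('LDAPTLS_CACERT=' . CA_BUNDLE);
    if (defined('LDAP_OPT_X_TLS_CACERTFILE')) {
        // null link = process-wide default for all later connections
        ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, CA_BUNDLE);
    }
    // Demand a valid chain. Downgrading this to "allow" or "never" to make
    // the error disappear silently turns off server verification.
    if (defined('LDAP_OPT_X_TLS_REQUIRE_CERT')) {
        ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    }

    $ds = ldap_connect("ldaps://{$host}:636");
    if ($ds === false) {
        throw new RuntimeException("invalid LDAP URI for {$host}");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // AD answers searches with referrals; chasing them anonymously fails.
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // The TLS handshake, and therefore the CA check, happens on bind.
    if (!@ldap_bind($ds, $bindDn, $password)) {
        $diag = '';
        if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
            ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        }
        throw new RuntimeException(sprintf(
            'bind to %s failed: %s (%s)', $host, ldap_error($ds), $diag
        ));
    }
    return $ds;
}

// Usage with placeholder values:
// $ds  = ad_ldaps_connect('dc04.ad.example.tld', 'svc-web@ad.example.tld', getenv('AD_BIND_PW'));
// $res = ldap_search($ds, 'dc=ad,dc=example,dc=tld', '(sAMAccountName=jdoe)', ['mail']);
// print_r(ldap_get_entries($ds, $res));
```

If the bind fails with a certificate error, the diagnostic message from libldap names the failing step (unknown CA, hostname mismatch); compare it with the openssl s_client output above, which uses the same system bundle, to tell a trust-store problem from an ldap.conf one.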
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project