Hi,

This might save some time to someone, so let me post it to the list.

TL;DR: when using PHP to connect to an AD LDAPS host (using ADCS) from
IPA-joined hosts, modify /etc/openldap/ldap.conf or $HOME/.ldaprc and change
the TLS_CACERT environment variable to
TLS_CACERT /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

We have, like many folks, an Active Directory (AD) Windows environment
running side by side with our IPA environment.

Our IPA-joined Apache web servers running CentOS 6.5 need to talk, using PHP,
to the AD LDAP servers for several applications. A business requirement is
that the connection is secure, so we need to use LDAPS or STARTTLS LDAP.

After joining the web servers to our Linux domain, the file
/etc/openldap/ldap.conf is created with these settings:

$ cat /etc/openldap/ldap.conf
#File modified by ipa-client-install

URI ldaps://kdc02.unix.domain.tld
BASE dc=unix,dc=domain,dc=tld
TLS_CACERT /etc/ipa/ca.crt

Now, this is OK for most people. The problem we are having is that I
"installed" our AD Certificate Services CA file by copying the file to
/etc/pki/ca-trust/source/anchors/ and running update-ca-trust enable &&
update-ca-trust (great tool, by the way).

Using openssl s_client I can verify the certificate:

$ openssl s_client -connect dc04.domainl.ocal:636 -showcerts
...
  Verify return code: 0 (ok)

So that works, but the PHP application does not accept the new CA unless I
modify /etc/openldap/ldap.conf or create a $HOME/.ldaprc with these
settings:

TLS_CACERT /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

By the way, using Perl's Net::LDAP library just works without any of these
problems... gotta love PHP.

-- 
Regards,
natxo
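The same fix can be applied per application instead of system-wide: the added example below (not the poster's code) points PHP's LDAP client at the bundle that update-ca-trust produces and demands certificate verification, so a server presenting a certificate from an untrusted CA is rejected rather than silently accepted. It assumes PHP 7.1 or later (for LDAP_OPT_X_TLS_CACERTFILE); the host name, bind DN and the AD_BIND_PASSWORD variable are placeholders.

```php
<?php
// Added example: verify an AD LDAPS server against the system CA bundle.
// Requires PHP >= 7.1. Host, bind DN and password variable are placeholders.
declare(strict_types=1);

const AD_URI    = 'ldaps://dc04.ad.example.invalid:636';          // placeholder
const CA_BUNDLE = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem';
const BIND_DN   = 'CN=svc-ldap,OU=Service Accounts,DC=ad,DC=example,DC=invalid';

function connectToAd(string $uri, string $caBundle)
{
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }
    // TLS options are global and must be set before ldap_connect(): for an
    // ldaps:// URI the handshake happens on the first operation on the handle.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caBundle);
    // DEMAND = fail the connection if the server certificate does not verify.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        throw new RuntimeException("Malformed LDAP URI: $uri");
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); // AD hands out referrals; do not chase them
    // For ldap://host + STARTTLS instead of ldaps://, call ldap_start_tls($ldap) here.
    return $ldap;
}

function bindServiceAccount($ldap, string $bindDn, string $password): void
{
    if (@ldap_bind($ldap, $bindDn, $password)) {
        return;
    }
    // A trust failure surfaces as "Can't contact LDAP server"; the diagnostic
    // message names the TLS problem (e.g. unknown CA) so it can be logged.
    $diag = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    throw new RuntimeException(sprintf('bind failed: %s (%s)', ldap_error($ldap), $diag));
}

$password = getenv('AD_BIND_PASSWORD'); // secret comes from the environment, not the source
if ($password === false) {
    fwrite(STDERR, "AD_BIND_PASSWORD is not set\n");
    exit(1);
}
$ldap = connectToAd(AD_URI, CA_BUNDLE);
bindServiceAccount($ldap, BIND_DN, $password);
$res  = ldap_read($ldap, '', '(objectClass=*)', ['defaultNamingContext']); // rootDSE
$root = ldap_get_entries($ldap, $res);
echo 'Verified TLS connection; defaultNamingContext = ', $root[0]['defaultnamingcontext'][0], "\n";
ldap_unbind($ldap);
```

Pointing CA_BUNDLE at a file that does not contain the AD CA makes bindServiceAccount() throw, which is the quick way to confirm that verification is actually being enforced.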