The OpenDS server on my laptop uses a self-signed certificate. This entry briefly describes using StartTLS so that passwords are not sent over the network in clear text, even though the certificate does not check out: like a root CA certificate it is self-signed, but unlike one it is free as in beer.
This is certainly not for production; it is a workaround for testing against the self-signed cert. Thanks to pataisjsu for posting this link, http://marc.info/?l=php-windows&m=116127873321748&w=2, on the PHP ldap_start_tls() function page.
You set up an ldap.conf file that lets StartTLS proceed even though the client application cannot verify the server certificate.
- Set up an environment variable that points to ldap.conf (the OpenLDAP client library that PHP uses reads it from there):
C:\>echo %LDAPCONF%
C:\openldap\sysconf\ldap.conf
- Add one line to ldap.conf telling the OpenLDAP client library that PHP uses not to request or verify the server certificate:
TLS_REQCERT never
With never, the client accepts whatever certificate the server presents, so the TLS session protects the password against passive sniffing only, not against someone in the middle presenting their own certificate. Keep this on the laptop; anywhere else, point TLS_CACERT at the exported OpenDS certificate and use TLS_REQCERT demand instead.
- Add new code -- in auth.php and lookup.php if you downloaded the example -- just after the call to ldap_connect() to use StartTLS. The "or die" matters: if StartTLS fails, the script must stop rather than go on to bind over the still-plaintext connection.
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_start_tls($ldapconn) or die("StartTLS failed.");
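Here is how those two lines fit into a complete connect, StartTLS, bind sequence, as an added example that is not part of the original post or its downloadable sample. It assumes OpenDS on its default LDAP port 1389 on localhost and placeholder bind credentials; the optional certificate branch additionally assumes a PHP 7.0.5 or later build that exposes the LDAP_OPT_X_TLS_* constants (and an OpenLDAP library that honours them per connection). Leave that branch unused and the ldap.conf setting above governs verification, exactly as in the post.

```php
<?php
// Added example (not from the original post): StartTLS before bind against
// OpenDS, with the "never bind in the clear" failure handling made explicit.
// Assumptions: OpenDS on ldap://localhost:1389, placeholder bind DN and
// password, PHP's ldap extension built against OpenLDAP (so ldap.conf and
// %LDAPCONF% apply as described above).

/**
 * Open a connection, negotiate StartTLS, then bind.
 * Returns the connection on success, false on any failure. On failure the
 * password has never been sent: bind is only attempted once TLS is up.
 */
function ldap_connect_starttls_bind($uri, $bindDn, $password, $caFile = null)
{
    $conn = ldap_connect($uri);
    if ($conn === false) {
        return false;
    }

    // StartTLS is an LDAPv3 extended operation; PHP defaults to v2, which is
    // why the post sets this before calling ldap_start_tls().
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Optional hardening (assumption: PHP >= 7.0.5 for these constants):
    // trust the exported OpenDS certificate and demand a valid one, instead
    // of switching verification off with TLS_REQCERT never in ldap.conf.
    if ($caFile !== null) {
        ldap_set_option($conn, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
        ldap_set_option($conn, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    }

    // Refuse to continue on a plaintext connection.
    if (!@ldap_start_tls($conn)) {
        error_log('StartTLS failed: ' . ldap_error($conn));
        ldap_unbind($conn);
        return false;
    }

    // Only now does the password cross the wire, inside TLS.
    if (!@ldap_bind($conn, $bindDn, $password)) {
        error_log('Bind failed: ' . ldap_error($conn));
        ldap_unbind($conn);
        return false;
    }
    return $conn;
}

// Usage with placeholder credentials; replace with your own test entry.
// Pass a fourth argument (path to the exported OpenDS certificate in PEM
// form) to demand verification instead of relying on TLS_REQCERT never.
$conn = ldap_connect_starttls_bind(
    'ldap://localhost:1389',
    'cn=Directory Manager',
    'password'
);
if ($conn === false) {
    die("Could not establish a protected, authenticated session.\n");
}
echo "Bound over StartTLS.\n";
ldap_unbind($conn);
```

The one behaviour worth copying into auth.php and lookup.php is the early return: a failed StartTLS closes the connection and the bind is never attempted, so a misconfigured ldap.conf or a server that does not support StartTLS shows up as a failure rather than as a password quietly sent in the clear.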
That's it. Happy testing.
