niota

Prerequisitions

Configuration file ldap.conf must be created as a simple text file in the following folder

“c:\openldap\sysconf\ldap.conf”

This file path is hardcoded in the ldap related dll file of the php installation, therefore there is no soultion to place the ldap.conf file in any other place.

In the file ldap.conf the certificate-folder and certificate-file path can be set. The client certificate checking method can be specified as well. These can be set with the next three directives what you can define in the ldap.conf file:

TLS_REQCERT
This directive specifies which checks to perform on client certificates in an incoming TLS session, if any.

Accepted values are:

• never
• allow
• try
• demand

In the case of self-signed certificates it is recommended to use the never or the allow setting.

E.g.:

TLS_REQCERT allow

Important
Even if the setting is set to never the certificate must exist and the path must be set correctly! The setting does not mean that you do not have to own the certificate.

TLS_CACERT
Certificate file path. The certificate must not be placed in the same folder as the ldap.conf file but it is also not a problem to place it into the folder c:\openldap\sysconf

Example 1

TLS_CACERT c:\path\to\certification_dir\file.cer

Example 2

TLS_CACERT c:\openldap\sysconf\certificate.cer

Important
The certification file content must be in Base64 format. You can check it for example by opening the certificate in Notepad. Content should look like this example:

-----BEGIN CERTIFICATE-----
MIIDqjCCApKgAwIBAgIJAPsChKSq04oyMA0GCSqGSIb3DQEBCwUAMGYxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
...
-----END CERTIFICATE-----

TLS_CACERTDIR Certificate folder path. The certificate must not be placed in the same folder as the ldap.conf file but it is also not a problem to place this into that folder c:\openldap\sysconf.

Example 1

TLS_ CACERTDIR c:\path\to\certification_dir\

Example 2

TLS_ CACERTDIR c:\openldap\sysconf\

Note

There are openssl related php settings in the configuration file “c:\Program Files\php-7.3.8_x64\php.ini” (;openssl.cafile and ;openssl.capath) but those do not have effect on settings set in file “ldap.conf” or on LDAPS sonnection. So the proper settings must be set in file “c:\openldap\sysconf\ldap.conf”!