ZF2 LDAP SSL certificate untrusted

Question

I am leveraging the Zend Framework 2 Zend\Authentication\Adapter\Ldap to authenticate against Windows Active Directory. It all works perfectly when I do not attempt to use SSL. With SSL I cam getting the following error:

0x51 (Can't contact LDAP server; error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate)):

I suspect this is because we use self-signed certificates. I would like to bypass the certificate check. Using the standard php ldap_set_option I could set TLS_REQCERT to never. I cannot find in the ldap options provided by the Zend authentication adaptor how to set this property. Is there a configuration setting I have just missed in the documentation that speaks to this?

Does anyone know how to set REQCERT = never inside ZF2?

Answer 1

On connect over SSL the client verifys the server certificate by default - one way to disable this is to set TLS_REQCERT never in your LDAP's ldap.conf file and restarting Apache.

If you really care about the server's cert you should put a cert on the web server.

Answer 2

I have to note that this does not excuse not validating your certificates, but for testing ZF2 and LDAP running on Apache/PHP or on the command line in case you are developing here is the answer.

For Apache 2.4

I believe you can place this globally for Apache in "httpd.conf", per Web site in a "VirtualHost" configuration, or more specifically in a local ".htaccess" folder as well. I can help further if you need to understand the differences between these files, but for now having some know how of a VirtualHost configuration for your specific ZF2 application would be useful so this is not applied everywhere to every site you are developing.

Be sure the mod_env module in Apache is enabled.

Add this under the VirtualHost for the ZF2 app:

<VirtualHost *:80>
  DocumentRoot /www/example1
  ServerName www.example.com

  # The following allows for not requiring the certificate when developing between LDAP and AD SSL.
  SetEnv LDAPTLS_REQCERT never
  # Other directives here for your ZF2/PHP LDAP based site

</VirtualHost>

Be sure to restart Apache! For more environment information, see http://httpd.apache.org/docs/current/mod/mod_env.html.

PHP Command Line Interface for Development (such as on Linux)

When you run PHP from the command line (in a bash shell), to test your ZF2 site, go to the public folder and run the following commands for development:

cd [path_to_ZF2_development_directory_without_brackets]/public

// sets the environment variable for this session only
LDAPTLS_REQCERT=never

// Runs PHP 5 's built in non-production Web server on the folder; listening on port 80 from all available sources.
php -S 0.0.0.0:1080 -t ./ 

Therefore, in my example I would go (cd) to my zf2-application/public folder and run those 2 other commands.

In all, these suggestions get rid of the error, but now you'll have to deal with any other LDAP to Active Directory issues you need to fix in your code or in Active Directory.