LDAPS configuration
When using LDAPS, prefix the host name with the ldaps:// scheme and include the port (636 is the default LDAPS port), for example:
ldaps://passwork.local:636;
For LDAPS to work, the OS trust store must contain the certificate of the CA (certificate authority) that issued the LDAPS server certificate; otherwise the TLS handshake fails with a certificate verification error.
Installing the CA certificate:
The CA certificate must be a PEM-encoded file (Base64 text between BEGIN CERTIFICATE and END CERTIFICATE lines). On Ubuntu/Debian its file name must end in .crt, because update-ca-certificates only picks up *.crt files.
Ubuntu/Debian
Create the directory /usr/local/share/ca-certificates/ if it does not exist yet:
sudo mkdir -p /usr/local/share/ca-certificates/
Copy the CA certificate (.crt) into that directory:
sudo cp <full_path_to_the_certificate> /usr/local/share/ca-certificates/
Update the OS trust store:
sudo update-ca-certificates
CentOS
Allow dynamic configuration of the trust store (needed on older releases where it is not enabled by default):
sudo update-ca-trust force-enable
Copy the CA certificate to /etc/pki/ca-trust/source/anchors/:
sudo cp <full_path_to_the_certificate> /etc/pki/ca-trust/source/anchors/
Update the OS trust store (update-ca-certificates is the Debian tool and does not exist here):
sudo update-ca-trust extract
Docker
To trust the CA that issued the LDAPS server certificate, copy its certificate (.pem or .crt) into ./conf/custom_ca and restart the PHP container:
docker compose restart passwork_php
Windows
See Adding LDAPS certificate in Windows for how to add the CA certificate to the OpenLDAP client's trusted certificates.
Debug LDAPS
To see the certificate chain the server presents and spot certificate problems during the TLS handshake, execute the following command (replace dc1.local with your LDAPS host). The output lists every certificate the server sends and ends with a "Verify return code" line; anything other than 0 (ok) points at a trust-store or chain problem:
openssl s_client -connect dc1.local:636 -showcerts
To verify the server certificate against your CA without connecting to the server, execute the following command:
openssl verify -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem
- Use the -CAfile flag to specify your CA (root) certificate.
- Use the -untrusted flag to specify the intermediate certificate(s) of the certification chain, if there are any (the flag may be repeated for several files).
- The last argument (UserCert.pem here) is the LDAPS server certificate being verified.
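The following script ties the steps above together; it is an added example, not part of Passwork's documentation or tooling. It fetches the chain an LDAPS server presents with openssl s_client, splits it into one file per certificate, runs openssl verify the way the command above does (CA via -CAfile, intermediates via -untrusted, the server certificate as the positional argument) and, if verification fails, prints the install commands for the detected distribution family. The host dc1.local, the file name ca.crt and the default bundle path are placeholders; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not Passwork's own tooling: fetch the chain an LDAPS server
# presents, split it into one file per certificate, verify the server
# certificate the way the page's `openssl verify` command does (CA via -CAfile,
# intermediates via -untrusted) and, on failure, print where the CA certificate
# belongs on this distribution. Host names and paths in the usage line are
# placeholders.
set -eu

# fetch_chain HOST PORT OUTFILE: save what s_client prints, i.e. the PEM blocks
# of the served chain plus the handshake summary with its "Verify return code".
fetch_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null >"$3" 2>/dev/null || true
}

# split_chain BUNDLE OUTDIR: write cert-1.pem (the server certificate),
# cert-2.pem, ... in the order served; print how many certificates were found.
split_chain() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    n { print > f }
    /-----END CERTIFICATE-----/ { close(f) }
    END { print n + 0 }
  ' "$1"
}

# is_self_signed CERT: subject hash equals issuer hash, i.e. the server shipped
# a copy of a root. A root is only trusted if it is in the local store, so the
# served copy must never be passed as -untrusted or as -CAfile.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# verify_chain CERTDIR CAFILE: the server certificate is the positional
# argument of openssl verify, every other non-self-signed certificate from the
# chain is supplied with -untrusted, the CA with -CAfile.
verify_chain() {
  local dir="$1" cafile="$2"
  set --
  for c in "$dir"/cert-*.pem; do
    [ "$c" = "$dir/cert-1.pem" ] && continue
    is_self_signed "$c" && continue
    set -- "$@" -untrusted "$c"
  done
  openssl verify -CAfile "$cafile" "$@" "$dir/cert-1.pem"
}

# install_hint ID: where the CA .crt goes and how to refresh the store, for the
# distribution family given as ID (as in /etc/os-release); ca.crt is a placeholder.
install_hint() {
  case "$1" in
    debian|ubuntu)
      printf '%s\n' 'sudo cp ca.crt /usr/local/share/ca-certificates/' \
                    'sudo update-ca-certificates' ;;
    centos|rhel|fedora|rocky|almalinux)
      printf '%s\n' 'sudo cp ca.crt /etc/pki/ca-trust/source/anchors/' \
                    'sudo update-ca-trust extract' ;;
    *)
      printf '%s\n' 'unknown distribution: add the CA certificate to the OS trust store manually' ;;
  esac
}

# Usage: sh ldaps_check.sh dc1.local 636 [ca.crt]
# Without a CA file the Debian/Ubuntu system bundle is used, which answers the
# question "does the OS already trust this server?".
if [ $# -gt 0 ]; then
  host="$1"; port="${2:-636}"; cafile="${3:-/etc/ssl/certs/ca-certificates.crt}"
  work=$(mktemp -d)
  fetch_chain "$host" "$port" "$work/chain.pem"
  n=$(split_chain "$work/chain.pem" "$work/certs")
  echo "certificates presented by $host:$port: $n"
  grep 'Verify return code' "$work/chain.pem" || true
  [ "$n" -gt 0 ] || { echo 'no certificates received (connection or TLS failure)'; exit 1; }
  if ! verify_chain "$work/certs" "$cafile"; then
    ID=unknown
    [ -r /etc/os-release ] && . /etc/os-release
    install_hint "$ID"
    exit 1
  fi
fi
```

Pass the CA file you intend to install as the third argument to confirm it actually issues the server's chain before touching the trust store; run it without the third argument after installing to confirm the OS bundle now verifies the server. Any root the server happens to send along is deliberately ignored, since trusting a root just because the peer presented it would defeat verification.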