This documentation is for Passwork version 6.0, no longer supported.

See documentation for version 7.0.

LDAPS configuration

When using LDAPS, explicitly specify the ldaps:// protocol at the beginning of the host name, for example: ldaps://passwork.local:636

For LDAPS to work, the OS trust store must contain the certificate of the CA (certificate authority) that issued the LDAPS server certificate.

Installing certificates:

Note: the certificate must be in .crt format.

Ubuntu/Debian

Create the directory /usr/local/share/ca-certificates/ if it does not already exist:

mkdir -p /usr/local/share/ca-certificates/

Copy your LDAPS certificate to the created directory:

cp <full_path_to_the_certificate> /usr/local/share/ca-certificates/

Update OS trust store:

sudo update-ca-certificates

CentOS

Allow dynamic configuration of the trust store:

update-ca-trust force-enable

Copy your LDAPS certificate to /etc/pki/ca-trust/source/anchors/:

cp <full_path_to_the_certificate> /etc/pki/ca-trust/source/anchors/

Update OS trust store:

sudo update-ca-trust extract

Docker

To make a root LDAPS certificate trusted, copy the .pem or .crt certificate into ./conf/custom_ca and restart the PHP container:

docker compose restart passwork_php

Windows

Follow "Adding LDAPS certificate in Windows" to add your certificate as an OpenLDAP trusted certificate.

Debug LDAPS

To test for possible certificate issues during connection, execute the following command:

openssl s_client -connect dc1.local:636 -showcerts

To verify the certificates, execute the following command:

openssl verify -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem
  • Use the -CAfile flag to specify your CA certificate.
  • Use the -untrusted flag to specify the LDAPS server certificate and intermediate certificates in the certification chain (if you have any).
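
The verification command above, run against a throwaway chain so both outcomes are visible: it passes when the intermediate is supplied with -untrusted and fails when it is left out. This is an added example, not part of the Passwork documentation; the certificate subjects (Demo Root CA, Demo Intermediate CA) and the helper function names are constructed for illustration, and it assumes the openssl CLI with its default configuration file is installed.

```shell
#!/bin/sh
# Added example. The three-tier chain below is constructed sample data:
# Demo Root CA -> Demo Intermediate CA -> dc1.local (stand-in LDAPS server cert).

# new_csr NAME CN: create NAME.key and NAME.csr in the current directory.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# build_demo_chain DIR: write RootCert.pem, Intermediate.pem, UserCert.pem to DIR.
build_demo_chain() (
    cd "$1" || exit 1
    # Both CA certificates need CA:TRUE, otherwise they cannot act as issuers.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    new_csr root "Demo Root CA" && new_csr int "Demo Intermediate CA" &&
    new_csr srv "dc1.local" &&
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 2 -out RootCert.pem 2>/dev/null &&
    openssl x509 -req -in int.csr -CA RootCert.pem -CAkey root.key -CAcreateserial \
        -extfile ca.ext -days 2 -out Intermediate.pem 2>/dev/null &&
    openssl x509 -req -in srv.csr -CA Intermediate.pem -CAkey int.key -CAcreateserial \
        -days 2 -out UserCert.pem 2>/dev/null
)

# chain_ok ARGS...: succeed only if "openssl verify ARGS" reports "<file>: OK".
chain_ok() {
    openssl verify "$@" 2>&1 | grep -q ': OK$'
}

# run_demo: verify the server cert with and without the intermediate certificate.
run_demo() {
    d=$(mktemp -d) || return 1
    build_demo_chain "$d" || { rm -rf "$d"; return 1; }
    chain_ok -CAfile "$d/RootCert.pem" -untrusted "$d/Intermediate.pem" \
        "$d/UserCert.pem" && with=OK || with=FAIL
    # Same check when the intermediate is not supplied: the chain cannot be built.
    chain_ok -CAfile "$d/RootCert.pem" "$d/UserCert.pem" && without=OK || without=FAIL
    rm -rf "$d"
    echo "with-intermediate=$with without-intermediate=$without"
}

run_demo
```

If the real check fails in the same way as the second case, compare the chain printed by openssl s_client -showcerts with the CA certificates installed in the trust store.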