Version: 7.0

LDAPS configuration

When using LDAPS, prefix the hostname with the "ldaps://" protocol and append port "636", for example: ldaps://passwork.local:636

For LDAPS to work, the Passwork server must trust the CA certificates that issued the LDAPS server certificate.

Installing certificates:

Info: certificates must have the .crt extension.

Ubuntu/Debian

For Astra Linux, additionally install the package:

apt install libldap-common -y

Place the LDAPS server certificate in the directory:

cp ldap_certificate.crt /usr/local/share/ca-certificates/

Update the certificate store:

sudo update-ca-certificates

CentOS

Enable dynamic configuration of the certificate store:

update-ca-trust force-enable

Place the LDAPS server certificate in the directory /etc/pki/ca-trust/source/anchors/:

cp ldap_certificate.crt /etc/pki/ca-trust/source/anchors/

Update the certificate store:

sudo update-ca-trust extract

Docker

To add the LDAPS root certificate to trusted certificates, copy the .pem or .crt certificate to the ./conf/custom_ca directory and restart the PHP container:

docker restart passwork_php

Windows

See the section "Adding LDAPS certificate in Windows".

LDAPS debugging

To check for certificate issues when connecting, run the following command:

openssl s_client -connect dc1.local:636 -showcerts

To verify certificates, run the following command:

openssl verify -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem

Using the -CAfile option, specify the CA certificate that issued the LDAPS server certificate.

Using the -untrusted option, specify the LDAPS server certificate and intermediate certificates in the chain (if intermediate certificates exist).
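To see how the verify command behaves when part of the chain is missing or the wrong CA is trusted, the following added example (not part of the Passwork documentation) builds a throwaway root, intermediate and server certificate and runs the command three ways. It assumes the openssl CLI is installed; the helper names make_pki and verify_chain, all subjects, the dc1.local SAN and OtherRoot.pem are constructed for the example.

```sh
#!/bin/sh
# Constructed test PKI: Root CA -> Intermediate CA -> LDAPS server certificate.
# File names follow the verify command above; all subjects are sample values.
make_pki() (   # $1 = existing directory to write keys and certificates into
  cd "$1" || exit 1
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:dc1.local
EOF
  newca() { openssl req -x509 -newkey rsa:2048 -nodes -config pki.cnf \
      -extensions ca -subj "/CN=$1" -days 2 -keyout "$2.key" -out "$2.pem"; }
  issue() { openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
      -subj "/CN=$1" -keyout "$2.key" -out "$2.csr" &&
    openssl x509 -req -in "$2.csr" -CA "$3.pem" -CAkey "$3.key" \
      -CAcreateserial -extfile pki.cnf -extensions "$4" -days 2 -out "$2.pem"; }
  { newca "Constructed Root CA" RootCert &&
    newca "Unrelated Root CA" OtherRoot &&
    issue "Constructed Intermediate CA" Intermediate RootCert ca &&
    issue "dc1.local" UserCert Intermediate leaf; } >/dev/null 2>&1
)

# verify_chain DIR CAFILE [UNTRUSTED]: runs the verify command from this page
# on UserCert.pem and returns its exit status (0 = chain validates).
verify_chain() (
  cd "$1" || exit 1
  if [ -n "$3" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" UserCert.pem
  else
    openssl verify -CAfile "$2" UserCert.pem
  fi
)

dir=$(mktemp -d) && make_pki "$dir" || echo "could not build test PKI" >&2
# Case 1: full chain. Case 2: intermediate missing (openssl reports
# "unable to get local issuer certificate"). Case 3: unrelated root CA.
for args in "RootCert.pem Intermediate.pem" "RootCert.pem" \
            "OtherRoot.pem Intermediate.pem"; do
  set -- $args
  if verify_chain "$dir" "$1" "$2" >/dev/null 2>&1; then r=OK; else r=FAIL; fi
  echo "CAfile=$1 untrusted=${2:-none} -> $r"
done
```

Only the first case validates. The second is the typical result when the LDAPS server sends no intermediate certificate and none is installed on the Passwork server.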