Tags: ssl, openssl, x509certificate, openldap

PHP LDAP self signed root certificate error


TLDR:

PHP ldap_bind complains about the CA's root certificate being self-signed.

Long version:

Hi everybody.

I've been searching for an answer for this problem for some time but can't seem to find a way around it that is good for production. Here are the details:

I am running a XAMPP distribution with PHP 8.2.4 installed on my Windows 11 machine. It is configured to use OpenSSL and OpenLDAP. My goal is to write a web app that authenticates users against the university's Active Directory, which uses ldaps. I wrote a mini script that checks the TLS connection and then binds to the LDAP server with the bind DN and credentials.

Just like basically everybody, I also get the self-signed certificate error. I therefore tried the different solutions, and it ended up working by setting the LDAP protocol version to 3 and by not checking for self-signed certificates. I also read that that opens you up to security vulnerabilities. I would therefore like to avoid this solution.

I therefore checked deeper to find out which certificate is actually self-signed. It turns out that OpenSSL is complaining about the root certificate of 'DigiCert' (Global Root G2). From what I've read, root certificates are always self-signed.

Is there a solution to this? I'm very new to Web certificates and would therefore appreciate an answer that is not purely technical. It's my first time dealing with this field.


Solution

  • The fix was fairly easy. As I am working on a Windows machine, I had to add the following folder structure:

    C:\OpenLdap\sysconf

    In there I pasted the CA's root certificate with which the LDAP server's certificate was signed. In addition to that I created a file called ldap.conf, in which I pasted the following lines:

    #--begin--

    # Define location of CA Cert
    TLS_CACERT c:\OpenLDAP\sysconf\[CA_ROOT_CERT]
    TLS_CACERTDIR c:\OpenLDAP\sysconf\
    TLS_REQCERT hard

    #--end--

    You have to replace [CA_ROOT_CERT] with your CA's root certificate's file name. I didn't have to edit any environment variables.
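A note on what the error actually means, and the same fix expressed in PHP rather than in ldap.conf. OpenSSL's "self signed certificate in certificate chain" verdict does not mean the server's certificate is self-signed; it means OpenSSL walked the chain up to its root and did not find that root in any trust store it had been told about. Every root is self-signed, so the only cure is to hand the client library the root it should trust, which is exactly what TLS_CACERT does above. The workaround of disabling the check (TLS_REQCERT never, or LDAP_OPT_X_TLS_NEVER from PHP) keeps the traffic encrypted but lets anyone on the network path present their own certificate and collect the bind password. The script below is an added example written for this page, not code from the original poster or from XAMPP; the host name, bind DN, password, base DN and CA file name are placeholders. It shows the insecure setting beside the hardened one, binds with the service account, prints OpenLDAP's diagnostic message when the bind fails (that is where the real TLS reason appears), and then authenticates an end user the way the question's web app would, escaping the username before it goes into the search filter.

```php
<?php
// Added example for this page, not the original poster's script.
// All names below are placeholders (assumed values), adjust for your directory.
declare(strict_types=1);

const LDAP_URI = 'ldaps://dc1.example.edu:636';                          // assumed host
const CA_FILE  = 'C:\\OpenLDAP\\sysconf\\DigiCertGlobalRootG2.crt.pem';  // assumed file name
const BIND_DN  = 'CN=svc-webapp,OU=Service Accounts,DC=example,DC=edu';  // assumed
const BIND_PW  = 'change-me';                                            // assumed
const BASE_DN  = 'DC=example,DC=edu';                                    // assumed

// The insecure workaround the question mentions: accept any certificate.
// The connection is still encrypted, but nothing stops a man in the middle
// from presenting its own certificate and harvesting BIND_PW. Do not deploy.
function tlsOptionsInsecure(): void
{
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
}

// The hardened form, equivalent to TLS_CACERT + TLS_REQCERT hard in ldap.conf.
// Set globally (first argument null) before ldap_connect() so every new
// connection inherits it; the TLS handshake itself only happens at bind time.
function tlsOptionsVerified(string $caFile): void
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA root certificate not readable: $caFile");
    }
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
    ldap_set_option(null, LDAP_OPT_X_TLS_PROTOCOL_MIN, LDAP_OPT_X_TLS_PROTOCOL_TLS1_2);
}

function connectDirectory(string $uri): LDAP\Connection
{
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("Malformed LDAP URI: $uri");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);  // AD requires v3
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);         // do not chase AD referrals
    return $ds;
}

// Bind and, on failure, surface OpenLDAP's diagnostic text. For a TLS problem
// ldap_error() only says "Can't contact LDAP server"; the verify error
// (e.g. "self signed certificate in certificate chain") is in the diagnostic.
function bindOrExplain(LDAP\Connection $ds, string $dn, string $pw): bool
{
    if (@ldap_bind($ds, $dn, $pw)) {
        return true;
    }
    $diag = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    fwrite(STDERR, sprintf("bind as %s failed: %s (%s)\n", $dn, ldap_error($ds), $diag));
    return false;
}

// Look the user up with the service account, then bind as the user's own DN.
// ldap_escape() stops a username like "*)(objectClass=*" from rewriting the filter.
function authenticateUser(LDAP\Connection $ds, string $username, string $password): bool
{
    if ($password === '') {
        return false;  // AD treats an empty password as an anonymous bind, which "succeeds"
    }
    $filter = sprintf('(&(objectClass=user)(sAMAccountName=%s))',
                      ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $res = ldap_search($ds, BASE_DN, $filter, ['dn'], 0, 1);
    if ($res === false) {
        return false;
    }
    $entries = ldap_get_entries($ds, $res);
    if ($entries['count'] !== 1) {
        return false;
    }
    return @ldap_bind($ds, $entries[0]['dn'], $password);
}

tlsOptionsVerified(CA_FILE);           // swap for tlsOptionsInsecure() to see the difference
$ds = connectDirectory(LDAP_URI);
if (bindOrExplain($ds, BIND_DN, BIND_PW)) {
    $ok = authenticateUser($ds, 'jdoe', 'user-password-from-login-form');  // placeholders
    echo $ok ? "login ok\n" : "login rejected\n";
}
ldap_unbind($ds);
```

Two caveats worth knowing. TLS_CACERT alone is sufficient; TLS_CACERTDIR (and LDAP_OPT_X_TLS_CACERTDIR) only works if the directory contains the certificates under their OpenSSL subject-hash names (the layout produced by c_rehash), so a directory that just holds a copied .crt file is silently ignored. And the root you install must be the one the server's chain actually ends in: if the university rotates to a different CA, binds start failing with the same "self signed certificate in certificate chain" message, which is the check doing its job rather than a reason to switch it off.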