12.13. LDAP connections with Self-Signed SSL
If the LDAP server HelpSpot talks to does not present a certificate issued by a publicly trusted CA (a self-signed certificate, or one issued by an internal CA), the PHP LDAP extension (php_ldap.dll on Windows) must be told which certificate to trust before it will complete a TLS connection.
This condition is indicated by an error in the HelpSpot log file stating:
BindException: Can’t contact LDAP server in C:\inetpub\wwwroot\vendor\adldap2\src\Auth\Guard.php
First confirm that no firewall rule blocks port 389 (standard LDAP, including STARTTLS) or port 636 (LDAPS) between the HelpSpot server and the LDAP server.
If you can reach the LDAP server named in HelpSpot's settings on that port from the HelpSpot server (for example with telnet, or Test-NetConnection on Windows) but users still fail to authenticate, the failing TLS handshake is the likely cause. Choose one of the options below to resolve it.
Note: The Windows PHP libraries are hard-coded to look for an OpenLDAP configuration file (ldap.conf) at C:\openldap\sysconf\ldap.conf. On Linux it is normally /etc/openldap/ldap.conf (Debian and Ubuntu use /etc/ldap/ldap.conf instead).
Create the ldap.conf text file at that location (and the directory, if it does not exist yet). This file is where you point the LDAP client at your certificate store; once it exists you can edit it as described below.
There are two options for resolution. The first is the secure one: it keeps certificate verification on and tells the client which certificate to trust. The second switches verification off entirely, so anyone who can intercept traffic between the HelpSpot server and the LDAP server could impersonate the LDAP server and collect the credentials HelpSpot binds with. Use the second option only for a short diagnostic test, or in an isolated network where that risk has been accepted.
Option 1: provide a path to a trusted certificate
- Export the certificate to trust. For a self-signed LDAP server certificate, that is the server certificate itself; for a certificate issued by an internal CA, export the issuing CA's certificate instead. On Windows, the certificate export wizard option "Base-64 encoded X.509 (.CER)" produces the PEM format OpenLDAP reads. Only the public certificate is needed, never the private key.
- Save the exported certificate as a .pem file, for example C:\openldap\sysconf\cacert.pem. Several certificates can be concatenated into the one file.
- Edit the ldap.conf file and add a line for the TLS_CACERT option pointing at that file, with the option name and the path separated by whitespace (ldap.conf does not use "="), for example TLS_CACERT C:\openldap\sysconf\cacert.pem
- Verification also checks that the server name HelpSpot is configured with matches the name in the certificate, so the certificate's CN or subject alternative name must contain the host name used in HelpSpot's LDAP settings.
Option 2: trust all certificates without verification
- Edit the ldap.conf file so that it contains only the line TLS_REQCERT never
- With this setting the client accepts any certificate, so it no longer protects against a server impersonating your LDAP directory.
After saving the changes, restart your web server (IIS on Windows, or Apache/PHP-FPM on Linux) so that PHP re-reads ldap.conf.
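The following script is an added example written for this page; it is not part of HelpSpot or of the PHP LDAP extension. It performs the steps of Option 1 and the checks a practitioner would want before restarting the web server: it downloads the certificate the LDAPS listener presents, writes it out as PEM, writes a correctly formatted ldap.conf, then repeats the verified TLS handshake libldap will perform so that an untrusted issuer and a host name mismatch can be told apart. It also audits an existing ldap.conf for the "TLS_CACERT=" syntax (which OpenLDAP ignores) and for TLS_REQCERT never. The host name ldap.example.internal and the two file paths are placeholders you must adapt; it uses only the Python standard library and runs on Windows or Linux.

```python
# Added example for this page (not HelpSpot code).  Standard library only, runs on
# Windows or Linux.  LDAP_HOST and the two paths below are placeholders to adapt.
import base64
import socket
import ssl
from pathlib import Path

LDAP_HOST = "ldap.example.internal"                   # assumed: host from HelpSpot's LDAP settings
LDAPS_PORT = 636
LDAP_CONF = Path(r"C:\openldap\sysconf\ldap.conf")    # where Windows PHP looks for ldap.conf
CACERT = Path(r"C:\openldap\sysconf\cacert.pem")      # assumed location for the trust anchor


def der_to_pem(der: bytes) -> str:
    """Convert a DER (.cer, 'DER encoded binary X.509') export to the Base64 PEM form
    TLS_CACERT expects: 64-character lines between BEGIN/END CERTIFICATE markers."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fetch_server_cert_pem(host: str, port: int = LDAPS_PORT) -> str:
    """Download the certificate the LDAPS listener presents, as PEM, without verifying it.
    For a self-signed server certificate this is the trust anchor itself.  For a
    certificate issued by an internal CA, export and trust the CA certificate instead."""
    return ssl.get_server_certificate((host, port))


def render_ldap_conf(cacert_path, reqcert: str = "demand") -> str:
    """ldap.conf separates option and value with whitespace; 'TLS_CACERT=...' is ignored."""
    return f"TLS_CACERT {cacert_path}\nTLS_REQCERT {reqcert}\n"


def audit_ldap_conf(text: str) -> list[str]:
    """Flag settings that disable verification or that libldap will silently ignore."""
    findings, opts = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if "=" in parts[0]:
            findings.append(f"bad syntax {line!r}: separate option and value with whitespace, not '='")
            continue
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    reqcert = opts.get("TLS_REQCERT", "demand").lower()
    if reqcert == "never":
        findings.append("TLS_REQCERT never: the server certificate is not checked; "
                        "anyone on the path can impersonate the LDAP server and collect credentials")
    elif reqcert == "allow":
        findings.append("TLS_REQCERT allow: an invalid certificate is accepted")
    if reqcert != "never" and not (opts.get("TLS_CACERT") or opts.get("TLS_CACERTDIR")):
        findings.append("no TLS_CACERT or TLS_CACERTDIR: a self-signed certificate cannot verify")
    return findings


def check_tls(host: str, port: int, cafile) -> tuple[bool, str]:
    """Perform the verified handshake libldap performs with TLS_REQCERT demand, using
    cafile as the only trust anchor.  Separates the two usual self-signed failures:
    an untrusted issuer versus a certificate whose name does not match the host."""
    ctx = ssl.create_default_context(cafile=str(cafile))
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return True, f"verified, subject CN={subject.get('commonName')}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"verification failed: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    CACERT.write_text(fetch_server_cert_pem(LDAP_HOST))
    LDAP_CONF.write_text(render_ldap_conf(CACERT))
    print(check_tls(LDAP_HOST, LDAPS_PORT, CACERT))
    for finding in audit_ldap_conf(LDAP_CONF.read_text()):
        print("finding:", finding)
```

Run it on the HelpSpot server itself, since that is where the firewall path and the DNS name resolution matter. A "Hostname mismatch" result from check_tls means the trust anchor is fine but the name in HelpSpot's LDAP settings does not appear in the certificate; a "self-signed certificate" or "unable to get local issuer certificate" result means the wrong certificate was exported (for an internal CA, trust the CA certificate, not the server's).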