# unable to start TLS in ldap queries

When I try to use the ldap_search() function on an LDAP server I've
connected to, I get the following error message:

Warning: ldap_search(): Search: Confidentiality required in
C:\path\to\script.php on line xxx

So I try to use ldap_start_tls() and get this error:

Warning: ldap_start_tls(): Unable to start TLS: Connect error in
C:\path\to\script.php on line xxx

I try to set LDAP_OPT_PROTOCOL_VERSION to 3, with ldap_set_option,
before doing ldap_start_tls, and get the same error.

Anyway, I'm not really sure what the problem is.  Any ideas?

## Re: unable to start TLS in ldap queries

Hi,

You might want to make sure the hostname you're using in ldap_connect
matches the CN in the server's certificate exactly. You could try using
ldaps:// as the protocol. You might also need to set your certificate
dir or file in the client's ldap.conf file too.

For example, using the stock package from RHEL4:

/etc/openldap/ldap.conf:

TLS_CACERT /usr/share/ssl/certs/slapd.pem  # self-signed cert

Client script:

<?php

// Connect over ldaps:// (TLS from the first byte, no StartTLS needed).
// ldap_connect() only validates the URI; the TCP/TLS handshake happens
// on the first operation, so a bad certificate shows up on bind/search.
$ds = ldap_connect('ldaps://localhost.localdomain');
if ($ds === false) {
    trigger_error('ldap_connect', E_USER_ERROR);
}

?>

yawnmoth wrote:

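The advice above (hostname matching the certificate, a trusted CA file, LDAPv3 before StartTLS) fits together in one script. The following is an added example, not code from the thread: it does the StartTLS upgrade rather than ldaps://, pins the CA file from PHP instead of relying on ldap.conf, and prints the OpenLDAP diagnostic message that the bare "Connect error" warning hides. The hostname, CA path, bind DN and base DN are placeholders; the LDAP_OPT_X_TLS_* and LDAP_OPT_DIAGNOSTIC_MESSAGE constants require a PHP 7.1 or later build against OpenLDAP, so the script checks for them before use. "Confidentiality required" is LDAP result code 13 (confidentialityRequired): the server refuses cleartext operations, so the TLS step is mandatory, not optional.

```php
<?php
// Added example (not from the original thread). Assumed placeholders:
// $host, $caFile, the bind DN and the base DN. Requires PHP >= 7.1 with
// the ldap extension built against OpenLDAP for the TLS option constants.

// Return the libldap error string plus the server/TLS diagnostic text,
// which is where the real reason for "Connect error" usually lives
// (e.g. "certificate verify failed" or "hostname does not match").
function ldap_diag($ds): string
{
    $msg = '';
    if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $msg);
    }
    return ldap_error($ds) . ($msg ? " ($msg)" : '');
}

// The hostname must be the one on the server certificate (CN or SAN);
// an IP address or a short alias fails certificate verification.
$host   = 'ldap.example.com';               // assumed
$caFile = '/etc/openldap/certs/ca.pem';     // assumed; equivalent of TLS_CACERT

// TLS options are process-global in libldap and must be set (link = null)
// before the first connection attempt in this process.
if (defined('LDAP_OPT_X_TLS_CACERTFILE')) {
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
}
if (defined('LDAP_OPT_X_TLS_REQUIRE_CERT')) {
    // DEMAND: a certificate is required and must verify against the CA.
    // Dropping this to "never" makes the error disappear by disabling
    // server authentication, which defeats the point of TLS.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
}

$ds = ldap_connect("ldap://$host:389");
if ($ds === false) {
    fwrite(STDERR, "ldap_connect: malformed URI\n");
    exit(1);
}

// StartTLS is an LDAPv3 extended operation; PHP defaults to v2, which
// is why setting the protocol version has to come before ldap_start_tls().
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

if (!@ldap_start_tls($ds)) {
    fwrite(STDERR, 'ldap_start_tls failed: ' . ldap_diag($ds) . "\n");
    exit(1);
}

// Only now is the channel encrypted, so the bind password is not sent in
// the clear and the server's confidentiality requirement is satisfied.
$bindDn   = 'cn=reader,dc=example,dc=com';  // assumed
$password = getenv('LDAP_PASSWORD') ?: '';
if (!@ldap_bind($ds, $bindDn, $password)) {
    fwrite(STDERR, 'ldap_bind failed: ' . ldap_diag($ds) . "\n");
    exit(1);
}

$sr = @ldap_search($ds, 'dc=example,dc=com', '(uid=jdoe)', ['cn', 'mail']);
if ($sr === false) {
    fwrite(STDERR, 'ldap_search failed: ' . ldap_diag($ds) . "\n");
    exit(1);
}

foreach (ldap_get_entries($ds, $sr) as $k => $entry) {
    if ($k === 'count') {
        continue;
    }
    printf("%s: %s\n", $entry['dn'], $entry['mail'][0] ?? '(no mail)');
}

ldap_unbind($ds);
```

To separate a PHP problem from a libldap/certificate problem, run the OpenLDAP client against the same host with the same ldap.conf: `ldapsearch -H ldap://ldap.example.com -ZZ -x -b '' -s base -d 1` (`-ZZ` makes StartTLS mandatory and `-d 1` prints the TLS handshake trace). If that fails with a verification error, the fix is the CA file or the hostname, not the PHP code.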
## Re: unable to start TLS in ldap queries

petersprc wrote:

I'm using Windows - not Linux.  Assuming I should still be using
ldap.conf, any ideas as to where it should go?

The following suggests that the location of where the ldap.conf file
should be is hard-coded:

http://www.php.net/manual/en/ref.ldap.php#47427

I tried that, though, and it doesn't work.  Maybe my *.conf file is
wrong?:

TLS_CACERT cacert.pem

The cacert.pem file is in the same directory as the *.conf file.