LDAPS configuration
When using LDAPS, you need to specify the protocol "ldaps://" at the beginning of the hostname and port "636", for example: ldaps://passwork.local:636
For LDAPS to work, the Passwork server must trust the CA certificates that issued the LDAPS server certificate.
Installing certificates:
Certificates must have the extension .crt
Ubuntu/Debian
For Astra Linux, additionally install the package:
apt install libldap-common -y
Place the LDAPS server certificate in the directory:
cp ldap_certificate.crt /usr/local/share/ca-certificates/
Update the certificate store:
sudo update-ca-certificates
CentOS
Enable dynamic configuration of the certificate store:
update-ca-trust force-enable
Place the LDAPS server certificate in the directory /etc/pki/ca-trust/source/anchors/:
cp ldap_certificate.crt /etc/pki/ca-trust/source/anchors/
Update the certificate store:
sudo update-ca-trust extract
Docker
To add the LDAPS root certificate to trusted certificates, copy the .pem or .crt certificate to the ./conf/custom_ca directory and restart the PHP container:
docker restart passwork_php
Windows
See the section "Adding LDAPS certificate in Windows".
LDAPS debugging
To check for certificate issues when connecting, run the following command (it prints the certificate chain the server presents):
openssl s_client -connect dc1.local:636 -showcerts
To verify certificates, run the following command:
openssl verify -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem
With -CAfile, specify the CA certificate that issued the LDAPS server certificate (RootCert.pem in the example).
With -untrusted, specify the intermediate certificates in the chain, if any (Intermediate.pem in the example); the LDAPS server certificate being verified (UserCert.pem) is given as the final argument.
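The verification step above, as an added example that is not part of the Passwork documentation: the script below builds a throwaway root, intermediate and server certificate with openssl (all names, including the host ldaps.example.test, are constructed), then runs the page's openssl verify command in the situations an administrator meets in practice: the right CA installed, an unrelated CA installed (which is what a mis-copied .crt in the installation steps above produces), the intermediate missing, and a server certificate that does not name the host from the ldaps:// URL. It needs only an openssl binary (1.1.1 or newer) and writes nothing outside a temporary directory.

```shell
#!/bin/sh
# Added example (not part of the Passwork documentation). Builds a constructed
# root -> intermediate -> server chain and exercises the page's check:
#   openssl verify -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# new_key_csr NAME SUBJECT: fresh EC key and CSR (fast, no passphrase)
new_key_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

# make_chain: writes RootCert.pem, Intermediate.pem, UserCert.pem (the leaf for
# the constructed LDAPS host) and OtherCA.pem (a CA that issued nothing here).
make_chain() {
  # Self-signed root CA; extensions come from the extfile so they do not depend
  # on whatever openssl.cnf the machine happens to have
  new_key_csr root "/CN=Constructed Root CA"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$WORK/root.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/root.ext" -out "$WORK/RootCert.pem" 2>/dev/null

  # Intermediate CA, issued by the root
  new_key_csr int "/CN=Constructed Intermediate CA"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/RootCert.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/int.ext" -out "$WORK/Intermediate.pem" 2>/dev/null

  # Server (leaf) certificate for the LDAPS host, issued by the intermediate
  new_key_csr server "/CN=ldaps.example.test"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldaps.example.test\nextendedKeyUsage=serverAuth\n' \
    > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/Intermediate.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -extfile "$WORK/server.ext" -out "$WORK/UserCert.pem" 2>/dev/null

  # An unrelated CA: what the Passwork host trusts if the wrong .crt was installed
  new_key_csr other "/CN=Unrelated CA"
  openssl x509 -req -in "$WORK/other.csr" -signkey "$WORK/other.key" -days 30 \
    -extfile "$WORK/root.ext" -out "$WORK/OtherCA.pem" 2>/dev/null
}

# verify_chain CAFILE UNTRUSTED LEAF: the page's command; prints "ok" or "fail"
verify_chain() {
  if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# verify_chain_for_host CAFILE UNTRUSTED LEAF HOST: same check plus the hostname
# from the ldaps:// URL. A chain can verify cleanly and still be the wrong
# certificate for the host Passwork connects to.
verify_chain_for_host() {
  if openssl verify -verify_hostname "$4" -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_chain
ROOT="$WORK/RootCert.pem"; INT="$WORK/Intermediate.pem"; LEAF="$WORK/UserCert.pem"; OTHER="$WORK/OtherCA.pem"
echo "issuing CA trusted, intermediate supplied : $(verify_chain "$ROOT"  "$INT"   "$LEAF")"
echo "unrelated CA installed                    : $(verify_chain "$OTHER" "$INT"   "$LEAF")"
echo "intermediate missing from -untrusted      : $(verify_chain "$ROOT"  "$OTHER" "$LEAF")"
echo "hostname ldaps.example.test               : $(verify_chain_for_host "$ROOT" "$INT" "$LEAF" ldaps.example.test)"
echo "hostname dc1.local                        : $(verify_chain_for_host "$ROOT" "$INT" "$LEAF" dc1.local)"
```

The second and third cases are the two failures that the s_client command above usually surfaces as "unable to get local issuer certificate": either the CA placed in the trust store is not the one that issued the server certificate, or the server sends its certificate without the intermediate, so -untrusted (or the server's own configuration) has to supply it.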