|
|
@@ -308,15 +308,16 @@ Array
|
|
|
<entry><emphasis><property>useStartTls</property></emphasis></entry>
|
|
|
<entry>
|
|
|
Whether or not the <acronym>LDAP</acronym> client should use
|
|
|
- <acronym>TLS</acronym> (aka <acronym>SSL</acronym>v2) encrypted transport. A value of
|
|
|
- <constant>TRUE</constant> is strongly favored in production
|
|
|
- environments to prevent passwords from be transmitted in clear text.
|
|
|
- The default value is <constant>FALSE</constant>, as servers frequently
|
|
|
- require that a certificate be installed separately after installation.
|
|
|
- The <property>useSsl</property> and <property>useStartTls</property>
|
|
|
- options are mutually exclusive. The <property>useStartTls</property>
|
|
|
- option should be favored over <property>useSsl</property> but not all
|
|
|
- servers support this newer mechanism.
|
|
|
+ <acronym>TLS</acronym> (aka <acronym>SSL</acronym>v2) encrypted
|
|
|
+ transport. A value of <constant>TRUE</constant> is strongly favored in
|
|
|
+ production environments to prevent passwords from be transmitted in
|
|
|
+ clear text. The default value is <constant>FALSE</constant>, as servers
|
|
|
+ frequently require that a certificate be installed separately after
|
|
|
+ installation. The <property>useSsl</property> and
|
|
|
+ <property>useStartTls</property> options are mutually exclusive. The
|
|
|
+ <property>useStartTls</property> option should be favored over
|
|
|
+ <property>useSsl</property> but not all servers support this newer
|
|
|
+ mechanism.
|
|
|
</entry>
|
|
|
</row>
|
|
|
<row>
|
|
|
@@ -485,14 +486,14 @@ Array
|
|
|
<note>
|
|
|
<para>
|
|
|
If you enable <emphasis>useStartTls = <constant>TRUE</constant></emphasis> or
|
|
|
- <emphasis>useSsl = <constant>TRUE</constant></emphasis> you may find that the <acronym>LDAP</acronym>
|
|
|
- client generates an error claiming that it cannot validate the server's
|
|
|
- certificate. Assuming the <acronym>PHP</acronym> <acronym>LDAP</acronym> extension
|
|
|
- is ultimately linked to the OpenLDAP client libraries, to resolve this issue you
|
|
|
- can set "<command>TLS_REQCERT never</command>" in the OpenLDAP client
|
|
|
- <filename>ldap.conf</filename> (and restart the web server) to indicate to the
|
|
|
- OpenLDAP client library that you trust the server. Alternatively, if you are
|
|
|
- concerned that the server could be spoofed, you can export the
|
|
|
+ <emphasis>useSsl = <constant>TRUE</constant></emphasis> you may find that the
|
|
|
+ <acronym>LDAP</acronym> client generates an error claiming that it cannot validate
|
|
|
+ the server's certificate. Assuming the <acronym>PHP</acronym>
|
|
|
+ <acronym>LDAP</acronym> extension is ultimately linked to the OpenLDAP client
|
|
|
+ libraries, to resolve this issue you can set "<command>TLS_REQCERT never</command>"
|
|
|
+ in the OpenLDAP client <filename>ldap.conf</filename> (and restart the web server)
|
|
|
+ to indicate to the OpenLDAP client library that you trust the server. Alternatively,
|
|
|
+ if you are concerned that the server could be spoofed, you can export the
|
|
|
<acronym>LDAP</acronym> server's root certificate and put it on the web server so
|
|
|
that the OpenLDAP client can validate the server's identity.
|
|
|
</para>
|
thomas