Small utility to retrieve the different parts of a ldaps certificate and bundle them together, and get passbolt to work with ldaps.

On your passbolt server (or any other server with a ldaps certificate issue), get composer then install project dependencies:

./composer.phar install

Edit the php script configuration with your host name. Replace host.yourldapdomain.com in the line $ldapServerHost = 'host.yourldapdomain.com';

Then, we run the command.

php ./get_certificate.php

At this point, the command should display a bundle certificate.

Let's copy the certificate where we need it:

php ./get_certificate.php | sudo tee /etc/ssl/certs/ldaps_bundle.crt

Ensure the certificate has correct rights (any user should be able to read the certificate):

sudo chown root:root /etc/ssl/certs/ldaps_bundle.crt
sudo chmod 644 /etc/ssl/certs/ldaps_bundle.crt

Finally, we edit the ldap.conf config file

nano /etc/ldap/ldap.conf

(The ldap.conf file can also be found in /etc/openldap/ldap.conf)

And we edit the line starting with TLS_CACERT to point to our new certificate:

TLS_CACERT /etc/ssl/certs/ldaps_bundle.crt

That's it. The LDAPS connection should now work.

The ldapsearch command is here to help (from the ldap-utils package on debian)

As passbolt will connect to your LDAP server as the web user, it is important to execute the ldapsearch command as this user (www-data for Debian/Ubuntu, wwwrun for openSUSE, nginx for RHEL based Linux distributions) and not as root user

Example:

sudo su -s /bin/bash -c 'ldapsearch -x -D "username" -W -H ldaps://your_ldap_host -b "dc=domain,dc=ext" -d 9' www-data

This work is just a ready to use version of the very detailed documentation provided by ldaptools: https://github.com/ldaptools/ldaptools/blob/master/docs/en/cookbook/Getting-Your-LDAP-SSL-Certificate.md Kudos to them for their great work.