PHP – Binding to LDAP using SSL keeps failing – Windows Server 2008

active-directory, ldap, PHP

Our script continues to fail whenever attempting to bind to LDAP (Active Directory) using SSL; I am stumped. We can successfully connect using the unsecured method, but we are attempting to perform password changes, which require SSL. Our script snippets are as follows:

config.php

// SSL
$LDAPDOMAIN="dc=campus,dc=local";
$LDAPLOCALDOMAIN="campus.local";
$LDAPHOST='ldaps://localhost';
$LDAPPORT=636;
// With an OpenLDAP-based PHP build, ldap_connect() only parses the URI and
// returns a handle; no socket or SSL handshake happens until ldap_bind(),
// so this "or die" cannot detect an SSL problem.
$ldap = ldap_connect($LDAPHOST, $LDAPPORT) or die ('<p class="message">Error connecting</p>');

ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

reset.php (uses config.php)

if ($ldap) {

  // The @ suppresses the warning ldap_bind() raises on failure and nothing
  // reads ldap_error($ldap) afterwards, so the real reason (SSL handshake,
  // certificate, or credentials) is discarded.
  $bind = @ldap_bind($ldap, $username."@".$LDAPLOCALDOMAIN, $password);
  if (!($bind)) {
    @ldap_close($ldap);
    die ('<p class="message">Your password is incorrect, please try again
      <a href="javascript:history.back()">click here</a><br></p>');
  }
}

Whatever we do, the script "dies" in reset.php. When we were using regular LDAP, we at least could communicate. Our config.php code was as follows:

$ldap = ldap_connect($LDAPHOST) or die ('<p class="message">Error connecting to LDAP');

I appreciate any assistance and thank you ahead of time.

Update

I tried running the following simple program to test my LDAP. SSL still does not work; however, regular LDAP does. Is this a configuration issue? My certificates should be okay; I created a new one and enrolled my server. I've used an LDAP utility which binds and connects just fine. Just not PHP though.

<?php
$ldap = ldap_connect("ldaps://localhost/");
$username = "USER@campus.uhsa.local";
$password = "password";

if ($bind = ldap_bind($ldap, $username, $password)) {
    echo "logged in";
} else {
    echo "fail";
}
echo "<br/>done";
?>

My result is Fail.
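A diagnostic version of the test script above, added here as an example (it is not the asker's code): it binds the same credentials over ldap:// and over ldaps:// against the same host and, instead of suppressing errors with @, records ldap_errno(), ldap_error() and the server's extended diagnostic message, and can switch on libldap's own debug trace, which is where SSL handshake and certificate problems surface. It assumes PHP 7.1 or later built against OpenLDAP; the host, the user and the LDAP_TEST_PW environment variable are placeholders.

```php
<?php
// Added diagnostic example (not the asker's code). Binds over plain ldap://
// and over ldaps:// and reports WHY a bind fails instead of hiding it.
// Host, user and the password environment variable are placeholders.

// The constant exists since PHP 7.1; older builds need the raw OpenLDAP value.
if (!defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
    define('LDAP_OPT_DIAGNOSTIC_MESSAGE', 0x0032);
}

/**
 * Attempt a simple bind against $uri and return a structured result.
 * Nothing is suppressed: the caller gets errno, libldap's error text and,
 * when the server supplied one, the extended diagnostic message (Active
 * Directory places its "data 52e"-style reason codes there).
 */
function diagnose_bind(string $uri, string $user, string $password, int $debug = 0): array
{
    // With OpenLDAP, ldap_connect() only parses the URI; no socket is opened
    // here, so a "successful" connect says nothing about SSL.
    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        return ['uri' => $uri, 'ok' => false, 'errno' => -1,
                'error' => 'malformed LDAP URI', 'diagnostic' => ''];
    }

    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    if ($debug > 0) {
        // libldap trace on stderr: the TLS handshake and any certificate
        // verification failure are logged here before ldap_bind() returns.
        ldap_set_option($ldap, LDAP_OPT_DEBUG_LEVEL, $debug);
    }

    // Deliberately NOT @ldap_bind(): the socket and the SSL handshake happen
    // here, and the warning PHP emits on failure is the message you need.
    $ok = ldap_bind($ldap, $user, $password);

    $diag = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    $result = [
        'uri'        => $uri,
        'ok'         => $ok,
        'errno'      => ldap_errno($ldap),
        'error'      => ldap_error($ldap),
        'diagnostic' => (string) $diag,
    ];
    ldap_unbind($ldap);
    return $result;
}

// --- usage (placeholders; replace with real values) ----------------------
$user     = 'USER@campus.local';              // UPN form, as in the question
$password = getenv('LDAP_TEST_PW') ?: '';     // keep the password out of the file

foreach (['ldap://localhost', 'ldaps://localhost'] as $uri) {
    $r = diagnose_bind($uri, $user, $password, 1);
    printf("%-20s %s  errno=%d  error=%s  diag=%s\n",
        $r['uri'], $r['ok'] ? 'BIND OK' : 'BIND FAILED',
        $r['errno'], $r['error'], $r['diagnostic']);
}
```

Run it from the command line so the debug trace on stderr is visible. If the ldap:// line binds and the ldaps:// line fails with "Can't contact LDAP server" and a TLS error in the trace, the problem is the SSL layer (certificate trust or host name), not the credentials; a failure with a "data 52e"-style diagnostic on both lines is a credential problem.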

Best Answer

Can you try running ldapsearch and giving us the error output? It would look something like this:

ldapsearch -x -d 1 -LLL -H ldaps://localhost -b 'dc=campus,dc=local' -D 'username' -W '(sAMAccountName=username)'

where the parameters are:

  • -x: forces the connection to use simple authentication instead of SASL (emulating the PHP ldap_bind() function)
  • -d 1: show debugging output, increase the number for more verbosity
  • -LLL: changes the output format to remove some LDIF information you don't need for debugging
  • -H: the host URI specifier; you can change this to "ldap://" to test non-SSL binding
  • -b: the bind DN
  • -D: the bind credential username, CN, or other identifying string
  • -W: forces ldapsearch to ask for a password

If you were using SASL to connect to an Active Directory server over LDAPS, it'd be necessary to set the "maxssf" parameter to zero. I'm not exactly sure how PHP's LDAP functions work, so it might be worth trying to set that parameter if you can figure out how.
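Once ldapsearch's debug output points at the certificate rather than the credentials, the fix on the PHP side is to tell libldap which CA to trust and keep verification on, not to turn it off. The following is an added example, not code from the question or the answer. It assumes PHP 7.1 or later (where the LDAP_OPT_X_TLS_* constants exist and ldap_set_option() accepts null for process-wide options) built against OpenLDAP; the host name, CA file path and LDAP_TEST_PW variable are placeholders. Two caveats it encodes: with verification on, the name in the URI must match the domain controller's certificate, so "localhost" will not verify against a certificate issued to the DC's FQDN; and on builds without these constants the same two settings belong in the OpenLDAP client's ldap.conf as TLS_CACERT and TLS_REQCERT demand.

```php
<?php
// Added example (not from the question or the answer): bind over LDAPS with
// certificate verification ON and pointed at the CA that issued the domain
// controller's certificate. Paths, host and credentials are placeholders.

/**
 * Configure libldap to trust exactly $caFile and to DEMAND a valid chain.
 * Returns false when this PHP build predates the LDAP_OPT_X_TLS_* constants
 * (PHP 7.1); in that case the same settings go into the OpenLDAP client's
 * ldap.conf as "TLS_CACERT <path>" and "TLS_REQCERT demand".
 */
function configure_ldaps_trust(string $caFile): bool
{
    if (!defined('LDAP_OPT_X_TLS_CACERTFILE')) {
        return false;
    }
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA certificate not readable: $caFile");
    }
    // null = process-wide libldap options (the same scope ldap.conf acts on).
    // Set them before the first ldap_connect() so the TLS context is built
    // from them. LDAP_OPT_X_TLS_NEVER would "fix" the symptom by disabling
    // verification, which would let anyone on the path read the new password.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    return true;
}

/**
 * Simple bind over LDAPS; returns the outcome with the server-side reason.
 */
function verified_bind(string $uri, string $user, string $password): array
{
    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        throw new RuntimeException("malformed URI: $uri");
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    $ok   = ldap_bind($ldap, $user, $password);
    $diag = '';
    if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
        ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    }
    $out = ['ok' => $ok, 'error' => ldap_error($ldap), 'diagnostic' => (string) $diag];
    ldap_unbind($ldap);
    return $out;
}

// --- usage (placeholders) -------------------------------------------------
if (!configure_ldaps_trust('/etc/ssl/certs/campus-root-ca.pem')) {
    fwrite(STDERR, "PHP build lacks LDAP_OPT_X_TLS_*; relying on ldap.conf\n");
}
$r = verified_bind(
    'ldaps://dc01.campus.local',      // the DC's real FQDN: the certificate
                                      // is issued for that name, not "localhost"
    'USER@campus.local',
    getenv('LDAP_TEST_PW') ?: ''
);
var_dump($r);
```

With TLS_REQCERT demand (or LDAP_OPT_X_TLS_DEMAND) in force, a bind that now fails with a certificate error in the debug trace is telling you the CA file or the host name is wrong; fix those rather than lowering the setting, because the password-change traffic this connection carries is exactly what the verification protects.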