Our script continues to fail whenever attempting to bind to LDAP (Active Directory) using SSL, I am stumped. We can successfully connect using the unsecured method, but we are attempting to perform password changes, which requires SSL. Our script snippets are as follows:
config.php
// SSL
$LDAPDOMAIN="dc=campus,dc=local";
$LDAPLOCALDOMAIN="campus.local";
$LDAPHOST='ldaps://localhost';
$LDAPPORT=636;
// When a URI is passed, the port argument is ignored (the 636 in the URI scheme
// default applies). ldap_connect() only parses the URI and does not open a
// socket, so "or die" here never catches an SSL failure; that surfaces at ldap_bind().
$ldap = ldap_connect($LDAPHOST, $LDAPPORT) or die ('<p class="message">Error connecting');
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
reset.php (uses config.php)
if ($ldap) {
    // The "@" hides the libldap error; ldap_errno($ldap)/ldap_error($ldap)
    // after a failed bind show whether it was a TLS failure or bad credentials.
    $bind = @ldap_bind($ldap, $username."@".$LDAPLOCALDOMAIN, $password);
    if (!($bind)) {
        @ldap_close($ldap);
        die ('<p class="message">Your password is incorrect, please try again
        <a href="javascript:history.back()">click here</a><br>');
    }
}
Whatever we do, the script "dies" in reset.php. When we were using regular LDAP, we at least could communicate. Our config.php code was as follows:
$ldap = ldap_connect($LDAPHOST) or die ('<p class="message">Error connecting to LDAP');
I appreciate any assistance and thank you ahead of time.
Update:
I tried running the following simple program to test my LDAP. SSL still does not work, however regular LDAP does. Is this a configuration issue? My certificates should be okay, I created a new one and enrolled my server. I've used an LDAP utility which binds and connects just fine. Just not PHP though.
<?php
$ldap = ldap_connect("ldaps://localhost/");
$username="USER@campus.uhsa.local";
$password="password";
if($bind = ldap_bind($ldap, $username,$password ))
echo "logged in";
else
echo "fail";
echo "<br/>done";
?>
My result is Fail.
Best Answer
Can you try running ldapsearch and giving us the error output? It would look something like this:
where the parameters are:
ldapsearch
to ask for a password
If you were using SASL to connect to an Active Directory server over LDAPS, it'd be necessary to set the "maxssf" parameter to zero. I'm not exactly sure how PHP's LDAP functions work, so it might be worth trying to set that parameter if you can figure out how.
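The bind in the question is silenced with "@", so the only symptom is "fail". The script below is an added diagnostic example (not the asker's code or the answerer's) that binds over LDAPS and prints the libldap error and Active Directory's diagnostic message instead, which tells the TLS failure apart from a wrong password. It assumes PHP 7.1 or later with ext/ldap built on OpenLDAP; the host, CA file path and account are placeholders. Note that libldap checks the server certificate against the host in the URI, so with ldaps://localhost the name compared is "localhost", which a certificate issued to the DC's FQDN will not match.

```php
<?php
// Added diagnostic example, not the asker's code: bind over LDAPS and surface the
// real libldap error instead of hiding it with "@". Assumes PHP >= 7.1 with
// ext/ldap built on OpenLDAP; host, CA path and account below are placeholders.

$uri      = 'ldaps://dc01.campus.example';       // placeholder; must match the server cert's CN/SAN
$cacert   = '/etc/ssl/certs/campus-root-ca.pem'; // placeholder; PEM of the CA that issued the DC cert
$userUpn  = 'user@campus.example';               // placeholder UPN
$password = getenv('LDAP_TEST_PASSWORD') ?: '';  // never hard-code the password

// TLS settings are global in libldap, so they are set on a null handle before
// ldap_connect(). Trust the issuing CA explicitly rather than lowering
// LDAP_OPT_X_TLS_REQUIRE_CERT to "never", which would send the password to
// whichever host answers on port 636.
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $cacert);
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

// ldap_connect() only parses the URI; no socket is opened and no TLS handshake
// happens here, so "or die" on it never reports a certificate problem.
$ldap = ldap_connect($uri);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

function bindWithDiagnostics($ldap, string $dn, string $password): array
{
    $ok   = @ldap_bind($ldap, $dn, $password);
    $diag = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    return [
        'ok'    => $ok,
        'errno' => ldap_errno($ldap),
        'error' => ldap_error($ldap),
        'diag'  => $diag,   // AD's detailed AcceptSecurityContext text lands here
    ];
}

$r = bindWithDiagnostics($ldap, $userUpn, $password);
if ($r['ok']) {
    echo "bind ok\n";
} else {
    // errno -1 "Can't contact LDAP server" means the TLS handshake failed
    // (untrusted CA, or hostname not matching the cert); errno 49 "Invalid
    // credentials" means TLS worked and the account or password is wrong.
    printf("bind failed: [%d] %s %s\n", $r['errno'], $r['error'], $r['diag']);
}
ldap_unbind($ldap);
```

Run it from the command line with LDAP_TEST_PASSWORD set; if it reports errno -1, compare the CA file and the URI hostname with what the working LDAP utility uses.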