Php – can not bind to the LDAP directory with secure connection with php

active-directorycaldapPHPssl

Installation Information:
I have two Windows servers. One (Windows Server 2008 R2) is a domain controller (DC) with Active Directory (AD).Its name is s1.xyz.com. The second (Windows Server 2003 R2) server is running IIS, PHP.SSL certificate is installed on second server.

I have installed Active Directory Certificate Services on DC server to act as a Certificate Authority (CA) and also enable LDAP over SSL(LDAPS) using below link:
http://www.christowles.com/2010/11/enable-ldap-over-ssl-ldaps-on-windows.html

What is the problem:
Actually, I want to set password for AD users so my requirement is secure connection(LDAPS) to do so.
I can successfully connect to the DC on unsecured port (389) and access AD data but
I can not bind user on secure connection (on port 636) using PHP ldap_bind() function.
When i run the script it gives "ldap_bind() [function.ldap-bind]: Unable to bind to server: Can't contact LDAP server" error.

Code:

$ip="xxx.xxx.xxx.xx";

$ldaps_url="ldaps://s1.xyz.com:636/";

$ldap_url="s1.xyz.com";

$ldapUsername ="Administrator@xyz.com";

$ldapPassword="x1y1z1";

$ds=ldap_connect($ldaps_url);

//$ds=ldap_connect($ip,636);

ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION,3);

ldap_set_option($ds, LDAP_OPT_REFERRALS,0);

$bth=ldap_bind($ds, $ldapUsername, $ldapPassword);

ldap_unbind($ds);

$ds="";

Best Answer

If you're using SSL (e.g. ldaps) and ldap_bind is throwing 'Unable to bind to server:' errors, check that the hostname used in the ldap_connect matches the 'CN' in the SSL certificate on the LDAP server. For example:

<?
    ldap_connect('ldaps://ldap01');
   // 'ldap01' should match the CN in your LDAP server's SSL cert, otherwise the subsequent ldap_bind() will throw a bind error

?>

You can have a look to your certificate using Microsoft MMC.

Related Solutions

What are the differences between LDAP and Active Directory

Active Directory is a database based system that provides authentication, directory, policy, and other services in a Windows environment

LDAP (Lightweight Directory Access Protocol) is an application protocol for querying and modifying items in directory service providers like Active Directory, which supports a form of LDAP.

Short answer: AD is a directory services database, and LDAP is one of the protocols you can use to talk to it.

Php – LDAP and PHP connection failure

The problem is not related to the actual binding process (invalid credentials) as the warning would be a different one if the LDAP server could not authenticate your credentials. But as Paul Dixon noted the use of ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3) should be required - even though I don't think that this is the cause of your problems.

Which LDAP server type are you connecting to? OpenLDAP, Active Directory or something else?
What's the operating system of the computer running your PHP program?
Are you using a self-signed SSL certificate on the LDAP server and is the certificate authority for the given certificate trusted by the machine running your PHP program?
Which port does the LDAP server run on? 636 would be the "official" port for LDAPS. Perhaps you can add the port explicitly to the server address: ldaps://<<server>>:636.

ext/ldap has some issues with SSL/TLS secured connections. You can try to add

TLS_REQCERT never

to the ldap.conf (/etc/ldap.conf or /etc/ldap/ldap.conf on *nix-based systems) or for Windows machines create a ldap.conf with the above content in C:\OpenLDAP\sysconf\ldap.conf (the path must be an exact match as it's hard-coded into the extension).

Related Topic