PHP + LDAP + SSL (LDAPS) authentication in Windows running Apache
Mon, 2012.04.02 - 13:18 — müzso
I tried to set up LDAPS (LDAP + SSL) based authentication in a Drupal site, but it didn't want to work. Here's how I managed to solve the issue.
First of all, I suggest you to create a simple PHP script to test with. The point is to make things as simple as possible before trying Drupal.
I assume you've already set up everything you think is necessary. We'll see.
Of course the openssl and ldap extensions must be enabled in
Now create the test script (eg.
):
The output of this script should help you further. It's quite likely that you try to connect to an LDAP server that has a self-signed SSL certificate or the certificate was signed by a local CA server. In either case, you'll have to tell PHP (more precisely OpenSSL) where to find the certificate of the CA. To do this, you've to create a config file in a fixed location:
Put this into the file:
and put the CA's certificate into the path/file above (
Test again from the commandline. Now it should work. If the
First of all, I suggest you to create a simple PHP script to test with. The point is to make things as simple as possible before trying Drupal.
I assume you've already set up everything you think is necessary. We'll see.
Of course the openssl and ldap extensions must be enabled in
php.ini to start with. Next put your PHP installation directory (eg. C:\Program Files\PHP) in your system path (see: Start Menu / Control Panel / System / Advanced / Environment variables ... but the exact method will depend on your Windows version).Now create the test script (eg.
ldap_test.php and place it in your web server's documentroot:<?php
ini_set('display_errors', 1);
error_reporting(E_ALL);
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
$conn = ldap_connect('ldaps://ldapserver.example.com/') or die("Failed to connect to ldap server.");
ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_bind($conn) or die("Failed to bind to ldap server: " + ldap_error($conn));
print("Successful LDAP bind.");
?>
I've found this comment quite useful, it shows how to enable the most detailed debug output of the ldap extension which is curcial in tracking down the SSL connection problems.
Now execute the script from the commandline ([code]cmd.exe"C:\Program Files\PHP\php.exe" "C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\ldap_test.php"The output of this script should help you further. It's quite likely that you try to connect to an LDAP server that has a self-signed SSL certificate or the certificate was signed by a local CA server. In either case, you'll have to tell PHP (more precisely OpenSSL) where to find the certificate of the CA. To do this, you've to create a config file in a fixed location:
C:\openldap\sysconf\ldap.confPut this into the file:
TLS_CACERT C:\openldap\sysconf\cacert.pemand put the CA's certificate into the path/file above (
cacert.pem).Test again from the commandline. Now it should work. If the
ldap_bind call is still unsuccessful, chanes are that your LDAP server does not allow anonymous binds. But from here on you should be able to solve further issues.
All of my own contents here (if not noted otherwise) are licensed under the
Creative Commons Attribution-NonCommercial-ShareAlike 4.0 License. My posts reflect my personal opinion and shall not be associated with any of my employers.
Creative Commons Attribution-NonCommercial-ShareAlike 4.0 License. My posts reflect my personal opinion and shall not be associated with any of my employers.
Recent comments
1 year 46 weeks ago
3 years 15 weeks ago
3 years 15 weeks ago
3 years 17 weeks ago
3 years 18 weeks ago
3 years 25 weeks ago
3 years 25 weeks ago
3 years 25 weeks ago
3 years 25 weeks ago
3 years 25 weeks ago