PHP + LDAP + SSL (LDAPS) authentication in Windows running Apache

I tried to set up LDAPS (LDAP + SSL) based authentication in a Drupal site, but it didn't want to work. Here's how I managed to solve the issue.

First of all, I suggest creating a simple PHP script to test with. The point is to make things as simple as possible before trying Drupal.
I assume you've already set up everything you think is necessary. We'll see.
Of course the openssl and ldap extensions must be enabled in php.ini to start with. Next, put your PHP installation directory (e.g. C:\Program Files\PHP) in your system path (see: Start Menu / Control Panel / System / Advanced / Environment variables, but the exact method depends on your Windows version).

Now create the test script (e.g. ldap_test.php) and place it in your web server's document root:
<?php
// Show every error on screen while testing.
ini_set('display_errors', 1);
error_reporting(E_ALL);
// Global option: most verbose debug output of the ldap extension (set before connecting).
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
$conn = ldap_connect('ldaps://ldapserver.example.com/') or die("Failed to connect to ldap server.");
// Use LDAPv3 on this connection; v2 is refused by most modern servers.
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
// Anonymous bind; the TLS handshake happens here, as part of the first operation.
ldap_bind($conn) or die("Failed to bind to ldap server: " . ldap_error($conn));
print("Successful LDAP bind.");
?>


I've found this comment quite useful: it shows how to enable the most detailed debug output of the ldap extension, which is crucial in tracking down SSL connection problems.

Now execute the script from the command line (cmd.exe):
"C:\Program Files\PHP\php.exe" "C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\ldap_test.php"

The output of this script should help you further. It's quite likely that you are trying to connect to an LDAP server that has a self-signed SSL certificate, or whose certificate was signed by a local CA. In either case, you'll have to tell PHP (more precisely OpenSSL, through the OpenLDAP client library) where to find the CA's certificate. To do this, you have to create a config file in a fixed location: C:\openldap\sysconf\ldap.conf
Put this into the file:
TLS_CACERT C:\openldap\sysconf\cacert.pem

and put the CA's certificate into the path/file above (cacert.pem).

Test again from the command line. Now it should work. If the ldap_bind call is still unsuccessful, chances are that your LDAP server does not allow anonymous binds. But from here on you should be able to solve further issues.
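To tie the two remaining points together (pointing the client at the CA certificate, and binding with real credentials instead of anonymously), here is an added example script that is not part of the original post. It sets the CA file and strict certificate checking from PHP itself rather than from ldap.conf, which needs PHP 7.1 or newer for the LDAP_OPT_X_TLS_* constants; on older PHP builds the ldap.conf approach above is the one that works. The server name is the one used in the post; the bind DN, the cacert.pem path (copied from the post) and the LDAP_BIND_PASSWORD environment variable are placeholders to replace for your environment.

```php
<?php
// Added example (not from the original post): LDAPS test script that validates
// the server certificate against a CA bundle and performs an authenticated bind.
ini_set('display_errors', 1);
error_reporting(E_ALL);

// Global options must be set before ldap_connect().
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
// Same CA file the post's ldap.conf points at (path is a placeholder).
ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, 'C:\openldap\sysconf\cacert.pem');
// DEMAND: abort the handshake if the server certificate does not validate
// (including the host name check). LDAP_OPT_X_TLS_NEVER would accept any
// certificate and silently defeat the point of using LDAPS.
ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

/**
 * Try an authenticated simple bind over LDAPS.
 * Returns [bool $ok, string $detail].
 */
function ldaps_authenticate(string $uri, string $bindDn, string $password): array
{
    // Refuse empty passwords up front: many directories treat a bind with a
    // DN and an empty password as an anonymous bind, which "succeeds" for any
    // user and is a classic authentication bypass in login forms.
    if ($password === '') {
        return [false, 'empty password would become an anonymous bind'];
    }

    $conn = ldap_connect($uri);
    if ($conn === false) {
        return [false, 'invalid LDAP URI'];
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // The TLS handshake is performed here, inside the first operation.
    $ok = @ldap_bind($conn, $bindDn, $password);
    if (!$ok) {
        $err = ldap_error($conn);
        // Server-supplied detail (e.g. Active Directory's "data 52e" codes), if any.
        $diag = '';
        ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        ldap_unbind($conn);
        return [false, $err . ($diag !== '' ? " ($diag)" : '')];
    }
    ldap_unbind($conn);
    return [true, 'bind ok'];
}

// Placeholder values: replace the DN with your service account and supply the
// password through the environment rather than hard-coding it in the script.
[$ok, $detail] = ldaps_authenticate(
    'ldaps://ldapserver.example.com/',
    'cn=drupal-bind,ou=service-accounts,dc=example,dc=com',
    getenv('LDAP_BIND_PASSWORD') ?: ''
);
echo ($ok ? 'Successful LDAP bind.' : 'Bind failed: ' . $detail), PHP_EOL;
exit($ok ? 0 : 1);
?>
```

Run it from cmd.exe the same way as the first script, after setting LDAP_BIND_PASSWORD in that shell. A TLS failure shows up in the debug output before the bind result; a bind failure with a validated certificate shows up as the ldap_error text, which tells you whether you are now dealing with credentials or directory permissions rather than with SSL.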