Topic: Apache on Windows 7 - Windows LDAP and SSL

[MikeM-2468]

I have Apache 2.2.17 running on Windows 7. I'm using PHP to query a Windows 2008 LDAP server. Everything works ok until I try to use LDAPS. Many of the resources I can find refer to a ldap.conf file and the certificates being the main problem. I don't have an ldap.conf file anywhere, so I put all of the relevant lines in the httpd.conf.

One of the things I'm not sure on is the certificate I'm getting from the 2008 AD server. I haven't found any tutorial that covers it with an implementation in Apache on Windows. Many tutorials cover using LDAP to authenticate to the site, but I need to use it for queries. I used the procedure at http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx#CustomServerAuthCert to get the certificate installed and exported. But I don't know a way to confirm that it's using the cert I think it is for LDAPS. All LDAPS tests work (LDP.EXE from Windows).

Here is my test script:

[James Blond]

We have there some topic about PHP and ldaps.

if you still have a question please ask again!

http://www.apachelounge.com/viewtopic.php?t=3547
http://www.apachelounge.com/viewtopic.php?p=7884
http://www.apachelounge.com/viewtopic.php?p=19858

[MikeM-2468]

I had already reviewed those and they don't address my specific question.

[James Blond]

[MikeM-2468]

I'm searching for the example.

I had tried specifying the port previously but that didn't change anything.

[MikeM-2468]

No luck finding the example. I guess we should forget I mentioned it. Sounds like it wasn't standard procedure anyway.

[MikeM-2468]

If LDAPVerifyServerCert Off is set, shouldn't it just work whether the certificate is setup correctly or not?

I have this set in httpd.conf. Is that the correct place?

[James Blond]

Ya, paste it into the httpd.conf very end

[MikeM-2468]

OK, so that's not the problem. Why else would it fail if LDAPVerifyServerCert Off is set?

[James Blond]

This is what I would do. Set the error_reporting in PHP to max. Run the relevant script part on the command line to see if apache if the issue or my code itself. Plus a heavy use of print_r() to see what is going on.

[MikeM-2468]

The only error in the log is "PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server"

The output from the bind command is "Can't contact LDAP server (-1)"

The ldap_connect command runs without error.

[James Blond]

On the manual I found that it is a security feature from PHP... http://de3.php.net/ldap_bind search for SSL in the user comments.

[MikeM-2468]

That goes back to my original question about ldap.conf. I don't have one of those or know where to put it.

[James Blond]

You have that file if you use OpenLDAP instead of M$ AD. I haven't figured out why what fails with PHP. But I think it is about the certificate.

[MikeM-2468]

Looks like I got this working. Your last link helped me find other resources.

I created a ldap.conf in C:\openldap\sysconf containing the following:

[James Blond]

[MikeM-2468]

It must be the client compiled into PHP. There is no other client.

Yes, I just created the folder and file.

[MikeM-2468]

But....

Using "TLS_REQCERT never" allows it to work, but it won't work for modify commands. Looks like I still have a certificate issue because I think the client needs to accept the cert, not ignore it for the modify commands to work.

[MikeM-2468]

I fixed the certificate issue, but still can't use the modify commands. I get "Server is unwilling to perform". I get similar error when using ldp.exe to run the same request. Maybe I have a syntax/formatting issue. I think Apache is ok.

[James Blond]

There can be a lot of reasons for that issue.
php ldap Server is unwilling to perform