Binding to LDAP using SSL keeps failing - Windows Server 2008


Can you try running ldapsearch and giving us the error output? It would look something like this:

ldapsearch -x -d 1 -LLL -H ldaps://localhost -b 'dc=campus,dc=local' -D 'username' -W '(sAMAccountName=username)'

where the parameters are:

  • -x: forces the connection to use simple authentication instead of SASL (emulating the PHP ldap_bind() function)
  • -d 1: show debugging output, increase the number for more verbosity
  • -LLL: changes the output format to remove some LDIF information you don't need for debugging
  • -H: the host URI specifier; you can change this to "ldap://" to test non-SSL binding
  • -b: the bind DN
  • -D: the bind credential username, CN, or other identifying string
  • -W: forces ldapsearch to ask for a password

If you were using SASL to connect to an Active Directory server over LDAPS, it'd be necessary to set the "maxssf" parameter to zero. I'm not exactly sure how PHP's LDAP functions work, so it might be worth trying to set that parameter if you can figure out how.
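A diagnostic bind script in the same PHP LDAP API the question uses, added here as an example and not taken from the question or the answer above. It reads the server's error text before the handle is closed (calling ldap_error() after ldap_close() is what produces the "not a valid ldap link resource" warning mentioned in the comments) and assumes a PHP build with LDAP_OPT_DIAGNOSTIC_MESSAGE; the host name and credentials are placeholders, and the host name must match the subject or SAN of the certificate the domain controller presents, which "localhost" normally does not.

```php
<?php
// Added diagnostic script (not from the original question). Placeholder values:
$host = 'ldaps://dc1.campus.local';   // must match the server certificate's subject/SAN
$port = 636;
$user = 'username@campus.local';      // placeholder UPN used for a simple bind
$pass = 'password';                   // placeholder

// ldap_connect() only validates the URI and creates the handle; no network I/O yet.
$ldap = ldap_connect($host, $port);
if ($ldap === false) {
    fwrite(STDERR, "ldap_connect() rejected the URI syntax\n");
    exit(1);
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

// The TLS handshake happens on the first operation, i.e. here, so certificate
// and host-name mismatches surface as a failed bind. No '@' so PHP's own
// warning is visible as well.
$bound = ldap_bind($ldap, $user, $pass);

if (!$bound) {
    // Collect diagnostics BEFORE ldap_close(): afterwards the handle is invalid
    // and ldap_error() itself fails instead of reporting the bind error.
    $errno = ldap_errno($ldap);
    $error = ldap_error($ldap);
    $diag  = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    ldap_close($ldap);
    printf("bind failed: [%d] %s\nserver diagnostic: %s\n", $errno, $error, $diag);
    exit(1);
}

echo "bind succeeded\n";
ldap_unbind($ldap);
```

Running the same script with an ldap:// URI (as the answer suggests for ldapsearch) separates certificate problems from credential problems: if the plain bind succeeds and the LDAPS bind reports a TLS error, the certificate chain or host name is the issue rather than the account.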

Author: Sean

Updated on September 18, 2022

Comments

  • Sean
    Sean almost 2 years

    Our script continues to fail whenever attempting to bind to LDAP (Active Directory) using SSL; I am stumped. We can successfully connect using the unsecured method, but we are attempting to perform password changes, which requires SSL. Our script snippets are as follows:

    config.php

    <?php
    // SSL connection settings for Active Directory over LDAPS
    $LDAPDOMAIN = "dc=campus,dc=local";
    $LDAPLOCALDOMAIN = "campus.local";
    $LDAPHOST = 'ldaps://localhost';
    $LDAPPORT = 636;
    // ldap_connect() only validates the URI and creates the handle; the TLS
    // handshake does not happen until the first operation (the bind)
    $ldap = ldap_connect($LDAPHOST, $LDAPPORT) or die('<p class="message">Error connecting');

    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);


    reset.php (uses config.php)

    if ($ldap) {

      // The '@' suppresses PHP's warning from ldap_bind(), so the real cause is hidden
      $bind = @ldap_bind($ldap, $username . "@" . $LDAPLOCALDOMAIN, $password);
      if (!($bind)) {
        // ldap_close() invalidates the handle; any ldap_error($ldap) call must come before it
        @ldap_close($ldap);
        die('<p class="message">Your password is incorrect, please try again
          <a href=javascript:history.back()>click here</a><br>');
      }
    }


    Whatever we do, the script "dies" in reset.php. When we were using regular LDAP, we at least could communicate. Our config.php code was as follows:

    $ldap = ldap_connect($LDAPHOST) or die ('<p class="message">Error connecting to LDAP');
    

    I appreciate any assistance and thank you ahead of time.

    Update:

    I tried running the following simple program to test my LDAP. SSL still does not work, however regular LDAP does. Is this a configuration issue? My certificates should be okay, I created a new one and enrolled my server. I've used an LDAP utility which binds and connects just fine. Just not PHP though.

    <?php
    $ldap = ldap_connect("ldaps://localhost/");
    $username = "[email protected]";
    $password = "password";

    if ($bind = ldap_bind($ldap, $username, $password)) {
        echo "logged in";
    } else {
        echo "fail";
    }
    // printed regardless of the bind result (the original else covered only one statement)
    echo "<br/>done";
    ?>


    My result is Fail.

    • jscott
      jscott almost 13 years
      What error code are you receiving? Are you using an SSL cert you created?
    • Sean
      Sean almost 13 years
      Yes we just created/enrolled a new certificate. For some reason when attempting to output the php error with "die (ldap_error($ldap));" instead of what I have above ("password is incorrect"), I receive: Warning: ldap_error(): 2 is not a valid ldap link resource in C:\inetpub\hosts\ADPasswordReset\passreset.php on line 50.
    • h0tw1r3
      h0tw1r3 almost 13 years
      Have you tried to connect (ldapsearch or whatever) from the command line to determine if PHP is really the base problem?
    • Sean
      Sean almost 13 years
      I've used an ldap utility to test binding and connection to SSL. I decided to try and simply connect using a small program. Again regular LDAP worked but SSL does not. My certificates should be okay. I updated my initial question with the code I just tried running.
    • n8whnp
      n8whnp almost 13 years
      Are you running the LDAP server locally? If so, turn up debugging on the LDAP server and check for errors. This sounds like an LDAP server configuration problem.