Accessing an LDAP Server over SSL in Windows

(NOTE:  This information is at least several years old and may not be correct or useful. - GC - Oct 7, 2011)

I recently had to access an Active Directory (AD) server to authenticate users for my PHP application. I am running PHP under Apache on Windows. While I was able to write the code to access the AD/LDAP server from examples in the PHP online manual and elsewhere, I struggled mightily to get it to work using Secure Sockets Layer (SSL).

I finally got it to work and I'm hoping that sharing my experience will help someone else solve the problem with much less thrashing.

I assume the following:

  1. You have Active Directory working - I'm not an AD guy and I can't tell you how to set it up or configure it
  2. You have a working web server with PHP properly installed and configured
  3. You have already written PHP code that connects to the LDAP server without SSL - There are plenty of other good references in the PHP online manual and elsewhere that tell you how to do this. The code changes to move to SSL are very minimal.

Here are the steps you will need to take with details following:

  1. Configure PHP to load the LDAP and SSL modules (may require recompilation on UNIX/LINUX)
  2. Copy DLL files to Windows system32 directory
  3. Place ldap.conf file in C:\openldap\sysconf
  4. Enable SSL over LDAP on Windows Domain Controller
  5. Obtain certificate for AD server (.cer file)
  6. Convert cert from .cer to .pem format
  7. Install the certificate by referencing it in the ldap.conf file

1. Configure PHP

In the php.ini file you need to have the LDAP and SSL modules loaded. Find the Windows Extensions section of the file and make sure you uncomment the following lines:
extension=php_ldap.dll
extension=php_openssl.dll

2. Copy DLLs to System

Several DLL files need to be copied from the PHP installation to the Windows SYSTEM directory (C:\WINDOWS\SYSTEM32).
For PHP <= 4.2.0: Copy libsasl.dll to your SYSTEM directory
For PHP >= 4.3.0: Copy libeay32.dll and ssleay32.dll to your SYSTEM directory

3. LDAP Config File

If it does not already exist, you will need to create an LDAP configuration file where PHP will look for it. The file needs to reside at C:\openldap\sysconf\ldap.conf. As far as I know this is a hard-coded location and is not changeable. Make sure the following directive line is in this file:
TLS_REQCERT never
I won't get into the specifics about what this does. Be aware, though, that "never" tells the OpenLDAP client to request the server certificate but not to verify it, so any certificate is accepted; once the CA certificate is in place (step 7) you can change this to "demand" (the OpenLDAP default) so that the server certificate is actually checked. You can find a reference on the directives of the ldap.conf file at: http://manpages.debian.net/cgi-bin/display_man.cgi?id=1764c345c61a6f62aac16e27fa3769f0&format=html

4. Enable SSL Over LDAP

Install an Enterprise Certificate Authority on the Windows server that has Active Directory enabled.

Choose Start->Settings->Add/Remove Software
Select the Add or Remove Windows Components icon
Check the box marked "Windows Certification Authority"
Click "OK"
Follow instructions and answer the questions to complete the setup

Once this is complete, Active Directory begins to listen for LDAP connections over SSL on port 636.

5. Obtain AD Certificate

Open the CA application (an MMC snap-in: Programs->Administrative Tools->Certification Authority)
Right-click on the CA and choose "Properties" from the context menu.
Click "View Certificate" to bring up the Certificate page.
Click on the "Details" tab and then the "Copy to File..." button.
Click "Next".
Select the "Base-64 Encoded X.509(.cer) format" and click "Next".
Select a name for the certificate (the name of the server with the ".cer" extension is a good choice)
Click the "Browse" button to save the certificate to a location of your choosing.
Click "Next" and then "Finish" to complete the export process.

6. Convert Certificate Format

To convert the certificate from .cer to .pem format I used OpenSSL. (You can obtain this software from here: http://gnuwin32.sourceforge.net/packages/openssl.htm if you don't already have it.)

Copy the certificate file you generated in the previous step to the machine on which PHP is running. Run the following command:
<path to OpenSSL>\openssl x509 -in <certificate.cer> -out <certificate.pem>

For example:
C:\openssl\openssl x509 -in myserver.cer -out myserver.pem

This creates the certificate file in a form that OpenLDAP can use.

7. Install the Certificate

Place the .pem file generated in the previous step in a directory of your choosing (C:\openldap\sysconf may be a good choice since that directory already exists.)

Add the following line to your ldap.conf file:
TLS_CACERT <path to .pem file>

For example:
TLS_CACERT C:\openldap\sysconf\myserver.pem

This directive tells OpenLDAP where the certificate is so it can access it when needed.

That is pretty much it. At this point you should be able to change your code to access your LDAP server over SSL.

If you were doing something like this before:
<?php $conn = ldap_connect('myserver.mydomain.com'); ?>

then all you have to do now is use:
<?php $conn = ldap_connect('ldaps://myserver.mydomain.com/'); ?>

to connect securely over SSL.
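As an added example (not the author's code), here is how the ldaps:// connection above fits into the user authentication the note set out to do: bind with a service account, look up the user's DN, then bind as the user to check the password. The host, base DN and service account are placeholders, the CA certificate is taken from ldap.conf as described in step 7, and PHP 5.6 or later is assumed for ldap_escape().

```php
<?php
// Added example, not from the original note. Host, base DN and service account are placeholders.
function ad_authenticate($host, $baseDn, $bindDn, $bindPw, $username, $password)
{
    // An empty password makes ldap_bind() perform an anonymous bind, which AD
    // accepts, so an empty password would otherwise count as a successful login.
    if ($username === '' || $password === '') {
        return false;
    }

    $conn = ldap_connect('ldaps://' . $host . '/');   // port 636 is implied by ldaps://
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);     // AD returns referrals that break searches

    // Bind with a low-privilege service account only to look up the user's DN.
    if (!@ldap_bind($conn, $bindDn, $bindPw)) {
        error_log('service bind failed: ' . ldap_error($conn));
        ldap_unbind($conn);
        return false;
    }

    // Escape the username so characters such as "*" or ")(" cannot alter the filter.
    $filter = '(&(objectClass=user)(sAMAccountName='
            . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
    $result  = ldap_search($conn, $baseDn, $filter, array('dn'));
    $entries = $result ? ldap_get_entries($conn, $result) : false;
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($conn);
        return false;
    }
    $userDn = $entries[0]['dn'];

    // Verify the password by binding as the user; it travels inside the TLS session.
    $ok = @ldap_bind($conn, $userDn, $password);
    ldap_unbind($conn);
    return $ok;
}

// Placeholder values for illustration; take the username and password from your login form.
$authenticated = ad_authenticate(
    'myserver.mydomain.com', 'DC=mydomain,DC=com',
    'CN=svc-web,OU=Service Accounts,DC=mydomain,DC=com', 'service-account-password',
    'jsmith', 'users-password'
);
```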

Good luck!

(I used the following two references heavily in solving my problem and in writing this note. Some additional information is presented at these sites, so if you are still experiencing any problems you might want to visit them for additional insight.)
http://www.connexitor.com/forums/viewtopic.php?p=15&sid=b9d6f222ec30f39340b8d12d0decc2ce
http://meta.wikimedia.org/wiki/LDAP#Windows_Configuration