使用PHP连接到Active Directory时是否需要ldap.conf？

Question

I'm trying to authenticate to Active Directory using PHP (5.3.2)/Apache (2.0.59)/Windows (2003).

However, I'm getting the following error:

ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error in E:\\my_page.php on line 15

Here is my current script:

putenv('LDAPTLS_REQCERT=never');

$resource = ldap_connect("xxx") 
    or die("Failed to connect to LDAP server."); 

echo "Connected to LDAP server.<br />"; 

//these options may not be necessary in all environments 
ldap_set_option($resource, LDAP_OPT_PROTOCOL_VERSION, 3);    
ldap_set_option($resource, LDAP_OPT_REFERRALS, 0); 

$result = ldap_start_tls($resource) or die("Failed to start TLS.<br />"); 

echo "Started TLS.<br />"; 

$result = ldap_sasl_bind($resource, NULL, '', 'GSSAPI', 'xxx', '', '') 
    or die("Failed to GSSAPI bind.<br />"); 

echo "GSSAPI bound."; 

I've looked at this question for help , however, I keep seeing references to ldap.conf.

Is this for OpenLDAP as in, the LDAP server your connecting to? If it is, I could ignore it due to using an existing enteprise Active Directory ?

Or is this for the PHP libraries connecting to an LDAP server (ie. ldap_connect())?

Edit #1

Screenshot of Wireshark...

I see in there, unknown CA... how would I go solving this (looking online ATM).

Edit #2

Update, I'm now getting a different error. I created ldap.conf on c:\\ and c:\\openldap\\sysconf

Content of ldap.conf:

#
# LDAP Defaults
#

TLS_REQCERT never

Now, it's stuck at the ldap_sasl_bind method which is normal - it's not installed.

Edit #3

Final product:

function isAuthenticated($user, $pass){
    //init
    $ldap_server = "";
    $ldap_user = "";
    $ldap_pass = "";
    $ldap_dn = "";
    $ldap_filter_fields = array("dn","cn","samaccountname");
    //establish connection
    $ldap_conn = ldap_connect($ldap_server) 
        or die("Failed to connect to LDAP server."); 

    //these options may not be necessary in all environments 
    ldap_set_option($resource, LDAP_OPT_PROTOCOL_VERSION, 3);    
    ldap_set_option($resource, LDAP_OPT_REFERRALS, 0); 

    //Magic happens here, encrypted tunnel starts!
    $result = ldap_start_tls($ldap_conn) or die("Failed to start TLS.<br />"); 

    $out = 0;
    //connect using our known user
    if($bind = ldap_bind($ldap_conn, $ldap_user, $ldap_pass)){  
        //search for the user
        $ldap_search_results = ldap_search($ldap_conn, $ldap_dn, "samaccountname=".$user, $ldap_filter_fields) or die ("Failed to search LDAP");
        //get entry
        $ldap_record = ldap_get_entries($ldap_conn, $ldap_search_results);
        debug($ldap_record);
        if($ldap_record["count"] > 0){
            //try to authenticate user here
            if($bind2 = @ldap_bind($ldap_conn, $ldap_record[0]["dn"], $pass))
                $out = 1;
            else
                //wrong password
                $out = 0;
        }
        else
            //user wasn't found
            $out = 3;       
    }
    else
        //something happened when connecting with our ldap_user
        $out = 2;

    return $out;    
}

Answer 1

You're on the right track with your unknown CA. I have had a similar issue with PHP on CentOS connecting to AD. I had to export the CA certificate from the AD server and configure it to be trusted on the CentOS system, which involved copying the certificate to /etc/openldap/cacerts and running OpenSSL's c_rehash . Unfortunately, I'm not sure how to tell you to get that same setup working under Windows.

Answer 2

Yes you are required to change the ldap.conf file and change the value of TLS_REQCERT to demand if you are trying to connect with the AD for which the trust has not been established on your host machine running Apache. If you have certificate from a trusted CA ie already installed on the machine OS keystore then it may run with the TLS_REQCERT set to never otherwise you will have to explicitly give the certificates and change the variable TLS_REQCERT.