
Authenticate against Windows AD using Zend Ldap

I am authenticating from a LAMP system against a Windows AD Server from a PHP app built using Zend Framework 1.12. I am using Zend_Ldap to connect. The authentication process works fine if I do not use a secure connection, i.e. LDAP over LDAPS. However, I wish to be able to perform other operations from the Web App such as resetting passwords on the AD Server. However, this requires a secure connection.

Some background info first

My Web application runs from a HTTPS connection (https://intranet) with a self-signed certificate. The self-signed certificate has been added to the trusted store on the AD server.

When I run my script I get this error message:

Error: 0x51 (Can't contact LDAP server; TLS error -8179:Peer's Certificate issuer is not recognized.): ldaps://192.168.0.x

My code is as follows:

$options = array(
                 'host' => '192.168.0.2',                 // string values must be quoted
                 'accountDomainName' => 'domain.internal',
                 'accountDomainNameShort' => 'domain',
                 'accountCanonicalForm' => 3,             // Zend_Ldap::ACCOUNT_TYPE_BACKSLASH (DOMAIN\user)
                 'baseDn' => "OU=Establishments,DC=domain,DC=internal",
                 'username' => 'admin',
                 'password' => 'password',
                 'useSsl' => true                         // connect with ldaps:// on port 636
                 );
$ldap = new Zend_Ldap($options);
$ldap->bind();

My question is:

Does my problem lie somewhere with my code or with my server configuration? Has anyone had any experience with Zend_Ldap and AD?

Ok, a little bit of further reading revealed that my problem was server related.

I needed to import the CA Certificate from the Windows AD Server to the certificate store on my Linux box in /etc/openldap/certs and edit /etc/openldap/ldap.conf so that it reads:

TLS_CACERT /etc/openldap/certs/mydoamin.com.pem

I can now securely connect with LDAPS to Windows AD Server.
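As an added example (not code from the original post or from Zend Framework itself), the same LDAPS bind can be done with the CA trust and certificate checking set from PHP rather than relying only on /etc/openldap/ldap.conf. The `-8179 Peer's Certificate issuer is not recognized` error in the question is the client refusing a server certificate whose issuing CA it does not trust; the fix is to add that CA, not to turn verification off. The host name `dc1.domain.internal`, the CA file path `/etc/openldap/certs/ad-ca.pem`, the bind credentials and the requirement of PHP 7.1 or later for setting process-wide `LDAP_OPT_X_TLS_*` options are assumptions made for this example.

```php
<?php
// Added example, not from the original post or from Zend Framework.
// Assumptions: the ZF1 autoloader is on the include path, the AD CA certificate
// has been exported to /etc/openldap/certs/ad-ca.pem (placeholder path), and
// PHP >= 7.1 so that ldap_set_option(null, ...) can set global TLS options.

require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

/**
 * Pin the client-side TLS policy before any LDAP handle exists. These are the
 * programmatic equivalents of TLS_CACERT and TLS_REQCERT in ldap.conf and they
 * apply to every connection this process opens afterwards.
 */
function configureLdapTlsTrust(string $caFile): void
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA bundle not readable: $caFile");
    }
    // Trust the AD CA (and the domain controller certificates it has issued).
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    // Demand a valid, trusted server certificate. Setting this to "never"
    // would silence the -8179 error but would also accept any impostor on 636/tcp.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
}

/**
 * Build Zend_Ldap options for an AD domain controller over LDAPS (636/tcp).
 * $host should be a DNS name present on the DC's certificate, because the
 * hostname check done under LDAP_OPT_X_TLS_DEMAND fails for a bare IP address
 * unless that IP is listed as a subject alternative name.
 */
function adLdapsOptions(string $host, string $bindUser, string $bindPassword): array
{
    return array(
        'host'                   => $host,
        'port'                   => 636,
        'useSsl'                 => true,
        'useStartTls'            => false,
        'accountDomainName'      => 'domain.internal',
        'accountDomainNameShort' => 'DOMAIN',
        // Same as the literal 3 used in the question (DOMAIN\user form).
        'accountCanonicalForm'   => Zend_Ldap::ACCOUNT_TYPE_BACKSLASH,
        'baseDn'                 => 'OU=Establishments,DC=domain,DC=internal',
        'username'               => $bindUser,
        'password'               => $bindPassword,
    );
}

/**
 * Bind and report the outcome. A 0x51 (server down) error carrying a TLS
 * message almost always means the CA that issued the DC certificate is not in
 * the client trust store, not that the directory is unreachable.
 */
function bindToAd(array $options): bool
{
    $ldap = new Zend_Ldap($options);
    try {
        $ldap->bind();
        return true;
    } catch (Zend_Ldap_Exception $e) {
        error_log('LDAPS bind failed: ' . $e->getMessage());
        return false;
    } finally {
        $ldap->disconnect();
    }
}

configureLdapTlsTrust('/etc/openldap/certs/ad-ca.pem');
$ok = bindToAd(adLdapsOptions('dc1.domain.internal', 'admin', 'password'));
echo $ok ? "LDAPS bind OK\n" : "LDAPS bind FAILED\n";
```

Two points worth checking in any deployment like the one in the question: connect to the domain controller by a DNS name that appears on its certificate rather than by IP (the question's `ldaps://192.168.0.x` will not pass a hostname check), and keep `TLS_REQCERT` at its default `demand` in ldap.conf. Setting it to `never` makes the error disappear but leaves the bind credentials and any password-reset traffic exposed to anyone who can sit between the web server and the domain controller.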
