
PHP ldap_connect using ldaps to connect to Active Directory getting Unknown CA error

I am trying to connect to MS Active Directory using PHP 7 on a Windows 2012 server (running apache 2.4 but that should be irrelevant to the problem I am having).

I should also note that I am able to connect to AD from PHP using non-secure LDAP from the command line and the apache server.

When I execute the following PHP test file, source: http://muzso.hu/2012/04/02/php-ldap-ssl-ldaps-authentication-in-windows-running-apache , from a command line on the web server:


<?php
$AD_search_bind_DN = 'CN=someuser,OU=Users,DC=example,DC=com';
$AD_search_bind_PW = 'secret123';
ini_set('display_errors', 1);
error_reporting(E_ALL);
// Debug level is a global libldap option, so NULL is correct here.
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
$conn = ldap_connect('ldaps://SomeDC.example.com/') or die("Failed to connect to ldap server.");
// The protocol version must be set on the connection handle: a handle created by
// ldap_connect() copies the global defaults at creation time, so setting it on NULL
// afterwards would not affect $conn. AD requires LDAPv3.
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
// PHP concatenates strings with ".", not "+".
ldap_bind($conn, $AD_search_bind_DN, $AD_search_bind_PW) or die("Failed to bind to ldap server: " . ldap_error($conn));
echo "Successful LDAP bind.";

I get the following output (I highlighted the error):


ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying %SYSCONFDIR%\\ldap.conf
ldap_init: HOME env is NULL
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
ldap_create
ldap_url_parse_ext(ldaps://SomeDC.example.com/)
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP SomeDC.example.com:636
ldap_new_socket: 244
ldap_prepare_socket: 244
ldap_connect_to_host: Trying {IP Address of SomeDC Removed}:636
ldap_pvt_connect: fd: 244 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 20, subject: /DC=com/DC=example/CN=Self_Named-SHA256-SubCA, issuer: /CN=ITSS-Ent-SHA256-Root
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate).
ldap_err2string
PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in C:\\test_bind.php on line 10


I have both the php_ldap and php_openssl extensions UN-commented in my php.ini file.

I have copies of the AD CA cert in DER and PEM formats but I am not sure where to place these files on my web server. There are lots of posts related to linux OS's that simply say to place "TLS_CACERT C:\\openldap\\sysconf\\cacert.pem" in my ldap.conf file. I am not running openLDAP and I do not have a ldap.conf file.

I have openSSL installed but I am not entirely sure that the configuration is correct:

  • The openssl.cfg file is unchanged: http://pastebin.com/KxnWThXh
  • I added an environment variable 'OpenSSL' that points to the openssl.cfg file
  • When I execute 'openssl version -a' from a cmd line, it shows: OPENSSLDIR: /usr/local/ssl which clearly makes no sense for windows. Complete output can be seen here: http://pastebin.com/h3ei3Pwp

== EDIT 1: ========================================

Gabriel, thanks for the suggestions / Reference.

I have now also tried these things without success:

  • Created an ldap.conf and an openldap.conf file (using many different formats based on various article suggestions; see the variations I've tried here: http://pastebin.com/aP94Nh4Y ) in C:\\ and C:\\openldap\\sysconf
  • This article ( https://www.reddit.com/r/PHPhelp/comments/3tykpc/php_7_and_ldap/ ) says to create an environment variable called 'LDAPCONF' that points to the ldap.conf file (C:\\openldap\\sysconf\\ldap.conf). I did. No change.
  • I noticed this in the output from executing my test php script (line 2 of the output): ldap_init: trying %SYSCONFDIR%\\ldap.conf . The SYSCONFDIR environment variable didn't yet exist so I added that one with a value of 'C:\\openldap\\sysconf\\'. -- no change.
  • Introduced an obvious syntax error into all locations of my ldap.conf/openldap.conf files to see if I could change the test script output to know that it was at least looking at one of those files -- nothing changed.

== EDIT 2: ========================================

Gabriel, thanks for the process monitor tip. I can now at least confirm that PHP 7 is using the 'LDAPCONF' environment value path to locate and read the ldap.conf file that this ENV variable is pointing to.

It also appears that PHP 7 is not handling the 'SYSCONFDIR' environment variable correctly because it first tries to open a file in this literal path: E:\\httpd\\www\\%SYSCONFDIR%\\ldap.conf

It's still not working but now I can focus my effort in tweaking just the one file I know it is reading.

If anyone has any other tips for configuration or could share their ldap.conf file from a working windows installation I would appreciate it.


I am now still stuck and don't know what else to do. Please help!

The answer here should help: https://stackoverflow.com/a/6047293/1202807

Under XAMPP on Windows the ldap.conf must be either in the root of the system (c:\\ldap.conf, PHP 5.3.3 if I remember correctly) or in C:\\openldap\\sysconf\\ depending on the PHP version. It seems the path is not configurable because it is hardcoded in the Windows PHP DLLs. See the comments at http://se2.php.net/manual/en/ref.ldap.php

So create the ldap.conf file in c:\\ or C:\\openldap\\sysconf\\ if it doesn't exist already, and put your TLS_CACERT line in it.
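The same TLS_CACERT idea, written as a PHP script that hands the CA bundle to libldap directly instead of relying on where ldap.conf is looked up. This is an added example, not the asker's test script and not code from the linked posts. It assumes PHP 7.1 or later (for LDAP_OPT_X_TLS_CACERTFILE and LDAP_OPT_DIAGNOSTIC_MESSAGE); the CA bundle path, host name and bind DN are placeholders, and the bundle must contain the issuing SubCA and root shown in the trace (here "Self_Named-SHA256-SubCA" and "ITSS-Ent-SHA256-Root"), concatenated in PEM form. The equivalent ldap.conf line is TLS_CACERT C:\\openldap\\sysconf\\cacert.pem.

```php
<?php
// Added example: bind to Active Directory over LDAPS with the CA chain supplied
// explicitly, so "unable to get local issuer certificate" is fixed by trusting the
// right CA rather than by switching certificate checking off.
// Assumptions: PHP >= 7.1; paths, host and DN below are placeholders.

$caBundle = 'C:\\openldap\\sysconf\\cacert.pem';          // PEM: SubCA + Root (placeholder path)
$ldapUri  = 'ldaps://SomeDC.example.com/';                 // placeholder DC
$bindDn   = 'CN=someuser,OU=Users,DC=example,DC=com';      // placeholder DN
$bindPw   = getenv('AD_BIND_PW') ?: '';                    // keep the secret out of the source file

if (!is_readable($caBundle)) {
    fwrite(STDERR, "CA bundle not readable: $caBundle\n");
    exit(1);
}

// TLS options are global in libldap and are read when the connection is opened,
// so they have to be set on NULL *before* ldap_connect()/ldap_bind().
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caBundle);
// DEMAND = fail the handshake if the server certificate does not chain to the bundle.
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

$conn = ldap_connect($ldapUri);
if ($conn === false) {
    fwrite(STDERR, "Invalid LDAP URI: $ldapUri\n");
    exit(1);
}

// Per-connection options go on the handle, not on NULL.
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);   // AD requires LDAPv3
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);          // AD referrals cannot be chased with these credentials

// The TCP connect and TLS handshake actually happen here, on the first request.
if (!@ldap_bind($conn, $bindDn, $bindPw)) {
    $diag = '';
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    fwrite(STDERR, 'Bind failed: ' . ldap_error($conn)
        . ($diag !== '' ? " ($diag)" : '') . "\n");
    exit(1);
}

echo "Successful LDAP bind over LDAPS with a verified server certificate.\n";
ldap_unbind($conn);
```

Before blaming PHP, check the bundle itself with the OpenSSL client that is already installed: openssl s_client -connect SomeDC.example.com:636 -CAfile C:\\openldap\\sysconf\\cacert.pem should end with "Verify return code: 0 (ok)". If that still reports "unable to get local issuer certificate", the bundle is missing one of the two certificates from the trace and no ldap.conf placement will help. Resist the shortcut of setting LDAP_OPT_X_TLS_REQUIRE_CERT to LDAP_OPT_X_TLS_NEVER: that makes the bind succeed against any certificate, so the bind credentials could be sent to whoever answers on port 636.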

I have a similar problem, and I have spent some time resolving it. This behaviour was an OpenLDAP bug in PHP. I have reported it and it was fixed and will be released soon. See: PHP BUG #73243 ( https://bugs.php.net/bug.php?id=73243 )

If you need an immediate fix, which is a little bit of a hack, try this (at your own risk):

  • use some binary editor (e.g. HexEdit) to edit php_ldap.dll
  • find the expression "%SYSCONFDIR%\\ldap.conf" and
  • replace it with "c:\\ldap_conf\\ldap.conf", the new constant has to have the same length as the replaced constant
  • copy the ldap configuration to new location

Hope it helps :-)
