0
votes

I'm working on a small password reset script for our users, using PHP5 on an IIS7.5 server. I have LDAP over SSL enabled on our Active Directory controllers, and tested that it is working properly using ldp.exe

Here's the code to connect to the server:

$ldap_server = "ldaps://AD02.district.local";
$ldap_port = 636;   // integer port, not a string
$ldap_user = "[email protected]";
$ldap_pass = "(goes here)";

$ds = ldap_connect($ldap_server, $ldap_port);
// options must be set before binding; AD needs LDAPv3 and referral chasing off
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
if (!ldap_bind($ds, $ldap_user, $ldap_pass)) {
    die("Bind failed: " . ldap_error($ds));
}

However, when I execute the script, I get the following error:

Warning: ldap_bind() [function.ldap-bind]: Unable to bind to server: Can't contact LDAP server in D:\Sites\Lookup\search.php on line 11

If I set $ldap_server to use ldap:// instead of ldaps://, it'll connect (even with the port set to 636), but the actual reset function does not work ("server is unwilling to perform").

Is there a way to troubleshoot this further? Or does anyone know what may be wrong? - dd

1
Check two things: first, whether LDAP is enabled in php.ini; second, make sure LDAPS is enabled. Maybe only regular LDAP is enabled, in which case the port is different. - Javad
php_ldap.dll is enabled in my php.ini file, and I'm able to connect to the AD server and perform searches when connecting over non-SSL LDAP. LDAP over SSL is enabled on my AD servers, and I can verify it working as I'm able to connect to it from other tools over SSL. Is there something I need to configure in my php.ini file to enable LDAP over SSL? - Joey H
There is nothing in php.ini to enable LDAP over SSL except enabling php_openssl.dll. One more thing: is LDAP connectivity enabled in your AD, too? - Javad
php_openssl.dll is enabled as well. LDAP connectivity is enabled on our AD, as we have several other applications that connect to AD via LDAP/LDAPS. Most notable is our SSO system, which uses LDAPS, but is in Java instead of PHP. - Joey H
That's weird. I suggest echoing ldap_error. I think the problem is not in connecting to LDAP; the issue might be in ldap_bind. I guess you need to have the base DN in your bind query to fix this issue. - Javad

1 Answer

0
votes

I know this is an old question. But today I encountered the same problem.

I had to apply the following solution to make it work:

  1. Create a folder: C:\OpenLDAP\sysconf
  2. Create a file 'ldap.conf' in C:\OpenLDAP\sysconf.
  3. Make the content of the file: 'TLS_REQCERT never' (no quotes).
  4. Save.

It should work now. According to the manual, “TLS_REQCERT never” prevents the server from requesting and/or checking any server certificate.
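A hardened version of the connect-and-reset flow, added here as an example and not code from the question or the answer: it pins the CA that issued the domain controller's certificate instead of turning certificate checks off with "TLS_REQCERT never", sets options before binding, and encodes the new password the way AD's unicodePwd attribute requires (which is also why the reset fails with "unwilling to perform" over plain ldap://, since AD only accepts that modify on an encrypted session). It assumes PHP 7.1 or later for the LDAP_OPT_X_TLS_* and LDAP_OPT_DIAGNOSTIC_MESSAGE constants; the CA file path, service account and user DN are placeholders.

```php
<?php
// Added example, not the question's or answer's code. Assumes PHP >= 7.1;
// the CA path, service account and user DN below are placeholders.
declare(strict_types=1);

// Pin the issuing CA and demand a valid server certificate. With a null handle these
// options are global to the OpenLDAP client library and must be set before ldap_connect().
// On Windows the same can be done in ldap.conf with "TLS_CACERT <path>" and "TLS_REQCERT demand".
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, 'C:\OpenLDAP\sysconf\ad-root-ca.pem'); // placeholder
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

function ad_connect(string $host, string $user, string $pass)
{
    // ldaps:// on 636 encrypts from the first byte, which AD requires for unicodePwd changes.
    $ds = ldap_connect("ldaps://{$host}:636");
    if ($ds === false) {
        throw new RuntimeException('Malformed LDAP URI');
    }
    // Options go before the bind; AD needs LDAPv3 and referral chasing off.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    if (@ldap_bind($ds, $user, $pass) === false) {
        // The diagnostic message tells a TLS/transport failure ("Can't contact LDAP server")
        // apart from an AD-side rejection such as "Invalid credentials, data 52e".
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        throw new RuntimeException('Bind failed: ' . ldap_error($ds) . ' ' . (string) $diag);
    }
    return $ds;
}

function ad_reset_password($ds, string $userDn, string $newPassword): void
{
    // AD expects the new password wrapped in double quotes and encoded as UTF-16LE,
    // and answers "unwilling to perform" if the session is not encrypted.
    $encoded = mb_convert_encoding('"' . $newPassword . '"', 'UTF-16LE', 'UTF-8');
    if (!ldap_mod_replace($ds, $userDn, ['unicodePwd' => $encoded])) {
        throw new RuntimeException('Password reset failed: ' . ldap_error($ds));
    }
}

// Placeholder service account and target user; the bind password comes from the environment.
$ds = ad_connect('AD02.district.local', 'svc-reset@district.local', getenv('AD_RESET_PASS') ?: '');
ad_reset_password($ds, 'CN=Jane Doe,OU=Staff,DC=district,DC=local', 'placeholder-new-password');
ldap_unbind($ds);
```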