PHP Active Directory Authentication using Self Signed SSL Cert (LDAPS://)

Here is the steps I followed to get the domain controller’s SSL CA cert and configure PHP with LDAP to do LDAPS authentication on Active Directory (Domain Controller AD).

  • First let get the CA cert. If you dont have it, it can be done via openssl.
  • To get the CA cert

    openssl s_client -connect YOUR_WINDOWS_DOMAIN_NAME.YOUR_DOMAIN_EXTENTION:636

    you will see all the values but what we are interested in is the –BEGIN CERTIFICATE — and –END CERTIFICATE—
    so save all the output to a file :

    openssl s_client -connect YOUR_WINDOWS_DOMAIN_NAME.YOUR_DOMAIN_EXTENTION:636 > ca_cert.pem

    then edit it: vi ca_cert.pem (or xed ca_cert.pem) and delete everything only leaving the –BEGIN CERTIFICATE — …. –END CERTIFICATE— including the –BEGIN CERTIFICATE — and –END CERTIFICATE— tages.

    Rename the file to a more descriptive name for your CA
    mv ca_cert.pem MyCA.pem

    To make sure you have the right Domain you can always do a nslookup to verify the domain controllers.
    set type=ANY

  • Now to install the new CA cert on the server
  • To see where the cert dir is located do a : openssl version -d
    (Mine was /etc/openssl/certs)
    so I copy
    cp ca_cert.pem /etc/openssl/certs
    and to create the HASH (You can do below or try running c_rehash in /etc/openssl/certs )

    openssl x509 -noout -hash -in ca-certificate-file

    grab the output hash (ie 23456789d)
    then do a link
    ln -s MaCA.crt 23456789d.0

  • New verify the installed certificate

  • openssl s_client -connect ANY_OF_THE_LDAP_SERVERS_GET_LIST_FROM_NSLOOKUP:636 -CAfile
    /etc/ssl/certs/MyCA.pem -verify 0

  • Now to configure the LDAP to use secure LDAPS
  • Here is the tricky part. I have found that my PHP does not pick up the changes I have made on /etc/openldap/ldap.conf .
    but start there first edit : xed /etc/openldap/ldap.conf (or vi /etc/openldap/ldap.conf if you prefer)
    add these lines:
    TLS_CACERT /etc/ssl/certs/23456789d.0

    You can always add this to ensure that you accept all certificates
    TLS_REQCERT allow

    now test and to see any errors you can do a
    sudo tail -f /var/log/apache2/error_log to see the errors

    If it does not work (Like on my UNIX box HP-UX) then on your phpinfo(); page under “Environment” look for variable HOME and lets say its
    cp /etc/openldap/ldap.conf /srv/www/.ldaprc

  • Using PHP to autenticate
  • Now when its configured now you can use Active Directory Include from Source Forge

    Leave a Reply

    Your email address will not be published.

    CAPTCHA Image
    Reload Image