Here are the steps I followed to get the domain controller's SSL CA certificate and configure PHP's LDAP extension to do LDAPS authentication against Active Directory (the domain controller).
To get the CA cert, run:
openssl s_client -connect YOUR_WINDOWS_DOMAIN_NAME.YOUR_DOMAIN_EXTENSION:636
You will see a lot of output, but what we are interested in is the block between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
So save all the output to a file:
openssl s_client -connect YOUR_WINDOWS_DOMAIN_NAME.YOUR_DOMAIN_EXTENSION:636 > ca_cert.pem
Then edit it (vi ca_cert.pem, or xed ca_cert.pem) and delete everything except the -----BEGIN CERTIFICATE----- .... -----END CERTIFICATE----- block, keeping the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags themselves.
Rename the file to a more descriptive name for your CA:
mv ca_cert.pem MyCA.pem
To make sure you have the right domain, you can always do an nslookup to verify the domain controllers:
nslookup
set type=ANY
your_microsoft_domain.your_web_domain.com
To see where the cert directory is located, run: openssl version -d
(Mine was /etc/openssl/certs)
So I copy the renamed file there:
cp MyCA.pem /etc/openssl/certs
And to create the hash (you can do the following, or try running c_rehash in /etc/openssl/certs):
openssl x509 -noout -hash -in MyCA.pem
Grab the output hash (e.g. 23456789d)
then, in the certs directory, create a symlink named after that hash:
ln -s MyCA.pem 23456789d.0
Now verify that the LDAPS connection validates against the CA:
openssl s_client -connect ANY_OF_THE_LDAP_SERVERS_GET_LIST_FROM_NSLOOKUP:636 -CAfile /etc/ssl/certs/MyCA.pem -verify 0
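The certificate extraction and hash-link steps above, scripted as an added example (this is not code from the original post). It uses -showcerts so the whole chain the controller sends is captured: if the controller's certificate was issued by an enterprise CA, the trust store needs that issuing CA certificate, and the last block in the -showcerts output is normally it; trusting only the leaf will not make a CA-issued certificate verify. The host dc.example.local:636, the directory /etc/ssl/certs and the sample chain text are assumptions/constructed placeholders; use the directory that openssl version -d reports on your box.

```shell
#!/bin/sh
# Added example (not code from the original post): pull the certificate chain
# that the domain controller presents on 636, keep the issuing CA, and install
# it into the OpenSSL certs directory with the hash symlink that libldap needs.
# Placeholders assumed: dc.example.local:636 and /etc/ssl/certs (use the
# directory reported by `openssl version -d` on your box).

# Dump the full chain; -showcerts prints every certificate the server sends,
# not only the leaf, and </dev/null closes the session instead of waiting on stdin.
fetch_chain() { openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null; }

# Keep only the first PEM block on stdin (the server's own certificate).
extract_first_pem() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' |
        sed '/^-----END CERTIFICATE-----$/q'
}

# Keep only the last PEM block on stdin: with -showcerts this is the highest
# certificate in the chain the server sent, normally the issuing CA, which is
# what belongs in the trust store.
extract_last_pem() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { blk = ""; inblk = 1 }
         inblk { blk = blk $0 "\n" }
         /^-----END CERTIFICATE-----$/ { inblk = 0; last = blk }
         END { printf "%s", last }'
}

# Copy a PEM file into the certs directory and create the <subject_hash>.0
# symlink that OpenSSL's directory lookup uses (the same thing c_rehash does).
install_ca() {
    pem=$1; dir=$2
    hash=$(openssl x509 -noout -subject_hash -in "$pem")
    cp "$pem" "$dir/" && ln -sf "$(basename "$pem")" "$dir/$hash.0" && echo "$dir/$hash.0"
}

# Verify the LDAPS endpoint against the installed CA; -verify_return_error
# makes s_client exit non-zero when the chain does not verify.
verify_ldaps() {
    openssl s_client -connect "$1" -CAfile "$2" -verify_return_error </dev/null >/dev/null 2>&1
}

# Constructed sample (not a real chain) showing the shape of s_client -showcerts output.
SAMPLE_CHAIN='CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
LEAFCERTBASE64
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ISSUINGCABASE64
-----END CERTIFICATE-----
Verify return code: 0 (ok)'

# Usage against a real controller (needs network access):
#   fetch_chain dc.example.local:636 | extract_last_pem > MyCA.pem
#   install_ca MyCA.pem /etc/ssl/certs
#   verify_ldaps dc.example.local:636 /etc/ssl/certs/MyCA.pem && echo "LDAPS chain verifies"
```

If the controller sends only its own certificate, extract_last_pem returns the same block as extract_first_pem; in that case fetch the issuing CA certificate from the CA itself rather than trusting the leaf.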
Here is the tricky part. I have found that my PHP does not pick up the changes I have made in /etc/openldap/ldap.conf,
but start there first. Edit it with xed /etc/openldap/ldap.conf (or vi /etc/openldap/ldap.conf if you prefer)
and add this line:
TLS_CACERT /etc/ssl/certs/23456789d.0
You can always add this to accept all certificates (it skips certificate verification, so keep it for troubleshooting only):
TLS_REQCERT allow
Now test; to see any errors, run:
sudo tail -f /var/log/apache2/error_log
If it does not work (as on my UNIX box, HP-UX), then on your phpinfo(); page under "Environment" look for the variable HOME. Let's say it is
/srv/www
cp /etc/openldap/ldap.conf /srv/www/.ldaprc
Now that it is configured, you can use Active Directory Include from SourceForge.
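The client-side configuration from the steps above, as an added example that is not part of the original post: it writes the ldap.conf/.ldaprc that PHP's ldap extension (libldap) reads, shows the weak setting (TLS_REQCERT allow, which accepts any certificate) beside the enforcing one (demand, the libldap default, which rejects a server whose certificate does not chain to TLS_CACERT), installs the file under the web server's HOME as the post does for HP-UX, and checks the result with ldapsearch before involving PHP. The CA path /etc/ssl/certs/MyCA.pem, the host dc.example.local and the HOME directory are assumptions; ldapsearch comes from the OpenLDAP client tools and honours the LDAPCONF environment variable for an alternate config file.

```shell
#!/bin/sh
# Added example, not part of the original post: write the OpenLDAP client config
# that PHP's ldap extension (libldap) will read, with certificate verification
# enforced, and check it from the shell before touching PHP.
# Assumptions (placeholders): CA file /etc/ssl/certs/MyCA.pem, controller
# dc.example.local, and the web server's HOME as shown by phpinfo().

# Write a client config in ldap.conf(5) syntax. "demand" makes libldap refuse any
# server whose certificate does not chain to TLS_CACERT; "allow" (from the post)
# accepts any certificate and is only useful while troubleshooting.
write_ldap_client_conf() {
    target=$1; cafile=$2; reqcert=${3:-demand}
    cat > "$target" <<EOF
# OpenLDAP client settings (ldap.conf(5) syntax), generated by write_ldap_client_conf
TLS_CACERT $cafile
TLS_REQCERT $reqcert
EOF
}

# Same file for the web server user: libldap also reads \$HOME/.ldaprc, so put it
# under the HOME reported by phpinfo() (the post's /srv/www), always with demand.
install_for_web_user() { write_ldap_client_conf "$1/.ldaprc" "$2" demand; }

# Report the effective TLS_REQCERT value of a config file (libldap's default is demand).
effective_reqcert() {
    v=$(awk 'toupper($1) == "TLS_REQCERT" { v = $2 } END { print v }' "$1")
    echo "${v:-demand}"
}

# Anonymous rootDSE query over LDAPS using a given config file via LDAPCONF.
# Active Directory answers rootDSE anonymously, so a failure here is a TLS
# or trust problem, not a credentials problem.
check_ldaps() {
    LDAPCONF=$1 ldapsearch -H "ldaps://$2" -x -b '' -s base '(objectClass=*)' namingContexts
}

# Usage on a real box (needs network access and the OpenLDAP client tools):
#   write_ldap_client_conf /etc/openldap/ldap.conf /etc/ssl/certs/MyCA.pem demand
#   install_for_web_user /srv/www /etc/ssl/certs/MyCA.pem
#   check_ldaps /etc/openldap/ldap.conf dc.example.local && echo "LDAPS verified with demand"
```

Run check_ldaps once with the demand config and once with a config that points TLS_CACERT at the wrong file: the first should return the naming contexts, the second should fail with a TLS error, which proves verification is actually being enforced rather than silently skipped.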