{"id":123,"date":"2017-04-28T11:36:37","date_gmt":"2017-04-28T09:36:37","guid":{"rendered":"http:\/\/www.stepit.co.za\/wp\/?p=123"},"modified":"2018-12-04T11:42:19","modified_gmt":"2018-12-04T09:42:19","slug":"php-active-directory-authentication-using-self-signed-ssl-cert-ldaps","status":"publish","type":"post","link":"http:\/\/www.stepit.co.za\/wp\/blog\/2017\/04\/28\/php-active-directory-authentication-using-self-signed-ssl-cert-ldaps\/","title":{"rendered":"PHP Active Directory Authentication using Self Signed SSL Cert (LDAPS:\/\/)"},"content":{"rendered":"<p>Here are the steps I followed to get the domain controller's TLS certificate, install it as a trusted CA on the web server, and configure PHP's LDAP extension to authenticate against Active Directory over LDAPS (port 636) rather than plain LDAP.<\/p>\n<ol>\n<li>First, get the CA cert. If the AD administrator has not given it to you, pull it from a domain controller with openssl.\n<p>Connect to the LDAPS port and have s_client print the certificate chain the server sends, saving everything to a file:<\/p>\n<pre><code>openssl s_client -connect YOUR_WINDOWS_DOMAIN_NAME.YOUR_DOMAIN_EXTENSION:636 -showcerts &lt; \/dev\/null > ca_cert.pem<\/code><\/pre>\n<p>Without <code>-showcerts<\/code> you get only the server's own (leaf) certificate. If the domain controller uses a self-signed certificate, that leaf certificate is the one to trust. If it was issued by an internal CA (for example AD Certificate Services), the issuing CA certificate is the last <code>-----BEGIN CERTIFICATE-----<\/code> ... <code>-----END CERTIFICATE-----<\/code> block in the output, and that is the one to keep. Edit the file (<code>vi ca_cert.pem<\/code>, or <code>xed ca_cert.pem<\/code>) and delete everything except that block, keeping the BEGIN CERTIFICATE and END CERTIFICATE lines themselves.<\/p>\n<p>Rename the file to a more descriptive name for your CA:<\/p>\n<pre><code>mv ca_cert.pem MyCA.pem<\/code><\/pre>\n<p>A certificate fetched over the network is only as trustworthy as the network path, so before installing it compare its fingerprint with what the domain controller (or the AD team) reports:<\/p>\n<pre><code>openssl x509 -noout -fingerprint -sha256 -in MyCA.pem<\/code><\/pre>\n<p>To make sure you have the right domain, you can always do an nslookup to list the domain controllers (querying the SRV record <code>_ldap._tcp.your_microsoft_domain.your_web_domain.com<\/code> lists the LDAP servers directly):<\/p>\n<pre><code>nslookup\nset type=ANY\nyour_microsoft_domain.your_web_domain.com<\/code><\/pre>\n<\/li>\n
<li>Now install the new CA cert on the server.\n<p>To see where OpenSSL keeps its configuration and certificates, run <code>openssl version -d<\/code>; the certificate directory is the <code>certs<\/code> subdirectory of what it prints (mine was <code>\/etc\/openssl\/certs<\/code>; on many Linux systems it is <code>\/etc\/ssl\/certs<\/code>). Copy the file there:<\/p>\n<pre><code>cp MyCA.pem \/etc\/openssl\/certs\/<\/code><\/pre>\n<p>OpenSSL finds CA certificates in this directory by a hash of the subject name, so the file needs a hash-named link. Either run <code>c_rehash \/etc\/openssl\/certs<\/code>, which does this for every certificate in the directory, or do it by hand:<\/p>\n<pre><code>openssl x509 -noout -hash -in \/etc\/openssl\/certs\/MyCA.pem<\/code><\/pre>\n<p>Grab the eight-character hex hash it prints (for example <code>23456789<\/code>) and link it to the certificate with a <code>.0<\/code> suffix (use <code>.1<\/code>, <code>.2<\/code> and so on if another certificate in the directory already has the same hash):<\/p>\n<pre><code>cd \/etc\/openssl\/certs\nln -s MyCA.pem 23456789.0<\/code><\/pre>\n<p>OpenSSL 1.0 changed the hash algorithm; if the libldap on the box was built against OpenSSL 0.9.x, create a second link using the value from <code>openssl x509 -noout -subject_hash_old -in MyCA.pem<\/code>.<\/p>\n<\/li>\n<li>Now verify the installed certificate.\n<pre><code>openssl s_client -connect ANY_OF_THE_LDAP_SERVERS_FROM_NSLOOKUP:636 -CAfile \/etc\/openssl\/certs\/MyCA.pem -verify 5 &lt; \/dev\/null<\/code><\/pre>\n<p>The line that matters is near the end of the output: <code>Verify return code: 0 (ok)<\/code>. Anything else means the chain is still not trusted. Repeat with <code>-CApath \/etc\/openssl\/certs<\/code> instead of <code>-CAfile<\/code> to check that the hash link works too.<\/p>\n<\/li>\n
<li>Now configure LDAP to use LDAPS.\n<p>Here is the tricky part. I have found that my PHP does not pick up the changes I make in <code>\/etc\/openldap\/ldap.conf<\/code>, but start there first. Edit it (<code>xed \/etc\/openldap\/ldap.conf<\/code>, or <code>vi<\/code> if you prefer) and add these lines:<\/p>\n<pre><code>TLS_CACERT \/etc\/openssl\/certs\/MyCA.pem\nTLS_REQCERT demand<\/code><\/pre>\n<p><code>TLS_REQCERT demand<\/code> (the default) makes libldap refuse the connection if the server certificate cannot be verified against <code>TLS_CACERT<\/code>. You will often see the advice to set <code>TLS_REQCERT allow<\/code> or <code>never<\/code> so that any certificate is accepted; that makes the connection succeed whatever the server presents, so anyone who can redirect traffic on the path to the domain controller can present their own certificate and read the usernames and passwords your PHP application sends. Use it only to confirm that certificate trust is the remaining problem, then switch back to <code>demand<\/code>.<\/p>\n<p>Now test, and watch the web server log for errors:<\/p>\n<pre><code>sudo tail -f \/var\/log\/apache2\/error_log<\/code><\/pre>\n<p>If it still does not work (as on my HP-UX box), look on your phpinfo() page under &#8220;Environment&#8221; for the variable HOME. Say it is <code>\/srv\/www<\/code>; libldap also reads a <code>.ldaprc<\/code> file in the home directory of the user it runs as, so copy the configuration there:<\/p>\n<pre><code>cp \/etc\/openldap\/ldap.conf \/srv\/www\/.ldaprc<\/code><\/pre>\n<p>libldap also honours the <code>LDAPCONF<\/code> environment variable (full path of a configuration file) and <code>LDAPRC<\/code> (name of a per-user file), so setting one of those in the web server's environment is an alternative to the copy.<\/p>\n<\/li>\n<li>Using PHP to authenticate.\n<p>Now that it is configured, you can use the <a href=\"http:\/\/adldap.sourceforge.net\">adLDAP library from SourceForge<\/a> with <code>ldaps:\/\/<\/code> URLs for your domain controllers. Whatever library you use, reject an empty password before calling the bind: Active Directory treats a bind with a user name and an empty password as an anonymous bind and reports success, which would let anyone in with a blank password.<\/p>\n<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Here are the steps I followed to get the domain controller&#8217;s SSL CA cert and configure PHP with LDAP to do LDAPS authentication on Active Directory (Domain Controller AD). First, get the CA cert. If you don't have it, it can be done via openssl. 
To get the CA cert openssl s_client -connect YOUR_WINDOWS_DOMAIN_NAME.YOUR_DOMAIN_EXTENTION:636 &hellip; <\/p>\n<p class=\"link-more\"><a href=\"http:\/\/www.stepit.co.za\/wp\/blog\/2017\/04\/28\/php-active-directory-authentication-using-self-signed-ssl-cert-ldaps\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;PHP Active Directory Authentication using Self Signed  SSL Cert (LDAPS:\/\/)&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[9,11,14,8,7,12,10,13,6],"class_list":["post-123","post","type-post","status-publish","format-standard","hentry","category-linux-help","tag-active-directory-ad","tag-ad","tag-cert","tag-ldaps","tag-linux","tag-microsoft-domain-authentication","tag-openssl","tag-own-ca","tag-php"],"_links":{"self":[{"href":"http:\/\/www.stepit.co.za\/wp\/wp-json\/wp\/v2\/posts\/123","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.stepit.co.za\/wp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.stepit.co.za\/wp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.stepit.co.za\/wp\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.stepit.co.za\/wp\/wp-json\/wp\/v2\/comments?post=123"}],"version-history":[{"count":11,"href":"http:\/\/www.stepit.co.za\/wp\/wp-json\/wp\/v2\/posts\/123\/revisions"}],"predecessor-version":[{"id":335,"href":"http:\/\/www.stepit.co.za\/wp\/wp-json\/wp\/v2\/posts\/123\/revisions\/335"}],"wp:attachment":[{"href":"http:\/\/www.stepit.co.za\/wp\/wp-json\/wp\/v2\/media?parent=123"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.stepit.co.za\/wp\/wp-json\/wp\/v2\/categories?post=123"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.stepit.co.za\/wp\/wp-json\/wp\/v2\/tags?post=123"}],"curies":[{"name":"w
p","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
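The procedure in the post above (fetch the domain controller's chain, keep the issuing CA, install it with an OpenSSL hash link, verify, write ldap.conf) as one added shell script. This is example code written for this page, not code from the original post or from adLDAP. The host names, ports and certificate directory are placeholders, and the `openssl s_client -showcerts` output used for the offline self-check is constructed, not captured from a real server; the functions that touch the network or `/etc` are only shown in the usage comment.

```shell
#!/bin/sh
# Added example: end-to-end version of the procedure in the post above
# (fetch the domain controller's certificate chain, keep the issuing CA,
# install it with an OpenSSL hash link, verify, write ldap.conf).
# Host names, ports and directories are placeholders; the sample
# s_client output below is constructed, not captured from a real server.

# Step 1a: print the full chain the LDAPS server sends (needs network).
# s_client's progress lines go to stderr, the PEM blocks to stdout.
fetch_chain() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null
}

# Step 1b: keep only the last BEGIN/END CERTIFICATE block, which is the
# highest certificate the server sent (the issuing CA when the chain is
# complete, or the self-signed leaf itself when there is only one).
last_cert_block() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { buf = ""; inblock = 1 }
        inblock                       { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/   { inblock = 0; last = buf }
        END                           { printf "%s", last }
    '
}

# How many certificates were in the s_client output (1 means self-signed,
# or a server that does not send its chain).
cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----'
}

# Step 2: copy the CA into the OpenSSL cert directory and add the
# subject-hash link OpenSSL uses for lookups (c_rehash does the same).
# The .N suffix is incremented when another cert already has that hash.
install_ca() {
    pem=$1; certdir=$2
    name=$(basename "$pem")
    cp "$pem" "$certdir/$name"
    hash=$(openssl x509 -noout -subject_hash -in "$pem")
    n=0
    while [ -e "$certdir/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$name" "$certdir/$hash.$n"
    echo "$certdir/$hash.$n"
}

# Step 3: succeed only if the server's chain verifies against the hashed
# directory; -verify_return_error makes s_client fail instead of just
# printing a non-zero "Verify return code".
verify_server() {
    openssl s_client -connect "$1:$2" -CApath "$3" -verify 5 \
        -verify_return_error </dev/null 2>&1 |
        grep -q 'Verify return code: 0 (ok)'
}

# Step 4: ldap.conf fragment. TLS_REQCERT demand (the default) rejects a
# server whose certificate does not chain to TLS_CACERT; "allow" or
# "never" would accept any certificate and leave the bind open to
# interception.
write_ldap_conf() {
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}

# Constructed stand-in for `openssl s_client -showcerts` output: a leaf
# and its issuer. The base64 bodies are placeholders, not real certs.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = dc1.corp.example.com
   i:CN = Corp Root CA
-----BEGIN CERTIFICATE-----
LEAF0000constructedNotARealCertificate0000
-----END CERTIFICATE-----
 1 s:CN = Corp Root CA
   i:CN = Corp Root CA
-----BEGIN CERTIFICATE-----
ROOT0000constructedNotARealCertificate0000
-----END CERTIFICATE-----
---
Server certificate
subject=CN = dc1.corp.example.com
issuer=CN = Corp Root CA
---
Verify return code: 0 (ok)
EOF
}

# Offline check of the extraction step against the constructed sample.
selfcheck() {
    got=$(sample_s_client_output | last_cert_block)
    want=$(printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' \
        'ROOT0000constructedNotARealCertificate0000' '-----END CERTIFICATE-----')
    [ "$got" = "$want" ] &&
        [ "$(sample_s_client_output | cert_count)" -eq 2 ]
}

# Usage on a real box (network and root needed, so not run here):
#   fetch_chain dc1.corp.example.com 636 | last_cert_block > MyCA.pem
#   openssl x509 -noout -fingerprint -sha256 -in MyCA.pem   # compare with the DC
#   install_ca MyCA.pem /etc/openssl/certs
#   verify_server dc1.corp.example.com 636 /etc/openssl/certs
#   write_ldap_conf /etc/openssl/certs/MyCA.pem > /etc/openldap/ldap.conf
```

`last_cert_block` is the part worth keeping even if you do the rest by hand: it makes the "delete everything except the last certificate" step from the post repeatable, and `cert_count` tells you whether the server actually sent a chain or only its own certificate. `install_ca` handles the hash collision case (`.1`, `.2`, ...) that a hand-typed `ln -s` skips, and `write_ldap_conf` deliberately has no option for `TLS_REQCERT allow`.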