1) Open ldap.conf, located at C:\openldap\sysconf\ldap.conf on Windows (on Linux it is typically /etc/openldap/ldap.conf), and make sure the following directive line is present in the file:
2) Enable LDAP over SSL (LDAPS)
Install an Enterprise Certificate Authority on the Windows server that runs Active Directory.
- Choose Start->Settings->Control Panel->Add/Remove Programs
- Select the Add/Remove Windows Components icon
- Check the box marked “Certificate Services”
- Click “OK”
- Follow the wizard and answer its questions to complete the setup (choose an Enterprise root CA when asked for the CA type)
Once this is complete, the domain controller auto-enrolls for a certificate from the new CA and begins listening for LDAP over SSL on port 636. On older Windows versions the domain controller may need a reboot before the new certificate is picked up and port 636 is opened.
3) Obtain AD Certificate
- Open the CA console (an MMC snap-in: Programs->Administrative Tools->Certification Authority)
- Right-click the CA and choose “Properties” from the context menu.
- Click “View Certificate” to bring up the Certificate page.
- Click on the “Details” tab and then the “Copy to File…” button.
- Click “Next”.
- Select the “Base-64 Encoded X.509(.cer) format” and click “Next”.
- Select a name for the certificate (the name of the server with the “.cer” extension is a good choice)
- Click the “Browse” button to save the certificate to a location of your choosing.
- Click “Next” and then “Finish” to complete the export process.
- Convert Certificate Format
To convert the certificate from .cer to .pem format I used OpenSSL. (You can obtain this software from http://gnuwin32.sourceforge.net/packages/openssl.htm if you don’t already have it.) Note that the “Base-64 Encoded X.509” export is already PEM-formatted text; the command below simply rewrites it in the form OpenLDAP expects.
Copy the certificate file you exported in the previous step to the machine on which PHP is running. Run the following command, giving the path to openssl.exe, the exported .cer file and the .pem file to create:
<path to openssl>\openssl x509 -in <certificate>.cer -out <certificate>.pem
C:\openssl\openssl x509 -in myserver.cer -out myserver.pem
This writes the certificate in PEM form, which is the form OpenLDAP reads.
- Install the Certificate
Place the .pem file generated in the previous step in a directory of your choosing (C:\openldap\sysconf is a good choice, since that directory already exists and holds ldap.conf).
Add the following line to your ldap.conf file:
This directive tells OpenLDAP where the CA certificate is, so it can verify the certificate the domain controller presents during the TLS handshake. Without it, OpenLDAP cannot establish trust in the server and the LDAPS connection fails before any bind takes place.
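The following script is an added example, not code from the original page: it performs the export-and-install steps above in a checkable way. It accepts the exported .cer in either format the Windows wizard offers (the Base-64 export is already PEM, the DER export is not, which is where `openssl x509` needs `-inform DER`), writes the CA certificate into ldap.conf with the OpenLDAP `TLS_CACERT` directive (the directive assumed here for the ldap.conf line), and then completes a TLS handshake against port 636 verifying the domain controller's certificate with only that CA. The host name, paths and the sample bytes are assumptions.

```python
# Added example (not from the original page): normalise the exported AD CA
# certificate, register it in ldap.conf with TLS_CACERT, and verify an LDAPS
# endpoint against it. Host names, paths and sample bytes are assumptions.
import base64
import re
import socket
import ssl
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
_PEM_RE = re.compile(re.escape(PEM_HEADER) + r"(.*?)" + re.escape(PEM_FOOTER), re.S)


def to_pem(cer_bytes: bytes) -> str:
    """Return the certificate as one PEM block with LF line endings.

    Accepts either export format of the certificate wizard:
      - "Base-64 encoded X.509 (.CER)": already PEM, usually with CRLF line
        endings, so only the wrapping and line endings are normalised;
      - "DER encoded binary X.509 (.CER)": raw ASN.1, base64-wrapped here
        (what `openssl x509 -inform DER` would do).
    """
    match = _PEM_RE.search(cer_bytes.decode("ascii", errors="ignore"))
    if match:
        der = base64.b64decode("".join(match.group(1).split()))
    elif cer_bytes[:1] == b"\x30":  # DER: the outer SEQUENCE tag
        der = cer_bytes
    else:
        raise ValueError("not a Base-64 or DER encoded X.509 certificate")
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"{PEM_HEADER}\n{body}\n{PEM_FOOTER}\n"


def register_cacert(ldap_conf: str, pem_path: str) -> str:
    """Return ldap_conf with exactly one TLS_CACERT line pointing at pem_path.

    Any existing TLS_CACERT line is dropped first, so a stale path from an
    earlier attempt cannot silently shadow the new certificate.
    """
    kept = [line for line in ldap_conf.splitlines()
            if not re.match(r"\s*TLS_CACERT\b", line)]
    kept.append(f"TLS_CACERT {pem_path}")
    return "\n".join(kept) + "\n"


def ldaps_server_cn(host: str, cafile: str, port: int = 636) -> str:
    """Complete a TLS handshake with the domain controller and return the CN
    of the certificate it presented.

    Verification trusts only `cafile`, so this raises
    ssl.SSLCertVerificationError when the DC's certificate was not issued by
    the exported CA or when `host` does not match it. Those are the failures
    OpenLDAP (and PHP's ldap_connect/ldap_bind on top of it) otherwise report
    only as a generic inability to contact the server.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            subject = {k: v for rdn in tls.getpeercert()["subject"] for k, v in rdn}
            return subject["commonName"]


if __name__ == "__main__":
    # Constructed stand-in for an exported .cer: a tiny DER SEQUENCE, not a
    # real certificate, so this part runs without any AD server present.
    sample_der = b"\x30\x06\x02\x01\x05\x02\x01\x07"
    print(to_pem(sample_der), end="")
    old_conf = "BASE dc=example,dc=com\nTLS_CACERT C:\\old\\ca.pem\n"
    print(register_cacert(old_conf, r"C:\openldap\sysconf\myserver.pem"), end="")
    # With a real CA export and a reachable DC (assumed names):
    # print(ldaps_server_cn("dc1.example.com", r"C:\openldap\sysconf\myserver.pem"))
```

Run `ldaps_server_cn` against the domain controller after editing ldap.conf: if it returns the DC's name, the CA file is the right one and the PHP side only needs to connect with an `ldaps://` URL; if it raises a verification error, the exported certificate is not the issuer of the DC's certificate (or the host name used does not match it), and no change to PHP will fix that.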