LDAP Authentication

Is there anything special we need to do to allow LDAPs?

March 22, 2020


1) Open ldap.conf located at C:\openldap\sysconf\ldap.conf (Windows. For Linux, it is typically /etc/openldap/ldap.conf) and make sure the following directive line is in this file:


2) Enable SSL Over LDAP

Install an Enterprise Certificate Authority on the Windows server that has Active Directory enabled.

  • Choose Start->Settings->Add/Remove Software
  • Select the Add or Remove Windows Components icon
  • Check the box marked “Windows Certification Authority”
  • Click “OK”
  • Follow instructions and answer the questions to complete the setup

Once this is complete, Active Directory begins to listen for LDAP connections over SSL on port 636.

3) Obtain AD Certificate

  • Open the CA application (an MMC snap-in: Programs->Administrative Tools->Certification Authority)
  • Right-click the CA and choose “Properties” from the context menu.
  • Click “View Certificate” to bring up the Certificate page.
  • Click on the “Details” tab and then the “Copy to File…” button.
  • Click “Next”.
  • Select the “Base-64 Encoded X.509(.cer) format” and click “Next”.
  • Select a name for the certificate (the name of the server with the “.cer” extension is a good choice)
  • Click the “Browse” button to save the certificate to a location of your choosing.
  • Click “Next” and then “Finish” to complete the export process.

4) Convert Certificate Format

To convert the certificate from .cer to .pem format I used OpenSSL (you can obtain it from http://gnuwin32.sourceforge.net/packages/openssl.htm if you don’t already have it).

Copy the certificate file you generated in the previous step to the machine on which PHP is running. Run the following command:

<path-to-openssl>\openssl x509 -in <certificate.cer> -out <certificate.pem>

For example:

C:\openssl\openssl x509 -in myserver.cer -out myserver.pem

This creates the certificate file in a form that OpenLDAP can use.

5) Install the Certificate

Place the .pem file generated in the previous step in a directory of your choosing (C:\openldap\sysconf may be a good choice, since that directory already exists).

Add the following line to your ldap.conf file:


TLS_CACERT C:\openldap\sysconf\myserver.pem

This directive tells OpenLDAP where the certificate is so it can access it when needed.
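As an added example (not code from the original article), the following PHP routine applies the same CA file from the PHP side and refuses to bind unless the AD server certificate validates against it. The hostname, bind DN, password source and certificate path are assumed placeholders.

```php
<?php
// Added example: connect to Active Directory over LDAPS (port 636) with the
// server certificate verified against the exported CA file (.pem).
// Host, bind DN and certificate path below are placeholders, not from the page.

declare(strict_types=1);

function ldapsConnect(string $host, string $caFile, string $bindDn, string $password)
{
    // Global TLS options must be set before ldap_connect() (PHP >= 7.1).
    // LDAP_OPT_X_TLS_CACERTFILE mirrors the TLS_CACERT line in ldap.conf;
    // LDAP_OPT_X_TLS_DEMAND makes an unverifiable certificate a hard failure.
    if (!ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile)
        || !ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND)) {
        throw new RuntimeException('Could not set global TLS options');
    }

    $ldap = ldap_connect("ldaps://{$host}:636");
    if ($ldap === false) {
        throw new RuntimeException('Invalid LDAP URI');
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); // do not chase AD referrals

    // The TLS handshake happens on the first operation. A certificate that does
    // not chain to $caFile, or whose name does not match $host, fails the bind.
    if (!@ldap_bind($ldap, $bindDn, $password)) {
        $diag = '';
        ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        throw new RuntimeException(sprintf('Bind failed: %s (%s)', ldap_error($ldap), $diag));
    }
    return $ldap;
}

// Usage with constructed placeholder values; the password comes from the
// environment rather than being embedded in the script.
$ldap = ldapsConnect(
    'dc01.example.local',
    'C:\openldap\sysconf\myserver.pem',
    'CN=svc-ldap,OU=Service Accounts,DC=example,DC=local',
    getenv('LDAP_PASSWORD') ?: ''
);
echo "LDAPS bind succeeded\n";
ldap_unbind($ldap);
```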
