LDAP Authentication

Is there anything special we need to do to allow LDAPs?

137 views January 2, 2018 July 9, 2018 0


1) Open ldap.conf located at C:\openldap\sysconf\ldap.conf (Windows. For Linux, it is typically /etc/openldap/ldap.conf) and make sure the following directive line is in this file:


2) Enable SSL Over LDAP

Install an Enterprise Certificate Authority on the Windows server that has Active Directory enabled.

  • Choose Start->Settings->Add/Remove Software
  • Select the Add or Remove Windows Components icon
  • Check the box marked “Windows Certification Authority”
  • Click “OK”
  • Follow instructions and answer the questions to complete the setup

Once this is complete, Active Directory begins listening for LDAP connections over SSL on port 636.

3) Obtain AD Certificate

  • Open the CA application (an MMC snap-in: Programs->Administrative Tools->Certification Authority)
  • Right-click the CA and choose “Properties” from the context menu.
  • Click “View Certificate” to bring up the Certificate page.
  • Click on the “Details” tab and then the “Copy to File…” button.
  • Click “Next”.
  • Select the “Base-64 Encoded X.509(.cer) format” and click “Next”.
  • Select a name for the certificate (the name of the server with the “.cer” extension is a good choice)
  • Click the “Browse” button to save the certificate to a location of your choosing.
  • Click “Next” and then “Finish” to complete the export process.
4) Convert Certificate Format

To convert the certificate from .cer to .pem format, I used OpenSSL. (You can obtain this software from here: http://gnuwin32.sourceforge.net/packages/openssl.htm if you don’t already have it.)

Copy the certificate file you generated in the previous step to the machine on which PHP is running. Run the following command:

\openssl x509 -in -out

For example:

C:\openssl\openssl x509 -in myserver.cer -out myserver.pem

This creates the certificate file in a form that OpenLDAP can use.

5) Install the Certificate

Place the .pem file generated in the previous step in a directory of your choosing (C:\openldap\sysconf may be a good choice since that directory already exists.)

Add the following line to your ldap.conf file:


TLS_CACERT C:\openldap\sysconf\myserver.pem

This directive tells OpenLDAP where the certificate is so it can access it when needed.
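As an added example (not part of the original article), the PHP script below does from code what the TLS_CACERT directive does in ldap.conf: it points libldap at the converted .pem file, demands a server certificate that chains to it, and fails closed when the chain or host name does not check out. The host name, bind DN and environment variable are assumptions; the certificate path is the one used above.

```php
<?php
// Added example, not from the original article. Connects to Active Directory over
// LDAPS (port 636) trusting only the CA certificate exported and converted above.
// Host name, service account DN and LDAP_BIND_PW variable are assumptions.

const LDAPS_URI = 'ldaps://myserver.example.com:636';   // assumed DC; must be the FQDN in the cert, not an IP
const CA_PEM    = 'C:\\openldap\\sysconf\\myserver.pem'; // path used in the article
const BIND_DN   = 'CN=svc-ldap,OU=Service Accounts,DC=example,DC=com'; // assumed service account

/** Verify the .pem is really a PEM certificate and has not expired before trusting it. */
function checkCaFile(string $path): array
{
    $pem = @file_get_contents($path);
    if ($pem === false) {
        throw new RuntimeException("Cannot read CA file $path");
    }
    $info = openssl_x509_parse($pem);
    if ($info === false) {
        throw new RuntimeException("$path is not PEM; did the openssl x509 conversion run?");
    }
    if ($info['validTo_time_t'] < time()) {
        throw new RuntimeException('CA certificate expired on ' . date('Y-m-d', $info['validTo_time_t']));
    }
    return $info; // e.g. $info['name'] is the CA subject
}

/** Bind over LDAPS; throws if the server certificate does not chain to $caFile. */
function ldapsBind(string $uri, string $caFile, string $dn, string $pw)
{
    // Set TLS options library-wide (null handle) before the first handshake,
    // which libldap performs lazily at bind time. Equivalent to TLS_CACERT plus
    // TLS_REQCERT demand in ldap.conf.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ldap = ldap_connect($uri);                    // parses the URI only; no network yet
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); // AD returns referrals; do not chase them

    if (!@ldap_bind($ldap, $dn, $pw)) {
        $diag = '';
        ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag); // e.g. "TLS: peer cert untrusted"
        throw new RuntimeException('LDAPS bind failed: ' . ldap_error($ldap) . ' ' . $diag);
    }
    return $ldap;
}

$ca = checkCaFile(CA_PEM);
echo 'Trusting CA: ' . $ca['name'] . PHP_EOL;
$conn = ldapsBind(LDAPS_URI, CA_PEM, BIND_DN, getenv('LDAP_BIND_PW') ?: '');
echo 'LDAPS bind OK' . PHP_EOL;
ldap_unbind($conn);
```

A bind that fails with "Can't contact LDAP server" right after the steps above usually means the .pem was not found or the URI host does not match the name in the server certificate; the diagnostic message distinguishes the two.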
