Kinda Stuck. Don't know what to try next. [SOLVED]

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators
LA33R
Forum Newbie
Posts: 4
Joined: Mon Dec 09, 2013 4:01 pm

Kinda Stuck. Don't know what to try next. [SOLVED]

Post by LA33R »

Hi Guys,

New to the forum, so first let me say HI! Hopefully you can help. I'm really stuck haha.

I'm trying to write some code to reset a user's password using PHP in a Windows Active Directory environment.

I've got an AD Server with LDAP support setup, a self-signed SSL Certificate created and on the server and a '.crt' file waiting if I need it to get this working.

I can connect using LDAP-SSL using LDP.exe on the Domain Controller.

I have IIS 7.5.7600.16385 running on the Domain Controller, PHP Ver 5.5.3 installed, php_ldap.dll and php_openssl.dll installed. I've created the ldap.conf file in "C:\OpenLDAP\sysconf\" directory and inserted the one single line "TLS_REQCERT never".

I can connect using LDAP, non-secure with PHP, but when I attempt ldaps:// or ldap_start_tls() I get "Connect error-11" as the ldap_error() . ldap_errno().

I've attempted using "putenv('LDAPTLS_REQCERT=never')", "putenv('tls_cacert c:\certificate.crt')" and "putenv('TLS_REQCERT never')" without success. I have the correct LDAP options set after the connection, but before ldap_start_tls.

I'm now stuck at a dead end... can anyone help?

The Server is Windows Server 2008 R2 with Active Directory Domain Services, Active Directory Certification Services and Internet Information Services installed.


Here is the PHP code so far: http://pastebin.ca/raw/2495238

Thanks, ~LA33R.
Last edited by LA33R on Sun Dec 15, 2013 7:11 am, edited 1 time in total.
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Kinda Stuck. Don't know what to try next.

Post by requinix »

The syntax with putenv() should be

Code:

putenv('LDAPTLS_REQCERT=never');
putenv('tls_cacert=c:\certificate.crt');
putenv('TLS_REQCERT=never');
You know, in the off chance using one of those fixes it...

Going off of this post on a bug report, try
  1. Export the root cert and copy it to the client
  2. Set TLS_CACERT=path to cert file
  3. Set TLS_CACERTDIR=directory of cert file
  4. Don't set TLS_REQCERT. Or maybe set it to "never"
In another comment is something about disabling the "AD Common Use Cases module".
LA33R
Forum Newbie
Posts: 4
Joined: Mon Dec 09, 2013 4:01 pm

Re: Kinda Stuck. Don't know what to try next.

Post by LA33R »

I'm afraid I've tried all those.

Doesn't seem to work still :(
LA33R
Forum Newbie
Posts: 4
Joined: Mon Dec 09, 2013 4:01 pm

Re: Kinda Stuck. Don't know what to try next.

Post by LA33R »

Just wanted to follow up on this, since it's now solved.

I don't actually know what was wrong with it because all I did was reinstall Server 2008.

Set up IIS, PHP, ADDS & ADCS again, which I could only do since it was a test environment, so if you were to have this problem on a deployed Domain controller, good luck.

However, once that was done I made the c:\openldap\sysconf\ldap.conf file and put in the line 'TLS_REQCERT never'.

Then, once restarting the DC, it all worked.

Don't actually know what happened, unless the directory to ldap.conf is case sensitive.

Anyway, hope this helps someone in the future!
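For anyone landing here later, the following is an added example, not the original poster's pastebin code and not anything the forum replies contain. It does the password reset the first post asked for over LDAPS, and it shows the TLS setup the replies discuss with certificate verification left on: the exported AD CS root certificate is pinned via TLS_CACERT / LDAPTLS_CACERT instead of TLS_REQCERT never, which accepts any certificate and so lets a spoofed domain controller collect the service account's bind password and the user's new password. The host name, DNs, account names and the CA file path are assumptions; it assumes PHP 7.1 or later with the ldap and iconv extensions (on the thread's PHP 5.5 only the ldap.conf/environment route exists, which is what the defined() guard is for), and a bind account that has "Reset password" rights on the target users.

```php
<?php
// Added example: reset an AD user's password over LDAPS with the DC certificate verified.
// All names below are hypothetical: dc01.example.local, the DNs, the CA file and 'jdoe'.
declare(strict_types=1);

const LDAP_URI = 'ldaps://dc01.example.local:636';                   // assumption
const BIND_DN  = 'CN=svc-pwreset,OU=Service,DC=example,DC=local';    // assumption
const BASE_DN  = 'DC=example,DC=local';                              // assumption
const CA_FILE  = 'C:\\OpenLDAP\\sysconf\\ad-root-ca.crt';            // assumption: AD CS root, PEM

// Opens and binds a verified LDAPS session. Returns the ldap link resource/object.
function adConnect(string $bindDn, string $bindPw)
{
    // Equivalent ldap.conf (the corrected form of the thread's "TLS_REQCERT never"):
    //     TLS_CACERT  C:\OpenLDAP\sysconf\ad-root-ca.crt
    //     TLS_REQCERT demand
    // The LDAP-prefixed environment variables are read once, when the OpenLDAP client
    // library initialises, so in a long-lived FastCGI worker prefer ldap.conf to putenv().
    putenv('LDAPTLS_CACERT=' . CA_FILE);
    putenv('LDAPTLS_REQCERT=demand');

    $ldap = ldap_connect(LDAP_URI);          // only parses the URI; the socket opens at bind
    if ($ldap === false) {
        throw new RuntimeException('ldap_connect rejected URI ' . LDAP_URI);
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);   // AD referrals otherwise break searches
    // PHP >= 7.1 also exposes the TLS options per link; set them too, in case no ldap.conf is read.
    if (defined('LDAP_OPT_X_TLS_CACERTFILE')) {
        ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTFILE, CA_FILE);
        ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    }
    // A simple bind sends the password in the clear inside the TLS tunnel; never do it over ldap://.
    if (!@ldap_bind($ldap, $bindDn, $bindPw)) {
        throw new RuntimeException('bind failed: ' . ldap_error($ldap) . ' (' . ldap_errno($ldap) . ')');
    }
    return $ldap;
}

// Returns the DN of the single user with this sAMAccountName, or null if none or ambiguous.
function findUserDn($ldap, string $sam): ?string
{
    // ldap_escape stops a crafted account name from rewriting the filter (LDAP injection).
    $filter = '(&(objectClass=user)(sAMAccountName=' . ldap_escape($sam, '', LDAP_ESCAPE_FILTER) . '))';
    $result = ldap_search($ldap, BASE_DN, $filter, ['dn']);
    if ($result === false) {
        throw new RuntimeException('search failed: ' . ldap_error($ldap));
    }
    $entries = ldap_get_entries($ldap, $result);
    return ($entries['count'] === 1) ? $entries[0]['dn'] : null;
}

// AD expects unicodePwd as the new password wrapped in double quotes and encoded as UTF-16LE.
function encodeUnicodePwd(string $password): string
{
    $encoded = iconv('UTF-8', 'UTF-16LE', '"' . $password . '"');
    if ($encoded === false) {
        throw new RuntimeException('password is not valid UTF-8');
    }
    return $encoded;
}

// Administrative reset: replaces unicodePwd, then forces a change at next logon.
function resetPassword($ldap, string $sam, string $newPassword): void
{
    $dn = findUserDn($ldap, $sam);
    if ($dn === null) {
        throw new RuntimeException("no unique user with sAMAccountName $sam");
    }
    // AD refuses unicodePwd changes unless the session is encrypted, which is why plain ldap://
    // could never have worked for the reset even when the bind succeeded.
    if (!ldap_mod_replace($ldap, $dn, ['unicodePwd' => [encodeUnicodePwd($newPassword)]])) {
        throw new RuntimeException('reset failed: ' . ldap_error($ldap) . ' (' . ldap_errno($ldap) . ')');
    }
    // pwdLastSet = 0 marks the temporary password as expired so the user must pick their own.
    if (!ldap_mod_replace($ldap, $dn, ['pwdLastSet' => ['0']])) {
        throw new RuntimeException('could not expire password: ' . ldap_error($ldap));
    }
}

// Usage. The bind password comes from the environment here; in production use a secret store.
$ldap = adConnect(BIND_DN, getenv('AD_BIND_PASSWORD') ?: '');
$temporary = bin2hex(random_bytes(8)) . 'Aa!';   // 19 chars, satisfies default complexity rules
resetPassword($ldap, 'jdoe', $temporary);        // hypothetical account
ldap_unbind($ldap);
```

Two checks worth doing before trusting this in a real environment: confirm that pointing LDAPTLS_CACERT at a certificate from a different CA makes the bind fail (if it still succeeds, verification is not actually on and the old ldap.conf is still being read), and run the reset once against a test account to confirm the DC accepts the unicodePwd modify, since a policy-rejected password surfaces as a generic "Unwilling to perform" error.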
masterblaster
Forum Newbie
Posts: 10
Joined: Mon Jul 25, 2011 11:33 am

Re: Kinda Stuck. Don't know what to try next.

Post by masterblaster »

LA33R wrote:Just wanted to follow up on this, since it's now solved.

I don't actually know what was wrong with it because all I did was reinstall Server 2008.

Set up IIS, PHP, ADDS & ADCS again, which I could only do since it was a test environment, so if you were to have this problem on a deployed Domain controller, good luck.

However, once that was done I made the c:\openldap\sysconf\ldap.conf file and put in the line 'TLS_REQCERT never'.

Then, once restarting the DC, it all worked.

Don't actually know what happened, unless the directory to ldap.conf is case sensitive.

Anyway, hope this helps someone in the future!
Thank you so much for this awesome hint. I had the same issue with a Windows Server 2012 R2 with PHP running on it.
I can't believe that the openldap directory is case sensitive... I spent 12 hours on troubleshooting before reading this.
Thanks again!