Kinda Stuck. Don't know what to try next. [SOLVED]

Posted: Mon Dec 09, 2013 4:05 pm
by LA33R
Hi Guys,

New to the forum, so first let me say HI! Hopefully you can help. I'm really stuck haha.

I'm trying to write some code to reset a User's password using PHP in a Windows Active Directory Environment.

I've got an AD Server with LDAP support setup, a self-signed SSL Certificate created and on the server and a '.crt' file waiting if I need it to get this working.

I can connect using LDAP-SSL using LDP.exe on the Domain Controller.

I have IIS 7.5.7600.16385 running on the Domain Controller, PHP Ver 5.5.3 installed, php_ldap.dll and php_openssl.dll installed. I've created the ldap.conf file in "C:\OpenLDAP\sysconf\" directory and inserted the one single line "TLS_REQCERT never".

I can connect using LDAP, non-secure with PHP, but when I attempt ldaps:// or ldap_start_tls() I get "Connect error-11" as the ldap_error() . ldap_errno().

I've attempted using "putenv('LDAPTLS_REQCERT=never')", "putenv('tls_cacert c:\certificate.crt')" and "putenv('TLS_REQCERT never')" without success. I have the correct LDAP options set after the connection, but before ldap_start_tls.

I'm now stuck at a dead end... can anyone help?

The Server is Windows Server 2008 R2 with Active Directory Domain Services, Active Directory Certification Services and Internet Information Services installed.

Here is the PHP code so far: http://pastebin.ca/raw/2495238

Thanks, ~LA33R.

Re: Kinda Stuck. Don't know what to try next.

Posted: Mon Dec 09, 2013 4:22 pm
by requinix
The syntax with putenv() should be

Code:

    // each environment variable is NAME=VALUE in a single string
    putenv('LDAPTLS_REQCERT=never');
    putenv('tls_cacert=c:\certificate.crt');
    putenv('TLS_REQCERT=never');
You know, in the off chance using one of those fixes it...

Going off of this post on a bug report, try
  1. Export the root cert and copy it to the client
  2. Set TLS_CACERT=path to cert file
  3. Set TLS_CACERTDIR=directory of cert file
  4. Don't set TLS_REQCERT. Or maybe set it to "never"
In another comment is something about disabling the "AD Common Use Cases module".
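The two posts above both circle around the same thing: getting PHP's OpenLDAP client to accept the domain controller's certificate, and then doing the actual password reset. The following is an added example written for this thread; it is not the code behind the pastebin link and not requinix's snippet. It assumes PHP 7.1 or later (the LDAP_OPT_X_TLS_* constants did not exist in 5.5, where ldap.conf and environment variables were the only knobs), and the hostname, CA file path, DNs and passwords are placeholder values. It points the client at the exported root certificate (requinix's step 1 and 2) rather than switching verification off with TLS_REQCERT never, and it sends unicodePwd in the UTF-16LE quoted form that AD requires. A TLS handshake that fails verification is what the OpenLDAP client reports as errno -11 (LDAP_CONNECT_ERROR, "Connect error"), so the diagnostic message is pulled out on failure.

```php
<?php
// Added example for this thread (not the poster's pastebin code): connect to AD over LDAPS
// with the server certificate verified against an exported root CA, then reset a user's
// password via unicodePwd. Hostname, file paths, DNs and passwords are assumed values.

declare(strict_types=1);

const AD_URI     = 'ldaps://dc01.example.local';   // assumed DC name; must match the certificate's subject/SAN
const AD_CA_FILE = 'C:\\certs\\ad-root-ca.crt';    // assumed path to the exported AD CS root certificate
const SVC_DN     = 'CN=pwdreset-svc,OU=Service Accounts,DC=example,DC=local'; // assumed account delegated only "Reset password"
const SVC_PASS   = 'replace-with-secret-from-vault'; // assumed; load from a secret store in a real deployment

/**
 * AD stores unicodePwd as the password wrapped in double quotes, encoded as UTF-16LE.
 */
function encodeUnicodePwd(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

/**
 * Collect the server-side reason for the last failure; for a TLS problem this is
 * where the "certificate verify failed" / hostname mismatch text shows up.
 */
function describeError($ds): string
{
    $detail = '';
    if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
    }
    return sprintf('%s (%d) %s', ldap_error($ds), ldap_errno($ds), (string) $detail);
}

/**
 * Returns a bound LDAP connection (resource on PHP < 8.1, LDAP\Connection on 8.1+).
 */
function connectAd()
{
    // Global TLS options are set with a null connection before ldap_connect() so the
    // handshake uses them. This is the verified-certificate alternative to
    // "TLS_REQCERT never", which disables checking and leaves the reset open to a
    // man-in-the-middle between the web server and the DC.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, AD_CA_FILE);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ds = ldap_connect(AD_URI);
    if ($ds === false) {
        throw new RuntimeException('ldap_connect(): malformed URI ' . AD_URI);
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // The TLS handshake happens on first use; a failed one surfaces here as errno -11.
    if (!@ldap_bind($ds, SVC_DN, SVC_PASS)) {
        throw new RuntimeException('bind failed: ' . describeError($ds));
    }
    return $ds;
}

/**
 * Administrative reset: a 'replace' of unicodePwd. AD refuses this on a session
 * that is not encrypted, which is why LDAPS (or start_tls) is needed at all.
 */
function resetPassword($ds, string $userDn, string $newPassword): void
{
    if (!ldap_mod_replace($ds, $userDn, ['unicodePwd' => encodeUnicodePwd($newPassword)])) {
        throw new RuntimeException('password reset failed: ' . describeError($ds));
    }
}

try {
    $ds = connectAd();
    // assumed target user DN and a constructed temporary password
    resetPassword($ds, 'CN=Jane Doe,OU=Users,DC=example,DC=local', 'Example-Temp-Pass-2014!');
    ldap_unbind($ds);
    echo "Password reset OK\n";
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

If the bind throws with errno -11, the diagnostic text tells you whether the CA file is wrong or the DC name in AD_URI does not match the certificate; fixing either of those is what makes "TLS_REQCERT never" unnecessary. Keep the service account limited to the "Reset password" right on the OU it serves, since the web server now holds its credentials.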

Re: Kinda Stuck. Don't know what to try next.

Posted: Tue Dec 10, 2013 11:43 am
by LA33R
I'm afraid I've tried all those.

Doesn't seem to work still :(

Re: Kinda Stuck. Don't know what to try next.

Posted: Sun Dec 15, 2013 7:11 am
by LA33R
Just wanted to follow up on this, since it's now solved.

I don't actually know what was wrong with it because all I did was reinstall Server 2008.

Set up IIS, PHP, ADDS & ADCS again, which I could only do since it was a test environment, so if you were to have this problem on a deployed Domain controller, good luck.

However, once doing that I made the c:\openldap\sysconf\ldap.conf file and put in the line 'TLS_REQCERT never'.

Then, once restarting the DC, it all worked.

Don't actually know what happened, unless the directory to ldap.conf is case sensitive.

Anyway, hope this helps someone in the future!

Re: Kinda Stuck. Don't know what to try next.

Posted: Tue Jul 29, 2014 2:14 am
by masterblaster
LA33R wrote: Just wanted to follow up on this, since it's now solved.

I don't actually know what was wrong with it because all I did was reinstall Server 2008.

Set up IIS, PHP, ADDS & ADCS again, which I could only do since it was a test environment, so if you were to have this problem on a deployed Domain controller, good luck.

However, once doing that I made the c:\openldap\sysconf\ldap.conf file and put in the line 'TLS_REQCERT never'.

Then, once restarting the DC, it all worked.

Don't actually know what happened, unless the directory to ldap.conf is case sensitive.

Anyway, hope this helps someone in the future!
Thank you so much for this awesome hint. I had the same issue with a Windows Server 2012 R2 with PHP running on it.
I can't believe that the openldap directory is case sensitive... I spent 12 hours on troubleshooting before reading this.
Thanks again!