Wednesday, June 20, 2012

LDAPS, php, windows server 2008 r2 and the Unknown CA error

It's never a good day when I have to use IIS and PHP in the same sentence. I was trying to set up an open source program to do an LDAP auth to my Active Directory servers, and it worked fine without encryption on port 389. Since I'm not fond of passing credentials in clear text across networks, I then tried to set it up for LDAPS, at which time it started failing. I ran a Wireshark capture on it and the glaring fatal error of "Unknown CA" reared its ugly head. After spending considerable time making sure my AD certificates were up to date, that the CA cert was imported to the local machine's certificate store, and running several LDP.exe tests just to make sure, I turned my attention to figuring out how to make LDAP skip past that error. PHP had been installed using the Microsoft Platform Installer, so of course very little matched up with most of the articles I found, since folders like c:\openldap\sysconf don't exist, much less the ldap.conf file, whose location appears to shift depending on which DLL your install came with.
Anyway, the key I needed was TLS_REQCERT never, which tells LDAP to go fly a kite if it doesn't like the CA.

So yes, that's all you have to put in the ldap.conf file; then save it out as type "All Files" so Notepad doesn't attach a hidden .txt to your filename. Depending on your DLL, you'll need to drop it either in the root of your inetpub drive or in c:\openldap\sysconf. Or do like I did and just dump it in both places. Then run an IISRESET or reboot the server and voila, LDAPS starts working.

Yes, it is slightly less secure since it's not checking the CA, but at least it's not clear text.
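For anyone who wants the encryption without giving up the CA check, here is the same ldap.conf with the weak line shown next to a verified setup. This is an added example, not from the original post; the CA file path and name are assumptions, and TLS_CACERT is the standard OpenLDAP client directive for naming the CA bundle.

```conf
# ldap.conf for the OpenLDAP client library that PHP's ldap extension loads on Windows.
# Added example; the CA file path and name below are assumptions to adapt to your install.

# --- Weak setting (what the post uses): the server certificate is never verified ---
# The session is encrypted, but any certificate is accepted, so anything that can
# redirect the connection to itself can present its own certificate and read the
# bind credentials. Left here commented out for comparison.
#TLS_REQCERT never

# --- Hardened setting: verify the domain controller's certificate against your CA ---
# libldap verifies against the PEM file named here, not the Windows certificate
# store, which is why importing the CA into the machine store alone does not help.
# Export the issuing CA (root plus any intermediates) from the Certificates MMC
# snap-in as "Base-64 encoded X.509 (.CER)" and point this directive at it.
TLS_CACERT c:\openldap\sysconf\ad-ca.pem

# demand: fail the connection if no certificate is presented or it does not chain
# to the CA above. Connect using the DC's FQDN as it appears in the certificate's
# subject or SAN, not an IP address, or the hostname check will still fail.
TLS_REQCERT demand
```

Drop this file in the same place(s) the post describes, run IISRESET, and an "Unknown CA" error now means the chain in ad-ca.pem really does not match what the DC is serving.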