 

PHP LDAP bind to a secure remote server from Windows fails

I am trying to query a remote LDAP server over a secure connection from a local PHP test environment on Windows. I think I must have the access granted correctly, because I can use an LDAP browser application and that connects to the remote server fine. Also, if I do `telnet remoteserverurl.com 636`, then a blank screen shows up in the command prompt, so I am at least connecting. But in the following PHP code I get an error on bind: "PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in line..."

The same code works on a Linux server. I think there is some kind of LDAP library missing from my local PHP environment for secure LDAP connections? Anyway, here is the code:

<?php
// remote server: when a URI is given, ldap_connect() ignores the separate port argument, so the port goes in the URI
$ds = ldap_connect("ldaps://serveraddress.com:636");
//$ds = ldap_connect("ldap://localhost", 389);  // works
//putenv('LDAPTLS_REQCERT=never'); // doesn't help with secure ldap
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // works for local LDAP server (Open LDAP)
$r = ldap_bind($ds, "cn=xxx,ou=proxy,o=xxx", "passwordxxxx"); // throws error for remote
if (!$r) {
    die("bind failed: " . ldap_error($ds));
}

Any idea? Thanks!

IrfanClemson asked May 16 '26 21:05


1 Answer

Know this is older, but I recently ran into a similar issue when using WordPress 3.x & 4.x on Windows 2008 & 2012 (IIS 7.x & 8.x, PHP 5.6).

I had written a plugin for LDAP authentication for WordPress, as I was trying to get LDAPS (LDAP secure over port 636) working.

Couple things:

  1. When using PHP LDAPS, the documentation states you simply prefix the LDAP server with ldaps://. So server1.domain.com for LDAPS should be ldaps://server1.domain.com/ ... note you don't need to pass the port at all for the connection method (per http://php.net/manual/en/function.ldap-connect.php). This is very similar to what the original question has in its submission.
  2. The Windows PHP libraries are hard-coded to look for an OpenLDAP config file (ldap.conf) in C:\openldap\sysconf\ldap.conf.
  3. Create the text file mentioned in #2 above; this is where you point to your certificate store. Once you create this file, you can put in TLS_REQCERT never ... but this means no certs are verified and all are trusted automatically (essentially). This should only be for testing, never for production, as you defeat part of the TLS/SSL security measures (i.e. certifying you are indeed talking to the host you believe you are connected to).
  4. Instead of the insecure TLS_REQCERT never option that seems to be a popular (and perhaps misguided) suggestion on the interwebs... grab the common public cert authority list used by curl and similar: http://curl.haxx.se/ca/cacert.pem. This is essentially what Firefox comes with for public certificate authority trusts (i.e. it's why you can install Firefox and go to https://amazon.com without a cert warning, etc.).
  5. Drop the cacert.pem file you downloaded (it's just a text file with a bunch of certificate hashes and descriptions) with your PHP install. For instance, say I dumped it with my PHP install in c:\php5\cacert.pem. Your location may differ, but put it somewhere it can be accessed and where it will be grouped with PHP stuff, since it is related. Here are a couple of shots of the contents of the cacert.pem file to give you an idea of what's inside. (Screenshots of sample cacert.pem content and a hash example from cacert.pem are not reproduced here.)
  6. Edit C:\openldap\sysconf\ldap.conf and add a line for the command TLS_CACERT like pictured. (Screenshot of a sample ldap.conf file is not reproduced here.)
  7. This should allow you to now trust public, valid certificates just like modern web browsers do, etc. Note that it won't fix internally-issued or self-signed certificate trust issues. But you can easily do that as well by adding your own cert hashes to the cacert.pem file.
  8. To add another certificate as a trusted hash in the cacert.pem file, simply get a copy of the certificate in question (you just need to export it to .cer in base64 format; you don't need the private key, and the extension really doesn't matter, it just needs to be a hash output). If you've exported it in the right format, you can open the certificate file and see the hash; it will be similar (but not identical) to the screenshot here of the Thawte Server CA example. Simply append the hash you exported to the cacert.pem file and it will be trusted. If you are looking to be clever, you can instead import the issuing certificate for your privately-issued certificate; this would then trust any cert signed by the imported cert. If in doubt, you can always just import the presented certificate.
  9. After making such changes, I found it best to restart the web server (IIS Manager -> web server node -> restart option) so everything using PHP was reset.
  10. For extra credit, you can use the same cacert.pem file for the curl implementation by editing your php.ini file and putting the full path to the cacert.pem file in the line curl.cainfo =.
  11. Again, I know this is an older post, but I wanted to share what I had learned while hooking up WordPress to eDirectory via LDAPS.
Justin C answered May 19 '26 15:05
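The setup the answer walks through (steps 2 through 10), as an added example that is not part of Justin C's answer or the original question: a PowerShell script that fetches the curl CA bundle next to PHP, appends an internal issuing CA in PEM form, writes the ldap.conf the Windows build of the ldap extension reads, points curl.cainfo at the same bundle and restarts IIS. The PHP directory C:\php5, the internal CA subject name CN=Corp Issuing CA, and the bundle URL https://curl.se/ca/cacert.pem (the current home of the file the answer links as curl.haxx.se) are assumptions; adjust them for your install. TLS_REQCERT is set to demand (verification on) rather than the never the answer warns against.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell.
# Assumptions (not on the page): PHP in C:\php5 with php.ini there, the internal
# issuing CA is in the LocalMachine\Root store, and IIS hosts the PHP site.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$PhpDir            = 'C:\php5'                          # assumption
$PhpIni            = Join-Path $PhpDir 'php.ini'         # assumption
$CaBundle          = Join-Path $PhpDir 'cacert.pem'
$LdapConfDir       = 'C:\openldap\sysconf'               # path the Windows ldap extension is hard-coded to read
$LdapConf          = Join-Path $LdapConfDir 'ldap.conf'
$BundleUrl         = 'https://curl.se/ca/cacert.pem'     # curl's public CA bundle (assumed current URL)
$InternalCaSubject = 'CN=Corp Issuing CA'                # assumption; set to $null to skip the append step

# Steps 4/5: fetch the public CA bundle and keep it with the PHP install.
Invoke-WebRequest -Uri $BundleUrl -OutFile $CaBundle -UseBasicParsing

# Step 8: append the internal issuing CA as a PEM block (base64 DER between BEGIN/END markers),
# which is the "base64 .cer" format the answer describes. Trusting the issuer covers every
# server cert it signs, so the presented certificate itself does not need to be added.
if ($InternalCaSubject) {
    $ca = Get-ChildItem Cert:\LocalMachine\Root |
          Where-Object { $_.Subject -eq $InternalCaSubject } |
          Select-Object -First 1
    if (-not $ca) { throw "Internal CA '$InternalCaSubject' not found in LocalMachine\Root" }
    $pem = "-----BEGIN CERTIFICATE-----`n" +
           [Convert]::ToBase64String($ca.RawData, 'InsertLineBreaks') +
           "`n-----END CERTIFICATE-----`n"
    # A comment header keeps the block identifiable, like the descriptions already in cacert.pem.
    Add-Content -Path $CaBundle -Encoding ascii -Value ("`n# {0} (SHA1 {1})`n{2}" -f $ca.Subject, $ca.Thumbprint, $pem)
}

# Steps 2/3/6: write ldap.conf. TLS_REQCERT demand keeps peer verification on;
# "never" accepts any certificate and is only for short-lived diagnosis, never production.
New-Item -ItemType Directory -Path $LdapConfDir -Force | Out-Null
@"
# OpenLDAP client configuration read by PHP's ldap extension on Windows
TLS_CACERT $CaBundle
TLS_REQCERT demand
"@ | Set-Content -Path $LdapConf -Encoding ascii

# Step 10: reuse the same bundle for PHP's curl extension.
$ini  = Get-Content -Path $PhpIni
$line = "curl.cainfo = `"$CaBundle`""
if ($ini -match '^\s*;?\s*curl\.cainfo\s*=') {
    $ini = $ini -replace '^\s*;?\s*curl\.cainfo\s*=.*$', $line
} else {
    $ini += $line
}
Set-Content -Path $PhpIni -Value $ini

# Step 9: restart IIS so every PHP worker process picks up the new trust settings.
iisreset /restart | Out-Null
```

After the restart, a failing bind should now report a certificate problem in ldap_error() or the diagnostic message rather than "Can't contact LDAP server" if the chain is still wrong, which is the signal that the library is at least reading ldap.conf and verifying the peer.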


