can not bind to the LDAP directory with secure connection with php

Question

Installation Information:
I have two Windows servers. One (Windows Server 2008 R2) is a domain controller (DC) with Active Directory (AD).Its name is s1.xyz.com. The second (Windows Server 2003 R2) server is running IIS, PHP.SSL certificate is installed on second server.

I have installed Active Directory Certificate Services on DC server to act as a Certificate Authority (CA) and also enable LDAP over SSL(LDAPS) using below link:
http://www.christowles.com/2010/11/enable-ldap-over-ssl-ldaps-on-windows.html

What is the problem:
Actually, I want to set password for AD users so my requirement is secure connection(LDAPS) to do so. I can successfully connect to the DC on unsecured port (389) and access AD data but I can not bind user on secure connection (on port 636) using PHP ldap_bind() function. When i run the script it gives "ldap_bind() [function.ldap-bind]: Unable to bind to server: Can't contact LDAP server" error.

Code:

$ip="xxx.xxx.xxx.xx";

$ldaps_url="ldaps://s1.xyz.com:636/";

$ldap_url="s1.xyz.com";

$ldapUsername ="Administrator@xyz.com";

$ldapPassword="x1y1z1";

$ds=ldap_connect($ldaps_url);

//$ds=ldap_connect($ip,636);

ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION,3);

ldap_set_option($ds, LDAP_OPT_REFERRALS,0);

$bth=ldap_bind($ds, $ldapUsername, $ldapPassword);

ldap_unbind($ds);

$ds="";

Are you sure that DC has this port open? try telnet s1.xyz.com 636 if it responds. — rkosegi, Jan 12 '12 at 13:39
Duplicate of http://stackoverflow.com/questions/5258556/problems-with-secure-bind-to-active-directory-using-php ? — Jon Skarpeteig, Jan 12 '12 at 14:00

score 3 · Answer 1 · answered Jan 12 '12 at 17:16

3

If you're using SSL (e.g. ldaps) and ldap_bind is throwing 'Unable to bind to server:' errors, check that the hostname used in the ldap_connect matches the 'CN' in the SSL certificate on the LDAP server. For example:

<?
    ldap_connect('ldaps://ldap01');
   // 'ldap01' should match the CN in your LDAP server's SSL cert, otherwise the subsequent ldap_bind() will throw a bind error

?>

You can have a look to your certificate using Microsoft MMC.

answered Jan 12 '12 at 17:16

JPBlanc

70,406
17
130
175

Thanks @JPBlanc.I looked my SSL cert using MS MMC and its subject field values is "s1.xyz.com" which actually i want to bind with.Right now my ssl certificate is in Certificates (Local Computer)->Personal->Certificates folder in MMC wizard.I have multiple certificates in it.I dont know what is the problem exactly.plz help. – sandy Jan 13 '12 at 05:36

score 0 · Answer 2 · answered Jan 12 '12 at 13:53

0

Maybe s1.xyz.com cannot be resolved. Try it with the ip instead. Like ldaps://ip.goes.here:636.

answered Jan 12 '12 at 13:53

Todd Murray

423
2
7

The problem with the IP address is that the server certificate might not be issued for this IP address (they're usually issued to host names). – Bruno Jan 12 '12 at 14:33
Thanks Todd Murray.I also tried to connect using IP address of domain controller(DC) server but it also fails. – sandy Jan 13 '12 at 05:19

can not bind to the LDAP directory with secure connection with php

2 Answers2