I spent a lot of time figuring out how to configure (or rather force) the PHP LDAP module to accept self-signed certificates on Windows with XAMPP and WAMP servers.
Here is my configuration:
- Windows XP Professional SP3
- ApacheFriends XAMPP version 1.7.7
  - Apache 2.2.21
  - MySQL 5.5.16 (Community Server)
  - PHP 5.3.8 (VC9 x86 32-bit thread safe) + PEAR
  - OpenSSL 1.0.0e
- WAMP version 2.2a x32
  - Apache 2.2.21
  - MySQL 5.5.16
  - PHP 5.3.8
  - OpenSSL (version unknown)
I started with the WAMP server, then switched to XAMPP in the hope that it would simply work. It didn't; however, I found a solution for XAMPP which should also work for WAMP.
First and foremost, uncommenting php_ldap.dll in php.ini prevented Apache from starting at all. There are some problems with the OpenSSL libs: php_ldap.dll depends on the OpenSSL and SASL DLLs, and when PHP runs as an Apache module those DLLs have to be found from Apache's own bin directory, not just PHP's. I copied XAMPP/php/bin/libsasl.dll to XAMPP/apache/bin/ and, the other way round, XAMPP/apache/bin/libeay32.dll and ssleay32.dll to XAMPP/php/bin/. After this, Apache was able to start.
Then I wanted to establish a connection to LDAP over SSL, and the server uses a self-signed certificate. Note that with SSL the connection is not actually established when calling ldap_connect() (which only initialises the handle), but later, when calling ldap_bind(). I was getting the following error:
Unable to bind to server: Can't contact LDAP server
You can also turn on debugging for the LDAP module (set it before calling ldap_connect(), since the debug level is a global setting of the OpenLDAP client library) with the following code:
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
and then you'll see the following error in Apache's error.log:
TLS certificate verification: Error, self signed certificate in certificate chain
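The following is an added example (not code from the original post) that puts the pieces above together: it enables the OpenLDAP debug output before the handle is created, connects over ldaps://, and shows that a certificate-verification failure only surfaces at ldap_bind(), where the library reports it as the generic "Can't contact LDAP server". The host, port, bind DN and password are placeholders.

```php
<?php
// Added example: LDAP over SSL from PHP with client-library debugging enabled.
// Host, port and credentials below are placeholders, not values from the post.

// The debug level is a global OpenLDAP setting, so it is set with a NULL link
// *before* ldap_connect(); the output goes to stderr, which Apache captures
// in error.log.
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);

function ldap_ssl_bind($host, $port, $binddn, $password)
{
    // ldap_connect() only initialises the handle and parses the URL; no TCP
    // or TLS handshake happens yet, so a bad certificate cannot fail here.
    $ld = ldap_connect('ldaps://' . $host . ':' . $port);
    if ($ld === false) {
        return array(false, 'ldap_connect() rejected the URL');
    }

    // Most directories (Active Directory included) require protocol v3.
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);

    // The TLS handshake, and therefore certificate verification, happens on
    // the first real operation: the bind. A verification failure comes back
    // as LDAP_SERVER_DOWN (-1), i.e. "Can't contact LDAP server"; the real
    // reason is only visible in the debug output in error.log.
    $ok = @ldap_bind($ld, $binddn, $password);
    if (!$ok) {
        $msg = sprintf('Unable to bind to server: %s (errno %d)',
                       ldap_error($ld), ldap_errno($ld));
        ldap_unbind($ld);
        return array(false, $msg);
    }
    return array($ld, 'bound as ' . $binddn);
}

list($ld, $msg) = ldap_ssl_bind('ldap.example.test', 636,
                                'cn=reader,dc=example,dc=test', 'secret');
echo $msg, "\n";
if ($ld) {
    ldap_unbind($ld);
}
```

Run it once with the debug level set and once without: the bind error text is identical in both cases, which is why the error.log line is the only way to tell a certificate problem from a plain network problem.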
I found that to allow self-signed certificates you need to create an ldap.conf file (the OpenLDAP client configuration that php_ldap.dll reads) with the right configuration option.
OK, but where should this file be located? I found information that it should be in the root directory of C:\ or D:\. There was also information that an Apache or even a Windows restart is needed. None of these worked for me.
Finally, I found that my location for ldap.conf is C:\openldap\sysconf\ and only an Apache restart was needed to make it work.
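The post does not show the contents of the file, so here is an added example of an ldap.conf for the OpenLDAP client library, placed at the location the author found (C:\openldap\sysconf\ldap.conf). It is not the author's file; the certificate path is a placeholder. It shows the quick fix that makes the bind succeed next to the safer alternative, because the quick fix has a security cost that is easy to overlook.

```conf
# ldap.conf for the OpenLDAP client library that php_ldap.dll links against.
# Added example, not from the original post. Read from C:\openldap\sysconf\
# on the author's XAMPP install; Apache must be restarted after editing it.

# Option 1 (what most "fixes" recommend): stop verifying the server
# certificate altogether. This makes the connection work with a self-signed
# certificate, but equally with ANY certificate, so anyone who can redirect
# the LDAPS traffic can read the bind DN and password.
#TLS_REQCERT never

# Option 2 (preferred): keep verification on and trust this one self-signed
# certificate explicitly. Export the server certificate in PEM format (a
# self-signed certificate is its own issuer, so it can be used directly as
# the trust anchor) and point TLS_CACERT at it. The path is a placeholder;
# forward slashes are fine for OpenLDAP on Windows.
TLS_CACERT C:/openldap/sysconf/ldap-server.pem
TLS_REQCERT demand
```

With option 2 the "self signed certificate in certificate chain" line disappears from error.log because verification now succeeds, rather than because it was switched off; if the server's certificate is later replaced, the bind will fail again until the new certificate is exported, which is the behaviour you want.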