Enable LDAPS On Windows IIS

This document provides instructions for enabling LDAPS on Windows IIS/Apache by generating a certificate authority (CA) certificate, exporting it as a PEM file, and configuring OpenSSL and PHP to use the certificate for LDAPS connections. Key steps include generating a CA certificate, exporting it as PEM format, editing the php.ini and OpenSSL configuration files to reference the certificate, and testing the LDAPS connection with a PHP script.

Uploaded by Fahad Shaikh

OpenSSL for IIS / Apache on Windows 2003

Enable LDAPS on Windows IIS / Apache

This guide assumes that PHP and IIS / Apache have already been installed and
set up.

You will need to generate a stand-alone CA (you will need permission from
the enterprise admin to do this), generate the keys and change the following:
Properties
Select any CSP, but choose a strong certificate and set the key length to 1024
Click next and add the name of the computer to the server info, i.e. ActiveDIR
Select the output path to c:/
Click next to finish
Go to Run
Type mmc
Open the snap-in Certificates and select computer account.
Local account for computer and click on:
Personal > Certificates
There will be a certificate in there under ActiveDIR
Right-click on the folder Certificates > All Tasks and request a new certificate.
Run through the wizard to create the new certificate.
You can double-click on the certificates (do both to see the difference).
The new one will say, under General, "Proves your identity to a remote computer".
This is the certificate that we need.
Right-click on the new certificate and export it.
Export as Base 64.
Give it a file name (anything you want, but without spaces; for this example,
SSL) and save it to c:
Open up c:/ and you will have two certificates: one called ActiveDIR.domain and
the other called openssl.cer

You will need to install OpenSSL or jump on a Unix box (OS X).

openssl x509 -in <drag the export1 file from the desktop> -out <drag the export1 file from
the desktop again and rename it openssl.pem>

So the path in our case will be:

openssl x509 -in /private/root/Desktop/ldaps.cer -out /private/root/Desktop/openssl.pem

(assuming you are logged in as root)

(Note: when copying the certificate around, ensure that it is kept safe, as the Domain
Controller will assume that anything presented with the certificate is trusted.)

Delete the openssl.cer from the unix box.


On the Windows web server create the following folder structure in the root of C:

C:\OpenLDAP\sysconf\
With TextPad (or WordPad) create a file called ldap.conf

Add the following text

TLS_REQCERT never

# define location of CA certificate


TLS_CACERT C:\OpenLDAP\sysconf\openssl.pem
TLS_CACERTDIR C:\OpenLDAP\sysconf\

Save the file to your newly created path:

C:\OpenLDAP\sysconf\open.ssl.conf

Your new pem certificate will need to go into the same place.

(remember to delete any stray copies of the pem file left behind when copying it around)

Open up the php.ini file and check that the two extensions:


extension=php_ldap.dll
extension=php_openssl.dll

are switched on.

Copy the libeay32.dll file (from the PHP install location, i.e. c:\php)

to the C:\Windows\System32 or C:\WINNT\System32 folder.

Restart your web services.

Use

<?php
phpinfo();
?>

to check that OpenSSL is running.


Check that LDAP is also running.

Create a quick ldaps script to check your connections

<?php

$ad = "ldaps://domain";
// i.e. ldaps://dc1.server.com or ldaps://asl.org

$au = "username@domain";
// i.e. username of a domain admin (it would be worth creating a limited admin
// for this)
$pass = "password"; // Password of the above username

// ldap_connect() only validates the URI; the real connection is made at bind time
$Connect = ldap_connect($ad)
    or die("Could not connect");

ldap_set_option($Connect, LDAP_OPT_PROTOCOL_VERSION, 3)
    or die("Could not set ldap protocol");

$Bind = ldap_bind($Connect, $au, $pass);

if ($Bind) {
    echo "You have a ldaps connection";
} else {
    echo "No ldaps connection please check settings";
}

?>

If you do have problems, please check that you can connect to the remote
server with plain LDAP first.

Use Microsoft's ldp.exe to check your connections.
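A hardened version of the check script above, added here as an example that is not part of the original guide: it keeps server-certificate verification switched on (the TLS_REQCERT never line in ldap.conf turns verification off for every LDAPS connection PHP makes) and reports why a bind failed. The server name, CA path, environment variable names and service account are placeholders; it assumes PHP 7.1 or later with the OpenLDAP-based ldap extension.

```php
<?php
// Added example (not from the original guide): an LDAPS connection check that
// enforces server-certificate verification instead of relying on TLS_REQCERT never.
// Hostname, CA path and credentials are constructed placeholders; the
// LDAP_OPT_X_TLS_* constants need PHP 7.1+ with the OpenLDAP-based ldap extension.

$server = 'ldaps://dc1.example.com';            // placeholder DC name
$cafile = 'C:\\OpenLDAP\\sysconf\\openssl.pem'; // CA PEM exported in the guide
$user   = getenv('LDAP_USER') ?: '';            // e.g. svc-ldap@example.com (placeholder)
$pass   = getenv('LDAP_PASS') ?: '';

// An empty password makes ldap_bind() do an anonymous bind, which Active
// Directory reports as success; refuse it so the check can never pass by accident.
if ($user === '' || $pass === '') {
    fwrite(STDERR, "LDAP_USER and LDAP_PASS must be set\n");
    exit(1);
}

// Global TLS options are set before ldap_connect() (null = library defaults)
// so the new connection inherits them; DEMAND rejects an unverifiable chain.
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $cafile);
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

$conn = ldap_connect($server);
if ($conn === false) {
    fwrite(STDERR, "Malformed LDAP URI: $server\n");
    exit(1);
}
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0); // AD hands out referrals; do not chase them

// ldap_bind() is where the TCP connect, TLS handshake and chain check happen.
if (@ldap_bind($conn, $user, $pass)) {
    echo "LDAPS bind OK: server certificate verified against $cafile\n";
    ldap_unbind($conn);
    exit(0);
}

// A chain or hostname failure shows up as "Can't contact LDAP server", a bad
// credential as "Invalid credentials"; the diagnostic message carries the
// OpenSSL-level reason, so read it before loosening any TLS setting.
$diag = '';
ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
fwrite(STDERR, sprintf("LDAPS bind failed (%d): %s %s\n",
    ldap_errno($conn), ldap_error($conn), $diag));
exit(1);
```

Run it from the command line with LDAP_USER and LDAP_PASS set in the environment; if it fails where the guide's script succeeds, the difference is almost always the certificate chain or the hostname on the DC's certificate, not the credentials.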


By Dominic Carpenter
www.apple-scripts.com
