LDAP PHP libraries on Linux connecting to AD on Win2008r2

From: Dan Eveland 
------------------------------------------------------
Yeah, I know. Windows. Gross. However, I am trying to connect to an AD
server via LDAP from a Linux box. Everything works perfectly, except
sending updates back to the LDAP services (AD). I am getting indications
that an SSL cert is not correct, however I have been trying everything I
can think of.

Using it just for one-way authentication and updates (to Linux via PHP) is
working quite well, actually. Does anyone have any experience connecting the
other way, to an AD server? Specifically one running 2008R2?

I am not an expert on SSL certs. I have installed the cert, and even
installed it on IIS and it works on the same box. AD does not complain
about the cert, so that *seems* fine. The issue seems to be on the Linux
side. The PHP libraries for this are really bad as far as error messages
and hints go.

Looking for anyone on the list who has lived through this and could guide
me.

Thanks.

===============================================================
From: Ryan Bales
------------------------------------------------------
Just a WAG: check permissions on the cert files? Some applications will
refuse to communicate a cert/key if the permissions aren't tight enough.

Ryan Bales
http://twitter.com/#!/thinkt4nk
https://github.com/thinkt4nk

===============================================================
From: Billy
------------------------------------------------------
A few things off the top of my head:

If it's client side certs, make sure Linux (app) knows how to find it so it
can send it when asked.

Make sure the CA that signed the cert is "known" to Linux (probably OpenSSL).
You may have to concatenate the pem version of the win-cert to "cacerts".
This will manifest itself as a "PKI path error" or something similar.
Basically it's saying: "I can't verify/trust this cert because I don't know
who created it."

Finally, ensure the hostname that Linux is connecting to (winbox) matches
the Common Name (CN=) that's stored inside the certificate. This is a common
issue. Windows may have created the cert as:

    $stuff,CN=WINSERVER1

And Linux is connecting to:

    winserver1.internal.company.com

Windows boxes don't complain because they may validate the common name
using netbios, but OpenSSL is using the hostname of the outbound ldap
connection.

Anyways, those are my ideas.

--b
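The two certificate checks Billy describes (is the issuer known to OpenSSL, and does the name Linux dials match what is inside the cert) can be reproduced on the Linux side with the openssl CLI before touching PHP at all. The script below is an added example, not code from the thread or from any of its authors: it builds a throwaway CA and two server certs for a CN of WINSERVER1, one without and one with a subjectAltName, and runs `openssl verify` against them. It assumes only an `openssl` binary (1.1.1 or newer) on PATH; every CA name, hostname and file name is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "unknown issuer" and
# "hostname does not match" failures with a throwaway PKI built right here.
# Assumes only `openssl` (1.1.1 or newer) on PATH; all names are constructed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# chain_status CAFILE CERT -> "trusted" if CAFILE vouches for CERT, else "untrusted".
# An untrusted result is the "PKI path" / "unable to get local issuer" class of error.
chain_status() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# host_status CAFILE CERT HOST -> "match" if HOST is acceptable for CERT.
# OpenSSL consults dNSName SANs first and falls back to the CN only when the
# cert carries no dNSName SAN at all; the comparison is case-insensitive.
host_status() {
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
        echo match
    else
        echo mismatch
    fi
}

# Build: our CA, an unrelated CA, one server key, and two certs for that key.
build_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Internal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Some Other CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
    # CSR carrying the short NetBIOS-style name in CN, as Billy says Windows may issue it.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=WINSERVER1" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
    # Cert 1: CN only, no subjectAltName.
    openssl x509 -req -days 1 -in "$WORK/srv.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/cn-only.pem" >/dev/null 2>&1
    # Cert 2: same CN plus a dNSName SAN for the FQDN Linux actually dials.
    printf 'subjectAltName=DNS:winserver1.internal.company.com\n' > "$WORK/san.cnf"
    openssl x509 -req -days 1 -in "$WORK/srv.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/san.cnf" \
        -out "$WORK/san.pem" >/dev/null 2>&1
}

build_pki

echo "issuer known:    $(chain_status "$WORK/ca.pem"    "$WORK/cn-only.pem")"                                   # trusted
echo "issuer unknown:  $(chain_status "$WORK/other.pem" "$WORK/cn-only.pem")"                                   # untrusted
echo "CN-only, short:  $(host_status "$WORK/ca.pem" "$WORK/cn-only.pem" winserver1)"                            # match
echo "CN-only, FQDN:   $(host_status "$WORK/ca.pem" "$WORK/cn-only.pem" winserver1.internal.company.com)"       # mismatch
echo "SAN cert, FQDN:  $(host_status "$WORK/ca.pem" "$WORK/san.pem" winserver1.internal.company.com)"           # match
echo "SAN cert, short: $(host_status "$WORK/ca.pem" "$WORK/san.pem" winserver1)"                                # mismatch
```

The last line is the caveat worth remembering: once a cert carries a dNSName SAN, OpenSSL stops looking at the CN, so a cert fixed by adding the FQDN as a SAN will no longer match the bare short name. On the PHP side the ldap extension goes through libldap, which takes its trust settings from ldap.conf (TLS_CACERT, TLS_REQCERT), so the CA file that passes chain_status here is the one to point TLS_CACERT at.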

===============================================================
From: Ed King
------------------------------------------------------
openssl s