Using LDAP with SSL in PHP on Windows: A Complete Guide

If you're trying to integrate LDAP in PHP on a Windows machine, getting a basic connection working is fairly straightforward. However, enabling secure LDAP (LDAPS) or LDAP over TLS can be a bit tricky.

In this article, I’ll walk you through how to get LDAPS working in PHP on Windows 10, using Laravel and the DirectoryTree/LdapRecord package.

Environment Setup

Let’s begin by setting up a standard LDAP connection. We’ll be using Laravel along with the DirectoryTree/LdapRecord package.

First, create a new Laravel application:

composer create-project laravel/laravel your-app-name

Then install the LdapRecord Laravel integration:

composer require directorytree/ldaprecord-laravel

Next, publish the LdapRecord configuration file:

php artisan vendor:publish --provider="LdapRecord\Laravel\LdapServiceProvider"

This will create a new configuration file at config/ldap.php.

Now, open your .env file and add the following environment variables to define the default LDAP connection:

LDAP_CACHE=false
LDAP_LOGGING=true
LDAP_CONNECTION=default
LDAP_HOST=DC.mydomain.local
LDAP_PORT=389
LDAP_USERNAME="cn=Ldap Admin, ou=Service Accounts, dc=mydomain, dc=local"
LDAP_PASSWORD=UserPassword
LDAP_BASE_DN="dc=mydomain, dc=local"
LDAP_TIMEOUT=5
LDAP_SSL=false
LDAP_TLS=false
LDAP_SASL=false

Here's a breakdown of the important values you need to customize:

  • LDAP_HOST – Replace DC.mydomain.local with the hostname or IP address of your Domain Controller (DC).

  • LDAP_BASE_DN – This is the Distinguished Name (DN) that defines the root context for your LDAP queries. It is usually derived from your domain name; for example, for mydomain.local, use dc=mydomain,dc=local.

  • LDAP_USERNAME – The service account DN used to bind (authenticate) with the LDAP server. Ensure the account has permission to search the directory. The format is usually something like:
    "cn=YourUserName,ou=SomeOU,dc=yourdomain,dc=com".

  • LDAP_PASSWORD – The password for the LDAP service account.

This sets up a plaintext (unencrypted) LDAP connection over port 389, so the bind credentials and query results travel over the network in the clear.

To test the connection, run:

php artisan ldap:test

Make sure the connection is successful before proceeding.


Export Root CA Certificate

Now that LDAP is working, let’s move on to enabling LDAPS. First, you’ll need the Root Certificate Authority (CA) from your certification authority server.

Here’s how to export it:

  1. On your CA server, open Server Manager > Tools > Certification Authority.

  2. Right-click your root CA, then select Properties.

  3. Click View Certificate > Details > Copy to File.

  4. Choose Base-64 encoded X.509 (.CER), then click Next.

  5. Choose a destination path, e.g., C:\Users\Downloads\root-ca.cer, then finish the export.

Copy the exported .cer file to your Windows machine and rename it to .pem (a Base-64 encoded .cer file is already in PEM format, so only the extension needs to change). For example:

C:\openldap\sysconf\root-ca.pem

The exact location doesn’t matter, as we’ll point to it using an environment variable later.

Configuring Secure LDAP

Create a new file called ldap.conf in the same directory as the root CA certificate, e.g., C:\openldap\sysconf\ldap.conf.

Inside ldap.conf, add the following line:

TLS_CACERT C:\openldap\sysconf\root-ca.pem

The TLS_CACERT directive tells the LDAP client which certificate authority (CA) to trust when establishing a secure connection using LDAPS or STARTTLS. It points to the root certificate that was used to sign the LDAP server's SSL/TLS certificate. Without this, the client will not be able to verify the server’s identity, and the secure connection will fail.

This is essential for enabling trust between the client (your PHP application) and the LDAP server when using encrypted communication.

Now, set a system environment variable named LDAPCONF, pointing to the full path of your ldap.conf file (e.g., C:\openldap\sysconf\ldap.conf). The OpenLDAP client library used by PHP's ldap extension reads this variable when the process starts, so restart your web server or terminal session afterwards for the change to take effect.

Secure LDAP Test

With everything configured, it’s time to test LDAPS.

Update your .env file with the following:

LDAP_PORT=636
LDAP_SSL=true
LDAP_TLS=false

Now run the test command again:

php artisan ldap:test

If successful, your Laravel app is now securely connecting to LDAP using LDAPS over port 636.

If you prefer using LDAP with TLS (StartTLS) instead of LDAPS, configure your .env like this:

LDAP_PORT=389
LDAP_SSL=false
LDAP_TLS=true

Run the test again to confirm the TLS connection.
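The same trust chain can also be exercised outside Laravel, which is useful when ldap:test fails and you want to see the underlying TLS error for either LDAPS or StartTLS. The following is an added example, not code from this article or from the LdapRecord package; it assumes the host, bind DN and password from the .env above, that LDAPCONF points at the ldap.conf created earlier, and PHP 7.1 or newer with the ldap extension loaded:

```php
<?php
// Added example, not part of the original article or of LdapRecord: a stand-alone
// check that the trust chain set up through ldap.conf / LDAPCONF really verifies
// the Domain Controller's certificate. Host, DN and password mirror the .env above.
declare(strict_types=1);
// $mode is 'ldaps' (port 636) or 'starttls' (port 389 + STARTTLS).
// Returns ['ok' => bool, 'error' => string, 'diagnostic' => string].
function secureLdapCheck(string $host, string $bindDn, string $password, string $mode = 'ldaps'): array
{
    // libldap reads LDAPCONF at process start; make sure it names a usable TLS_CACERT.
    $conf = getenv('LDAPCONF') ?: '';
    if ($conf === '' || !is_readable($conf)) {
        return ['ok' => false, 'error' => "LDAPCONF not set or unreadable: '$conf'", 'diagnostic' => ''];
    }
    if (!preg_match('/^\s*TLS_CACERT\s+(.+?)\s*$/mi', (string) file_get_contents($conf), $m) || !is_readable($m[1])) {
        return ['ok' => false, 'error' => 'ldap.conf has no readable TLS_CACERT entry', 'diagnostic' => ''];
    }
    $uri  = $mode === 'ldaps' ? "ldaps://$host:636" : "ldap://$host:389";
    $ldap = ldap_connect($uri);              // only parses the URI; no network I/O yet
    if ($ldap === false) {
        return ['ok' => false, 'error' => "malformed LDAP URI: $uri", 'diagnostic' => ''];
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    // Demand a server certificate that chains to TLS_CACERT. Do not "fix" a failing
    // handshake with LDAP_OPT_X_TLS_NEVER: that disables server identity verification
    // and would send the service-account password to any host answering as the DC.
    ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    if ($mode === 'starttls' && !@ldap_start_tls($ldap)) {
        return ldapFailure($ldap, 'STARTTLS handshake failed');
    }
    if (!@ldap_bind($ldap, $bindDn, $password)) { // for ldaps:// the TLS handshake happens here
        return ldapFailure($ldap, 'bind failed');
    }
    ldap_unbind($ldap);
    return ['ok' => true, 'error' => '', 'diagnostic' => ''];
}

// Collect libldap's error text plus the TLS/server diagnostic (e.g. "certificate verify failed").
function ldapFailure($ldap, string $what): array
{
    $diag = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    return ['ok' => false, 'error' => "$what: " . ldap_error($ldap), 'diagnostic' => (string) $diag];
}

// Usage: password read from the environment rather than hard-coded in the script.
$r = secureLdapCheck('DC.mydomain.local', 'cn=Ldap Admin,ou=Service Accounts,dc=mydomain,dc=local',
                     getenv('LDAP_PASSWORD') ?: '', $argv[1] ?? 'ldaps');
echo $r['ok'] ? "OK: certificate verified and bind succeeded\n" : "FAIL: {$r['error']} {$r['diagnostic']}\n";
```

Run it as php check.php ldaps or php check.php starttls; a failure that names a certificate issuer or hostname mismatch means the CA in TLS_CACERT does not match the certificate the Domain Controller presents.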

That’s it! You now have secure LDAP running in PHP on Windows. Thanks for reading. Cheers