Re: SSL bind to LDAP for password change



I don't know why this would fail. Is there an error reported when the connection attempt occurs? Do you have any idea if the SSL handshake, the LDAP connection or the bind operation is at issue?

You might want to start a new thread on the Active Directory newsgroup for this part. microsoft.public.windows.server.active_directory

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
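The question above (is it the SSL handshake, the LDAP connection, or the bind?) is easiest to answer by probing the stages separately, and the PHP side of the thread still needs a way to do the password change over LDAPS once the bind works. The following is an added example, not code from either poster: it does a TLS-only handshake to port 636 with certificate validation, then an LDAPS bind that decodes the "data NNN" code AD puts in its diagnostic message (the reason it hides behind LDAP error 49), and finally a self-service unicodePwd change. The hostname dc01.example.com, the CA file path, the user DN and the passwords are placeholders; probing one named DC rather than the domain name is also an assumption, chosen so that an intermittent failure can be tied to a specific server and certificate.

```php
<?php
// Added example, not from the thread. Placeholders: dc01.example.com, the CA file,
// the user DN and the passwords must be replaced with real values.
declare(strict_types=1);

const LDAP_HOST = 'dc01.example.com';                 // assumption: one specific DC, not the domain name
const CA_FILE   = '/etc/ssl/certs/corp-root-ca.pem';   // assumption: PEM chain that issued the DC certificate

// Stage 1: TLS handshake only, no LDAP at all. A failure here is a certificate,
// trust or name-mismatch problem, not an LDAP or bind problem.
function probeTls(string $host, string $caFile): ?string
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'      => true,
        'verify_peer_name' => true,   // DC cert CN/SAN must match $host
        'cafile'           => $caFile,
    ]]);
    $sock = @stream_socket_client("tls://$host:636", $errno, $errstr, 5,
                                  STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        return "TLS stage failed: [$errno] $errstr";
    }
    fclose($sock);
    return null; // handshake OK
}

// Stage 2: LDAP connect + bind. AD answers every credential problem with LDAP
// error 49; the real cause is the "data NNN" code in the diagnostic message.
const AD_BIND_DATA_CODES = [
    '525' => 'user not found',
    '52e' => 'invalid credentials',
    '530' => 'not permitted to log on at this time',
    '531' => 'not permitted to log on at this workstation',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked out',
];

function bindLdaps(string $host, string $caFile, string $bindDn, string $password)
{
    // TLS options are global in the client library and must precede ldap_connect().
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ds = ldap_connect("ldaps://$host:636");
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);      // AD returns referrals; chasing them anonymously fails
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);

    if (@ldap_bind($ds, $bindDn, $password)) {
        return $ds;
    }
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    $why = '';
    if (preg_match('/data ([0-9a-f]{3})/', (string)$diag, $m)) {
        $why = ' -> ' . (AD_BIND_DATA_CODES[$m[1]] ?? 'unknown data code ' . $m[1]);
    }
    throw new RuntimeException(sprintf('bind stage failed: [%d] %s %s%s',
        ldap_errno($ds), ldap_error($ds), (string)$diag, $why));
}

// AD stores unicodePwd as the UTF-16LE encoding of the password wrapped in double quotes.
function adPassword(string $pw): string
{
    return iconv('UTF-8', 'UTF-16LE', '"' . $pw . '"');
}

// Self-service change: delete the old value and add the new one in ONE modify, so the
// DC verifies the old password and applies the password policy. AD only accepts this
// over an encrypted channel, which is what the LDAPS connection provides here.
function changeOwnPassword($ds, string $userDn, string $old, string $new): void
{
    $ok = ldap_modify_batch($ds, $userDn, [
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE, 'values' => [adPassword($old)]],
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,    'values' => [adPassword($new)]],
    ]);
    if (!$ok) {
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        throw new RuntimeException('password change failed: ' . ldap_error($ds) . ' ' . (string)$diag);
    }
}

// Usage with placeholder DN and passwords.
if (($err = probeTls(LDAP_HOST, CA_FILE)) !== null) {
    fwrite(STDERR, "$err\n");
    exit(1);
}
$userDn = 'CN=Jane Doe,OU=Users,DC=example,DC=com';
$ds = bindLdaps(LDAP_HOST, CA_FILE, $userDn, 'OldP@ssw0rd');
changeOwnPassword($ds, $userDn, 'OldP@ssw0rd', 'N3wP@ssw0rd!');
echo "password changed\n";
```

For an administrative reset rather than a self-service change, a single replace of unicodePwd with the new value (ldap_mod_replace) is used instead of the remove/add pair; that path does not require the old password but needs reset rights on the account. An intermittent failure that shows up in stage 1 against one DC name but not another points at that DC's certificate rather than at the LDAP or bind configuration.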
"apex52" <apex52@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:42BB1D37-0C11-4BF4-994C-3D381D8C0B67@xxxxxxxxxxxxxxxx
Unfortunately, PHP is the required way at this time. I was able to issue a
Domain Controller certificate and connect through SSL. The issue I am seeing
now is that I am unable to bind to LDAP intermittently. The server is not
logging anything but successful connections, so there is no help there. Is
there an LDAP setting or a reply delay that might cause this? We are not in
production, so the 5000 connection rule cannot be a factor. Thanks.

"Joe Kaplan" wrote:

I'm not sure if there is a way to do it in php, but with normal LDAP and
Windows authentication in the LDAP bind (SPNEGO auth), you can also use
negotiate auth channel encryption to achieve the encryption requirement for
the LDAP password change. This is very easy to do in
System.DirectoryServices.Protocols in .NET or with any other code making
direct use of the Windows LDAP API.

If you are stuck on PHP and PHP doesn't offer this flexibility in its LDAP
stack, then you may need to find a solution to your enrollment problem. You
might want to post this thread with a different subject though as it might
not be read by the people who have more PKI expertise.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"apex52" <apex52@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:337F6FEE-56EB-4DDB-B68A-B3E893E2C5AB@xxxxxxxxxxxxxxxx
> Yes it is. One of our admins uses php to connect in and he requires the
> cert.