Fork me on GitHub

To ensure the confidentiality of the user credentials you should make use of an encrypted LDAP connection between the webserver running WordPress and Next Active Directory Integration and your domain controllers.

There are two ways you can enable encryption

Encryption method Port Description
LDAPS 636, 3629 (Global Catalog) It is used on port 636 and 3629 (Global Catalog port) and encrypts the whole communication between both endpoints.
STARTTLS 389 An unencrypted LDAP connection on port 389 can be upgraded to an encrypted connection. The client issues issues a STARTTLS upgrade command. After that the communication between both endpoints is encrypted.

All of these ports (389, 636 and 3269) are by default opened on a Windows Server 2012 R2 installation. From a configuration point of view there is not so much difference between using LDAPS or STARTTLS. Only the encryption type and port differs.

Requirements

For using an encrypted connection the domain controller must issue a valid certificate during the connection handshake. On a bare Active Directory domain controller installation there are no certificates provided.

  • Install the role Active Directory Certifcate Services
  • Open the Certificates management console, go to Personal > Certificates, Right click and select All Tasks > Request New Certificates

Retrieve domain controller certificate

With OpenSSL installed you can easily show certificate of the domain controller by using

openssl s_client -debug -connect $DOMAIN_CONTROLLER:636 -showcerts

Instead of port 389 the port 636 must be used, because s_client does not know anything about STARTTLS. If this fails with

CONNECTED(00000003)     
write to 0xa0276b0 [0xa031e48] (86 bytes => 86 (0x56))
# ...
write:errno=104

the domain controller does not issue a certificate. You will also see the error "No suitable default server credential exists on this system" inside the event log of the domain controller.

Please install a valid certificate (see Requirements above).

If the certificate is available s_client presents you an output like this:

CONNECTED(00000003)                                              
depth=0 /CN=WINDOWS-XXX.test.ad                              
verify error:num=20:unable to get local issuer certificate       
verify return:1                                                  
depth=0 /CN=WINDOWS-XXX.test.ad                              
verify error:num=27:certificate not trusted                      
verify return:1                                                  
depth=0 /CN=WINDOWS-XXX.test.ad                              
verify error:num=21:unable to verify the first certificate       
verify return:1                                                 
Certificate chain                                                
 0 s:/CN=WINDOWS-XXX.test.ad                                 
   i:/DC=ad/DC=test/CN=test-WINDOWS-XXX-CA                   
-----BEGIN CERTIFICATE-----                                      
MIIGBDCCBOygAwIBAgITEgAAAAKcOukOOzy9sAAAAAAAAjANBgkqhkiG9w0BAQUF 
# ....
+k7Ki2Nnm8w2IRr89niPSw0NAVBrejb8i7g6paNx/hrPFG9WWZU+qGagE6NI8DPv 
J3syVivrMK8=                                                     
-----END CERTIFICATE-----                                        
Server certificate                                               
subject=/CN=WINDOWS-XXX.test.ad                              
issuer=/DC=ad/DC=test/CN=test-WINDOWS-XXX-CA                 
No client certificate CA names sent                              
SSL handshake has read 1706 bytes and written 456 bytes          
New, TLSv1/SSLv3, Cipher is AES256-SHA                           

Copy all lines between BEGIN CERTIFICATE and END CERTIFICATE. On Windows put the content into the file c:/openldap/sysconf/dc.crt. On Linux you can save it into /etc/pki/ca-trust/source/anchors/dc.pem.

-----BEGIN CERTIFICATE-----                                      
MIIGBDCCBOygAwIBAgITEgAAAAKcOukOOzy9sAAAAAAAAjANBgkqhkiG9w0BAQUF 
# ....
+k7Ki2Nnm8w2IRr89niPSw0NAVBrejb8i7g6paNx/hrPFG9WWZU+qGagE6NI8DPv 
J3syVivrMK8=                                                     
-----END CERTIFICATE-----  

Make sure that there is no whitespace at the end of any line!

Configure ldap.conf

On a Windows webserver create the file ldap.conf inside the directory c:/openldap/sysconf. The file location is important. On a Linux system you have to use phpinfo() to determine the correct location of ldap.conf.

Put the following lines into ldap.conf

TLS_REQCERT never
TLS_CACERT c:\openldap\sysconf\dc.crt
	

The configuration option TLS_REQCERT forces OpenLDAP to not request the server certificate. This is required for all self-signed certificates.

LDAPS and client certificates

Active Directory does not require a client certificate:

Enabling LDAPS on the client is not necessary to protect credentials passed from the client to the server when LDAPS is already enabled on the server. 
This just allows the client to actually authenticate itself to the server - an extra layer of protection to ensure that the client connecting as COMPUTER_X is actually COMPUTER_X and not some other computer trying to authenticate with COMPUTER_X credentials. 
The client must be using a certificate from a CA that the LDAP server trusts. 

In your ldap.conf you can put the following lines to use your client certificate and private key:

TLS_CERT c:\openldap\client.crt
TLS_KEY c:\openldap\client.key

Configure Next Active Directory Integration

  • Go to Active Directory Integration > Environment
  • For LDAPS select "LDAPS" from Encryption and enter the Port 636.
  • For STARTTLS select "STARTTLS" from Encryption and enter Port 389.
  • Save settings

Test authentication

Go to Active Directory Integration > Test authentication and enter valid credentials. If everything is fine the authentication should succeed. There are two possible errors showing up which should only occur if there has been a prior configuration issue.

Warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Server is unavailable

You are presented with this error if your domain controllers does not issue a certificate. See the Requirements above how to set up a basic installation.

Warning: ldap_start_tls(): Unable to start TLS: Connect error

This error is shown if the domain controllers issues a certificate but the client (Next Active Directory Integration) does not know how to handle it. See the Configure ldap.conf section above.