Reliable, effective, and simple. If you don’t mind a blip in ldap service for a minute or two in the wee hours of the night, it works like a charm.

Using Auth.php which everyone should have, authenticating with Active Directory is pretty simple. I’ve tried this on an OpenLDAP directory and AD.

So now I know this certificate is blessed by my client, I can try to use it to connect. But let’s say I try to use a self-signed certificate or another cert that’s not trusted… And using a self-signed certificate, you should see something like this… If it’s a trust issue, perhaps the certificate is valid, but it just can’t find the CA or intermediate certificate… But, if everythings working correctly, your client should connect just fine. And it will look something like this, with a big fat Verify return code: 0 (ok) at the end.

This doesn’t have to be complicated at all.  This was what I did on my ldap servers:
[user@ldap-primary /etc/openldap/cacerts ]$ sudo openssl req -newkey rsa:1024 -x509 -nodes -out ldap-primary.pem -keyout ldap-primary.pem -days 3650
[user@ldap-slave1 /etc/openldap/cacerts ]$ sudo openssl req -newkey rsa:1024 -x509 -nodes -out ldap-slave1.pem -keyout ldap-slave1.pem -days 3650
That’s it!  No messing …