AD LDS to the rescue!

I was trying to find an LDAP server that would let me authenticate a user with an email address, the way Active Directory does with the userPrincipalName (UPN).

I tried many, but they failed to do what I wanted easily.

I then tried a Google search for "Active Directory Emulator". Voila!

Active Directory Lightweight Directory Services (AD LDS), formerly known as ADAM (Active Directory Application Mode), came up.

Microsoft says that "Microsoft Active Directory Lightweight Directory Services (AD LDS) is an independent mode of Active Directory that provides dedicated directory services for applications."

I run Windows 8.1 now and thought that I would need to fudge an install to get it to work. How wrong I was!

Windows 7

You will need to download the AD LDS installer from the Microsoft site. Once downloaded, run it and click Next, Next, Next... you know the drill.

Link: Active Directory Lightweight Directory Services for Windows 7

Windows 8.1

Do a Windows search for "Add or remove programs". Select "Turn Windows features on or off". You will see "Active Directory Lightweight Directory Services" listed; tick it.

Once it installs, search for "Administrative Tools". Now run the "Active Directory Lightweight Directory Services Setup Wizard".

This article guides you through setting up an 'instance'.

Link: Technet - Create a New AD LDS Instance

Once done you will find a new Windows service. Its display name is the instance name you typed; the underlying service name is ADAM_<Instance Name>.

You can then connect to the instance and edit the directory using "ADSI Edit", which is also in "Administrative Tools". Connect to localhost on the LDAP port the wizard gave the instance (389 if that port was free, otherwise 50000).

Important Note: when you create new users with ADSI Edit the accounts are DISABLED by default. Edit the properties of the user object, find the Boolean attribute "msDS-UserAccountDisabled" and set it to FALSE (TRUE means disabled). The account also has no password yet, and AD LDS refuses to set one over an unencrypted connection unless you either use the SSL port or explicitly allow password operations on unsecured connections with dsmgmt (lab use only).

Create a Partition

Link: Create an Application Directory Partition
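The whole procedure above (instance, partition, user, enable) as one PowerShell script, added here as an example and not part of the original post. Assumptions that the post does not state: the instance name BlahLDS, ports 50000/50001, the partition DC=blah,DC=com, the user ldapproxy@blah.com, and an elevated PowerShell on the machine where the AD LDS feature is already installed. The answer-file keys are the ones Microsoft documents for adaminstall.exe, which is what the Setup Wizard drives.

```powershell
# Added example, not from the original post. Run elevated on the machine that
# has the AD LDS Windows feature installed. All names and ports are assumptions.
$instance  = 'BlahLDS'
$ldapPort  = 50000
$sslPort   = 50001
$partition = 'DC=blah,DC=com'

# 1. Unattended instance creation (what the Setup Wizard does behind the scenes).
#    MS-User.LDF is what gives the instance a "user" class at all; without it
#    ADSI Edit has nothing to create users from.
$answer = @"
[ADAMInstall]
InstallType=Unique
InstanceName=$instance
LocalLDAPPortToListenOn=$ldapPort
LocalSSLPortToListenOn=$sslPort
NewApplicationPartitionToCreate=$partition
DataFilesPath=C:\Program Files\Microsoft ADAM\$instance\data
LogFilesPath=C:\Program Files\Microsoft ADAM\$instance\data
ImportLDIFFiles="MS-User.LDF" "MS-InetOrgPerson.LDF"
"@
$answerFile = Join-Path $env:TEMP 'adlds-answer.txt'
Set-Content -Path $answerFile -Value $answer -Encoding ASCII
& "$env:windir\ADAM\adaminstall.exe" "/answer:$answerFile"
if ($LASTEXITCODE -ne 0) { throw "adaminstall.exe failed with exit code $LASTEXITCODE" }
Remove-Item $answerFile

# The instance is the service ADAM_<instance>; its display name is the instance name.
Get-Service -Name "ADAM_$instance" | Select-Object Name, DisplayName, Status

# 2. Create the user in the new partition over plain LDAP via ADSI. This runs as the
#    current Windows user, whom the installer registered as instance administrator.
$container = [ADSI]"LDAP://localhost:$ldapPort/$partition"
$user = $container.Create('user', 'CN=ldapproxy')
$user.Put('userPrincipalName', 'ldapproxy@blah.com')
$user.SetInfo()

# 3. AD LDS creates users disabled; clear the flag (this is the ADSI Edit step).
$user.Put('msDS-UserAccountDisabled', $false)
$user.SetInfo()

# 4. Password. AD LDS rejects password operations over an unencrypted connection
#    by default, so this throws "The server is unwilling to process the request"
#    until LDAPS is configured and used, or (lab only) you allow it with:
#      dsmgmt -> ds behavior -> connections -> connect to server localhost:50000
#             -> quit -> allow passwd op on unsecured connection
try {
    $user.Invoke('SetPassword', 'password')
    Write-Host "ldapproxy created, enabled and password set"
} catch {
    Write-Warning "password not set: $($_.Exception.Message)"
}
```

The script deliberately leaves the password step last and tolerates its failure: on a fresh instance with no certificate yet, that failure is the expected outcome, and it is the reason the SSL section below exists.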

SSL

Create a self-signed certificate using Internet Information Services (IIS) Manager (local install): Server Certificates --> Create Self-Signed Certificate. IIS puts it in the Local Computer\Personal store.

Export the certificate including its private key (a .pfx file). The AD LDS service needs the private key to terminate TLS, so an export without it is useless here.

Start MMC --> Add/Remove Snap-in --> Certificates --> Service account --> Local computer --> pick the AD LDS instance's service from the list.

Expand ADAM_<Instance Name>\Personal, right-click Certificates --> All Tasks --> Import, and import the .pfx. The server's own certificate belongs in the service's Personal store, not in Trusted Root; if a client on this machine should verify the certificate rather than ignore it, additionally import the public part (.cer) into Local Computer\Trusted Root Certification Authorities.

Restart the service. The instance now answers on its SSL port (636 if it took the default ports, otherwise 50001). Note that the IIS self-signed certificate is issued to the machine name, so a client that connects to 127.0.0.1 will see a name mismatch unless it pins the certificate or skips verification.

Here is some PHP code that can be used to test a bind (authentication) over LDAPS with the UPN-style name.

<?php
// Test a simple bind against the AD LDS instance over LDAPS using a UPN.
$ldap_server = "ldaps://127.0.0.1:636";   // use 50001 if the instance did not get the default ports
$ldap_user   = "ldapproxy@blah.com";
$ldap_pass   = "password";

// Older PHP builds lack this constant; newer ones define it already.
if (!defined("LDAP_OPT_DIAGNOSTIC_MESSAGE")) {
    define("LDAP_OPT_DIAGNOSTIC_MESSAGE", 0x0032);
}

// TEST ONLY: the self-signed certificate is not trusted by the client and its
// subject is not 127.0.0.1, so tell the OpenLDAP client library not to verify it.
// The environment variable is LDAPTLS_REQCERT (TLS_REQCERT is the ldap.conf
// directive and is ignored as an environment variable). Remove this and trust
// the certificate properly before using this against anything real.
putenv("LDAPTLS_REQCERT=never");

// ldap_connect() only parses the URI; the TCP/TLS connection is made at bind time,
// so a non-false return here does not mean the server is reachable.
$handle = ldap_connect($ldap_server);
if (!$handle) {
    die("bad LDAP URI: $ldap_server");
}

ldap_set_option($handle, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($handle, LDAP_OPT_REFERRALS, 0);

if (@ldap_bind($handle, $ldap_user, $ldap_pass)) {
    echo "bind OK as $ldap_user<br>";
} else {
    echo "bind failed: " . ldap_error($handle) . "<br>";
    // AD LDS puts the useful detail (e.g. "data 52e" bad credentials, "data 533"
    // account disabled) in the diagnostic message, not in the generic error.
    ldap_get_option($handle, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error);
    if (!empty($extended_error)) {
        echo "server says: " . htmlspecialchars($extended_error) . "<br>";
    }
}
ldap_unbind($handle);
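The same bind test from PowerShell, using System.DirectoryServices.Protocols, added here as an example that is not part of the original post. Its point is the certificate check: instead of the REQCERT=never setting in the PHP snippet, it pins the self-signed certificate's thumbprint, which is the only sound way to accept a certificate that is neither chained to a trusted root nor issued to the host name you connect to. Assumptions not in the post: LDAPS on localhost:50001 (use 636 if the instance took the default ports), the user ldapproxy@blah.com, and a thumbprint you paste from IIS Manager's Server Certificates view.

```powershell
# Added example, not from the original post. Host, port, user and the
# placeholder thumbprint are assumptions; paste your certificate's thumbprint.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ldapHost           = 'localhost'
$ldapPort           = 50001
$expectedThumbprint = 'PASTE-THUMBPRINT-FROM-IIS-SERVER-CERTIFICATES-HERE'
$upn                = 'ldapproxy@blah.com'
$password           = 'password'

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($ldapHost, $ldapPort)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.ProtocolVersion   = 3
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ReferralChasing   = [System.DirectoryServices.Protocols.ReferralChasingOptions]::None
# Basic = LDAP simple bind: the password travels in clear inside the TLS tunnel,
# which is why this must never be used without SecureSocketLayer.
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic

# Certificate pinning. Default validation would fail (self-signed, wrong name).
# A callback that just returns $true is the equivalent of REQCERT=never and
# accepts any certificate, i.e. any machine-in-the-middle.
$pin = $expectedThumbprint.Replace(' ', '').ToUpperInvariant()
$conn.SessionOptions.VerifyServerCertificate = [System.DirectoryServices.Protocols.VerifyServerCertificateCallback]({
    param($connection, $certificate)
    $seen = $certificate.GetCertHashString().ToUpperInvariant()
    if ($seen -ne $pin) { Write-Warning "server presented $seen, expected $pin" }
    return ($seen -eq $pin)
}.GetNewClosure())

try {
    # AD LDS accepts the userPrincipalName as the simple-bind name, which is the
    # whole reason for using it instead of a generic LDAP server.
    $conn.Bind((New-Object System.Net.NetworkCredential($upn, $password)))
    Write-Host "bind OK as $upn"
} catch {
    # PowerShell may wrap the LdapException in a MethodInvocationException.
    $ex = $_.Exception
    if ($ex -isnot [System.DirectoryServices.Protocols.LdapException] -and $ex.InnerException) {
        $ex = $ex.InnerException
    }
    Write-Host "bind failed: $($ex.Message)"
    if ($ex -is [System.DirectoryServices.Protocols.LdapException] -and $ex.ServerErrorMessage) {
        # Same diagnostic text as the PHP snippet's LDAP_OPT_DIAGNOSTIC_MESSAGE:
        # "data 52e" = bad credentials, "data 533" = account still disabled.
        Write-Host "server says: $($ex.ServerErrorMessage)"
    }
} finally {
    $conn.Dispose()
}
```

If the bind fails with the pin warning, the instance is presenting a different certificate than the one you imported into its Personal store, which usually means the import went into the wrong store or the service was not restarted.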