Installing LTB SSP (Self Service Password) in a Windows Environment
This document is intended as a quick “how to” and assumes that the reader has enough technical skills to perform many of the functions without any detailed instructions.
1) Setup a simple Web Server.
Install Windows7 and run all appropriate updates. The windows 7 machine will be used as a web server to host the LTB SSP scripts.
2) Use WAMP
I will be using WAMP (Windows, Apache, MySQL, and PHP) from:
I used version 2.2 , 32bit, w/PHP 5.3.13
Install WAMP with all the default settings. You may have to install the Microsoft Visual C++ Redistributable Package before you can install WAMP. This is documented on the WAMP web site.
3) Make sure the WAMP PHP install has LDAP support.
In my setup, this required me to copy a file into the system32 folder of the Windows7 workstation. I had to copy libsasl.dll from the default location to the system32 directory.
Alternatively, you could probably just make sure that the directory with libsasl.dll is in the system path.
After this file was copied, I restarted the Windows7 machine. I was then able to turn on LDAP support from within the WAMP – PHP console and verify PHP-LDAP support from the phpinfo() page.
4) Make sure your AD server has a certificate.
This is required for LDAPS connections. In an AD environment, you must use LDAPS (Secure LDAP) to change passwords.
First, check and see if you already have certificates installed.
a)On your LDAP (Active Directory) Domain Controller select Start>mmc.exe
b)Select File>Add/Remove Snap-in,
c)Highlight “Certificates”, press “Add” then select “Computer Account” from the pop up window, and select “Local Computer”, and “Finish”.
You should end up at a screen like this.
d)Expand the Certificates out to see “Personal” Certs.
e)If you already have Certificates here, look under the “Intended Purpose” column, if it says “Client Authentication”……you are all set.
f)IMPORTANT : Notice (and document) the FQDN that your cert is issues to. You will need this name. Any LDAPS connections made to this server MUST use this name as the “server name”.
If you do not have Certificates already installed
The following article gives instructions on how to create a self signed Certificate.
If the above directions are not clear enough, Google the term “windows server 2008 r2 generate self-signed certificate”
You must have a certificate for “Client Authentication” for a LDAPS connection to work.
No LDAPS connection = No LTB SSP.
5) Test LDAP conductivity
Test LDAP conductivity from the Windows7 web server to the Active Directory LDAP server.
Download ldp.exe from:
You can use this utility to verify both LDAP and LDAPS connections to the Active Directory LDAP server.
For LDAPS connection tests you MUST use the EXACT SAME NAME as in the “Issued to” column in section 4-f (above).
Make sure you can connect and bind using both LDAP and LDAPS.
6)Install the LTB Self Service Password files to the WAMP “www” directory.
Simply unzip, and copy the files over.
7) Create a ldap.conf file
Create a directory structure and file named ldap.conf at C:\OpenLDAP\sysconf\
Add a single line to the file
“TLS_REQCERT allow”
Save and exit.
(I’m unsure if this step is truly necessary, but, it’s how I did it, and SSP works for me…your mileage may vary)
8) Browse to the webservers SSP install dir
If everything is working you should get the default page.
9) Modify the config.inc.php
Follow the installation instructions at the LTB SSP web site.
The rest of the setup is well documented, and fairly simple.
$ldap_url = "ldaps://myserver.almaschools.net”;
$ldap_binddn = "CN=Administrador,CN=Users,DC=Almaschools,DC=net”;
$ldap_bindpw = “mypassword”;
$ldap_base = "OU=Almaschools,DC=Almaschools,DC=net ";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter ="(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
$ad_mode = true;
NOTICE that I use my FQDN as found in the Certificate setup in my ldaps connection string. For me, this was the key to getting LDAPS to work correctly.
The most difficult part of getting the LTB SSP application running was the setup and verification of LDAPS. Once that was achieved, everything else fell into place.