To configure your LDAP connections, provide an array with key-value pairs to set various parameters.

Here is a list of all parameters.

$config = [
    // Mandatory Configuration Options
    'hosts'            => [''],
    'base_dn'          => 'dc=local,dc=com',
    'username'         => 'cn=admin,dc=local,dc=com',
    'password'         => 'password',

    // Optional Configuration Options
    'port'             => 389,
    'follow_referrals' => false,
    'use_ssl'          => false,
    'use_tls'          => false,
    'version'          => 3,
    'timeout'          => 5,

    // Custom LDAP Options
    'options' => [
        // See:

$connection = new Connection($config);


The hosts option is an array of IP addresses or host names located on your network that serve an LDAP directory.

You insert as many servers or as little as you'd like depending on your forest (with the minimum of one of course).

Do not append your port to your IP addresses or host names. Use the port configuration option instead.

Base Distinguished Name

The base distinguished name is the base distinguished name you'd like to perform operations on.

An example base DN would be DC=local,DC=com.

If one is not defined, you will not retrieve any search results.

Your base DN is case insensitive. You do not need to worry about incorrect casing.

Username & Password

To connect to your LDAP server, a username and password is required to be able to query and run operations on your server(s).


  • The username option must be a users Distinguished Name. If you are connecting to an ActiveDirectory server, you may use a users userPrincipalName instead.
  • To run administration level operations, such as resetting passwords, this account must have the permissions to do so on your directory.


The port option is used for authenticating and binding to your LDAP server.

The default ports are already used for non SSL and SSL connections (389 and 636).

Only insert a port if your LDAP server uses a unique port.


These boolean options enable an SSL or TLS connection to your LDAP server.

Only one can be set to true. You must chose either or.

These options are definitely recommended if you have the ability to connect to your server securely.

You must enable SSL or TLS to reset passwords in ActiveDirectory.

TLS is recommended over SSL, as SSL is now labelled as a deprecated mechanism for securely running LDAP operations.

When using TLS you may have to configure an ldap.conf file and add the following inside:


The ldap.conf file is located in the following default locations:

  • Windows: C:\OpenLDAP\sysconf\ldap.conf (The directories will not exist, create them and add the file)
  • Linux: /etc/ldap/ldap.conf

However, using TLS_REQCERT never can be a bit of a security risk as it will ignore invalid certificates.

It's recommended to copy your domain CA cert to:

  • Windows: C:\OpenLDAP\sysconf
  • Linux: /etc/ssl/certs

Then, reference it in your ldap.conf with the full file path using (replace my-custom-path with the location of the file):

TLS_CACERT my-custom-path/ca.pem


The timeout option allows you to configure the amount of seconds to wait until your application receives a response from your LDAP server.

The default is 5 seconds.


The LDAP version to use for your connection.

Must be an integer and can either be 2 or 3.

Follow Referrals

The follow referrals option is a boolean to tell ActiveDirectory to follow a referral to another server on your network if the server queried knows the information your asking for exists, but does not yet contain a copy of it locally.

This option is defaulted to false.

Disable this option if you're experiencing search / connectivity issues.

For more information, visit:


Arbitrary options can be set for the connection to fine-tune TLS and connection behavior.


These are set above with the version, timeout and follow_referrals keys respectively.

Valid options are listed in the PHP documentation for ldap_set_option.

← Previous Topic


Next Topic →