Well, what a fun journey I have been on with this one.
The problem you are having is that your machine does not accept the server's certificate as valid. The simple work around to this is to disable the check, which is done in the ldap.conf file, or with an environment variable.
You can edit the file at /etc/openldap/ldap.conf (c:openldapsysconfldap.conf on Windows) or create one if it doesn't already exist and put this line in it:
TLS_REQCERT never
...or you can create an environment variable named LDAPTLS_REQCERT with the value never.
Once I had done either of those things, the following script worked for me:
<?php
// Settings
$host = 'server.domain.local';
$port = 389;
$user = 'administrator';
$pass = 'password';
// Connect, set options and bind
$ds = ldap_connect($host, $port);
if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) exit('Could not disable referrals');
if (!ldap_set_option($ds, LDAP_OPT_REFERRALS, 0)) exit('Could not disable referrals');
if (!ldap_start_tls($ds)) exit('Could not start TLS');
if (!ldap_bind($ds, $user, $pass)) exit('Bind operation failed');
// A quick list operation to make sure it worked
if (!$result = ldap_list($ds, 'dc=domain,dc=local', 'objectClass=*')) exit('List operation failed');
print_r(ldap_get_entries($ds, $result));
Annoyingly, neither putenv('LDAPTLS_REQCERT=never'); nor $_ENV['LDAPTLS_REQCERT'] = 'never'; will work - you have to either create the config file or statically set the variable.
If you want to validate the certificates, you will need to do some further reading on how to configure OpenLDAP properly.
Sources for this:
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
