LDAPs Query from Active directory - php

The goal is to connect an HTML page with PHP to an Active Directory.
The Active Directory is only accessible by the system admin.
So I would have to make a bind with the credentials of the sysadmin and then make a query inside the Active Directory with the credentials of the users.
Is that right?
So here is the code with which I tried to bind with the user credentials. But it always gives back the echo from the else branch, "Invalid Credential".
<?php
session_start(); // required before $_SESSION is written
$ldap_dn = "CN=".$_POST["username"].",OU=EUTM,OU=Users,OU=HQ,OU=ULTIMATE,DC=ultimate,DC=local";
$ldap_password = $_POST["password"];
$ldap_con = ldap_connect("ldaps://192.168.124.40:636");
ldap_set_option($ldap_con, LDAP_OPT_PROTOCOL_VERSION, 3);
// @ suppresses the warning ldap_bind() emits when the bind fails
if(@ldap_bind($ldap_con,$ldap_dn,$ldap_password))
{
$_SESSION['username'] = $_POST["username"];
header("Location: Startseite.php");
}
else
{
echo "Invalid Credential";
}
?>
EDIT
New Code
<?php
$ldap_dn = "CN=sysadmin";
$ldap_password = "123456";
$ldap_con = ldap_connect("ldaps://192.168.124.40:636");
ldap_set_option($ldap_con, LDAP_OPT_PROTOCOL_VERSION, 3);
if(@ldap_bind($ldap_con,$ldap_dn,$ldap_password))
{
echo "King";
}
else
{
echo "Invalid Credential";
}
?>
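The flow the question asks about (bind with a privileged account first, then deal with the user) is the usual pattern against AD, with the second step being a bind with the user's own credentials rather than a query run with them. The following is an added example of that flow, not code from any post on this page; it also covers the bare ldaps:// URI, the sAMAccountName lookup and the TLS-only simple bind that come up in the later threads. The hostname, DNs and service account are placeholder assumptions, and the certificate-check option assumes PHP 7.0.5 or newer.

```php
<?php
// Added example, not code from any post on this page. Assumes an AD domain
// controller at ldaps://dc.example.local:636 whose certificate chains to a CA the
// web server trusts, a low-privilege lookup account and the base DN below; every
// hostname, DN and account name is a placeholder.
const LDAP_URI  = 'ldaps://dc.example.local:636';
const LOOKUP_DN = 'CN=svc-ldap-lookup,OU=Service Accounts,DC=example,DC=local';
const LOOKUP_PW = 'change-me';                // load from a secret store in practice
const BASE_DN   = 'OU=Users,DC=example,DC=local';
// Open an LDAPS handle that refuses servers with an untrusted certificate.
function ad_connect()
{
    $con = ldap_connect(LDAP_URI);            // only the URI, no ",OU=..." suffix
    if ($con === false) {
        throw new RuntimeException('malformed LDAP URI');
    }
    ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($con, LDAP_OPT_REFERRALS, 0);            // AD sends referrals
    ldap_set_option($con, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    return $con;
}
// Bind as the lookup account, resolve the DN from sAMAccountName, then bind as
// the user. Returns the user's DN on success and null on any failure.
function ad_authenticate(string $username, string $password): ?string
{
    // An empty password turns a simple bind into an anonymous one that "succeeds".
    if ($password === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return null;
    }
    $con = ad_connect();
    try {
        if (!@ldap_bind($con, LOOKUP_DN, LOOKUP_PW)) {       // @: ldap_bind warns on failure
            throw new RuntimeException('lookup bind failed: ' . ldap_error($con));
        }
        // ldap_escape() keeps filter metacharacters in the input from rewriting the query.
        $filter  = '(&(objectClass=user)(sAMAccountName='
                 . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
        $res     = @ldap_search($con, BASE_DN, $filter, ['distinguishedName']);
        $entries = $res ? ldap_get_entries($con, $res) : ['count' => 0];
        if ($entries['count'] !== 1) {
            return null;                                      // unknown or ambiguous account
        }
        $userDn = $entries[0]['distinguishedname'][0];
        // The second bind, with the user's own credentials, is the real password check.
        return @ldap_bind($con, $userDn, $password) ? $userDn : null;
    } finally {
        ldap_close($con);
    }
}
```

A login page would call ad_authenticate($_POST['username'], $_POST['password']) and store the returned DN in the session only when it is non-null.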


How can i change from Ldap to Ldaps

I have functioning code that creates an LDAP connection to an online test server.
<?php
session_start(); // required before $_SESSION is written
$ldap_dn = "uid=".$_POST["username"].",dc=example,dc=com";
$ldap_password = $_POST["password"];
$ldap_con = ldap_connect("ldap.forumsys.com");
ldap_set_option($ldap_con, LDAP_OPT_PROTOCOL_VERSION, 3);
if(@ldap_bind($ldap_con,$ldap_dn,$ldap_password))
{
$_SESSION['username'] = $_POST["username"];
header("Location: Startseite.php");
}
else
{
echo "Invalid Credential";
}
?>
Now I want to change the code to connect to a local Windows server and retrieve data from the Active Directory.
This connection should be LDAPS.
Here is the code I tried.
<?php
session_start(); // required before $_SESSION is written
$ldap_dn = "uid=".$_POST["username"].",dc=ULTIMATE,dc=local";
$ldap_password = $_POST["password"];
$ldap_con = ldap_connect("ldaps://192.168.***.**:636,OU=ULTIMATE,DC=ultimate,DC=local");
ldap_set_option($ldap_con, LDAP_OPT_PROTOCOL_VERSION, 3);
if(@ldap_bind($ldap_con,$ldap_dn,$ldap_password))
{
$_SESSION['username'] = $_POST["username"];
header("Location: Startseite.php");
}
else
{
echo "Invalid Credential";
}
?>
And I get the following error:
Warning: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in C:\xampp\htdocs\Kulinarik\ldap.php on line 10
Why is it a bad parameter?
EDIT
So the Active Directory is password protected and the users who want to start the query have no rights.
So I would have to make a bind with the credentials of the sysadmin and then make a query inside the Active Directory with the credentials of the users.
Is that right?
Try something like:
$ldap_con = ldap_connect("ldaps://192.168.***.**:636");
without the ,OU=ULTIMATE,DC=ultimate,DC=local part.

login PHP to Active Directory Fail

I am trying to verify the authentication of a user through a simple PHP code, but I always get the same error, "Invalid credentials".
$ldap_dn = "uid=".$_POST["username"].",DC=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx";
$ldap_password = $_POST["password"];
$ldap_con = ldap_connect("xxx", 389);
ldap_set_option($ldap_con, LDAP_OPT_PROTOCOL_VERSION,3);
//check connection
if ($ldap_con === FALSE) {
die("<p> Couldn't connect to LDAP service </p>");
} else {
echo "<p> connessione avvenuta con successo </p>";
}
// check authentication (@ suppresses the warning ldap_bind() emits on failure)
if(@ldap_bind($ldap_con, $ldap_dn, $ldap_password)){
echo "Autenticato";
}else{
echo "Autenticazione Fallita <br>";
echo ldap_error($ldap_con);
}
The PHP code runs on XAMPP on a Windows 7 Pro PC already logged into the company domain.
I have obtained the AD address from the same machine on which I perform the tests; to retrieve the DN I used the program "Softerra LDAP Browser", but actually I'm not sure about this parameter.
When a user logs on to the domain, the username uses three letters of the surname followed by two of the first name, e.g. Name = Alfred / Surname = Pecora, username = pecal.
Does $ldap_dn in your code match the DN in AD properly?
If you are an administrator for the AD, you can confirm it by executing the dsquery command at a command prompt on the AD server,
e.g.,
dsquery user -name pecal
Or you can use the format <name>@<domain> instead of the DN format:
$ldap_dn = $_POST["username"]."@example.com";
I ran a new test:
$adServer = "xxx";
$ldap = ldap_connect($adServer,389);
$username = $_POST['username'];
$password = $_POST['password'];
$ldapRdnLogin = "CN=MyName MySurname,OU=CED,OU=Users,DC=intranet,DC=xxx,DC=xxx,DC=xx,DC=it";
$ldapRdn = "OU=Users,DC=intranet,DC=xxx,DC=xxx,DC=xx,DC=it";
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
$bind = @ldap_bind($ldap, $ldapRdnLogin, $password);
if ($bind) {
$filter="(sAMAccountName=$username)";
$result = ldap_search($ldap,$ldapRdn,$filter);
ldap_sort($ldap,$result,"sn");
$info = ldap_get_entries($ldap, $result);
for ($i=0; $i<$info["count"]; $i++)
{
if($info['count'] > 1)
break;
echo "<p>You are accessing <strong> ". $info[$i]["sn"][0] .", " . $info[$i]["givenname"][0] ."</strong><br /> (" . $info[$i]["samaccountname"][0] .")</p>\n";
echo '<pre>';
var_dump($info);
echo '</pre>';
$userDn = $info[$i]["distinguishedname"][0];
}
@ldap_close($ldap);
} else {
$msg = ldap_error($ldap);
echo $msg;
}
In the above example, binding with the "MyName MySurname" DN works and I can perform the search.
I think the problem is finding the right DN to bind with from the sAMAccountName.

How to get authorized user in ldap using php?

I want to use my system login password for a PHP login page, so I used the LDAP concept in my project. I have included my code below; everything seems fine, but when I run this code the result shows "Invalid user". I don't know why this is showing wrongly.
$ldaphost = 'abc.co.in';
$ldapport = '389';
$username = '4444';
$password = '4444pass';
$ldap = ldap_connect($ldaphost, $ldapport)
or die("Could not connect to $ldaphost");
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
$user = "uid=$username,dc=abc,dc=co,dc=in";
$bind = @ldap_bind($ldap, $user, $password); // @ suppresses the warning on a failed bind
if ($bind) {
echo "<br />Valid user";
} else {
$msg = "<br />Invalid user";
echo $msg;
}
Below is the result:
What is the fault in my code, or do I need to add anything?
Please find and solve this request. That will be more helpful to me.
Thank you in advance...
This is how my LDAP thing works. Change your LDAP host to be either "ldap://abd.asd.co:389" or "ldaps://asd.basd.co:636".
function verify_user() {
$user = $_REQUEST['user'];
$passwd = $_REQUEST['pass'];
// Bind to LDAP to check whether the user is valid
$server = "ldaps://ldap.server.com:636";
$dn = "uid=$user, ou=People, ou=something, dc=other, dc=whatever";
// Create a fake password if needed to keep people from anonymously
// binding to LDAP
if($passwd == '') { $passwd = "p"; }
$ldap = ldap_connect($server) or die("Can't connect to LDAP server!");
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
// StartTLS upgrades a plain ldap:// connection; it is not needed (and fails) when the URI is already ldaps://
ldap_start_tls($ldap);
if($ldap) {
$bnd = @ldap_bind($ldap, $dn, stripslashes($passwd)); // @ suppresses the warning on a failed bind
if(!$bnd) {
sleep(5);
echo "<br>Error: Bad Username or Password!<br>";
exit;
}
}
header("Location: {$_REQUEST['url']}"); /* Redirect browser */
exit;
}

ldap_mod_replace returns true but password does not change

I want to change a LDAP directory user's password using PHP.
After I bind to LDAP, I look for the desired user's DN by the sAMAccountName and retrieve the DN:
$filter="(samaccountname=desiredname.desiredname)";
$result = ldap_search($lh, $personnel_base, $filter) or die(ldap_error($lh));
//$data = ldap_get_entries($lh, $result);
$entry = ldap_first_entry($lh, $result);
$attributes = ldap_get_attributes($lh, $entry);
$dn = ldap_get_dn($lh, $entry); // DN of the matched user, used in the modify below
Then I use ldap_mod_replace to change the password:
$newpass = "Cevadetest123#!";
ldap_mod_replace($lh, $dn, array('userpassword' => "{MD5}".base64_encode(pack("H*",md5($newpass) ) ) ) ) or die(ldap_error($lh));
echo "Password changed!";
Though I get the "Password changed!" output, the password remains unchanged.
Any suggestions?
EDIT: I just noticed that the attribute userpassword does change, but to log in via LDAP I have to use the OLD password! What sorcery is this?
I found the answer. First of all, the field I had to change was unicodePwd, which cannot be read; it can only be modified. In order to write to this field you must first have a secure connection to LDAP. The hostname therefore is: ldaps://hostname.something.local
The next important step is to encode the password before writing the field:
$newpassword="HelloWorld123";
$newpassword = "\"".$newpassword."\""; // AD expects the new password wrapped in double quotes
$newPass = mb_convert_encoding($newpassword, 'UTF-16LE');
You can find the complete code here.
I'll just paste it below in case something happens with the link:
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
$ldapconn = ldap_connect('ldaps://127.0.0.1', 636);
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
$ldapuser="ldapuser";
$ldappwd="*****";
// values submitted by the password-change form
$username     = $_POST['username'];
$oldpassword  = $_POST['oldpassword'];
$newpassword  = $_POST['newpassword'];
$newpassword2 = $_POST['newpassword2'];
// search for user
ldap_bind($ldapconn, "CN=$ldapuser,CN=Users,DC=my,DC=company,DC=example", $ldappwd);
$res_id = ldap_search( $ldapconn, "CN=Users,DC=my,DC=company,DC=example", "sAMAccountName=$username");
if ($res_id) {
$entry_id = ldap_first_entry($ldapconn, $res_id);
if($entry_id){
$user_dn = ldap_get_dn($ldapconn, $entry_id);
if ($user_dn) {
$ldapbind = ldap_bind($ldapconn, $user_dn, $oldpassword);
// check if the old password allows a successful login
if($ldapbind) {
if(strcmp($newpassword, $newpassword2)==0){
// create the unicode password
$newpassword = "\"" . $newpassword . "\"";
$newPass = mb_convert_encoding($newpassword, "UTF-16LE");
//rebind as admin to change the password
ldap_bind($ldapconn, "CN=$ldapuser,CN=Users,DC=my,DC=company,DC=example", $ldappwd);
$pwdarr = array('unicodePwd' => $newPass);
if(ldap_mod_replace ($ldapconn, $user_dn, $pwdarr)) {
print "<p class='success'>Change password succeeded.</p>\n";
} else {
print "<p class='error'>Change password failed.</p>\n";
}
}else{
print "<p class='error'>New password must be entered the same way twice.</p>\n";
}
}else{
print "<p class='error'>Wrong user name or password.</p>\n";
}
} else {
print "<p class='error'>Couldn't load user data.</p>\n";
}
} else {
print "<p class='error'>Couldn't find user data.</p>\n";
}
} else {
print "<p class='error'>Username was not found.</p>\n";
}
if(ldap_error($ldapconn)!="Success"){
print "<p class='error'>LDAP Error:<br />\n";
var_dump(ldap_error($ldapconn));
print "</p>\n";
}
@ldap_close($ldapconn);

LDAP authentication in PHP

I'm trying to implement some code from these pages, but unsuccessfully.
I need to do LDAP authentication from PHP and have this code:
<?php
$ldap['user'] = "tester";
$ldap['pass'] = "test";
$ldap['host'] = '147.32.99.8';
$ldap['port'] = 636;
$ldap['conn'] = ldap_connect( $ldap['host'], $ldap['port'] )
or die("Could not connect to {$ldap['host']}" );
$ldap['bind'] = ldap_bind($ldap['conn'], $ldap['user'], $ldap['pass']);
if( !$ldap['bind'] )
{
echo ldap_error( $ldap['conn'] );
exit;
}
echo "<p>";
echo ($ldap['bind'])? "Valid Login" : "Login Failed";
echo "</p><br />";
ldap_close( $ldap['conn'] );
?>
But it doesn't work. I'm almost sure that the domain is missing from the user name. But where can I find the domain? I have only the IP address.
From the Softerra LDAP browser I have the following information:
URL: ldaps://147.32.99.8:636/cn=tester,ou=staff,ou=uceeb,o=cvut
Maybe there is another mistake, not only the missing domain, but I'm really an LDAP beginner.
Thank you for any reply that will help me.
This code sometimes works:
function authUserAD($username, $password, $ldap_server="147.32.99.8") {
$auth_user = $username;
if($connect = ldap_connect($ldap_server)){
ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
if(ldap_bind($connect, $auth_user, $password)) {
ldap_close($connect);
return(true);
}
}
ldap_close($connect);
return(false);
}
if(authUserAD("cn=tester,ou=staff,ou=uceeb,o=cvut", "test")) echo "<p>Login/password OK.</p>";
else echo "<p>Connection error.</p>";
But in the LDAP administration I have to change the value of "Require TLS for simple links with password" to NO and then back to YES again. After these two operations it works. But how can I do it without this strange operation?
