What I got.
I got a simple HTML login form, where username and password are passed to an ldap.php. I am able to successfully login, as soon as I use cn= instead of sAMAccountName=as a parameter. For Example, the user Mickey Mouse and mmouse as login does not work. Instead I need to login with Mouse \, Mickey. Which is pretty uncomfortable.
Do I need to authenticate, with an privilege account first and perform another bind with the wanted user afterwards?
Whats the problem?
If I replace cn= with sAMAccountName= I run into an ldap_bind error.
<?php
// LDAP Bind parameters
$ldap_dn = "sAMAccountName=".$_POST["username"].",OU=User of myCompany,OU=myCompany,DC=myDomain,DC=com";
$ldap_password = $_POST["password"];
$ldap_connection = ldap_connect("myCompany.com");
// Set LDAP protocol version
ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3);
// Set LDAP returns to 0
ldap_set_option($ldap_connection, LDAP_OPT_REFERRALS, 0);
if (ldap_bind($ldap_connection, $ldap_dn, $ldap_password))
echo "Anmeldung erfolgreich";
else
echo "Anmeldung fehlgeschlagen";
?>
Related
Im working on adding authentication to one of my dashboards.
My setup is a little unique I believe. We use a service account to obtain the DN of a user, this query works as expected. We then bind a second time using that new dn instead of the service account. This also works, so technically at this point, the user is properly authenticated.
I'm trying to perform a second ldap_search after succesful bind as the dn I pull from the first query. This is unfortunately giving me the results of the previous ldap_search. This is what I'm not understanding.
if($bind = #ldap_bind($ldap, $ldap_dn, $adminpass)) {
// valid
echo "bound to ldap<BR>\n";
$filter = "(&(objectclass=user)(samaccountname=$user))";
$attr = array("dn, password, samaccountname");
$dn = "DC=CORP,DC=COMPANY,DC=com";
$result = ldap_search($ldap, $dn, $filter, $attr) or exit("Unable to search LDAP server");
$entries = ldap_get_entries($ldap, $result);
// Now build second query to bind and authenticate as user.
$ldap_dn_bind = $entries["0"]["dn"];
echo $ldap_dn_bind;
if($ubind = #ldap_bind($ldap, $ldap_dn_bind, $password)) {
echo "bound as $user - $ldap_dn_bind<BR>\n\n"; // Works
$u_attr = array("description, physicaldeliveryofficename, postaladdress, st, postalcode, title, telephonenumber, mobile, samaccountname, givenname, sn, company, displayname, employeetype, mail, manager, employeeID, KMADescription, terminationdate");
$u_result = ldap_search($ldap, $dn, $filter, $u_attr) or exit("Unable to search LDAP server");
echo "ldap search<BR>\n";
$u_entries = ldap_get_entries($ldap, $u_result);
echo "print u_entries";
print_r($u_entries);
echo "done";
} else {
die("failed to authenticate user");
}
This line:
$u_result = ldap_search($ldap, $dn, $filter, $u_attr) or exit("Unable to search LDAP server");
seems to work as desired and no error about performing the ldap search.
$u_entries however contains the same information as $entries and this is where I'm having a problem. I'm trying to obtain details about the user and insert them into a local db if they're not already present.
I had the same problem before, check if your LDAP server lets external connections in.
Check your $dn variable if you're using emails only enter the stuff after the # sign
Also be sure that your admin credentials
also this link helped me understand it a bit more:
https://github.com/Adldap2/Adldap2-Laravel/issues/224
Note i worked with Laravel
My attributes array was incorrect and by definition ldap_search will ALWAYS return the DN. Problem resolved.
This is my setting:
$base_dn = 'OU=Users,OU=MYCOMPANY_COM,DC=MYCOMPANY,DC=LOCAL';
$ldap_postfix = '#MYCOMPANY.LOCAL';
ldap_set_option($this->conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($this->conn, LDAP_OPT_REFERRALS, 0);
$search_filter = '(&(objectCategory=*)(objectClass=*)(SAMAccountName=' . $username . '*))';
Mu ldap is on Microsoft ActiveDirectory.
It works well and I get all parameters of requested username from ldap except info about department.
What am I dooing wrong?
After some investigation I found the problem.
It was due at AD was department empty. After this attribute was filled ldap return it.
Simple and stupid.
Quite new to PHP and LDAP here, looking for some assistance with a personal project (trying to teach myself!).
I would like to password protect certain pages on our website using a simple login box.
My login.php page contains a simple login form with username and password inputs. I have managed to get the login process working using the code below. I am able to use my Active Directory username/pass to login via this form and proceed to the desired page, no issues.
However I'm not sure if I am doing it the 'correct' way.
My code;
ldap.php
session_start();
function authenticate($user, $password) {
if(empty($user) || empty($password)) return false;
$ldaphost = "ad.example.com";
$ldap_dn = "DC=ad,DC=example,DC=com";
$ldap_user_group = "Staff";
$ldap_usr_dom = '#ad.example.com';
$ldap = ldap_connect($ldaphost);
if($bind = ldap_bind($ldap, $user.$ldap_usr_dom, $password) or die ("Error: ".ldap_error($ldap))) {
$filter = "(sAMAccountName=".$user.")";
$attr = array("");
$result = ldap_search($ldap, $ldap_dn, $filter) or exit("Unable to search LDAP server") or die ("Error searching: ".ldap_error($ldap));
$entries = ldap_get_entries($ldap, $result);
ldap_unbind($ldap);
}
foreach($entries[0]['memberof'] as $grps) {
if(empty($grps) || empty($ldap_user_group)) return false;
if(strpos($grps, $ldap_user_group)) {
$access = 1;
} else {
}
}
if($access != 0) {
$_SESSION['user'] = $user;
$_SESSION['access'] = $access;
return true;
} else {
return false;
}
}
I've been told (by someone else) that this particular LDAP authentication process should work in two steps, as follows;
A search is made for the entered user name. I would recommend you use a search user DN and password for this – a user that has search permissions. It binds with these credentials before making the search. If the search succeeds it retrieves the DN of the found user and the search attribute which will later be used to look up the member record.
A second bind is then made with the retrieved user DN and the entered password. If this bind succeeds then the user is authenticated.
My questions are;
Is the above statement correct?
Are two 'binds' necessary?
Can't I just bind the LDAP connection with the credentials the user entered?
Any advice is appreciated, I'm struggling to get my head round the authentication process really :s
Short Answers:
yes
yes
no
Long answer:
Currently you can only bind with the users username and email-address. And that only works with AD as backend. So when you want to do an AD-Authenticator that's OK. But you specificslly asked for an LDAP-Authenticator. And an LDAP bind only works witha DN as the "username". As most of your users will not know that it's easier for them to remember an email-address or a username for a login. So you will need to find the DN to the users login-data. So you will need to do a search in the LDAP and for that you have to bind. So to bind as the user you need to bind... To get around that circular dependency you need to bind first as someone that has read access to the Directory and use that session to find the DN of the user. When found you use that DN and the user-provided password to do a second bind to verify the users credentials.
I did a talk about that just two days ago at zendcon. You can find the slides with some examples at https://heiglandreas.github.io/slidedeck/Directory_Authentication_with_LDAP/20161019%20-%20zendcon/index_online.html
I searched every days for my problem, I tried many solutions and I didn't find... :(
I want to create an user using ldap_add with PHP. Working fine without enable account and without password. You find the code below.
Can you help me, please?
Config :
PHP 5.6
Windows Server 2012 R2 with AD
I can enable an account when I use $info["useraccountcontrol"]=544; but the account isn't with a password... User must loggon without password and type his new password at the first connection. *
I tried to add a password with $info['userPassword'] and chand useraccountontrol at 512 and I get this error :
ldap_add(): Add: Server is unwilling to perform
Here is my code :
<?php
$name = htmlspecialchars($_POST["name_build"]);
$lastname = htmlspecialchars($_POST["lastname_build"]);
$department = utf8_encode(htmlspecialchars($_POST["department_build"]));
$title = utf8_encode(htmlspecialchars($_POST["title_build"]));
$dn="CN=$name OU=Users, o=Domocom, c=net";
$ds = ldap_connect("192.168.1.1",389);
if ($ds) {
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // IMPORTANT
ldap_bind($ds, "administrateur#domocom.net", "password");
// Prépareles données
$cn = $info["cn"] = "$lastname $name";
$info["sn"]="$name";
$info["givenname"]="$lastname";
$info["displayname"]="$lastname $name";
$info["name"]="$lastname $name";
$info["userprincipalname"]= "$lastname.$name#domocom.net";
$info["samaccountname"]= "$lastname.$name";
$info["title"]="$title";
$info["department"]="$department";
$info["mail"]="$lastname.$name#domocom.fr";
$info["postalcode"]="69009";
$info["objectClass"][0]="user";
//$info['userPassword'] = "password";
//$info["useraccountcontrol"]=544;
$r = ldap_add($ds,"CN=$cn,OU=Users,OU=Direction,OU=Domocom-SP,DC=domocom,DC=net", $info);
ldap_close($ds);
} else {
echo "unable to connect to ldap server";
}
?>
Thanks a lot.
PS : it's fake society for my school. :p
If it's an AD you might need to use a secure LDAP-Connection.
For that you'll need to call ldap_connect('ldaps://192.168.1.1:<port of the AD>');. Calling ldap_connect with two parameters is deprecated and should be avoided. Use it with an LDAP-URI!
You can also omit the if…else around the ldap_connect as it will return true in almost all cases. And a true return-value does not mean that a connection to the server actually as established. A connection is first established on the first ldap_-command that needs a connection which is typically ldap_bind.
And then you might want to have a look at Change AD password using PHP, Issue updating AD password using PHP and Change AD Password using PHP/COM/ADSI/LDAP
I have a php script which works but I need to change it to use an AD account (samaccountname) instead of CN in this sample;
<?php
$base_dn="CN=Peter Parker,OU=Subcontainer,OU=Subcontainer,OU=Container,
DC=domain,DC=com";
$ldapconn = ldap_connect("host.domain.com") or die("Could not connect to LDAP server.");
if ($ldapconn)
{
$ldapbind = ldap_bind($ldapconn, $ldapusername, $ldappassword);
if ($ldapbind)
{
echo "LDAP bind successful ...";
}
else
{
echo "LDAP bind failed ...";
}
}
$newinfo['ipphone']="555";
ldap_modify($ldapconn,$base_dn,$newinfo);
?>
The intention is to modify the ipphone object for users in AD, but I can't use CN because this input is not unique enough for the task. If the CN in the account's base DN is the descriptive name of the user, am I out of luck?
You have to give ldap_modify the distinguished name (DN) of the account you want to change. There is no way around that.
If you start out only knowing the sAMAccountName, then you can search the domain for the account first, then grab the distinguishedName attribute from the results.
To search, use ldap_search using the filter "(sAMAccountName=username)"