I'm trying to add the user to my LDAP server. But I'm getting the below error.
PHP Warning: ldap_add(): Add: Referral
Code:
$ds = ldap_connect("HOST","PORT");
if ($ds) {
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
$bind = ldap_bind($ds, "adminusername", "Passwrd");
echo $bind;
// prepare data
$base_dn = 'CN=Manus Test,OU=UserAccounts,DC=rk.com,DC=rk';
$info["givenName"]="manu";
$info["sn"]="Manu";
$info["uid"]="manus";
$info["homeDirectory"]="/home/";
$info["mail"]="manus#gmail.com";
$info["displayName"]= "Jdkd sjs";
$info["cn"] ="Manus Test";
//$info["userPassword"]=>user_hash;
$info["objectclass"][0] = "top";
$info["objectclass"][1] = "person";
$info["objectclass"][2] = "inetOrgPerson";
$info["objectclass"][3] = "organizationalPerson";
// add data to directory
$r = ldap_add($ds, $base_dn, $info);
echo "Bind result is " . $r . "<br />";
Please let me know any suggestions.
Referrals can be returned if you are talking to a slave LDAP server (essentially a read-only copy of the directory). If you know you are talking to a server hosting a writable copy of the replica, referrals are also returned when the DN base is not something hosted by that server.
Looking at the code above, "DC=rk.com,DC=rk" is unusual. I generally see the "domain" components broken out so rk.com becomes "dc=rk,dc=com". Use an ldap browser to verify the pattern for fully qualified DNs in your directory.
Related
Firstly, Id like to state that my PHP/LDAP skillset is minimal so am looking for a sudo genius to help me solve this issue.
Having recently merged with another company, the business wants us to allow our users to authenticate against a PHP web application in another Active Directory domain that we have a forest trust with.
Below is the code I've been given for the LDAP connection and the previous person who was a PHP genius has now left the company and this has been lumped onto me to work out. The code is however not working. The users in domain where the PHP application is store are able to access correctly.
<?php
$browser_shortname = explode('\\', $_SERVER['AUTH_USER']);
// Generate the global LDAP connection to the specificed primary server.
$ldap_connection = ldap_connect($ldap_protocol.$ldap_primaryhost) or die( header('Location: /error/?e=LD01'));
ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, $ldap_protocolversion);
ldap_set_option($ldap_connection, LDAP_OPT_REFERRALS, $ldap_referrals);
if ($ldap_tls == 1) {
ldap_start_tls($ldap_connection);
}
if ($ldap_debug == 1) {
ldap_set_option($ldap_connection, LDAP_OPT_DEBUG_LEVEL, 7);
}
$ldap_binding = ldap_bind($ldap_connection, $ldap_domain.'\\'.$ldap_username, $ldap_password);
if (!$ldap_binding) {
include ('/core/styles/'.$theme_selected.'/templates/101.tpl');
die();
}
$ldapus_filter = "(sAMAccountName=$browser_shortname[1])";
$ldapus_result = ldap_search($ldap_connection, $ldap_dn, $ldapus_filter);
$ldapus_details = ldap_get_entries($ldap_connection, $ldapus_result);
if ($browser_shortname[0] == "MY-DOMAIN") {
$ldap_khaconnection = ldap_connect($ldap_protocol.$ldap_khahost) or die( header('Location: /error/?e=LD01'));
ldap_set_option($ldap_khaconnection, LDAP_OPT_PROTOCOL_VERSION, $ldap_protocolversion);
ldap_set_option($ldap_khaconnection, LDAP_OPT_REFERRALS, $ldap_referrals);
$ldapus_filter = "(sAMAccountName=$browser_shortname[1])";
$ldapus_result = ldap_search($ldap_khaconnection, $ldap_khadn, $ldapus_filter);
$ldapus_details = ldap_get_entries($ldap_khaconnection, $ldapus_result);
echo "This confirms the user is coming from KHA.";
echo $browser_shortname[1];
}
$ldap_userfullname = $ldapus_details[0]["displayname"][0];
$ldap_userfirstname = $ldapus_details[0]["givenname"][0];
$ldap_usertitle = $ldapus_details[0]["title"][0];
$ldap_accountname = $ldapus_details[0]["samaccountname"][0];
?>
I am using an Online LDAP Test Server here: http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/ to test some basic LDAP code.
I need to authenticate a user and retrieve some user information.
If I understand the information about the test server correctly I should be able to bind with users that belong to respective groups. With the code 'AS IS' below I can bind to un-commented $dn, but if I use any other $dn to authenticate, the bind fails.
What am I not understanding?
For example, tesla should belong to 'ou=scientists,dc=example,dc=com' but I am unable to authenticate tesla on that DN and subsequently I can't search for related information.
$dn = 'dc=example,dc=com';
// $dn = 'ou=mathematicians,dc=example,dc=com';
// $dn = 'ou=scientists,dc=example,dc=com';
$username = 'tesla';
$password = 'password';
$filter = "(uid=" . $username . ")";
$ldapDN = 'uid=' . $username . ',' . $dn;
$ldapCONN = ldap_connect("ldap.forumsys.com") or die("Could not connect to LDAP server.");
if ($ldapCONN)
{
ldap_set_option($ldapCONN, LDAP_OPT_PROTOCOL_VERSION, 3);
$ldapBIND = #ldap_bind($ldapCONN, $ldapDN, $password);
if ( $ldapBIND )
{
$result = ldap_search($ldapCONN, $dn, $filter) or die ("Error: ".ldap_error($ldapCONN));
$data = ldap_get_entries($ldapCONN, $result);
echo '<pre>';
print_r($data);
echo '</pre>';
}
else
{
echo "LDAP bind failed...";
}
}
When using LDAP, it is important to visualize how the database is organized.
Basically, all users are in the main folder. Use this folder to authenticate your user with, otherwise it will not work.
In this case the main folder where all users are in, is dc=example,dc=com. However, most LDAP servers use a main folder like cn=users,dc=example,dc=com.
Why are they using folders at all then? Well, that is to make it easier to categorize and search with a filter. For example, if you want to only show the names of scientists, you add the group Scientists to your search filter like $filter = "(ou=Scientists)". A filter for both groups would look like this: $filter = "(&(ou=Scientists)(ou=Mathematicians)". Now the server will take a look into this folder/these folders, and display just these members.
Hope this helps, for gaining further insight in how the server is organized, I can recommend installing Apache Directory Studio. It is free to download from their site, helped me a lot!
I am attempting to list group members for groups in a certain OU in Active Directory using PHP and LDAP. For the most part this works but if a user is from another domain, it won't pick up on them. Below is the most basic attempt I have tried. I have tried other code examples as well. With debugging turned on to 7, I see it binding to say the Asia domain and I can see the DN of the user in the error_log but it doesn't return in php.
<?php
//LDAP server address
$LDAP_Server = "ldap://americas.ad.company.com";
//AD User to use
$LDAP_User = "username#americas.ad.company.com";
//AD User Password
$LDAP_Password = "Password";
//FQDN path where search will be performed. OU - organizational unit / DC - domain component
$LDAP_DN = "OU=SITE,OU=US,DC=americas,DC=ad,DC=company,DC=com";
$LDAP_Search_String = "(&(objectCategory=person)(objectClass=user)(memberof=CN=SITE-UG-Group-M,OU=FileServer,OU=Groups,OU=SITE,OU=US,DC=americas,DC=ad,DC=company,DC=com))";
// connecting to LDAP server
$LDAP_Connection = ldap_connect($LDAP_Server);
$LDAP_Bind = ldap_bind($LDAP_Connection, $LDAP_User , $LDAP_Password);
ldap_set_option($LDAP_Connection, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($LDAP_Connection, LDAP_OPT_REFERRALS, 0);
// performing search
$LDAP_Search = ldap_search($LDAP_Connection, $LDAP_DN, $LDAP_Search_String);
// Sort the results based on description
ldap_sort($LDAP_Connection, $LDAP_Search, 'samaccountname');
$LDAP_Data = ldap_get_entries($LDAP_Connection, $LDAP_Search);
echo "Found " . $LDAP_Data["count"] . " members<br><br>";
for ($i=0; $i<$LDAP_Data["count"]; $i++) {
echo $LDAP_Data[$i]["dn"] . "<br>" . $LDAP_Data[$i]["cn"][0] . "<br>";
}
?>
I am trying to do an ldap authorization and then a secondary check for membership in a group. System is an Ubuntu machine running php 5.3.10 authenticating against a Server2008 R2 Active Directory. I can't seem to get ldap_search() to work. I have pulled the DN from jExplore so I am pretty sure the DN is correct. ldap_bind works (in another function) with the credentials so I am sure the server and the username/password are valid. The error:
PHP Warning: ldap_search(): Search: Operations error in /var/www/zzz.php on line 28
The code:
$ldap = ldap_connect('ldap://xxx.xxx');
$admins = $auth['admin'];
// User not logged in, user level '0'
if (!isset($user))
{
return 0;
}
// DN
$group_dn = 'CN=IT Employees,OU=groups,OU=users,OU=xxx,DC=xxx,DC=xxx';
// Filter
$filter = '(sAMAccountName=' . $user . ')';
// Attributes
$attr = array("memberof","givenname");
echo $group_dn.' '.$filter.' '.$attr.'<br />';
// Check if the user is a member of the Admin Group
$SubGroups = ldap_search($ldap, $group_dn, $filter, $attr); //Search the admin group for user.
$debug = ldap_get_entries($ldap, $SubGroups);
echo $debug['count'];
if ($debug['count']>>0)
{
// Yep, you are set admin. (User level 2)
echo "Admin Set<br />";
return 2;
}
else
{
// Failure. Thou art a normal user. (User level 1)
echo "Admin Denied<br />";
return 1;
}
}
$ldap = ldap_connect('ldap://xxx.xxx');
needed to change to
$ldap = ldap_connect('ldap://xxx.xxx');
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_start_tls($ldap);
$bind= ldap_bind($ldap, 'user','pass');
I think this filter should work:
(&(objectClass=user)(sAMAccountName=yourUserName)
(memberof=CN=YourGroup,OU=Users,DC=YourDomain,DC=com))
Well I am sure this could be tuned to work for you.
-jim
I'm trying to authenticate to Active Directory using PHP (5.3.2)/Apache (2.0.59)/Windows (2003).
However, I'm getting the following error:
ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error in E:\my_page.php on line 15
Here is my current script:
putenv('LDAPTLS_REQCERT=never');
$resource = ldap_connect("xxx")
or die("Failed to connect to LDAP server.");
echo "Connected to LDAP server.<br />";
//these options may not be necessary in all environments
ldap_set_option($resource, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($resource, LDAP_OPT_REFERRALS, 0);
$result = ldap_start_tls($resource) or die("Failed to start TLS.<br />");
echo "Started TLS.<br />";
$result = ldap_sasl_bind($resource, NULL, '', 'GSSAPI', 'xxx', '', '')
or die("Failed to GSSAPI bind.<br />");
echo "GSSAPI bound.";
I've looked at this question for help, however, I keep seeing references to ldap.conf.
Is this for OpenLDAP as in, the LDAP server your connecting to? If it is, I could ignore it due to using an existing enteprise Active Directory ?
Or is this for the PHP libraries connecting to an LDAP server (ie. ldap_connect())?
Edit #1
Screenshot of Wireshark...
I see in there, unknown CA... how would I go solving this (looking online ATM).
Edit #2
Update, I'm now getting a different error. I created ldap.conf on c:\ and c:\openldap\sysconf
Content of ldap.conf:
#
# LDAP Defaults
#
TLS_REQCERT never
Now, it's stuck at the ldap_sasl_bind method which is normal - it's not installed.
Edit #3
Final product:
function isAuthenticated($user, $pass){
//init
$ldap_server = "";
$ldap_user = "";
$ldap_pass = "";
$ldap_dn = "";
$ldap_filter_fields = array("dn","cn","samaccountname");
//establish connection
$ldap_conn = ldap_connect($ldap_server)
or die("Failed to connect to LDAP server.");
//these options may not be necessary in all environments
ldap_set_option($resource, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($resource, LDAP_OPT_REFERRALS, 0);
//Magic happens here, encrypted tunnel starts!
$result = ldap_start_tls($ldap_conn) or die("Failed to start TLS.<br />");
$out = 0;
//connect using our known user
if($bind = ldap_bind($ldap_conn, $ldap_user, $ldap_pass)){
//search for the user
$ldap_search_results = ldap_search($ldap_conn, $ldap_dn, "samaccountname=".$user, $ldap_filter_fields) or die ("Failed to search LDAP");
//get entry
$ldap_record = ldap_get_entries($ldap_conn, $ldap_search_results);
debug($ldap_record);
if($ldap_record["count"] > 0){
//try to authenticate user here
if($bind2 = #ldap_bind($ldap_conn, $ldap_record[0]["dn"], $pass))
$out = 1;
else
//wrong password
$out = 0;
}
else
//user wasn't found
$out = 3;
}
else
//something happened when connecting with our ldap_user
$out = 2;
return $out;
}
You're on the right track with your unknown CA. I have had a similar issue with PHP on CentOS connecting to AD. I had to export the CA certificate from the AD server and configure it to be trusted on the CentOS system, which involved copying the certificate to /etc/openldap/cacerts and running OpenSSL's c_rehash. Unfortunately, I'm not sure how to tell you to get that same setup working under Windows.
Yes you are required to change the ldap.conf file and change the value of TLS_REQCERT to demand if you are trying to connect with the AD for which the trust has not been established on your host machine running Apache. If you have certificate from a trusted CA i.e. already installed on the machine OS keystore then it may run with the TLS_REQCERT set to never otherwise you will have to explicitly give the certificates and change the variable TLS_REQCERT.