I have successfully authenticated against ldap in php, but I'm not able to retrieve information during search. This Ad authentication works fine in .net application but in php I have not received any information during search.
$search_filter = "(sAMAccountName=*xyz*)" ;
$attributes = array("memberof","givenname");
$ldap = ldap_connect($server);
if($ldap)
echo "successful";
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); // generally needed with AD.
//ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 2.4);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
$ldapbind = ldap_bind($ldap,$username,$password);
if ($ldapbind) {
echo "<br> LDAP Connect successful...";
} else {
echo "<br>LDAP Connect failed...";
}
$search = ldap_search($ldap, $base_dn, $search_filter);
$data = ldap_get_entries($ldap, $search);
Related
This is my LDAP code to authenticate a user. I have to show users full name once the user had logged in. How do I get the full name of the user from AD?
<?php
FUNCTION ldapCheckLogin ($username, $upasswd) {
$ldaphost = '10.20.30.40';
$ldapport = 389;
$ds = ldap_connect($ldaphost, $ldapport)
or die("Could not connect to our login server!");
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
if ($ds)
{
//$username = 'na\'; //OK - Congratulations! na\spups is authenticated.
$upname = 'iap\\' . $username;
$ldapbind = #ldap_bind($ds, $upname, $upasswd);
if ($ldapbind) {
//print "Congratulations! $username is authenticated.<BR><BR>";
ldap_unbind( $ds );
return true;
} else { //print "$username - Access Denied!<BR><BR>";
return false;
}
} else {
return false;
}
}
?>
You need to retrieve the user's entry using ldap_search with the user's samAccountName e.g. (samaccountname=$username) or userPrincipalName e.g. (userprincipalname=$username . "#" . $domain.com ) as the filter attribute.
samaccountname is only unique in the domain whereas userPrincipalName is unique across the entire forest.
When you perform the ldap_search you need to include the cn or displayName in the attributes to return.
If the search is successful then you need to process the resulting entry and extract the cn and/or the displayName.
I am trying to connect to LDAP server but I am always getting 'Error trying to bind: invalid credentials' when I supplied the right credentials. How do I troubleshoot this issue? How do I know if connection is successful? I am stuck here please let me know if there are any suggestions.
<?php
$domain = 'school123.edu';
$username = 'test';
$password = 'password';
$ldapconfig['host'] = 'server123';
$ldapconfig['port'] = 389;
$ldapconn=ldap_connect($ldapconfig['host'], $ldapconfig['port']);
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $username, $password) or die ("Error trying to bind: ".ldap_error($ldapconn));
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...<br /><br />";
} else {
echo "LDAP bind failed...";
}
$dn='dc=school123,dc=edu';
$result = ldap_search($ldapbind,$dn,'(&(objectClass=*)(sAMAccountName=' . $username. '))');
$entries = ldap_get_entries($ldapconn, $result);
echo $entries["count"]." entries returned\n";
// all done? clean up
ldap_close($ldapconn);
?>
I am trying to query Active directory for a given user group membership.
When I search a specific user's OU, the search works ok.
When I try to search the entire directory, the result is empty.
Since I have many user OU's, and specific user OU may vary.
The system is CentOS 6.4 with PHP+Apache.
Here is the code:
$ldap_dn = "dc=ccc,dc=bbb,dc=aaa,dc=com";
// Active Directory user for querying
$query_user = "ldap_bind#ccc.bbb.aaa.com";
$password = "xxxx";
// Connect to AD
$ldap = ldap_connect($ldap_host, 389) or die("Could not connect to LDAP");
ldap_bind($ldap,$query_user,$password) or die("Could not bind to LDAP");
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
// Search AD
$results = ldap_search($ldap,$ldap_dn,"(sAMAccountName=$user)",array("memberof","primarygroupid"));
$entries = ldap_get_entries($ldap, $results);
if($entries['count'] == 0) {
echo "No results\n";
return false;
}
Have anyone ever seen similar results? am I missing something or any configuration to support such search?
The correct code iss...
$ldap_dn = "dc=ccc,dc=bbb,dc=aaa,dc=com";
// Active Directory user for querying
$query_user = "ldap_bind#ccc.bbb.aaa.com";
$password = "xxxx";
// Connect to AD
$ldap = ldap_connect($ldap_host, 389) or die("Could not connect to LDAP");
->>> bfore ldap_bind<<<- ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
->>> bfore ldap_bind<<<- ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
ldap_bind($ldap,$query_user,$password) or die("Could not bind to LDAP");
// Search AD
$results = ldap_search($ldap,$ldap_dn,"(sAMAccountName=$user)",array("memberof","primarygroupid"));
$entries = ldap_get_entries($ldap, $results);
if($entries['count'] == 0) {
echo "No results\n";
return false;
}
I am working on a login form that uses LDAP to authenticate users. However I do not know how to pass the username as a POST variable along with the DN credentials. This is working allowing me to send a password from a login form:
<?php
// using ldap bind
$ldaprdn = 'uid=my.name,cn=XXX,dc=XXX,dc=XXX,dc=XXX'; // ldap rdn or dn
$ldappass = $_POST['userPassword']; // user password
// connect to ldap server
$ldapconn = ldap_connect("server.domain.com")
or die("Could not connect to LDAP server.");
// Set some ldap options for talking to
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if ($ldapconn) {
// binding to ldap server
$ldapbind = #ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...\n";
} else {
echo "LDAP bind failed...\n";
}
}
?>
However this does not when trying to append the value contained within the POST variable to the CN and DN values.
<?php
// using ldap bind
$ldaprdn = "uid = . $_POST['userLogin'] . 'cn=XXX,dc=XXX,dc=XXX,dc=XXX'"; // ldap rdn or dn
$ldappass = $_POST['userPassword']; // user password
// connect to ldap server
$ldapconn = ldap_connect("server.domain.com")
or die("Could not connect to LDAP server.");
// Set some ldap options for talking to
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if ($ldapconn) {
// binding to ldap server
$ldapbind = #ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...\n";
} else {
echo "LDAP bind failed...\n";
}
}
?>
Can this be achieved this way? I believe I can only pass three variables using the LDAP_bind function,
Many Thanks
You are incorrectly using quotes here and have missed a comma:
$ldaprdn = "uid = . $_POST['userLogin'] . 'cn=XXX,dc=XXX,dc=XXX,dc=XXX'";
should be
$ldaprdn = 'uid =' . $_POST['userLogin'] . ',cn=XXX,dc=XXX,dc=XXX,dc=XXX';
or
$ldaprdn = "uid =$_POST['userLogin'],cn=XXX,dc=XXX,dc=XXX,dc=XXX";
Remember that using single quotes around variables will not resolve the variable to its value (and thus concatenation is required), but using double quotes will.
And on top of that: never work with user-inputted-data directly in your scripts - validate the input or at the very least use htmlentities() or strip_tags()...
My aim is to change passwords in Active Directory through a web interface using PHP & IIS.
I have been following the instructions on http://www.ashleyknowles.net/2011/07/iis-php-and-ldaps-with-active-directory/
Prior to following these instructions I could not get a bind to the AD for an LDAPS connection, however after following these instructions it seems to successfully connect, yet gives an error of "Server is unwilling to perform" when I attempt to change the "unicodePwd" value.
Please note that the code below will successfully change any other value of a user in the AD.
<?php
$ldaprdn = 'CN=Admin User,OU=*******,OU=Staff,OU=********,DC=********,DC=*******,DC=******,DC=*****';
$ldappass = "*******"; // associated password
$ldapconn = ldap_connect("ldaps://***.***.***.***:636" ) or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if ($ldapconn) {
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...";
$username = '******';
$dn = "CN=Bob Smith,OU=******,OU=******,OU=******,DC=******,DC=******,DC=******,DC=******";
$newPassword = 'blah';
$newEntry = array('unicodePwd' => encodePwd($newPassword));
print_r($newEntry);
if(ldap_mod_replace($ldapconn, $dn, $newEntry)) {
print "<p>succeded</p>";
} else {
print "<p>failed</p>";
}
print_r(ldap_error($ldapconn));
} else {
echo "LDAP bind failed...";
print_r(ldap_error($ldapconn));
}
}
// Credit: http://www.cs.bham.ac.uk/~smp/resources/ad-passwds/
function encodePwd($pw) {
$newpw = '';
$pw = "\"" . $pw . "\"";
$len = strlen($pw);
for ($i = 0; $i < $len; $i++)
$newpw .= "{$pw{$i}}\000";
$newpw = base64_encode($newpw);
return $newpw;
}
?>
SOLVED!!
It turns out that by following the Ashley Knowles tutorial, I was successfully establishing a SSL connection over LDAP, however the error was occurring because of the password encoding.
The credit for the successful password encoding goes to hd42 on this forum post, which enabled me to modify my code accordingly.
Therefore, once you have correctly installed the certificates etc in the harddrive on the IIS server, this code will successfully modify a user password in Active Directory using PHP through an IIS web server (assuming that the $ldaprdn user has sufficient admin rights):
<?php
$ldaprdn = 'CN=Admin User,OU=*******,OU=Staff,OU=********,DC=********,DC=*******,DC=******,DC=*****';
$ldappass = "*******"; // associated password
$ldapconn = ldap_connect("ldaps://***.***.***.***:636" ) or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if ($ldapconn) {
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...";
$dn = "CN=Bob Smith,OU=******,OU=******,OU=******,DC=******,DC=******,DC=******,DC=******";
$newPassword = 'blah';
$newPassword = "\"" . $newPassword . "\"";
$newPass = mb_convert_encoding($newPassword, "UTF-16LE");
$newEntry = array('unicodePwd' => $newPass);
print_r($newEntry);
if(ldap_mod_replace($ldapconn, $dn, $newEntry)) {
print "<p>succeded</p>";
} else {
print "<p>failed</p>";
}
print_r(ldap_error($ldapconn));
} else {
echo "LDAP bind failed...";
print_r(ldap_error($ldapconn));
}
}