I am trying to get user information from LDAP function. I need a single sign in for my PHP application on Active Directory. I am using following function:
$ldapserver = 'abc.com';
$ldapuser = 'ali#abc.com';
$ldappass = 'xyz';
$attributes_ad = array
("displayName","description","cn","givenName","sn","mail","co","mobile","company","
displayName");
// define base
$base ="";
// connect
$ldapconn = ldap_connect($ldapserver) or die("Could not connect to LDAP server.");
if($ldapconn) {
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldapuser, $ldappass) or die ("Error trying to
bind: ".ldap_error($ldapconn));
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...<br /><br />";
$result = ldap_search($ldapconn, $base, "mail=$email*", $attributes_ad) or die ("Error in search
query");
$info = ldap_get_entries($ldapconn, $result);
//Now, to display the results we want:
for ($i=0; $i<$info["count"]; $i++)
{
// to show the attribute displayName (note the case!)
echo $info[$i]["displayname"][0];
}
}
}
Above code requires username and password both but I need a solution that can get the username and password whenever someone will login with AD credentials I need to use them to authenticate my login for my PHP application (actually it is an intranet application). Please help me with that I need to fetch all available user info from active directory.
Related
I am working on a php web application where I have to authenticate users with company's active directory. That part is clear, the problem is I need to maintain the session for later use. Like I need to check if some userID exists in AD or not. Admin will sign in once and then in later stages he needs to verify if xyz users exist or not. I am using following for login:
<?php
// using ldap bind
$ldaprdn = 'uname'; // ldap rdn or dn
$ldappass = 'password'; // associated password
// connect to ldap server
$ldapconn = ldap_connect("ldap.example.com")
or die("Could not connect to LDAP server.");
if ($ldapconn) {
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...";
} else {
echo "LDAP bind failed...";
}
}
?>
Any idea how can we maintain session so that Admin doesn't have to login on each user lookup?
Thanks
I am trying to figure out how to reset a LDAP user password when connected as another user (admin user) in PHP for a password reset feature.
$this->con = ldap_connect($this->server);
ldap_set_option($this->con, LDAP_OPT_PROTOCOL_VERSION, 3);
$user_search = ldap_search($this->con, $this->dn,"(|(uid=$user)(mail=$user))");
$this->user_get = ldap_get_entries($this->con, $user_search);
$user_entry = ldap_first_entry($this->con, $user_search);
$this->user_dn = ldap_get_dn($this->con, $user_entry);
$this->user_id = $this->user_get[0]["uid"][0];
$entry = array();
$entry["userPassword"] = "$encoded_newPassword";
ldap_modify($this->con, $this->user_dn, $entry)
(aggregated from class methods) This works for resetting a user's password using the old password, but how would you go about doing a password change with another user (admin in this case)?
I think there is something about the LDAP authentication/binding that I am not understanding. Perhaps someone can point me in the right direction.
can I do a ldap_bind before the ldap_modify that will allow me to use user_dn and update the user as the admin user?
Not clear on how this all works.
OpenLDAP is the implementation being used.
You can call ldap_bind with the dn/password of your admin user to establish the connection as this (admin) user.
Sample from the PHP manual
// using ldap bind
$ldaprdn = 'uname'; // ldap rdn or dn
$ldappass = 'password'; // associated password
// connect to ldap server
$ldapconn = ldap_connect("ldap.example.com")
or die("Could not connect to LDAP server.");
if ($ldapconn) {
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...";
} else {
echo "LDAP bind failed...";
}
}
so i had used php to connect to AD using LDAP and i had successfully retrieved the data using LDAP-PHP connection...
my ad is like...
my code is...
<?php
// config
$ldapserver = 'ad.univ3.edu';
$ldapuser = 'some';
$ldappass = 'some';
$ldaptree1 = "OU=TEST,OU=STUDENT,DC=ad,DC=univ3,DC=edu";
// connect
$ldapconn = ldap_connect($ldapserver) or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
if($ldapconn){
echo "Connected to ".$ldapserver.'<br /><br />';
}
if($ldapconn) {
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldapuser, $ldappass) or die ("Error trying to bind: ".ldap_error($ldapconn));
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...<br /><br />";
$result = ldap_search($ldapconn, $ldaptree1, "cn=*") or die ("Error in search query: ".ldap_error($ldapconn));
$data = ldap_get_entries($ldapconn, $result);
//SHOW ALL DATA
echo '<pre>';
print_r($data);
echo '</pre>';
$count = ldap_count_entries($ldapconn, $result);
// print number of entries found
echo "Number of entries found: " . $count;
} else {
echo "LDAP bind failed...";
}
}
// all done? clean up
ldap_close($ldapconn);
?>
i got details in print_r($data); but i get it in array...
i need like.. find all OU inside domain dynamically and get count in each OU(like users, computers, etc...) via specifying only domain..
i don't want to hardcode stuff like..
$ldaptree1 = "OU=TEST,OU=STUDENT,DC=ad,DC=univ3,DC=edu";
any ideas?? i can't get reference to do this as the information about LDAP is Generic...
Thanks in advance...
I'm trying to list my Active Directory users using PHP ldap_list() function. I get the following errors when I execute the php code.
LDAP bind successful... Warning: ldap_list(): Search: Bad search filter in /var/www/html/ldapn.php on line 29
Below is my PHP Code:
<?php
// using ldap bind
$ldaprdn = 'draven#myserver.com'; // ldap rdn or dn
$ldappass = 'draven678'; // associated password
// connect to ldap server
$ldapconn = ldap_connect("dc.myserver.com")
or die("Could not connect to LDAP server.");
if ($ldapconn) {
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...";
} else {
echo "LDAP bind failed...";
}
$basedn = "dc=myserver, dc=com";
$justthese = array("OU_Test");
$sr = ldap_list($ldapconn, $basedn, "OU_Test=*", $justthese);
}
?>
note : OU_Test is an Organizational unit. My requirement is to list all users in that Organizational Unit.
What's wrong with my code? How will I be able to resolve this error?
To list all users in the Organizational Unit 'OU_TEST' with ldap_list() :
Use the appropriate $basedn. It should be the distinguished name of 'OU_TEST' since you want to list users that are INSIDE OU_TEST. You can get it with ldap_search().
Use the appropriate filter : to list only users, filter by users.
// 1. Get OU_TEST's dn. Search down the tree using a top/root dn as $basedn :
$basedn = "dc=myserver, dc=com";
// Filters usually looks like ([attributeName]=[attributeValue])
$filter = '(ou=OU_TEST)';
$sr = ldap_search($ds, $basedn, $filter);
... say we put the resulting dn in $OU_TEST_dn variable...
// 2. List users. If users are missing, use 'objectClass=organizationalPerson'
$filter = '(objectClass=Users)';
// Use the correct basedn
$basedn = $OU_TEST_dn;
// This should work
$sr = ldap_list($ldapconn, $basedn, $filter);
the filter here should be in braces:
here is how:
$sr = ldap_list($ldapconn, $basedn, "(OU_Test=*)", $justthese);
This should work just fine.
If it doesn't work
follow the example here
<?php
$ldapconfig['host'] = '10.10.10.10';
$ldapconfig['port'] = NULL;
$ldapconfig['basedn'] = 'dc=company,dc=com';
$ds=ldap_connect($ldapconfig['host'], $ldapconfig['port']);
$dn="uid=".$username.",ou=OU_TEST,".$ldapconfig['basedn'];
if ($bind=ldap_bind($ds, $dn, $password)) {
echo("Login correct");
} else {
echo("Unable to bind to server.</br>");
echo("msg:'".ldap_error($ds)."'</br>"); //check if the message isn't: Can't contact LDAP server :)
//if it say something about a cn or user then you are trying with the wrong $dn pattern i found this by looking at OpenLDAP source code :)
//we can figure out the right pattern by searching the user tree
//remember to turn on the anonymous search on the ldap server
if ($bind=ldap_bind($ds)) {
$filter = "(OU_TEST=*)";
if (!($search=#ldap_search($ds, $ldapconfig['basedn'], $filter))) {
echo("Unable to search ldap server<br>");
echo("msg:'".ldap_error($ds)."'</br>"); //check the message again
} else {
$number_returned = ldap_count_entries($ds,$search);
$info = ldap_get_entries($ds, $search);
echo "The number of entries returned is ". $number_returned."<p>";
for ($i=0; $i<$info["count"]; $i++) {
var_dump($info[$i]); //look for your user account in this pile of junk and apply the whole pattern where you build $dn to match exactly the ldap tree entry
}
}
} else {
echo("Unable to bind anonymously<br>");
echo("msg:".ldap_error($ds)."<br>");
}
}
?>
Let me know if it does not work. We will try and figure it out!
I am having a little trouble with my PHP LDAP login. My first bind is successful, but my second bind is not even if the credentials are correct. I tried using the credentials I use to the second bind in the first one to make sure it worked, and sure enough it can bind it at the first one. Why am I not being able to bind the second time?
<?php
// Define $myusername and $mypassword
$username=$_POST['username'];
$password=$_POST['password'];
// using ldap bind
$ldaprdn = 'uid=MYUID,ou=special,ou=people,o=myo.com,dc=mydc,dc=com'; // ldap rdn or dn
$ldappass = 'PASSWORD'; // associated password
// connect to ldap server
$ldapconn = ldap_connect("ldaps://MYLDAPSERVER", ###)
or die("Could not connect to LDAP server.");
if ($ldapconn)
{
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind)
{
$result = ldap_search($ldapconn, "ou=people,o=myo.com,dc=mydc,dc=com", "uid=$username");
$info = ldap_get_entries($ldapconn, $result);
$userdn = $info[0]["dn"];
$count = $info["count"];
ldap_unbind($ldapconn);
if ($count == 1)
{
$ldapbinduser = ldap_bind($ldapconn, $userdn, $password);
if ($ldapbinduser)
{
echo "Sucess you made it all the way<br />";
}
else
{
echo "Invalid Login Details, please try again(1001)";
}
}
else
{
echo "Invalid Login Details, please try again(1002)";
}
}
else
{
echo "LDAP bind failed(1000)";
}
}
Although its name might implicate something different, ldap_unbind() actually kills the connection handle so that the connection is not usable any more after an unbind. Remove the ldap_unbind() call from your code and everything should work as expected.