Our users in Active Directory are in various 'root' Organizational Units, how can I search for them?
What I currently have working is:
$search = "CN=John Doe";
$user = "username";
$psw = "password";
$server = "ldap://servername.eng.company.co.uk";
$dn = "OU=North,DC=eng,DC=company,DC=co,DC=uk"; // this is where we have others, like OU=South,DC=eng,DC=company,DC=co,DC=uk but I need the users to search them all as they don't know what OU they are in
$ds = ldap_connect($server);
$r = ldap_bind($ds, $user, $psw);
$sr = ldap_search($ds, $dn, $search);
$data = ldap_get_entries($ds, $sr);
If I remove the OU part completely then it brings nothing back.
I have tried making it an array and doing the ldap_search in a foreach loop, but that brings nothing back either.
Please can someone point me in the right direction? Many thanks.
As ldap_search by default does a subtree search, you should be able to use
$dn = "dc=company,dc=co,dc=uk";
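To show the subtree behaviour the answer relies on, here is an added example (not code from the question or the answer) that searches for one user from the domain root so that every OU beneath it is covered. The server name, bind credentials, base DN and the name being looked up are assumed placeholders; the user-supplied value is escaped before it goes into the filter, and only the needed attributes are requested.

```php
<?php
// Added example: subtree search from the domain root instead of one OU.
// Server, credentials, base DN and the searched name are assumed placeholders.

function findUserAcrossOus(string $server, string $bindUser, string $bindPass,
                           string $baseDn, string $cn): array
{
    $ds = ldap_connect($server);
    if ($ds === false) {
        throw new RuntimeException("bad LDAP URI: $server");
    }
    // Active Directory expects LDAPv3; turning referral chasing off avoids
    // unauthenticated follow-ups to other controllers when searching the root.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    if (!@ldap_bind($ds, $bindUser, $bindPass)) {
        throw new RuntimeException('bind failed: ' . ldap_error($ds));
    }

    // Escape the caller-supplied value so it cannot change the filter structure.
    $filter = '(&(objectClass=user)(cn=' . ldap_escape($cn, '', LDAP_ESCAPE_FILTER) . '))';

    // ldap_search() is a subtree search: starting at the domain root it descends
    // into OU=North, OU=South and every other container. ldap_list() would only
    // look one level down. The size limit of 10 caps an over-broad result set.
    $sr = ldap_search($ds, $baseDn, $filter,
                      ['distinguishedName', 'sAMAccountName', 'mail'], 0, 10);
    if ($sr === false) {
        throw new RuntimeException('search failed: ' . ldap_error($ds));
    }

    $found = [];
    $entries = ldap_get_entries($ds, $sr);
    for ($i = 0; $i < $entries['count']; $i++) {
        // ldap_get_entries() lowercases attribute names and adds 'count' keys.
        $found[] = [
            'dn'   => $entries[$i]['dn'],
            'sam'  => $entries[$i]['samaccountname'][0] ?? null,
            'mail' => $entries[$i]['mail'][0] ?? null,
        ];
    }
    ldap_unbind($ds);
    return $found;
}

// Usage with assumed values:
// $hits = findUserAcrossOus('ldap://servername.eng.company.co.uk',
//         'username@eng.company.co.uk', 'password',
//         'DC=eng,DC=company,DC=co,DC=uk', 'John Doe');
// foreach ($hits as $h) { echo $h['dn'], PHP_EOL; }
```

The returned DN tells you which OU the account actually lives in, which is what the original loop over OUs was trying to discover by hand.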
Related
I'm working on adding authentication to one of my dashboards.
My setup is a little unique, I believe. We use a service account to obtain the DN of a user; this query works as expected. We then bind a second time using that new DN instead of the service account. This also works, so technically at this point the user is properly authenticated.
I'm trying to perform a second ldap_search after a successful bind as the DN I pull from the first query. This is unfortunately giving me the results of the previous ldap_search. This is what I'm not understanding.
if($bind = @ldap_bind($ldap, $ldap_dn, $adminpass)) {
    // valid
    echo "bound to ldap<BR>\n";
    $filter = "(&(objectclass=user)(samaccountname=$user))";
    $attr = array("dn, password, samaccountname"); // one comma-joined string, not one element per attribute (see the resolution below)
    $dn = "DC=CORP,DC=COMPANY,DC=com";
    $result = ldap_search($ldap, $dn, $filter, $attr) or exit("Unable to search LDAP server");
    $entries = ldap_get_entries($ldap, $result);
    // Now build second query to bind and authenticate as user.
    $ldap_dn_bind = $entries["0"]["dn"];
    echo $ldap_dn_bind;
    if($ubind = @ldap_bind($ldap, $ldap_dn_bind, $password)) {
        echo "bound as $user - $ldap_dn_bind<BR>\n\n"; // Works
        $u_attr = array("description, physicaldeliveryofficename, postaladdress, st, postalcode, title, telephonenumber, mobile, samaccountname, givenname, sn, company, displayname, employeetype, mail, manager, employeeID, KMADescription, terminationdate"); // same problem: a single string
        $u_result = ldap_search($ldap, $dn, $filter, $u_attr) or exit("Unable to search LDAP server");
        echo "ldap search<BR>\n";
        $u_entries = ldap_get_entries($ldap, $u_result);
        echo "print u_entries";
        print_r($u_entries);
        echo "done";
    } else {
        die("failed to authenticate user");
    }
}
This line:
$u_result = ldap_search($ldap, $dn, $filter, $u_attr) or exit("Unable to search LDAP server");
seems to work as desired, with no error about performing the LDAP search.
$u_entries however contains the same information as $entries and this is where I'm having a problem. I'm trying to obtain details about the user and insert them into a local db if they're not already present.
I had the same problem before; check if your LDAP server lets external connections in.
Check your $dn variable: if you're using emails, only enter the stuff after the @ sign.
Also be sure that your admin credentials
Also, this link helped me understand it a bit more:
https://github.com/Adldap2/Adldap2-Laravel/issues/224
Note: I worked with Laravel.
My attributes array was incorrect and by definition ldap_search will ALWAYS return the DN. Problem resolved.
Quite new to PHP and LDAP here, looking for some assistance with a personal project (trying to teach myself!).
I would like to password protect certain pages on our website using a simple login box.
My login.php page contains a simple login form with username and password inputs. I have managed to get the login process working using the code below. I am able to use my Active Directory username/password to log in via this form and proceed to the desired page, no issues.
However, I'm not sure if I am doing it the 'correct' way.
My code;
ldap.php
session_start();

function authenticate($user, $password) {
    if (empty($user) || empty($password)) return false;

    $ldaphost = "ad.example.com";
    $ldap_dn = "DC=ad,DC=example,DC=com";
    $ldap_user_group = "Staff";
    $ldap_usr_dom = '@ad.example.com';

    $ldap = ldap_connect($ldaphost);
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);

    $entries = array();
    if (@ldap_bind($ldap, $user.$ldap_usr_dom, $password)) {
        // escape the username so it cannot change the filter structure
        $filter = "(sAMAccountName=".ldap_escape($user, '', LDAP_ESCAPE_FILTER).")";
        $attr = array("memberOf");
        $result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server: ".ldap_error($ldap));
        $entries = ldap_get_entries($ldap, $result);
        ldap_unbind($ldap);
    } else {
        return false; // bind failed: wrong credentials
    }

    if (empty($entries[0]['memberof']) || empty($ldap_user_group)) return false;

    $access = 0;
    // memberof carries a 'count' key plus numeric keys; strpos() can return 0
    // for a match at the start of the string, so compare against false
    for ($i = 0; $i < $entries[0]['memberof']['count']; $i++) {
        if (strpos($entries[0]['memberof'][$i], "CN=".$ldap_user_group.",") !== false) {
            $access = 1;
        }
    }

    if ($access != 0) {
        $_SESSION['user'] = $user;
        $_SESSION['access'] = $access;
        return true;
    } else {
        return false;
    }
}
I've been told (by someone else) that this particular LDAP authentication process should work in two steps, as follows;
A search is made for the entered user name. I would recommend you use a search user DN and password for this – a user that has search permissions. It binds with these credentials before making the search. If the search succeeds it retrieves the DN of the found user and the search attribute which will later be used to look up the member record.
A second bind is then made with the retrieved user DN and the entered password. If this bind succeeds then the user is authenticated.
My questions are;
Is the above statement correct?
Are two 'binds' necessary?
Can't I just bind the LDAP connection with the credentials the user entered?
Any advice is appreciated, I'm struggling to get my head round the authentication process really :s
Short Answers:
yes
yes
no
Long answer:
Currently you can only bind with the user's username and email address. And that only works with AD as backend. So when you want to do an AD-Authenticator that's OK. But you specifically asked for an LDAP-Authenticator. And an LDAP bind only works with a DN as the "username". As most of your users will not know that, it's easier for them to remember an email address or a username for a login. So you will need to find the DN from the user's login data. So you will need to do a search in the LDAP, and for that you have to bind. So to bind as the user you need to bind... To get around that circular dependency you need to bind first as someone that has read access to the Directory and use that session to find the DN of the user. When found, you use that DN and the user-provided password to do a second bind to verify the user's credentials.
I did a talk about that just two days ago at zendcon. You can find the slides with some examples at https://heiglandreas.github.io/slidedeck/Directory_Authentication_with_LDAP/20161019%20-%20zendcon/index_online.html
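The two-step flow described in this answer (and the attribute-list mistake from the dashboard question above) as an added example; this is not code from the answer, the linked slides or any project. The host, base DN, service-account DN and password, and the group DN are assumed placeholders.

```php
<?php
// Added example: two-step LDAP authentication with a read-only service
// account, then a rebind as the user, then a group check. All connection
// details below are assumed placeholders.

function ldapAuthenticate(string $user, string $password): ?array
{
    if ($user === '' || $password === '') {
        return null;   // an empty password would turn the bind into an anonymous one
    }
    $host    = 'ldaps://ad.example.com';                                           // assumed
    $baseDn  = 'DC=ad,DC=example,DC=com';                                          // assumed
    $svcDn   = 'CN=svc-ldap-read,OU=Service Accounts,DC=ad,DC=example,DC=com';     // assumed
    $svcPass = getenv('LDAP_SVC_PASSWORD') ?: '';                                  // assumed
    $groupDn = 'CN=Staff,OU=Groups,DC=ad,DC=example,DC=com';                       // assumed

    $ldap = ldap_connect($host);
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Step 1: bind as the read-only service account and look up the user's DN.
    if (!@ldap_bind($ldap, $svcDn, $svcPass)) {
        error_log('service bind failed: ' . ldap_error($ldap));
        return null;
    }
    $filter = '(&(objectClass=user)(sAMAccountName='
            . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . '))';
    // Attributes are separate array elements, not one comma-joined string.
    $sr = ldap_search($ldap, $baseDn, $filter, ['memberOf', 'displayName', 'mail'], 0, 2);
    if ($sr === false || ldap_count_entries($ldap, $sr) !== 1) {
        ldap_unbind($ldap);
        return null;   // unknown or ambiguous account
    }
    $e = ldap_get_entries($ldap, $sr)[0];
    $userDn = $e['dn'];

    // Step 2: rebind with the found DN and the password the user typed.
    if (!@ldap_bind($ldap, $userDn, $password)) {
        ldap_unbind($ldap);
        return null;   // wrong password, disabled or locked account
    }
    ldap_unbind($ldap);

    // Authorisation: compare full group DNs case-insensitively, skipping the
    // 'count' key that ldap_get_entries() adds to every multi-valued attribute.
    $groups = $e['memberof'] ?? ['count' => 0];
    $member = false;
    for ($i = 0; $i < $groups['count']; $i++) {
        if (strcasecmp($groups[$i], $groupDn) === 0) { $member = true; break; }
    }
    if (!$member) {
        return null;
    }
    return [
        'dn'   => $userDn,
        'name' => $e['displayname'][0] ?? $user,
        'mail' => $e['mail'][0] ?? null,
    ];
}

// Usage:
// session_start();
// if ($who = ldapAuthenticate($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
//     session_regenerate_id(true);
//     $_SESSION['user'] = $who;
// }
```

Returning null for every failure path (service bind, lookup, user bind, group check) keeps the caller from distinguishing "no such user" from "wrong password"; the detail goes to the server log instead.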
My problem is that when I try to retrieve the value of the attribute 'userPassword' it won't work. I'm working under PHP. The attribute exists: when I open phpLDAPadmin I can see it, but when I try to retrieve it using these lines of code it won't work:
$sr = ldap_search($ds, "ou=people,dc=powerm,dc=com", "uid=" . ldap_escape($login, '', LDAP_ESCAPE_FILTER)); // escape the login before it goes into the filter
$data = ldap_get_entries($ds, $sr);
$password = $data[0]["userpassword"][0];
$displayName = $data[0]["displayname"][0];
$num_tel = $data[0]["mobile"][0];
$mail = $data[0]["mail"][0];
The other attributes work fine except the userpassword.
Can anyone help?
Thanks.
Try specifying the attributes you want returned explicitly.
$dn = 'ou=people,dc=powerm,dc=com';
$filter = 'uid=' . ldap_escape($login, '', LDAP_ESCAPE_FILTER); // escape the login value
$attrs = ['displayname', 'userpassword', 'mobile', 'mail'];
$sr = ldap_search($ds, $dn, $filter, $attrs);
The directory may be configured not to return this security-sensitive attribute unless you explicitly ask for it.
It may also be that the attribute requires special privileges to access it: are you using the same credentials to connect to the directory in your code as you did in phpLDAPadmin?
The server may also be configured not to return the password unless it's over an encrypted connection, initiated using an ldaps:// URL passed to ldap_connect(), or using ldap_start_tls().
I'm new(ish) to LDAP. I have managed to list everything fine and I can unlock accounts; however, my current task is to do a "name change" for when a user gets married or if we set them up incorrectly, etc. What I have so far is failing. Please can anyone advise?
Thanks.
If the current $distinguishedname and dn is: CN=Lambo Innit,OU=Services,OU=UserDepartments,OU=North,DC=eng,DC=company,DC=co,DC=uk
and I want to change the distinguishedname and the dn, I'm having problems. $ds is working, as I can do other LDAP things with this (mod_replace etc.).
$newdn = 'CN=New Name';
$newOU = 'OU=Services,OU=UserDepartments,OU=North,DC=eng,DC=company,DC=co,DC=uk';
ldap_rename($ds, $distinguishedName, $newdn, $newOU, true);
EDITED to make it easier to read
Thanks for your post, you helped me figure out how to move a user from the OU=Contractors group to the OU=Employees group.
//variables
$ds1 = ldap_connect( <<your ldap connection>> );
$cn = 'firstname lastname';
$dn = 'CN='.$cn.',OU=Contractors,DC=AD,DC=MYCOMPANYNAME,DC=COM';
$newcn = 'CN='.$cn; //I use same value, since I don't want to change it
$newOU = 'OU=employees,DC=AD,DC=MYCOMPANYNAME,DC=COM';
//update Active Directory
ldap_rename($ds1, $dn, $newcn, $newOU, true);
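An added example (not the commenter's or the questioner's code) of the same ldap_rename() call wrapped with DN escaping of the new CN and a result check, since a name containing a comma or other special character would otherwise break the RDN. The connection handle and the DNs in the usage comment are assumed placeholders.

```php
<?php
// Added example: rename a user's RDN and/or move it to another parent with
// ldap_rename(), escaping the new CN and checking the outcome.
// $ds is assumed to be an already bound connection with write rights.

function renameAndMoveUser($ds, string $currentDn, string $newCn, string $newParentDn): bool
{
    // Characters such as ',' '+' '"' '\' '<' '>' ';' '#' and '=' inside a CN
    // would corrupt the RDN unless escaped with LDAP_ESCAPE_DN.
    $newRdn = 'CN=' . ldap_escape($newCn, '', LDAP_ESCAPE_DN);

    // The final argument drops the old RDN value from the entry's attributes,
    // which keeps the cn attribute consistent with the new name.
    $ok = @ldap_rename($ds, $currentDn, $newRdn, $newParentDn, true);
    if (!$ok) {
        error_log(sprintf('ldap_rename %s -> %s,%s failed: %s',
                          $currentDn, $newRdn, $newParentDn, ldap_error($ds)));
    }
    return $ok;
}

// Usage with assumed values:
// renameAndMoveUser($ds,
//     'CN=Lambo Innit,OU=Services,OU=UserDepartments,OU=North,DC=eng,DC=company,DC=co,DC=uk',
//     'New Name',
//     'OU=Services,OU=UserDepartments,OU=North,DC=eng,DC=company,DC=co,DC=uk');
```

Passing the current parent as $newParentDn renames in place; passing a different OU moves the object, which is the case the comment above describes.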
So I'm not getting the correct results returned for the user profile. Say I go to
http://localhost/scott
and when I look at the name, for example, I'd see Tony as the name, even though the URL doesn't look like
http://localhost/tony
Here's how I query:
//Get link username
$actual_link = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
$final = parse_url($actual_link, PHP_URL_PATH);
$username = str_replace('/','',$final);
Here's how I get the user info
//Get user info
$stmt2 = $con->prepare("SELECT * FROM users WHERE username=:username");
$stmt2->bindValue(':username', $username, PDO::PARAM_STR);
$stmt2->execute();
$return = $stmt2->fetch(PDO::FETCH_ASSOC);
And here's how I get the results. $return['name']; is an example. I might get the profile picture and other info. I think this has something to do with my sessions, but I don't see any noticeable issues on the other files. Any ideas? No errors either.