LDAP_BIND Can't contact LDAP server - php

I have a question for you.
My goal is to bind to an LDAP server with PHP.
When I try from a terminal (bash) I use:
ldapsearch -H ldaps://[server]:[port] -D [dn] -W
It works well.
When I try with a PHP script:
$server = array("ldaps://[server]", "[port]");
$userdn = "[dn]";
$userpw = "[pw]";
$ds = ldap_connect($server[0], $server[1]) or die("ldap server offline");
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
ldap_bind($ds, $userdn, $userpw);
Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server
I don't understand my mistake. I've searched all night long on Google.
Q/A
_ I use MAMP (Apache)
_ The LDAP server pings fine, and works with bash.
_ I use a firewall, but it doesn't work without it either.
_ All [var] values are OK, because in bash it works.

Adding TLS_REQCERT allow to ldap.conf makes it work! Thanks to @rooster

Related

SNI issues connecting to Google LDAP server

I'm trying to connect to Google's LDAP server with a cert, the basic code is
ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);
$ldap = ldap_connect('ldaps://ldap.google.com', 636);
putenv('LDAPTLS_REQCERT=demand');
putenv("LDAPTLS_CACERT=/etc/ssl/certs/ca-certificates.crt");
putenv("LDAPTLS_CERT=" . path('Google_2024_01_22_49615.crt'));
putenv("LDAPTLS_KEY=" . path('Google_2024_01_22_49615.key'));
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
ldap_start_tls($ldap);
ldap_sasl_bind($ldap, null, '', 'EXTERNAL');
$results = ldap_search($ldap, 'dc=foo,dc=com', 'uid=*');
print_r(ldap_get_entries($ldap, $results));
It fails on ldap_start_tls with "Unable to start TLS: Can't contact LDAP server". Looking into this further, I can see the real error is "TLS: peer cert untrusted or revoked (0x42)", which is caused by "hostname (ldap.google.com) does not match common name in certificate (invalid2.invalid)". Google returns this cert to indicate that SNI isn't supported (https://support.google.com/a/answer/9190869).
But my PHP version is 7.1.33, compiled in Dec 2020 on Ubuntu 20.04, with OpenLDAP 20449 (SASL Support enabled) and OpenSSL 1.1.1i. So why would I not have SNI supported? Elsewhere I see people using LDAPTLS_REQCERT=never to bypass this problem, but as Google requires a TLS cert and SASL, I need to use LDAPTLS_REQCERT=demand or PHP won't let me use the SASL EXTERNAL auth mechanism (https://gist.github.com/heiglandreas/8a299a6f47a13ba463c3f2da41c679f7) and I won't be able to authenticate.
It's worth noting that on the same machine the following command works perfectly, authenticates with SASL EXTERNAL and lists users:
LDAPTLS_CERT=Google_2024_01_22_49615.crt LDAPTLS_KEY=Google_2024_01_22_49615.key ldapsearch -X -W -D uid=MyUUID,ou=Users,dc=foo,dc=com -H ldaps://ldap.google.com:636 -b dc=foo,dc=com
I have also tried using the PHP options LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_CACERTDIR, LDAP_OPT_X_TLS_CACERTFILE, LDAP_OPT_X_TLS_KEYFILE and LDAP_OPT_X_TLS_CERTFILE, but they don't make a difference.
My problem here was using ldap_start_tls and ldap_sasl_bind (or ldap_bind) at the same time, when you only need one to open the connection, as well as using ldap_set_option with the resource, like ldap_set_option($ldap, LDAP_OPT_X_TLS_KEYFILE, $keyFilePath);, when it should be used on null, like ldap_set_option(null, LDAP_OPT_X_TLS_KEYFILE, $keyFilePath);, since it's overriding a /etc/ldap/ldap.conf variable.
Following https://www.php.net/manual/en/function.ldap-get-option.php#124601 was useful in figuring this out.
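As an added example (not code from any of the posts above), here is how the points from this answer and the first thread fit together: TLS options set on null before ldap_connect(), an ldaps:// URI, certificate checking kept at "demand" instead of "never", and the server's diagnostic message read back when the bind fails. Server name, CA bundle path and bind DN are placeholders.

```php
<?php
// Added example: LDAPS connect + bind with certificate verification kept on,
// returning the connection or a string explaining why the bind failed.

function ldaps_bind(string $uri, string $caFile, string $bindDn, string $password)
{
    // TLS settings are global in the OpenLDAP client library, so they go on
    // null (not on the handle) and must be set before ldap_connect().
    // Keeping REQUIRE_CERT at DEMAND means an untrusted or mismatched
    // certificate fails the handshake instead of being silently accepted,
    // which is what TLS_REQCERT never would do.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // ldap_connect() only parses the URI; no socket is opened yet.
    // An ldaps:// URI is the only way to request LDAPS from PHP.
    $ds = ldap_connect($uri);
    if ($ds === false) {
        return "ldap_connect() rejected URI $uri";
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // Without a timeout a filtered port hangs for minutes before failing.
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // The bind is the first real network operation; this is where
    // "Can't contact LDAP server" appears when TLS or the network fails.
    if (@ldap_bind($ds, $bindDn, $password)) {
        return $ds;
    }
    $diag = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    return sprintf('bind failed: (%d) %s%s', ldap_errno($ds), ldap_error($ds),
        $diag !== '' ? " - $diag" : '');
}

// Placeholder values; the password is read from the environment, not hard-coded.
$conn = ldaps_bind('ldaps://ldap.example.com:636',
    '/etc/ssl/certs/ca-certificates.crt',
    'cn=svc-app,ou=Users,dc=example,dc=com',
    getenv('LDAP_PASSWORD') ?: '');
if (is_string($conn)) {
    fwrite(STDERR, $conn . PHP_EOL);
    exit(1);
}
$res = ldap_search($conn, 'dc=example,dc=com', '(uid=*)', ['uid']);
echo 'entries: ' . ldap_count_entries($conn, $res) . PHP_EOL;
ldap_unbind($conn);
```

For TLS-level detail behind a "Can't contact LDAP server" message, ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7) before ldap_connect() prints the OpenLDAP client's handshake trace to stderr, as the question above does.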

Connect an active directory or LDAP with PHP

I am trying to connect the Active Directory or LDAP of Windows with an application (GLPI) written in PHP.
Connection parameters:
Connecting with the server:
$ds = ldap_connect($host, $port); // returns true
@ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
@ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
@ldap_set_option($ds, LDAP_OPT_DEREF, $deref_options);
Bind the connection with the user and password:
ldap_bind($ds, $login, $password);
returns me:
"Can't contact LDAP server"
I want to know what can cause that error message, since the first call returns true, which means that it does connect to the server.
The RootDN is fine, and the user I am using has all the permissions.
The default server is fine and I did ping and telnet.
Note: I already downloaded LDAPExplorer and established connection without problem.
Is the $ds = ldap_connect ... part missing, like it is in your code?
It should be something like:
$ds = ldap_connect($host, $port);
@ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
@ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
@ldap_set_option($ds, LDAP_OPT_DEREF, $deref_options);
ldap_bind($ds, $login, $password);
ldap_connect does not connect to the server, as is clearly stated in the docs. It merely creates a resource and checks whether the given values are plausible. The actual connection is established with the first command that requires a connection to the server, in this case the ldap_bind.
BTW: the "first method" does not return true but a resource handle. Only when you pass something absolutely not parseable will it return false. But never true.
I'd recommend using an LDAP URI instead of the $host, $port variation, as the PHP library has to do that internally otherwise. And it's the only way to e.g. establish an LDAPS connection.
OK, the solution to my problem was to upgrade from GLPI version 9.3.0 to 9.3.3.
Suggestions:
For users who run into this, check the messages GLPI shows about pending installation packages. I opted for the update and the connection worked without problem.
For users who cannot update the version, verify whether Apache packages are pending installation or update; also, during the setup installation process, be very careful to install the entire list that appears pending.
To fix some errors after installing version 9.3.3:
chown -R apache:apache glpi/files
chmod -R 755 glpi/files
chown -R apache:apache config
chmod -R 755 glpi/config
also:
setsebool -P httpd_can_network_connect_db 1
Thank you.

php ldap search slow and failed, while ldapsearch command with same host, port and users works good

I've got this problem and have no idea how to solve it; can anyone give some suggestions? :)
The command line I use:
ldapsearch -LLL -h xxx -p xxx -x -D user01 -w aost.234 -b "DC=contoso,DC=com" "objectClass=*"
I can get the result with the command, but if I use the following PHP code, I always get an error from the ldap_search function:
<?php
echo microtime(true).": start connect ldap server\r\n";
// Host and port are redacted in the original post; ldap_connect() only parses them here.
$ldapconn = ldap_connect('xxxx', xxx) or die("Could not connect to LDAP server");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
// ldap_set_option($ldapconn, LDAP_OPT_DEBUG_LEVEL, 7);
// ldap_set_option($ldapconn, LDAP_OPT_NETWORK_TIMEOUT, 5); // bounds the wait seen in the output below
echo microtime(true).": ldap server connected, start bind ldap session\r\n";
$ldapbind = ldap_bind($ldapconn, 'user01', 'aost.234');
if (!$ldapbind) {
    die(microtime(true).": ldap bind failed: ".ldap_error($ldapconn)."\r\n");
}
echo microtime(true).": ldap session binded, start search\r\n";
$result = ldap_search($ldapconn, "DC=contoso,DC=com", "objectClass=*");
if (!$result) {
    die(microtime(true).": ldap search returns false\r\n");
}
echo microtime(true).": ldap search result found\r\n";
$info = ldap_get_entries($ldapconn, $result);
print_r($info);
?>
I tried to execute this php and get this:
[root@localhost ~]# php ldap_test.php
1512703670.3936: start connect ldap server
1512703670.3943: ldap server connected, start bind ldap session
1512703670.4689: ldap session binded, start search
PHP Warning: ldap_search(): Search: Can't contact LDAP server in /media/sf_www/ldap_test.php on line 18
1512704185.0035: ldap search returns false

PHP ldap_bind is not working on azure with a message can't contact Ldap server

I have a Laravel 5 app. With the code below, I am able to successfully authenticate with Active Directory when on localhost and with the company network cable plugged into my computer.
public static function connect_ldap($username, $password)
{
    $ldapServer = DirectorySetting::where('config_key', 'LdapServerAddress')->value('config_value');
    $conn = ldap_connect($ldapServer, 389);
    if (!$conn) return false;
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    $bindServerLDAP = @ldap_bind($conn, $username, $password);
    if (!$bindServerLDAP) return false;
    return $conn;
}
However, our test and production servers are on Microsoft Azure. When I try to authenticate, I get the error below:
Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /var/www/html/test_ldap.php on line 70
Error Binding to LDAP: No additional information is available
Observations
ldap_connect is successful
I can successfully ping the LDAP server address
ldap_bind is unsuccessful. Enabling verbose output here doesn't help either; it just tells me that no additional information is available
The systems team says they have created a link between the on-premise and Azure Active Directory
My server is CentOS 7; I have enabled the booleans httpd_can_network_connect and httpd_can_connect_ldap like below:
sudo setsebool -P httpd_can_network_connect on
sudo setsebool -P httpd_can_connect_ldap on
I have equally added in /etc/openldap/ldap.conf the variable below:
TLS_REQCERT never
Even with this, it doesn't work.
What could be wrong?

Set Active Directory Password via PHP and LDAPS

Okay I am stumped.
I am trying to write some PHP code to create a user in active directory with a password.
The PHP will run on an Ubuntu server, if it makes any difference, talking to a Server 2008 R2 Windows Domain Controller.
I can create the user no problem using PHP, but I cannot set the password. I have tried what feels like every possible piece of code on the internet but it just will not work.
I believe that I have to create the user and then modify the password after. As a result I have the following code.
$domadlogin = 'domainadminusername';
$domadpw = 'a2b3c4d5e';
$domctrl = 'ldaps://DCIPADDRESS';
$ldapServer = $domctrl;
$ldapBase = 'OU=Users,DC=example,DC=co,DC=uk';
$ds = ldap_connect($ldapServer);
if (!$ds) {die('Cannot Connect to LDAP server');}
// Options have to be set before the bind; setting the protocol version afterwards does not affect it.
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
$ldapBind = ldap_bind($ds,$domadlogin,$domadpw);
if (!$ldapBind) {die('Cannot Bind to LDAP server');}
$dn_user='CN=Test User,OU=New Users,OU=Users,DC=example,DC=co,DC=uk';
$newPassword = "1.Password!";
$newPassword = "\"" . $newPassword . "\"";
// AD expects the quoted password as UTF-16LE: each ASCII character followed by a NUL byte.
$len = strlen($newPassword);
$newPassw = '';
for ($i = 0; $i < $len; $i++)
{
    $newPassw .= $newPassword[$i] . "\000";
}
// ldap_modify() sends the raw bytes; base64 is only the LDIF notation for binary values.
$userdata['unicodePwd'] = $newPassw;
$result = ldap_modify($ds, $dn_user, $userdata);
if ($result) echo "User modified!" ;
else echo "There was a problem!";
ldap_unbind($ds);
I know that LDAPS is working as this works
ldapsearch -x -d 2 -LLL -H ldaps://DCIPADDRESS -b 'OU=Users,DC=example,DC=co,DC=uk' -D 'domainadminusername' -W '(sAMAccountName=username)'
Can anyone tell me what I am doing wrong?
Thanks
I'm not a PHP writer; here are some guidelines from a closed question I answered:
Using PHP, you can create a user with the right password, or change an AD user's password, using LDAP with a simple bind on an SSL connection.
For this you need to install a certificate on your AD server. The simple way (not the most attractive) is to install Microsoft Certificate Server on your domain (Enterprise installation, see Configuring Microsoft Active Directory for SSL Access) and then reboot your domain controller. You can also generate a certificate with OpenSSL and install it on the computer (see How to enable LDAP over SSL with a third-party certification authority).
Here is a sample LDIF file that allows creating a user with his password over an SSL connection; in it you will find the way I generate the base64 string for the password:
# Imported with:
# ldifde -i -t 636 -f .\Annuaire3.ldf
# Password generated by ("" must be encoded inside):
# stringconverter.exe \"test.2011\" /unicode /encode
# Connection then tested with:
# runas /user:jdupont cmd.exe (password is test.2011)
dn: cn=Jean Dupont,OU=MonOU,DC=societe0,DC=fr
changetype: add
objectClass: user
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Jean Dupont
givenName: Jean
sn: Dupont
mail: jean.Dupont@societe.fr
telephoneNumber: 9999
userAccountControl: 544
sAMAccountName: jdupont
userPrincipalName: jdupont@societe.fr
unicodePwd:: IgB0AGUAcwB0AC4AMgAwADEAMQAiAA==
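As an added example (not from the question or the answer above), this is the PHP equivalent of the LDIF approach: the quoted password encoded as UTF-16LE and written with ldap_mod_replace() over LDAPS, plus a check that the encoding reproduces the unicodePwd value in the LDIF above. Host, DNs and credentials are placeholders.

```php
<?php
// Added example: encode a unicodePwd value the way AD expects and apply it.

// AD wants the new password wrapped in double quotes and encoded as UTF-16LE.
// The PHP extension sends raw bytes; base64 is only how LDIF ("::") writes
// binary values in a text file, so it must not be applied here.
function encode_unicode_pwd(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

// Cross-check against the LDIF above: its unicodePwd:: line is the base64 of
// exactly this encoding of test.2011 (quotes included).
function matches_ldif_sample(): bool
{
    return base64_encode(encode_unicode_pwd('test.2011'))
        === 'IgB0AGUAcwB0AC4AMgAwADEAMQAiAA==';
}

function set_ad_password($ds, string $userDn, string $newPassword): bool
{
    // AD refuses unicodePwd writes on a non-TLS connection, hence ldaps:// below.
    $ok = @ldap_mod_replace($ds, $userDn, ['unicodePwd' => encode_unicode_pwd($newPassword)]);
    if (!$ok) {
        $diag = '';
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        // "Constraint violation" here usually means the domain password policy
        // (length, complexity, history) rejected the value, not an encoding error.
        fwrite(STDERR, sprintf("unicodePwd update failed: (%d) %s %s\n",
            ldap_errno($ds), ldap_error($ds), $diag));
    }
    return $ok;
}

if (!matches_ldif_sample()) {
    die("encoding does not reproduce the LDIF sample value\n");
}

// Placeholder values; both passwords come from the environment, not source code.
$ds = ldap_connect('ldaps://dc.example.co.uk');
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);   // before the bind, not after
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
if (!@ldap_bind($ds, 'admin@example.co.uk', getenv('AD_ADMIN_PW') ?: '')) {
    die('bind failed: ' . ldap_error($ds) . PHP_EOL);
}
set_ad_password($ds, 'CN=Test User,OU=New Users,OU=Users,DC=example,DC=co,DC=uk',
    getenv('NEW_USER_PW') ?: '');
ldap_unbind($ds);
```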
