I am trying to connect to LDAP server but I am always getting 'Error trying to bind: invalid credentials' when I supplied the right credentials. How do I troubleshoot this issue? How do I know if connection is successful? I am stuck here please let me know if there are any suggestions.
<?php
$domain = 'school123.edu';
$username = 'test';
$password = 'password';
$ldapconfig['host'] = 'server123';
$ldapconfig['port'] = 389;
$ldapconn=ldap_connect($ldapconfig['host'], $ldapconfig['port']);
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $username, $password) or die ("Error trying to bind: ".ldap_error($ldapconn));
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...<br /><br />";
} else {
echo "LDAP bind failed...";
}
$dn='dc=school123,dc=edu';
$result = ldap_search($ldapbind,$dn,'(&(objectClass=*)(sAMAccountName=' . $username. '))');
$entries = ldap_get_entries($ldapconn, $result);
echo $entries["count"]." entries returned\n";
// all done? clean up
ldap_close($ldapconn);
?>
Related
I have PHP 7.0 on CentOS 7. And I've installed php-ldap module as well.
# yum install -y php php-ldap
...
# php -m
...
ldap
...
Now the following PHP codes works:
<?php
$ldapconn = ldap_connect("dc.example.com", 389) or die("Could not connect to LDAP server.");
if ($ldapconn) {
$ldaprdn = 'username';
$ldappass = 'password';
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
if ($ldapbind) {
echo "LDAP bind successful...";
} else {
echo "LDAP bind failed...";
}
}
$Result = ldap_search($ldapconn, "DC=example,DC=com", "(sAMAccountName=johndoe)");
$data = ldap_get_entries($ldapconn, $Result);
print_r($data);
?>
That works! I can connect, bind, and then even search for username johndoe and view his entire AD profile successfully.
Problem
But then I tried with SSL via port 636:
<?php
putenv('LDAPTLS_REQCERT=require');
putenv('LDAPTLS_CACERT=/var/www/html/servercert.der'); #I know, but this is just temporary location
$ldapconn = ldap_connect("dc.example.com", 636) or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_DEBUG_LEVEL, 7);
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if ($ldapconn) {
$ldaprdn = 'username';
$ldappass = 'password';
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
if ($ldapbind) {
echo "LDAP bind successful...";
} else {
echo "LDAP bind failed...";
}
}
$Result = ldap_search($ldapconn, "DC=example,DC=com", "(sAMAccountName=johndoe)");
$data = ldap_get_entries($ldapconn, $Result);
print_r($data);
?>
I got this error:
Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /var/www/html/index.php on line 14
LDAP bind failed...
Warning: ldap_search(): Search: Can't contact LDAP server in......
What am I missing please?
Note:
We have port 636 opened on Windows AD Server and it is reachable from this PHP web server.
Server certificate is valid.
I figured out the ldap_connect should be as below:
ldap_connect("ldaps://dc.example.com:636")
And then all of sudden it worked!
Note: If it is on Apache, it is worth restarting it after changing to above code.
so i had used php to connect to AD using LDAP and i had successfully retrieved the data using LDAP-PHP connection...
my ad is like...
my code is...
<?php
// config
$ldapserver = 'ad.univ3.edu';
$ldapuser = 'some';
$ldappass = 'some';
$ldaptree1 = "OU=TEST,OU=STUDENT,DC=ad,DC=univ3,DC=edu";
// connect
$ldapconn = ldap_connect($ldapserver) or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
if($ldapconn){
echo "Connected to ".$ldapserver.'<br /><br />';
}
if($ldapconn) {
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldapuser, $ldappass) or die ("Error trying to bind: ".ldap_error($ldapconn));
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...<br /><br />";
$result = ldap_search($ldapconn, $ldaptree1, "cn=*") or die ("Error in search query: ".ldap_error($ldapconn));
$data = ldap_get_entries($ldapconn, $result);
//SHOW ALL DATA
echo '<pre>';
print_r($data);
echo '</pre>';
$count = ldap_count_entries($ldapconn, $result);
// print number of entries found
echo "Number of entries found: " . $count;
} else {
echo "LDAP bind failed...";
}
}
// all done? clean up
ldap_close($ldapconn);
?>
i got details in print_r($data); but i get it in array...
i need like.. find all OU inside domain dynamically and get count in each OU(like users, computers, etc...) via specifying only domain..
i don't want to hardcode stuff like..
$ldaptree1 = "OU=TEST,OU=STUDENT,DC=ad,DC=univ3,DC=edu";
any ideas?? i can't get reference to do this as the information about LDAP is Generic...
Thanks in advance...
Problem is that I can connect LDAP through PHP but I cannot bind to it.
In Apache Directory Studio I can connect and bind without any problem but in PHP result is always "FAIL".
How to bind to LDAP with PHP?
<?php
$ldaphost = "ldaps://server.net";
$ldapport = 636;
$ldapconn = ldap_connect($ldaphost, $ldapport);
if($ldapconn){
echo 'Connected';
$ldapbind = ldap_bind($ldapconn);
if($ldapbind){
echo "OK";
} else {
echo "FAIL";
}
}
Try to set the protocol version
<?php
// Anonymous connection
$ldaphost = "ldaps://server.net";
$ldapport = 636;
$ldapconn = ldap_connect($ldaphost, $ldapport)
or die("Cannot connect to LDAP server.");
if ($ldapconn) {
echo 'Connected';
// set protocol version
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
// anonymous identification
$ldapbind = ldap_bind($ldapconn);
if ($ldapbind) {
echo 'OK';
} else {
echo 'FAIL';
}
}
?>
My aim is to change passwords in Active Directory through a web interface using PHP & IIS.
I have been following the instructions on http://www.ashleyknowles.net/2011/07/iis-php-and-ldaps-with-active-directory/
Prior to following these instructions I could not get a bind to the AD for an LDAPS connection, however after following these instructions it seems to successfully connect, yet gives an error of "Server is unwilling to perform" when I attempt to change the "unicodePwd" value.
Please note that the code below will successfully change any other value of a user in the AD.
<?php
$ldaprdn = 'CN=Admin User,OU=*******,OU=Staff,OU=********,DC=********,DC=*******,DC=******,DC=*****';
$ldappass = "*******"; // associated password
$ldapconn = ldap_connect("ldaps://***.***.***.***:636" ) or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if ($ldapconn) {
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...";
$username = '******';
$dn = "CN=Bob Smith,OU=******,OU=******,OU=******,DC=******,DC=******,DC=******,DC=******";
$newPassword = 'blah';
$newEntry = array('unicodePwd' => encodePwd($newPassword));
print_r($newEntry);
if(ldap_mod_replace($ldapconn, $dn, $newEntry)) {
print "<p>succeded</p>";
} else {
print "<p>failed</p>";
}
print_r(ldap_error($ldapconn));
} else {
echo "LDAP bind failed...";
print_r(ldap_error($ldapconn));
}
}
// Credit: http://www.cs.bham.ac.uk/~smp/resources/ad-passwds/
function encodePwd($pw) {
$newpw = '';
$pw = "\"" . $pw . "\"";
$len = strlen($pw);
for ($i = 0; $i < $len; $i++)
$newpw .= "{$pw{$i}}\000";
$newpw = base64_encode($newpw);
return $newpw;
}
?>
SOLVED!!
It turns out that by following the Ashley Knowles tutorial, I was successfully establishing a SSL connection over LDAP, however the error was occurring because of the password encoding.
The credit for the successful password encoding goes to hd42 on this forum post, which enabled me to modify my code accordingly.
Therefore, once you have correctly installed the certificates etc in the harddrive on the IIS server, this code will successfully modify a user password in Active Directory using PHP through an IIS web server (assuming that the $ldaprdn user has sufficient admin rights):
<?php
$ldaprdn = 'CN=Admin User,OU=*******,OU=Staff,OU=********,DC=********,DC=*******,DC=******,DC=*****';
$ldappass = "*******"; // associated password
$ldapconn = ldap_connect("ldaps://***.***.***.***:636" ) or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if ($ldapconn) {
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...";
$dn = "CN=Bob Smith,OU=******,OU=******,OU=******,DC=******,DC=******,DC=******,DC=******";
$newPassword = 'blah';
$newPassword = "\"" . $newPassword . "\"";
$newPass = mb_convert_encoding($newPassword, "UTF-16LE");
$newEntry = array('unicodePwd' => $newPass);
print_r($newEntry);
if(ldap_mod_replace($ldapconn, $dn, $newEntry)) {
print "<p>succeded</p>";
} else {
print "<p>failed</p>";
}
print_r(ldap_error($ldapconn));
} else {
echo "LDAP bind failed...";
print_r(ldap_error($ldapconn));
}
}
I am having a little trouble with my PHP LDAP login. My first bind is successful, but my second bind is not even if the credentials are correct. I tried using the credentials I use to the second bind in the first one to make sure it worked, and sure enough it can bind it at the first one. Why am I not being able to bind the second time?
<?php
// Define $myusername and $mypassword
$username=$_POST['username'];
$password=$_POST['password'];
// using ldap bind
$ldaprdn = 'uid=MYUID,ou=special,ou=people,o=myo.com,dc=mydc,dc=com'; // ldap rdn or dn
$ldappass = 'PASSWORD'; // associated password
// connect to ldap server
$ldapconn = ldap_connect("ldaps://MYLDAPSERVER", ###)
or die("Could not connect to LDAP server.");
if ($ldapconn)
{
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind)
{
$result = ldap_search($ldapconn, "ou=people,o=myo.com,dc=mydc,dc=com", "uid=$username");
$info = ldap_get_entries($ldapconn, $result);
$userdn = $info[0]["dn"];
$count = $info["count"];
ldap_unbind($ldapconn);
if ($count == 1)
{
$ldapbinduser = ldap_bind($ldapconn, $userdn, $password);
if ($ldapbinduser)
{
echo "Sucess you made it all the way<br />";
}
else
{
echo "Invalid Login Details, please try again(1001)";
}
}
else
{
echo "Invalid Login Details, please try again(1002)";
}
}
else
{
echo "LDAP bind failed(1000)";
}
}
Although its name might implicate something different, ldap_unbind() actually kills the connection handle so that the connection is not usable any more after an unbind. Remove the ldap_unbind() call from your code and everything should work as expected.