php ldap bind can't contact server - php

I'm using CentOS 7, and I'm getting a "Can't contact LDAP server" error when using the PHP ldap_bind() function. I've tried ldapsearch and it connected successfully. I'm not sure how to solve the issue. Any help is welcome.
<?php
$ldaphost = "HOST";
$ldapport = PORT;
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
$ldapconn = ldap_connect($ldaphost, $ldapport);
if ($ldapconn) {
    $ldapbind = ldap_bind($ldapconn);
    if (!$ldapbind) {
        echo ldap_error($ldapconn);
    } else {
        echo "it finally worked";
    }
}
ldap_close($ldapconn);
And my command line ldapsearch is
ldapsearch -h HOST -p PORT

Related

Can't connect LDAP over SSL with PHP script but I can with ldp.exe

I've been stuck at this step for days.
I'm successfully connecting to my LDAP server from a client-server using LDP.exe over port 636, so I'm
connecting securely. I've configured a self-signed certificate from CA on the LDAP server and also have it placed on the client-server, which allows me to do the step above.
However, when I run my PHP script, it's unable to bind, even though ldp.exe can do it without problems. The error log on the LDAP server shows this when I run my script:
Internal event: An LDAP over Secure Sockets Layer (SSL) connection
could not be established with a client. Client network address:
################## Protocol: TCP Additional Data Error value: 2148074277 The certificate chain was issued by an authority that is
not trusted.
Here is my code:
<?php
echo "Hello <br>";
var_dump(openssl_get_cert_locations());
// using ldap bind
$ldaprdn  = "****"; // ldap rdn or dn
$ldappass = "****"; // associated password
$ldaphost = "ldaps://****************";
// connect to ldap server
$ldapconn = ldap_connect($ldaphost)
    or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
echo "$ldapconn <br>";
echo ldap_error($ldapconn);
echo "<br>";
if ($ldapconn) {
    // the @ suppresses the PHP warning on a failed bind; ldap_error() still reports it
    $ldapbind = @ldap_bind($ldapconn, $ldaprdn, $ldappass);
    var_dump($ldapbind);
    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...";
    } else {
        echo "LDAP bind failed...";
    }
    echo ldap_error($ldapconn);
}
?>

PHP - LDAP with SSL fail to bind

I have PHP 7.0 on CentOS 7, and I've installed the php-ldap module as well.
# yum install -y php php-ldap
...
# php -m
...
ldap
...
Now the following PHP code works:
<?php
$ldapconn = ldap_connect("dc.example.com", 389) or die("Could not connect to LDAP server.");
if ($ldapconn) {
    $ldaprdn  = 'username';
    $ldappass = 'password';
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
    if ($ldapbind) {
        echo "LDAP bind successful...";
    } else {
        echo "LDAP bind failed...";
    }
}
$Result = ldap_search($ldapconn, "DC=example,DC=com", "(sAMAccountName=johndoe)");
$data = ldap_get_entries($ldapconn, $Result);
print_r($data);
?>
That works! I can connect, bind, and then even search for username johndoe and view his entire AD profile successfully.
Problem
But then I tried with SSL via port 636:
<?php
putenv('LDAPTLS_REQCERT=require');
putenv('LDAPTLS_CACERT=/var/www/html/servercert.der'); # I know, but this is just a temporary location
$ldapconn = ldap_connect("dc.example.com", 636) or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_DEBUG_LEVEL, 7);
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if ($ldapconn) {
    $ldaprdn  = 'username';
    $ldappass = 'password';
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
    if ($ldapbind) {
        echo "LDAP bind successful...";
    } else {
        echo "LDAP bind failed...";
    }
}
$Result = ldap_search($ldapconn, "DC=example,DC=com", "(sAMAccountName=johndoe)");
$data = ldap_get_entries($ldapconn, $Result);
print_r($data);
?>
I got this error:
Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /var/www/html/index.php on line 14
LDAP bind failed...
Warning: ldap_search(): Search: Can't contact LDAP server in......
What am I missing please?
Note:
We have port 636 opened on Windows AD Server and it is reachable from this PHP web server.
The server certificate is valid.
I figured out that the ldap_connect call should be as below:
ldap_connect("ldaps://dc.example.com:636")
And then, all of a sudden, it worked!
Note: If it is running under Apache, it is worth restarting Apache after changing to the above code.
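The fix above (an ldaps:// URI instead of a bare host and port 636) and the certificate-trust failure in the earlier question both come down to how libldap is told about TLS. The following is an added example, not code from any of the questions: it pins the CA through ldap_set_option() rather than LDAPTLS_* environment variables, sets connection options only after ldap_connect() (the ordering the first question gets wrong), and refuses an empty password, which AD would otherwise accept as an unauthenticated bind. It assumes PHP 7.1 or later for the LDAP_OPT_X_TLS_* constants, a PEM CA bundle at /etc/openldap/certs/ca.pem, and the hypothetical account svc-app@example.com.

```php
<?php
// Added example: LDAPS bind with the CA pinned via ldap_set_option().
// Assumes PHP >= 7.1 and a CA bundle in PEM format (libldap does not read DER).
function ldapsBind(string $host, string $caPem, string $dn, string $password): array
{
    // An empty password turns a simple bind into an "unauthenticated" bind,
    // which Active Directory answers with success as an anonymous session.
    if ($password === '') {
        return [false, 'refusing empty password (would be an unauthenticated bind)', null];
    }
    // TLS settings must be in place before the socket is opened, i.e. before the
    // first operation on the connection. A null link sets them globally, which is
    // the form that reliably takes effect in PHP.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caPem);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // The URI scheme selects the transport: "ldaps://" wraps the whole session in
    // TLS, while ldap_connect("host", 636) speaks plaintext LDAP to port 636 and
    // fails with "Can't contact LDAP server".
    $conn = ldap_connect("ldaps://$host:636");
    if ($conn === false) {
        return [false, 'invalid LDAP URI', null];
    }
    // Connection options belong after ldap_connect(): AD requires LDAPv3, and
    // disabling referral chasing avoids follow-up connects to other DCs.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Do not call ldap_start_tls() here: on an ldaps:// connection the session is
    // already encrypted and the server replies "TLS or SSL already in effect".
    $ok = @ldap_bind($conn, $dn, $password);
    $why = '';
    if (!$ok) {
        // The diagnostic message carries the server-side detail (e.g. AD's
        // "data 52e" for bad credentials) that ldap_error() alone omits.
        ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        $why = ldap_error($conn) . ($diag ? " ($diag)" : '');
    }
    return [$ok, $why, $ok ? $conn : null];
}

// Usage (hypothetical host and account); the password comes from the environment.
[$ok, $why, $conn] = ldapsBind('dc.example.com', '/etc/openldap/certs/ca.pem',
                               'svc-app@example.com', getenv('LDAP_PASSWORD') ?: '');
echo $ok ? "bind ok\n" : "bind failed: $why\n";
if ($conn) {
    ldap_unbind($conn);
}
```

If the CA file is wrong or the chain is untrusted, the bind fails client-side with "Can't contact LDAP server" and the diagnostic message names the TLS error, which is the same condition the server-side event log in the second question reports from its end.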

ldap_start_tls(): Unable to start TLS, LdapErr: DSID-0C09128B "TLS or SSL already in effect"

I am trying to do LDAP authentication with a certificate on AWS Elastic Beanstalk and EC2 (PHP 8.0 running on 64bit Amazon Linux 2/3.3.4).
The .pem certificate is in /etc/openldap/certs.
My PHP code is as follows:
<?php
$ldaprdn  = 'username@dc1.dc2';
$ldappass = 'password';
$ldapconn = ldap_connect("ldaps://ldaps.hostname.com:636")
    or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if ($ldapconn) {
    $ldapbind = @ldap_bind($ldapconn, $ldaprdn, $ldappass);
    if ($ldapbind) {
        echo "LDAP bind successful...\n";
    } else {
        echo "LDAP bind failed...\n";
    }
}
echo "ldap_error: " . ldap_error($ldapconn);
ldap_get_option($ldapconn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $err);
echo "ldap_get_option: $err";
I get the following warning:
Warning: ldap_start_tls(): Unable to start TLS: Operations error in /var/app/current/auth1.php on line 26 ldap_error: Operations errorldap_get_option: 00000000: LdapErr: DSID-0C09128B, comment: TLS or SSL already in effect, data 0, v3839 Warning: ldap_search(): Search: Operations error in /var/app/current/auth1.php on line 48 Error - Operations error

How can I search for a user in LDAP while using anonymous binding?

I am trying to search for a user in LDAP while doing an anonymous bind. First of all, is this possible?
Here is working code.
<?php
$ldaphost = "dc.mydomain.com"; // your ldap server
$ldapport = 389;               // your ldap server's port number
$ldapuser = "username@mydomain.com";
$ldappass = "somepass";
$basedn   = 'dc=mydomain,dc=com';
$searchfor = 'seconduser';
// Connecting to LDAP
$ldapconn = ldap_connect($ldaphost, $ldapport) or die("Could not connect to " . $ldaphost);
if ($ldapconn) {
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldapuser, $ldappass);
    $filter = '(&(samaccounttype=805306368)(samaccountname=' . $searchfor . '))';
    $result = ldap_search($ldapconn, $basedn, $filter, array('samaccountname'));
    $info = ldap_get_entries($ldapconn, $result);
    echo '<pre>';
    print_r($info);
}
The only thing with the above code is that I would have to provide a user for binding. I would like to bind anonymously instead. To do that, I changed the following line of code from
$ldapbind = ldap_bind($ldapconn,$ldapuser, $ldappass);
to
$ldapbind = ldap_bind($ldapconn);
But this gives me the following error in ldap_search():
ldap_search(): Search: Operations error
How can I search for a user in LDAP with anonymous binding?
Your Active Directory administrators should have told you that anonymous access is disabled by default. Most likely they are not willing to change it. For an application, ask for a service account (stable password).

php ldap_search Operations error

I want to use the following php script to retrieve AD Users (Windows 2008R2) who have the "proxyAddresses" attribute set:
<?php
$ldaprdn  = 'ldapbind@test.net';
$ldappass = 'testpass';
$ldapconn = ldap_connect("ldap://10.1.20.254:389")
    or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if ($ldapconn) {
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
    if ($ldapbind) {
        echo "LDAP bind successful...\n";
        $result = ldap_search($ldapconn, "CN=Users,DN=test,DN=net", "(proxyAddresses=*)")
            or die("Error in search query: " . ldap_error($ldapconn));
        $data = ldap_get_entries($ldapconn, $result);
        print_r($data);
    } else {
        echo "LDAP bind failed...";
    }
}
?>
It binds successfully, but then I get a warning and an error message:
PHP Warning: ldap_search() Operations error in ..... on line .. (the ldap_search line)
and
Error in search query: Operations error
When I execute ldapsearch on the console:
ldapsearch -h 10.1.20.254 -p 389 -D 'ldapbind@test.net' -w 'testpass' -b 'CN=Users,DC=test,DC=net' '(proxyAddresses=*)' cn proxyAddresses mail
I get the desired results.
It's running on "CentOS release 6.4 (Final)".
Thanks in advance
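Both of the last two questions end in "Operations error" from ldap_search(): one after dropping the bind (AD refuses searches on an anonymous session), the other from a base DN spelled with DN= where the working ldapsearch uses DC=. They also build the filter by concatenating the search term, which lets filter metacharacters in the input change the query. The following is an added example, not the askers' code: it performs the same sAMAccountName lookup on an already bound connection with the term escaped via ldap_escape(), and surfaces the server's diagnostic message when the search fails. It assumes PHP 5.6 or later (for ldap_escape()), the hypothetical host dc.mydomain.com, and service-account credentials supplied through the LDAP_BIND_DN and LDAP_BIND_PW environment variables.

```php
<?php
// Added example: AD user lookup with an escaped filter and full error detail.
// Assumes PHP >= 5.6 and a connection that was bound with a service account.
function findUserByAccountName($conn, string $baseDn, string $accountName): array
{
    // Escape filter metacharacters so input such as "*" or ")(cn=" cannot widen
    // or rewrite the filter (LDAP filter injection).
    $safe = ldap_escape($accountName, '', LDAP_ESCAPE_FILTER);
    // 805306368 is SAM_NORMAL_USER_ACCOUNT, the same constraint the question used.
    $filter = "(&(sAMAccountType=805306368)(sAMAccountName=$safe))";

    $result = @ldap_search($conn, $baseDn, $filter, ['sAMAccountName', 'mail', 'proxyAddresses']);
    if ($result === false) {
        // AD puts the real reason in the diagnostic message, e.g. that a bind is
        // required, or that the base DN is not a valid DN.
        ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        return ['ok' => false, 'error' => ldap_error($conn), 'detail' => (string) $diag, 'entries' => []];
    }
    $entries = ldap_get_entries($conn, $result);
    ldap_free_result($result);
    if ($entries === false) {
        return ['ok' => false, 'error' => ldap_error($conn), 'detail' => '', 'entries' => []];
    }
    // ldap_get_entries() returns a "count" key beside the numeric entries.
    unset($entries['count']);
    return ['ok' => true, 'error' => '', 'detail' => '', 'entries' => array_values($entries)];
}

// Usage: plain LDAP on 389 as in the question. Refuse to run without real
// credentials, because an empty password becomes an unauthenticated (anonymous) bind.
$bindDn = getenv('LDAP_BIND_DN');
$bindPw = getenv('LDAP_BIND_PW');
if ($bindDn === false || $bindPw === false || $bindPw === '') {
    exit("set LDAP_BIND_DN and LDAP_BIND_PW to a service account\n");
}
$conn = ldap_connect('ldap://dc.mydomain.com:389') or exit("bad LDAP URI\n");
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
if (!@ldap_bind($conn, $bindDn, $bindPw)) {
    exit('bind failed: ' . ldap_error($conn) . "\n");
}
// Base DN uses DC= components, matching the ldapsearch that works on the console.
$r = findUserByAccountName($conn, 'DC=mydomain,DC=com', $argv[1] ?? 'seconduser');
print_r($r);
ldap_unbind($conn);
```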
