PHP cannot anonymously bind to LDAP - php

The problem is that I can connect to LDAP through PHP but I cannot bind to it.
In Apache Directory Studio I can connect and bind without any problem, but in PHP the result is always "FAIL".
How do I bind to LDAP with PHP?
<?php
$ldaphost = "ldaps://server.net";
$ldapport = 636;   // ignored by ldap_connect() once a URI is given; the scheme selects LDAPS
$ldapconn = ldap_connect($ldaphost, $ldapport);
if ($ldapconn) {
    echo 'Connected';
    // anonymous bind: no DN, no password
    $ldapbind = ldap_bind($ldapconn);
    if ($ldapbind) {
        echo "OK";
    } else {
        echo "FAIL";
    }
}

Try setting the protocol version:
<?php
// Anonymous connection
$ldaphost = "ldaps://server.net";
$ldapport = 636;
$ldapconn = ldap_connect($ldaphost, $ldapport)
    or die("Cannot connect to LDAP server.");
if ($ldapconn) {
    echo 'Connected';
    // set protocol version (must happen before the bind, which is the first real network operation)
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // anonymous identification
    $ldapbind = ldap_bind($ldapconn);
    if ($ldapbind) {
        echo 'OK';
    } else {
        echo 'FAIL';
    }
}
?>

Related

PHP - LDAP with SSL fail to bind

I have PHP 7.0 on CentOS 7, and I've installed the php-ldap module as well.
# yum install -y php php-ldap
...
# php -m
...
ldap
...
Now the following PHP code works:
<?php
$ldapconn = ldap_connect("dc.example.com", 389) or die("Could not connect to LDAP server.");
if ($ldapconn) {
    $ldaprdn = 'username';
    $ldappass = 'password';
    // simple bind with a name and password
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
    if ($ldapbind) {
        echo "LDAP bind successful...";
    } else {
        echo "LDAP bind failed...";
    }
}
// search the whole domain for one account and dump every attribute returned
$Result = ldap_search($ldapconn, "DC=example,DC=com", "(sAMAccountName=johndoe)");
$data = ldap_get_entries($ldapconn, $Result);
print_r($data);
?>
That works! I can connect, bind, and then even search for username johndoe and view his entire AD profile successfully.
Problem
But then I tried with SSL via port 636:
<?php
// client-side TLS settings for libldap (read when the connection is actually opened)
putenv('LDAPTLS_REQCERT=require');
putenv('LDAPTLS_CACERT=/var/www/html/servercert.der'); // I know, but this is just a temporary location
$ldapconn = ldap_connect("dc.example.com", 636) or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_DEBUG_LEVEL, 7);
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if ($ldapconn) {
    $ldaprdn = 'username';
    $ldappass = 'password';
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
    if ($ldapbind) {
        echo "LDAP bind successful...";
    } else {
        echo "LDAP bind failed...";
    }
}
$Result = ldap_search($ldapconn, "DC=example,DC=com", "(sAMAccountName=johndoe)");
$data = ldap_get_entries($ldapconn, $Result);
print_r($data);
?>
I got this error:
Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /var/www/html/index.php on line 14
LDAP bind failed...
Warning: ldap_search(): Search: Can't contact LDAP server in......
What am I missing please?
Note:
We have port 636 opened on Windows AD Server and it is reachable from this PHP web server.
Server certificate is valid.
I figured out that the ldap_connect call should be as below:
ldap_connect("ldaps://dc.example.com:636")
And then all of a sudden it worked!
Note: If it is running under Apache, it is worth restarting it after changing to the above code.
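
The two threads above come down to the same two rules: select TLS with the URI scheme (ldaps:// for port 636, since ldap_connect() ignores its port argument once it is given a URI) and set every option before the bind, because ldap_connect() only records the URI and the socket is opened, and TLS negotiated, on the first real operation. The block below is an added example, not code from either post. It assumes PHP 7.1 or later with ext/ldap built on OpenLDAP, that your libldap honours per-connection LDAP_OPT_X_TLS_* settings (if the handshake still fails, put the same CA file and TLS_REQCERT demand in /etc/openldap/ldap.conf instead), and placeholder values for the host name, CA bundle path and bind account.

```php
<?php
// Added example (not from the posts above). Placeholders: host, CA file, bind DN.
declare(strict_types=1);

/**
 * Connect to an LDAP server over TLS and bind, returning diagnostics instead of a bare bool.
 *
 * @param string      $uri      "ldaps://host:636", or "ldap://host:389" (upgraded with StartTLS)
 * @param string      $caFile   PEM bundle holding the CA that issued the server certificate
 * @param string|null $bindDn   DN or user@domain to bind as; null for an anonymous bind
 * @param string|null $password password for $bindDn; null for an anonymous bind
 * @return array{ok: bool, conn: mixed, errno: int, error: string, diag: string}
 */
function ldap_connect_and_bind(string $uri, string $caFile, ?string $bindDn = null, ?string $password = null): array
{
    // ldap_connect() only records the URI; with a URI the port argument is ignored,
    // so "ldaps://" in the scheme is what selects TLS on 636.
    $conn = ldap_connect($uri);
    if ($conn === false) {
        return ['ok' => false, 'conn' => null, 'errno' => -1, 'error' => 'malformed LDAP URI', 'diag' => ''];
    }

    // Everything below must happen before ldap_bind(): that is the first call
    // that actually opens the socket and negotiates TLS.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);     // AD (and most servers) reject LDAPv2 binds
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);            // do not chase AD referrals (they bind anonymously)
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);      // fail fast instead of tying up a PHP worker
    // Verify the server certificate; assumes libldap applies these per connection.
    ldap_set_option($conn, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option($conn, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // Never send a bind password over plain ldap://: upgrade with StartTLS first.
    if (strncasecmp($uri, 'ldaps://', 8) !== 0 && !@ldap_start_tls($conn)) {
        return ['ok' => false, 'conn' => $conn, 'errno' => ldap_errno($conn),
                'error' => ldap_error($conn), 'diag' => 'StartTLS failed'];
    }

    // Anonymous bind when both are null. Note that a non-empty DN with an EMPTY
    // string password is an "unauthenticated bind", which AD reports as success.
    $ok = @ldap_bind($conn, $bindDn, $password);

    $diag = '';
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);   // AD's "data 52e"-style detail
    return [
        'ok'    => $ok,
        'conn'  => $conn,
        'errno' => ldap_errno($conn),
        'error' => ldap_error($conn),
        'diag'  => (string) $diag,
    ];
}

// Usage (placeholders): the anonymous bind from the first question on this page.
$r = ldap_connect_and_bind('ldaps://server.net:636', '/etc/pki/tls/certs/ad-ca.pem');
printf("bind %s: %d %s %s\n", $r['ok'] ? 'OK' : 'FAIL', $r['errno'], $r['error'], $r['diag']);
```

ldap_error() alone says "Invalid credentials" for every failed Active Directory bind; the LDAP_OPT_DIAGNOSTIC_MESSAGE text ends in a code such as data 52e (wrong password), 525 (no such user), 533 (account disabled), 773 (must change password at next logon) or 775 (account locked), which is how the "Invalid credentials" threads further down this page are normally resolved. A DER file like the servercert.der in the question has to be converted first (openssl x509 -inform der -in servercert.der -out servercert.pem) before LDAPTLS_CACERT or LDAP_OPT_X_TLS_CACERTFILE will read it.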

PHP ldap_bind(): Unable to bind to server: Invalid credentials

I'm connecting to the LDAP server from my local system. It connects successfully, but when connecting from another server, e.g. from server B to server A, I get an 'invalid credentials' error like this.
$username = 'ZZZ.YYY';
$domain   = 'test';
$host     = 'ldap://AAA.test.org';
$password = 'XXXX';
$port     = 389;   // ignored: the URI already carries the scheme and port
$ldapconn = ldap_connect($host, $port)
    or die("Could not connect to {$host}");
if ($ldapconn) {
    // bind with the poster's "username#domain" form (Active Directory's UPN form is username@domain)
    $bind = ldap_bind($ldapconn, $username . '#' . $domain, $password);
    if ($bind) {
        echo("Login correct");
    } else {
        echo("Login incorrect");
    }
}
ldap_close($ldapconn);
This code is working fine for me. But when I pasted the same code on another server and changed only the host name and domain name for that server, I got this error. Can you please help me?
$username = 'ZZZ.YYY';
$domain   = 'test1';
$host     = 'ldap://BBB.test1.org';
$password = 'XXXX';
$port     = 389;
$ldapconn = ldap_connect($host, $port)
    or die("Could not connect to {$host}");
if ($ldapconn) {
    // same bind form as on server A, only host and domain changed
    $bind = ldap_bind($ldapconn, $username . '#' . $domain, $password);
    if ($bind) {
        echo("Login correct");
    } else {
        echo("Login incorrect");
    }
}
ldap_close($ldapconn);

Error trying to bind invalid credentials

I am trying to connect to an LDAP server but I always get 'Error trying to bind: invalid credentials' even though I supplied the right credentials. How do I troubleshoot this issue? How do I know if the connection is successful? I am stuck here; please let me know if there are any suggestions.
<?php
$domain = 'school123.edu';
$username = 'test';
$password = 'password';
$ldapconfig['host'] = 'server123';
$ldapconfig['port'] = 389;
$ldapconn = ldap_connect($ldapconfig['host'], $ldapconfig['port']);
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $username, $password) or die("Error trying to bind: " . ldap_error($ldapconn));
// verify binding
if ($ldapbind) {
    echo "LDAP bind successful...<br /><br />";
} else {
    echo "LDAP bind failed...";
}
$dn = 'dc=school123,dc=edu';
// ldap_search() needs the connection handle, not the boolean bind result; the
// username goes through ldap_escape() so a crafted value cannot rewrite the filter
$filter = '(&(objectClass=*)(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
$result = ldap_search($ldapconn, $dn, $filter);
$entries = ldap_get_entries($ldapconn, $result);
echo $entries["count"] . " entries returned\n";
// all done? clean up
ldap_close($ldapconn);
?>

Searching for email address ldap active directory

I am trying to search an Active Directory using LDAP. I want to be able to return the user's email address. How can this be done? So far I have the following, but nothing seems to happen.
I just want to return mail based on the attributes given in $filter. The LDAP bind seems to work fine.
Thanks :)
<!DOCTYPE HTML>
<html>
<head>
<title>Cisco Guest Register</title>
</head>
<body>
<?php
$ldaprdn = "CN=antwest,OU=Employees,OU=Cisco Users,DC=cisco,DC=com";
$ldappass = 'Chandler1';
// connect to ldap server
$ldapconn = ldap_connect("ldap://ds.cisco.com:389")
    or die("Could not connect to LDAP server.");
if ($ldapconn) {
    // binding to ldap server (the options below are only set after this bind)
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
    // verify binding
    if (!$ldapbind) {
        echo "Connection to LDAP Failed";
    }
    echo "Connected to LDAP";
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
    $filter = "(|(cn=antwest*)(ou=cisco*))";
    $justthese = array("mail");
    // search base is the bound user's own DN, so only that subtree is searched
    $sr = ldap_search($ldapconn, $ldaprdn, $filter, $justthese);
    $info = ldap_get_entries($ldapconn, $sr);
    echo $info["count"] . " entries returned\n";
}
?>
</body>
</html>
It's important to call ldap_set_option before calling ldap_bind:
$ldapconn = ldap_connect("ldap://ds.cisco.com:389");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION,3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS,0);
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
To print just the email, if your search succeeded, use this line:
echo $info[0]["mail"][0];
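
The three login threads above (the UPN bind, the "Invalid credentials" troubleshooting and the mail lookup) are the same flow, so here is one added example of it, not code from any of the posts. It assumes an Active Directory domain, a connection handle prepared as in the answers above (LDAPv3, referrals off, and TLS), and placeholder domain and base DN values. It adds the two checks the posted code lacks: an empty password is refused before the bind, because a bind with a name and an empty password is an unauthenticated bind that Active Directory answers with success, and the search filter is built with ldap_escape() so the username cannot rewrite it.

```php
<?php
// Added example (not from the posts above). Placeholders: domain, base DN, host.
declare(strict_types=1);

/** Only the characters a sAMAccountName can safely carry into a UPN or a filter. */
function valid_sam_account_name(string $username): bool
{
    return (bool) preg_match('/^[A-Za-z0-9._-]{1,20}$/', $username);
}

/** Filter for the user's own entry, with the user-supplied value escaped (LDAP injection). */
function user_lookup_filter(string $username): string
{
    return '(&(objectClass=user)(sAMAccountName='
        . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
}

/**
 * Bind as the user, then read their mail attribute.
 * Returns null on any failure so callers cannot confuse "bound" with "found".
 *
 * @param mixed $conn handle from ldap_connect() with the options already set
 */
function authenticate_ad_user($conn, string $domain, string $baseDn, string $username, string $password): ?array
{
    // RFC 4513 5.1.2: a name plus an empty password is an *unauthenticated* bind.
    // AD returns success for it, so a form submitted with a blank password would
    // "log in" anyone whose username is known. Reject it before binding.
    if ($password === '' || !valid_sam_account_name($username)) {
        return null;
    }

    // user@domain (UPN) is the bind name AD accepts without a full DN.
    if (!@ldap_bind($conn, $username . '@' . $domain, $password)) {
        return null;   // ldap_error($conn) and LDAP_OPT_DIAGNOSTIC_MESSAGE say why
    }

    // Search with the user's own rights; sizelimit 1 because sAMAccountName is unique per domain.
    $res = @ldap_search($conn, $baseDn, user_lookup_filter($username), ['mail', 'displayname'], 0, 1);
    if ($res === false) {
        return null;
    }
    $entries = ldap_get_entries($conn, $res);
    if ($entries['count'] !== 1) {
        return null;
    }
    // ldap_get_entries() lower-cases attribute names and wraps values in "count" arrays.
    return [
        'dn'   => $entries[0]['dn'],
        'mail' => $entries[0]['mail'][0] ?? null,
        'name' => $entries[0]['displayname'][0] ?? null,
    ];
}

// Usage (placeholders): the form fields are the untrusted input here.
$conn = ldap_connect('ldaps://dc.example.com:636');
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);   // needed for subtree searches at the domain root of AD
$user = authenticate_ad_user($conn, 'example.com', 'DC=example,DC=com',
                             (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
echo $user === null ? "Login incorrect\n" : "Login correct: {$user['mail']}\n";
ldap_close($conn);
```

The username whitelist is deliberately stricter than what Active Directory allows in a sAMAccountName; it exists so that the value can go straight into the UPN string, which has no escaping mechanism of its own. The mail lookup runs under the user's own bind, so it only returns what that user is permitted to read, which for their own mail attribute is the default.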

PHP & IIS: LDAPS Connection for Password Change

My aim is to change passwords in Active Directory through a web interface using PHP & IIS.
I have been following the instructions on http://www.ashleyknowles.net/2011/07/iis-php-and-ldaps-with-active-directory/
Prior to following these instructions I could not get a bind to the AD for an LDAPS connection; however, after following these instructions it seems to connect successfully, yet it gives an error of "Server is unwilling to perform" when I attempt to change the "unicodePwd" value.
Please note that the code below will successfully change any other value of a user in the AD.
<?php
$ldaprdn = 'CN=Admin User,OU=*******,OU=Staff,OU=********,DC=********,DC=*******,DC=******,DC=*****';
$ldappass = "*******"; // associated password
$ldapconn = ldap_connect("ldaps://***.***.***.***:636") or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if ($ldapconn) {
    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...";
        $username = '******';
        $dn = "CN=Bob Smith,OU=******,OU=******,OU=******,DC=******,DC=******,DC=******,DC=******";
        $newPassword = 'blah';
        // this encoding is what the server rejects (see the solution below)
        $newEntry = array('unicodePwd' => encodePwd($newPassword));
        print_r($newEntry);
        if (ldap_mod_replace($ldapconn, $dn, $newEntry)) {
            print "<p>succeeded</p>";
        } else {
            print "<p>failed</p>";
        }
        print_r(ldap_error($ldapconn));
    } else {
        echo "LDAP bind failed...";
        print_r(ldap_error($ldapconn));
    }
}

// Credit: http://www.cs.bham.ac.uk/~smp/resources/ad-passwds/
function encodePwd($pw) {
    $newpw = '';
    $pw = "\"" . $pw . "\"";
    $len = strlen($pw);
    for ($i = 0; $i < $len; $i++)
        $newpw .= "{$pw[$i]}\000";   // written as $pw{$i} originally; curly-brace offsets were removed in PHP 8
    $newpw = base64_encode($newpw);
    return $newpw;
}
?>
SOLVED!!
It turns out that by following the Ashley Knowles tutorial I was successfully establishing an SSL connection over LDAP; however, the error was occurring because of the password encoding.
The credit for the successful password encoding goes to hd42 on this forum post, which enabled me to modify my code accordingly.
Therefore, once you have correctly installed the certificates etc. on the hard drive of the IIS server, this code will successfully modify a user password in Active Directory using PHP through an IIS web server (assuming that the $ldaprdn user has sufficient admin rights):
<?php
$ldaprdn = 'CN=Admin User,OU=*******,OU=Staff,OU=********,DC=********,DC=*******,DC=******,DC=*****';
$ldappass = "*******"; // associated password
$ldapconn = ldap_connect("ldaps://***.***.***.***:636") or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if ($ldapconn) {
    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...";
        $dn = "CN=Bob Smith,OU=******,OU=******,OU=******,DC=******,DC=******,DC=******,DC=******";
        $newPassword = 'blah';
        // unicodePwd wants the password in double quotes, as raw UTF-16LE bytes
        $newPassword = "\"" . $newPassword . "\"";
        $newPass = mb_convert_encoding($newPassword, "UTF-16LE");
        $newEntry = array('unicodePwd' => $newPass);
        print_r($newEntry);
        if (ldap_mod_replace($ldapconn, $dn, $newEntry)) {
            print "<p>succeeded</p>";
        } else {
            print "<p>failed</p>";
        }
        print_r(ldap_error($ldapconn));
    } else {
        echo "LDAP bind failed...";
        print_r(ldap_error($ldapconn));
    }
}
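
For the password thread above, here is an added example that is not the poster's code: it keeps the corrected encoding as a function with an offline check, and adds the self-service form of the change next to the administrative reset the post uses. It assumes the same LDAPS connection as above (Active Directory refuses unicodePwd writes on any connection that is not encrypted), the mbstring extension for mb_convert_encoding(), and placeholder DNs and passwords.

```php
<?php
// Added example (not from the post above). Placeholders: connection, user DN, passwords.
declare(strict_types=1);

/**
 * unicodePwd is the new password wrapped in double quotes and encoded as UTF-16LE,
 * sent as raw bytes. Base64 is LDIF syntax only: ext/ldap transmits binary values
 * as they are, so the base64 in the first attempt above produced a value AD could
 * not decode. Appending "\0" after each byte only imitates UTF-16LE for ASCII input.
 */
function encode_unicode_pwd(string $plain): string
{
    return mb_convert_encoding('"' . $plain . '"', 'UTF-16LE', 'UTF-8');
}

/**
 * Administrative reset (what the post's working code does): needs the "Reset password"
 * right on $userDn; the old password is not checked and history is not enforced.
 */
function ad_reset_password($conn, string $userDn, string $newPassword): bool
{
    return ldap_mod_replace($conn, $userDn, ['unicodePwd' => encode_unicode_pwd($newPassword)]);
}

/**
 * Self-service change: the caller (normally bound as the user themselves) proves the
 * old password. AD requires the delete of the old value and the add of the new one in
 * ONE modify request, and enforces complexity, history and minimum age on this path.
 */
function ad_change_password($conn, string $userDn, string $oldPassword, string $newPassword): bool
{
    return ldap_modify_batch($conn, $userDn, [
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
         'values' => [encode_unicode_pwd($oldPassword)]],
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,
         'values' => [encode_unicode_pwd($newPassword)]],
    ]);
}

// Offline check of the encoding itself: "ab" in quotes, UTF-16LE, is 22 00 61 00 62 00 22 00.
assert(bin2hex(encode_unicode_pwd('ab')) === '2200610062002200');

// Usage (placeholders) after a successful LDAPS bind as in the post above:
// $ok = ad_reset_password($ldapconn, 'CN=Bob Smith,OU=Staff,DC=example,DC=com', 'N3w-P4ss!phrase');
// $ok = ad_change_password($ldapconn, 'CN=Bob Smith,OU=Staff,DC=example,DC=com', 'old', 'N3w-P4ss!phrase');
// if (!$ok) { echo ldap_error($ldapconn); }
```

When either call fails with "Server is unwilling to perform", read LDAP_OPT_DIAGNOSTIC_MESSAGE as well: a code of 0000052D there means the new password was rejected by the domain password policy, which is a different problem from a plaintext connection or a mis-encoded value and is not fixed by changing the code.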
