I am trying to query Active Directory for a given user's group membership.
When I search a specific user's OU, the search works OK.
When I try to search the entire directory, the result is empty.
I have many user OUs, and the specific user OU may vary.
The system is CentOS 6.4 with PHP+Apache.
Here is the code:
// $ldap_host (the AD server) and $user (the account being looked up) are set
// earlier in the script.
$ldap_dn = "dc=ccc,dc=bbb,dc=aaa,dc=com";
// Active Directory user for querying
$query_user = "ldap_bind@ccc.bbb.aaa.com";
$password = "xxxx";
// Connect to AD
$ldap = ldap_connect($ldap_host, 389) or die("Could not connect to LDAP");
ldap_bind($ldap, $query_user, $password) or die("Could not bind to LDAP");
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
// Search AD
$results = ldap_search($ldap, $ldap_dn, "(sAMAccountName=$user)", array("memberof", "primarygroupid"));
$entries = ldap_get_entries($ldap, $results);
if ($entries['count'] == 0) {
    echo "No results\n";
    return false;
}
Has anyone ever seen similar results? Am I missing something, or is there any configuration needed to support such a search?
The correct code is:
$ldap_dn = "dc=ccc,dc=bbb,dc=aaa,dc=com";
// Active Directory user for querying
$query_user = "ldap_bind@ccc.bbb.aaa.com";
$password = "xxxx";
// Connect to AD
$ldap = ldap_connect($ldap_host, 389) or die("Could not connect to LDAP");
// Both options must be set BEFORE ldap_bind()
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
ldap_bind($ldap, $query_user, $password) or die("Could not bind to LDAP");
// Search AD
$results = ldap_search($ldap, $ldap_dn, "(sAMAccountName=$user)", array("memberof", "primarygroupid"));
$entries = ldap_get_entries($ldap, $results);
if ($entries['count'] == 0) {
    echo "No results\n";
    return false;
}
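As an added example (not the asker's or answerer's code), the same lookup written as one function: protocol version and referral handling are set before the bind, as the fix requires, and the username is passed through ldap_escape() before it goes into the filter, since an unescaped $user lets a caller change what the filter matches. Host, base DN and service-account values are placeholders.

```php
<?php
// Added example (not code from the original post). Returns the group
// membership of an AD user found anywhere under the domain root, or null
// if no such account exists. Host, base DN and credentials are placeholders.
function adGroupMembership(string $host, string $baseDn, string $bindUser,
                           string $bindPassword, string $sam): ?array
{
    $ldap = ldap_connect("ldap://$host") or die("Could not connect to LDAP");

    // Both options must be set BEFORE ldap_bind(): AD needs LDAPv3, and a
    // subtree search from the domain root returns referrals to other naming
    // contexts (e.g. DomainDnsZones) that make the search fail if followed.
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    if (!@ldap_bind($ldap, $bindUser, $bindPassword)) {
        throw new RuntimeException('LDAP bind failed: ' . ldap_error($ldap));
    }

    // Escape the caller-supplied value: unescaped, a value containing '*' or
    // ')' changes the meaning of the filter instead of matching one account.
    $safeSam = ldap_escape($sam, '', LDAP_ESCAPE_FILTER);
    $filter  = "(&(objectClass=user)(sAMAccountName=$safeSam))";

    $result  = ldap_search($ldap, $baseDn, $filter, ['memberOf', 'primaryGroupID']);
    $entries = $result ? ldap_get_entries($ldap, $result) : ['count' => 0];
    ldap_unbind($ldap);

    if ($entries['count'] === 0) {
        return null;
    }
    // ldap_get_entries() lower-cases attribute names and adds 'count' keys.
    $entry  = $entries[0];
    $groups = [];
    for ($i = 0; $i < ($entry['memberof']['count'] ?? 0); $i++) {
        $groups[] = $entry['memberof'][$i];
    }
    return [
        'groups' => $groups,
        // The primary group (a RID, usually 513 = Domain Users) never appears
        // in memberOf, so report it separately.
        'primaryGroupId' => $entry['primarygroupid'][0] ?? null,
    ];
}

print_r(adGroupMembership('dc01.example.com', 'dc=example,dc=com',
                          'svc_ldap@example.com', 'placeholder-password', 'jdoe'));
```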
Related
I want to use my system login password for a PHP login page, so I used the LDAP concept in my project. I have included my code below; everything is fine, but when I run this code the result shows "Invalid user". I don't know why this is showing wrongly.
$ldaphost = 'abc.co.in';
$ldapport = '389';
$username = '4444';
$password = '4444pass';
$ldap = ldap_connect($ldaphost, $ldapport)
    or die("Could not connect to $ldaphost");
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
$user = "uid=$username,dc=abc,dc=co,dc=in";
$bind = @ldap_bind($ldap, $user, $password);
if ($bind) {
    echo "<br />Valid user";
} else {
    $msg = "<br />Invalid user";
    echo $msg;
}
Below the result:
What is the fault in my code, or do I need to add anything?
Please find and solve this request. That will be more helpful to me.
Thank you in advance...
This is how my LDAP thing works. Change your LDAP host to be either "ldap://abd.asd.co:389" or "ldaps://asd.basd.co:636".
function verify_user() {
    $user = $_REQUEST['user'];
    $passwd = $_REQUEST['pass'];
    // Bind to LDAP to check if the user is valid
    $server = "ldaps://ldap.server.com:636";
    // Escape the username so it cannot alter the DN
    $dn = "uid=" . ldap_escape($user, '', LDAP_ESCAPE_DN) . ", ou=People, ou=something, dc=other, dc=whatever";
    // Create a fake password if needed to keep people from anonymously
    // binding to LDAP
    if ($passwd == '') { $passwd = "p"; }
    $ldap = ldap_connect($server) or die("Can't connect to LDAP server!");
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_start_tls($ldap);
    if ($ldap) {
        $bnd = @ldap_bind($ldap, $dn, stripslashes($passwd));
        if (!$bnd) {
            sleep(5);
            echo "<br>Error: Bad Username or Password!<br>";
            exit;
        }
    }
    header("Location: {$_REQUEST['url']}"); /* Redirect browser */
    exit;
}
I am integrating my login form with Microsoft Active Directory. I authenticate users via the LDAP PHP library.
When users try to log in, they enter a username and password.
Connecting to the server goes successfully, and authentication via "ldap_bind" also gives me true or false according to the correctness of the values.
Now I am not able to retrieve the user's real name to display it on the screen.
All the information I have is the LDAP URI with the port number, and the username and password entered via the web form.
Here is my current code:
$ldap = ldap_connect("ldap://abc.xyz:123");
if ($bind = ldap_bind($ldap, $_REQUEST['username'] . '@abc.xyz', $_REQUEST['password'])) {
    echo "Welcome " . $_REQUEST['username'];
}
The $_REQUEST['username'] is not human readable, so I need to read this user's attributes, or at least the display name.
The ldap_search and ldap_read functions did not help; I tried this code:
$ldap_base_dn = 'DC=abc,DC=xyz';
$search_filter = "(objectclass=*)";
// $ldap is the connection returned by ldap_connect() above
$result = ldap_search($ldap, $ldap_base_dn, $search_filter);
with no luck. Is there any other information I must have in order to make ldap_search or ldap_read work successfully? In other words, can this be done by having only the username and password and the LDAP URI?
You should be able to do the search like this:
$upn = $_REQUEST['username'] . '@abc.xyz';
$attributes = ['displayname'];
// ldap_escape() keeps the user-supplied value from altering the filter
$filter = "(&(objectClass=user)(objectCategory=person)(userPrincipalName=" . ldap_escape($upn, '', LDAP_ESCAPE_FILTER) . "))";
$baseDn = "DC=abc,DC=xyz";
$results = ldap_search($ldap, $baseDn, $filter, $attributes);
$info = ldap_get_entries($ldap, $results);
// This is what you're looking for...
var_dump($info[0]['displayname'][0]);
Also, make sure to do the bind with these options:
$ldap = ldap_connect("ldap://abc.xyz:123");
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
if ($bind = ldap_bind($ldap, $_REQUEST['username'] . '@abc.xyz', $_REQUEST['password'])) {
    echo "Welcome " . $_REQUEST['username'];
}
When returning the DisplayName value, I recommend that you use a search filter which looks for the samaccountname (username) using something as simple as (samaccountname=$u), with $u being the username from your LDAP connect. If your Active Directory/Open Directory has a lot of objects, I would most certainly recommend targeting OUs, as this query can fall on its bottom pretty quickly.
I've made some further changes to your code so it now runs inside a function which takes three parameters and returns false if the connection or authentication fails.
Check LDAP: return DisplayName on a successful login, or FALSE (bool) if the login or connection fails.
function chkLDAP($u, $pass, $domain) {
    $dom = "$domain\\"; // Domain prefix for the username, which outputs "domain\"
    $user = $dom . $u;
    $hostname = 'ldap://abc.com';
    $baseDN = 'OU=users, DC=abc, DC=com'; // Narrow this down if you have a lot of objects, as the search could take a long time
    // Escape the username so it cannot alter the filter
    $search = "(samaccountname=" . ldap_escape($u, '', LDAP_ESCAPE_FILTER) . ")"; // Compare with username
    if ($pass === '') {
        return false; // An empty password would be an anonymous bind, not a failed one
    }
    $ldap = ldap_connect($hostname);
    if ($ldap) {
        $ldapbind = @ldap_bind($ldap, $user, $pass);
        if ($ldapbind) {
            $ldapSearch = ldap_search($ldap, $baseDN, $search);
            $entry = $ldapSearch ? ldap_first_entry($ldap, $ldapSearch) : false;
            if ($entry === false) {
                return false; // Authenticated, but no matching entry under $baseDN
            }
            $info = ldap_get_values($ldap, $entry, "displayname");
            return $info ? $info[0] : false;
        }
        return false; // Failed auth
    }
    return false; // Connection failed
}
Just test the function for false to make sure you have a displayname before using it.
Run Function:
$displayName = chkLDAP($_REQUEST['username'], $_REQUEST['password'], 'abc.com'); // Run function - returns false if failed, or the displayname if true
if ($displayName !== false) {
    echo $displayName;
} else {
    echo "Username or Password Incorrect!";
}
See:
http://php.net/manual/en/function.ldap-get-values.php
This worked for me, for people who need to validate whether a user exists in a specific OU.
(with the help of @kitson88's response)
function validateLogin($username, $password)
{
    $ldap_dn = "$username@alhait.com";
    $ldap_password = $password;
    if ($ldap_password === '') {
        return false; // An empty password would be an anonymous bind
    }
    $ldap_con = ldap_connect("server");
    ldap_set_option($ldap_con, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (@ldap_bind($ldap_con, $ldap_dn, $ldap_password)) {
        $baseDN = 'OU=trainers,DC=alhait,DC=com';
        // Escape the username so it cannot alter the filter
        $search = "(samaccountname=" . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ")";
        $ldapSearch = ldap_search($ldap_con, $baseDN, $search);
        $entry = $ldapSearch ? ldap_first_entry($ldap_con, $ldapSearch) : false;
        if ($entry !== false) {
            $info = ldap_get_values($ldap_con, $entry, "displayname");
            // var_dump($info[0]);
            if (!empty($info[0])) {
                return true;
            }
        }
    } else {
        return false;
    }
    //echo "Invalid Credential";
    return false;
}
I have successfully authenticated against LDAP in PHP, but I'm not able to retrieve information during the search. This AD authentication works fine in a .NET application, but in PHP I have not received any information during the search.
// $server, $username, $password and $base_dn are set earlier in the script.
$search_filter = "(sAMAccountName=*xyz*)";
$attributes = array("memberof", "givenname");
$ldap = ldap_connect($server);
if ($ldap)
    echo "successful";
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); // generally needed with AD.
//ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 2.4);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
$ldapbind = ldap_bind($ldap, $username, $password);
if ($ldapbind) {
    echo "<br> LDAP Connect successful...";
} else {
    echo "<br>LDAP Connect failed...";
}
$search = ldap_search($ldap, $base_dn, $search_filter, $attributes);
$data = ldap_get_entries($ldap, $search);
This is my LDAP code to authenticate a user. I have to show the user's full name once the user has logged in. How do I get the full name of the user from AD?
<?php
function ldapCheckLogin($username, $upasswd) {
    $ldaphost = '10.20.30.40';
    $ldapport = 389;
    $ds = ldap_connect($ldaphost, $ldapport)
        or die("Could not connect to our login server!");
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
    if ($ds) {
        //$username = 'na\'; //OK - Congratulations! na\spups is authenticated.
        $upname = 'iap\\' . $username;
        $ldapbind = @ldap_bind($ds, $upname, $upasswd);
        if ($ldapbind) {
            //print "Congratulations! $username is authenticated.<BR><BR>";
            ldap_unbind($ds);
            return true;
        } else { //print "$username - Access Denied!<BR><BR>";
            return false;
        }
    } else {
        return false;
    }
}
?>
You need to retrieve the user's entry using ldap_search with the user's samAccountName, e.g. (samaccountname=$username), or userPrincipalName, e.g. (userprincipalname=$username . "@" . $domain.com), as the filter attribute.
samaccountname is only unique in the domain, whereas userPrincipalName is unique across the entire forest.
When you perform the ldap_search you need to include cn or displayName in the attributes to return.
If the search is successful, you then need to process the resulting entry and extract the cn and/or the displayName.
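As an added example (not the original poster's or an answerer's code), the bind-then-search flow this answer describes, written as one function: the user binds with their own UPN, an empty password is rejected because ldap_bind() would otherwise perform an anonymous bind that AD accepts, the entry is looked up by userPrincipalName through ldap_escape(), and cn and displayName are read from it. Host, domain and base DN are placeholder values.

```php
<?php
// Added example (not code from the original post). Authenticates a user
// against AD with their own credentials and returns ['cn' => ..,
// 'displayName' => ..], or null if the bind or the lookup fails.
// Host, domain and base DN are placeholders.
function ldapLoginWithName(string $host, string $domain, string $baseDn,
                           string $username, string $password): ?array
{
    // An empty password makes ldap_bind() do an anonymous bind, which AD
    // accepts, so reject it before it ever reaches the server.
    if ($username === '' || $password === '') {
        return null;
    }
    $ldap = ldap_connect("ldaps://$host:636");
    if ($ldap === false) {
        return null;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Bind as the user by UPN; the password is only ever sent to the server.
    $upn = "$username@$domain";
    if (!@ldap_bind($ldap, $upn, $password)) {
        return null; // wrong password or unknown account
    }

    // Look the user up by UPN (unique in the forest) rather than
    // sAMAccountName (unique only in the domain); ldap_escape() keeps the
    // user-supplied value from changing the filter.
    $filter = '(&(objectClass=user)(objectCategory=person)(userPrincipalName='
            . ldap_escape($upn, '', LDAP_ESCAPE_FILTER) . '))';
    $result = ldap_search($ldap, $baseDn, $filter, ['cn', 'displayName']);
    $entry  = $result ? ldap_first_entry($ldap, $result) : false;
    if ($entry === false) {
        ldap_unbind($ldap);
        return null;
    }
    // ldap_get_values() returns false when the attribute is absent
    $cn   = @ldap_get_values($ldap, $entry, 'cn');
    $name = @ldap_get_values($ldap, $entry, 'displayName');
    ldap_unbind($ldap);
    return [
        'cn'          => $cn ? $cn[0] : null,
        'displayName' => $name ? $name[0] : null,
    ];
}

$who = ldapLoginWithName('dc01.example.com', 'example.com', 'DC=example,DC=com',
                         $_POST['username'] ?? '', $_POST['password'] ?? '');
echo $who ? 'Welcome ' . htmlspecialchars($who['displayName'] ?? $who['cn']) : 'Login failed';
```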
I need to list all groups within a certain group using PHP. This is what I have so far:
<?php
$ldap_dn = "ou=People,dc=something,dc=something,dc=something,dc=au";
$ldap_svr = "ldap.server.somewhere";
$ldap_domain = "domain.somewhere";
$conn = ldap_connect($ldap_svr) or die("Cannot connect to LDAP server!");
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_bind($conn, "user@domain.somewhere", "password");
$filter = "(ou=*)";
$justthese = array("ou");
$result = ldap_list($conn, $ldap_dn, $filter, $justthese) or die("No search data found.");
$info = ldap_get_entries($conn, $result);
for ($i = 0; $i < $info["count"]; $i++) {
    echo $info[$i]["ou"][0] . '<br />';
}
?>
This returns a list of groups, one of which is 'Students', but I want to list all groups within 'Students'. How can I do this?
EDIT
Thanks to Fluffeh, the Microsoft LDAP plugin allows me to search Active Directory, so I can tailor my PHP script accordingly, e.g. $ldap_dn = "ou=Units,ou=Groups,dc=somewhere,dc=somewher,dc=somewhere,dc=au";
So my mostly working code is:
<?php
$ldap_dn = "ou=Units,ou=Groups,dc=somewhere,dc=somewher,dc=somewhere,dc=au";
$ldap_svr = "ldap.server.somewhere";
$ldap_domain = "domain.somewhere";
$conn = ldap_connect($ldap_svr) or die("Cannot connect to LDAP server!");
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_bind($conn, "user@domain.somewhere", "password");
$filter = "(cn=*)";
$justthese = array('cn');
$result = ldap_list($conn, $ldap_dn, $filter, $justthese) or die("No search data found.");
$info = ldap_get_entries($conn, $result);
for ($i = 0; $i < $info["count"]; $i++) {
    echo $info[$i]["cn"][0] . '<br />';
}
?>
You need to actually pass the search to it. Currently you are using:
$filter = "(ou=*)";
This will need to change to contain 'Students'. While I am no LDAP expert, I would guess at the following:
$filter = "(cn=Students)";
Most of the LDAP stuff I have done has been sheer trial and error rather than knowing what I am doing, but this might put you on the right path.
There is also a Microsoft plugin - Active Directory Explorer you can use to at least browse the LDAP so that you know what to search for and under what branch.