I am working on a login form that uses LDAP to authenticate users. However I do not know how to pass the username as a POST variable along with the DN credentials. This is working allowing me to send a password from a login form:
<?php
// using ldap bind
$ldaprdn = 'uid=my.name,cn=XXX,dc=XXX,dc=XXX,dc=XXX'; // ldap rdn or dn
$ldappass = $_POST['userPassword']; // user password
// connect to ldap server
$ldapconn = ldap_connect("server.domain.com")
or die("Could not connect to LDAP server.");
// Set some ldap options for talking to
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if ($ldapconn) {
// binding to ldap server
$ldapbind = #ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...\n";
} else {
echo "LDAP bind failed...\n";
}
}
?>
However this does not when trying to append the value contained within the POST variable to the CN and DN values.
<?php
// using ldap bind
$ldaprdn = "uid = . $_POST['userLogin'] . 'cn=XXX,dc=XXX,dc=XXX,dc=XXX'"; // ldap rdn or dn
$ldappass = $_POST['userPassword']; // user password
// connect to ldap server
$ldapconn = ldap_connect("server.domain.com")
or die("Could not connect to LDAP server.");
// Set some ldap options for talking to
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if ($ldapconn) {
// binding to ldap server
$ldapbind = #ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...\n";
} else {
echo "LDAP bind failed...\n";
}
}
?>
Can this be achieved this way? I believe I can only pass three variables using the LDAP_bind function,
Many Thanks
You are incorrectly using quotes here and have missed a comma:
$ldaprdn = "uid = . $_POST['userLogin'] . 'cn=XXX,dc=XXX,dc=XXX,dc=XXX'";
should be
$ldaprdn = 'uid =' . $_POST['userLogin'] . ',cn=XXX,dc=XXX,dc=XXX,dc=XXX';
or
$ldaprdn = "uid =$_POST['userLogin'],cn=XXX,dc=XXX,dc=XXX,dc=XXX";
Remember that using single quotes around variables will not resolve the variable to its value (and thus concatenation is required), but using double quotes will.
And on top of that: never work with user-inputted-data directly in your scripts - validate the input or at the very least use htmlentities() or strip_tags()...
Related
I was trying to check authentication with Active Directory in php. I tried the below code but I am getting an error. I followed the link https://www.php.net/manual/en/function.ldap-bind.php .
Code:
<?php
// using ldap bind
$ldaprdn = 'Administrator'; // ldap rdn or dn
$ldappass = '****'; // associated password
// connect to ldap server
$ldapconn = ldap_connect("ldap://dc1.example.com")
or die("Could not connect to LDAP server.");
if ($ldapconn) {
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...";
} else {
echo "LDAP bind failed...";
}
}
?>
Error :
PHP Warning: ldap_bind(): Unable to bind to server: Invalid
credentials in /root/ldap1.php on line 14 LDAP bind failed...
I am working on a php web application where I have to authenticate users with company's active directory. That part is clear, the problem is I need to maintain the session for later use. Like I need to check if some userID exists in AD or not. Admin will sign in once and then in later stages he needs to verify if xyz users exist or not. I am using following for login:
<?php
// using ldap bind
$ldaprdn = 'uname'; // ldap rdn or dn
$ldappass = 'password'; // associated password
// connect to ldap server
$ldapconn = ldap_connect("ldap.example.com")
or die("Could not connect to LDAP server.");
if ($ldapconn) {
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...";
} else {
echo "LDAP bind failed...";
}
}
?>
Any idea how can we maintain session so that Admin doesn't have to login on each user lookup?
Thanks
I'm having issues performing an authenticated bind against the server. The issues doesn't appear to be in code however maybe a server issue.
Just so you know;
LDAP is enabled in Apache/PHP
I'm connecting as user#domain.com
The domain controller has LDAP running and an entry in the firewall (Windows Server 2008 R2)
I can perform an anonymous bind
I can bind anonymously using this script;
$ldapconn = ldap_connect("machinename.domain.com")
or die("Could not connect to LDAP server.");
if ($ldapconn) {
// binding anonymously
$ldapbind = ldap_bind($ldapconn);
if ($ldapbind) {
echo "LDAP bind anonymous successful...";
} else {
echo "LDAP bind anonymous failed...";
}
}
However when I try to do an authenticated bind using this script, it fails.
// Authenticated Bind
$ldaprdn = 'username#domain.com'; // ldap rdn or dn
$ldappass = 'password'; // associated password
// connect to ldap server
$ldapconn = ldap_connect("machinename.domain.com")
or die("Could not connect to LDAP server.");
if ($ldapconn) {
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...";
} else {
echo "LDAP bind failed...";
}
}
Where am I going wrong?
May your LDAP requires a DN as login. For retrive the DN make a search of the user uid first.
$search = ldap_search($ldapconn, $baseDn, $filter, $attributes);
if ($search) {
$entries = ldap_get_entries($ldapconn, 'uid=' . $ldaprdn);// Here $ldaprdn is the email
if (is_array($entries)) {
$ldaprdn = $entries[0]['dn']; // Get the DN of the user
}
}
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// ....
NOTE: You should escape $ldaprdn for avoid LDAP injection attacks.
Okay, after much investigation I have turned on error info using ldap_errno() and ldap_error() and found it bringing back the error 'Strong(er) authentication required' have discovered two possible solutions;
Adjust Group Policy Settings
Negotiate Signing (Network security: LDAP client signing requirements)
No signing requirements (Domain Controller: LDAP server signing requirements)
Result: Managed to bind successfully and when I enter the username or password incorrectly and it throws an 'Invalid credentials' as expected.
Enable LDAP over SSL (LDAPS)
http://www.christowles.com/2010/11/enable-ldap-over-ssl-ldaps-on-windows.html
http://support.microsoft.com/kb/321051
My aim is to change passwords in Active Directory through a web interface using PHP & IIS.
I have been following the instructions on http://www.ashleyknowles.net/2011/07/iis-php-and-ldaps-with-active-directory/
Prior to following these instructions I could not get a bind to the AD for an LDAPS connection, however after following these instructions it seems to successfully connect, yet gives an error of "Server is unwilling to perform" when I attempt to change the "unicodePwd" value.
Please note that the code below will successfully change any other value of a user in the AD.
<?php
$ldaprdn = 'CN=Admin User,OU=*******,OU=Staff,OU=********,DC=********,DC=*******,DC=******,DC=*****';
$ldappass = "*******"; // associated password
$ldapconn = ldap_connect("ldaps://***.***.***.***:636" ) or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if ($ldapconn) {
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...";
$username = '******';
$dn = "CN=Bob Smith,OU=******,OU=******,OU=******,DC=******,DC=******,DC=******,DC=******";
$newPassword = 'blah';
$newEntry = array('unicodePwd' => encodePwd($newPassword));
print_r($newEntry);
if(ldap_mod_replace($ldapconn, $dn, $newEntry)) {
print "<p>succeded</p>";
} else {
print "<p>failed</p>";
}
print_r(ldap_error($ldapconn));
} else {
echo "LDAP bind failed...";
print_r(ldap_error($ldapconn));
}
}
// Credit: http://www.cs.bham.ac.uk/~smp/resources/ad-passwds/
function encodePwd($pw) {
$newpw = '';
$pw = "\"" . $pw . "\"";
$len = strlen($pw);
for ($i = 0; $i < $len; $i++)
$newpw .= "{$pw{$i}}\000";
$newpw = base64_encode($newpw);
return $newpw;
}
?>
SOLVED!!
It turns out that by following the Ashley Knowles tutorial, I was successfully establishing a SSL connection over LDAP, however the error was occurring because of the password encoding.
The credit for the successful password encoding goes to hd42 on this forum post, which enabled me to modify my code accordingly.
Therefore, once you have correctly installed the certificates etc in the harddrive on the IIS server, this code will successfully modify a user password in Active Directory using PHP through an IIS web server (assuming that the $ldaprdn user has sufficient admin rights):
<?php
$ldaprdn = 'CN=Admin User,OU=*******,OU=Staff,OU=********,DC=********,DC=*******,DC=******,DC=*****';
$ldappass = "*******"; // associated password
$ldapconn = ldap_connect("ldaps://***.***.***.***:636" ) or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if ($ldapconn) {
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...";
$dn = "CN=Bob Smith,OU=******,OU=******,OU=******,DC=******,DC=******,DC=******,DC=******";
$newPassword = 'blah';
$newPassword = "\"" . $newPassword . "\"";
$newPass = mb_convert_encoding($newPassword, "UTF-16LE");
$newEntry = array('unicodePwd' => $newPass);
print_r($newEntry);
if(ldap_mod_replace($ldapconn, $dn, $newEntry)) {
print "<p>succeded</p>";
} else {
print "<p>failed</p>";
}
print_r(ldap_error($ldapconn));
} else {
echo "LDAP bind failed...";
print_r(ldap_error($ldapconn));
}
}
I am having a little trouble with my PHP LDAP login. My first bind is successful, but my second bind is not even if the credentials are correct. I tried using the credentials I use to the second bind in the first one to make sure it worked, and sure enough it can bind it at the first one. Why am I not being able to bind the second time?
<?php
// Define $myusername and $mypassword
$username=$_POST['username'];
$password=$_POST['password'];
// using ldap bind
$ldaprdn = 'uid=MYUID,ou=special,ou=people,o=myo.com,dc=mydc,dc=com'; // ldap rdn or dn
$ldappass = 'PASSWORD'; // associated password
// connect to ldap server
$ldapconn = ldap_connect("ldaps://MYLDAPSERVER", ###)
or die("Could not connect to LDAP server.");
if ($ldapconn)
{
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind)
{
$result = ldap_search($ldapconn, "ou=people,o=myo.com,dc=mydc,dc=com", "uid=$username");
$info = ldap_get_entries($ldapconn, $result);
$userdn = $info[0]["dn"];
$count = $info["count"];
ldap_unbind($ldapconn);
if ($count == 1)
{
$ldapbinduser = ldap_bind($ldapconn, $userdn, $password);
if ($ldapbinduser)
{
echo "Sucess you made it all the way<br />";
}
else
{
echo "Invalid Login Details, please try again(1001)";
}
}
else
{
echo "Invalid Login Details, please try again(1002)";
}
}
else
{
echo "LDAP bind failed(1000)";
}
}
Although its name might implicate something different, ldap_unbind() actually kills the connection handle so that the connection is not usable any more after an unbind. Remove the ldap_unbind() call from your code and everything should work as expected.