Searching for email address ldap active directory - php

I am trying to search an active directory using ldap. I want to be able to return the users email address. How can this be done? So far I have the following, but nothing seems to happen.
I just want to return mail based on the attributes given in $filter. The ldap bind seems to work fine.
Thanks :)
<!DOCTYPE HTML>
<html>
<head>
<title>Cisco Guest Register</title>
</head>
<body>
<?php
$ldaprdn = "CN=antwest,OU=Employees,OU=Cisco Users,DC=cisco,DC=com";
$ldappass = 'Chandler1';
// connect to ldap server
$ldapconn = ldap_connect("ldap://ds.cisco.com:389")
or die("Could not connect to LDAP server.");
if ($ldapconn) {
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if (!$ldapbind) {
echo "Connection to LDAP Failed";
}
echo "Connected to LDAP";
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION,3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS,0);
$filter="(|(cn=antwest*)(ou=cisco*))";
$justthese = array("mail");
$sr=ldap_search($ldapconn, $ldaprdn, $filter, $justthese);
$info = ldap_get_entries($ldapconn, $sr);
echo $info["count"]." entries returned\n";
}
?>
</body>
</html>

It's important to call ldap_set_option before calling ldap_bind:
$ldapconn = ldap_connect("ldap://ds.cisco.com:389");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION,3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS,0);
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

To print just the email, if your search succeeded, use this line:
echo $info[0]["mail"][0];

Related

PHP - LDAP with SSL fail to bind

I have PHP 7.0 on CentOS 7. And I've installed php-ldap module as well.
# yum install -y php php-ldap
...
# php -m
...
ldap
...
Now the following PHP code works:
<?php
$ldapconn = ldap_connect("dc.example.com", 389) or die("Could not connect to LDAP server.");
if ($ldapconn) {
$ldaprdn = 'username';
$ldappass = 'password';
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
if ($ldapbind) {
echo "LDAP bind successful...";
} else {
echo "LDAP bind failed...";
}
}
$Result = ldap_search($ldapconn, "DC=example,DC=com", "(sAMAccountName=johndoe)");
$data = ldap_get_entries($ldapconn, $Result);
print_r($data);
?>
That works! I can connect, bind, and then even search for username johndoe and view his entire AD profile successfully.
Problem
But then I tried with SSL via port 636:
<?php
putenv('LDAPTLS_REQCERT=require');
putenv('LDAPTLS_CACERT=/var/www/html/servercert.der'); #I know, but this is just temporary location
$ldapconn = ldap_connect("dc.example.com", 636) or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_DEBUG_LEVEL, 7);
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if ($ldapconn) {
$ldaprdn = 'username';
$ldappass = 'password';
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
if ($ldapbind) {
echo "LDAP bind successful...";
} else {
echo "LDAP bind failed...";
}
}
$Result = ldap_search($ldapconn, "DC=example,DC=com", "(sAMAccountName=johndoe)");
$data = ldap_get_entries($ldapconn, $Result);
print_r($data);
?>
I got this error:
Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /var/www/html/index.php on line 14
LDAP bind failed...
Warning: ldap_search(): Search: Can't contact LDAP server in......
What am I missing please?
Note:
We have port 636 opened on Windows AD Server and it is reachable from this PHP web server.
Server certificate is valid.
I figured out the ldap_connect should be as below:
ldap_connect("ldaps://dc.example.com:636")
And then all of a sudden it worked!
Note: If it is on Apache, it is worth restarting it after changing to above code.

Active directory authentication in php

I was trying to check authentication with Active Directory in php. I tried the below code but I am getting an error. I followed the link https://www.php.net/manual/en/function.ldap-bind.php.
Code:
<?php
// using ldap bind
$ldaprdn = 'Administrator'; // ldap rdn or dn
$ldappass = '****'; // associated password
// connect to ldap server
$ldapconn = ldap_connect("ldap://dc1.example.com")
or die("Could not connect to LDAP server.");
if ($ldapconn) {
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...";
} else {
echo "LDAP bind failed...";
}
}
?>
Error:
PHP Warning: ldap_bind(): Unable to bind to server: Invalid
credentials in /root/ldap1.php on line 14 LDAP bind failed...

How can I search for a user in LDAP while using anonymous binding?

I am trying to search for a user in LDAP while doing anonymous binding. First of all is this possible?
Here is a working code.
$ldaphost = "dc.mydomain.com"; // your ldap server
$ldapport = 389; // your ldap server's port number
$ldapuser = "username#mydomain.com";
$ldappass = "somepass";
$basedn = 'dc=mydomain,dc=com';
$searchfor = 'seconduser';
//Connecting to LDAP
$ldapconn = ldap_connect($ldaphost, $ldapport) or die("Could not connect to" . $ldaphost);
if ($ldapconn)
{
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
// binding to ldap server
$ldapbind = ldap_bind($ldapconn,$ldapuser, $ldappass);
$filter = '(&(samaccounttype=805306368)(samaccountname=' . $searchfor . '))';
$result = ldap_search($ldapconn, $basedn, $filter, array('samaccountname'));
$info = ldap_get_entries($ldapconn, $result);
echo '<pre>';
print_r($info);
}
The only thing with the above code is that I would have to provide a user for binding. I would like to do anonymous instead. To do that I changed the following line of code from
$ldapbind = ldap_bind($ldapconn,$ldapuser, $ldappass);
to
$ldapbind = ldap_bind($ldapconn);
But this is giving me the following error in the ldap_search()
ldap_search(): Search: Operations error
How can I search for a user in LDAP with anonymous binding?
Your Active Directory administrators should have told you that anonymous access is disabled by default. Most likely they are not willing to change it. For an application, ask for a service account (stable password).

LDAP bind using POST variable for UID?

I am working on a login form that uses LDAP to authenticate users. However I do not know how to pass the username as a POST variable along with the DN credentials. This works, allowing me to send a password from a login form:
<?php
// using ldap bind
$ldaprdn = 'uid=my.name,cn=XXX,dc=XXX,dc=XXX,dc=XXX'; // ldap rdn or dn
$ldappass = $_POST['userPassword']; // user password
// connect to ldap server
$ldapconn = ldap_connect("server.domain.com")
or die("Could not connect to LDAP server.");
// Set some ldap options for talking to
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if ($ldapconn) {
// binding to ldap server
$ldapbind = @ldap_bind($ldapconn, $ldaprdn, $ldappass); // @ suppresses the warning on a failed bind
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...\n";
} else {
echo "LDAP bind failed...\n";
}
}
?>
However this does not work when trying to append the value contained within the POST variable to the CN and DN values.
<?php
// using ldap bind
$ldaprdn = "uid = . $_POST['userLogin'] . 'cn=XXX,dc=XXX,dc=XXX,dc=XXX'"; // ldap rdn or dn
$ldappass = $_POST['userPassword']; // user password
// connect to ldap server
$ldapconn = ldap_connect("server.domain.com")
or die("Could not connect to LDAP server.");
// Set some ldap options for talking to
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if ($ldapconn) {
// binding to ldap server
$ldapbind = @ldap_bind($ldapconn, $ldaprdn, $ldappass); // @ suppresses the warning on a failed bind
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...\n";
} else {
echo "LDAP bind failed...\n";
}
}
?>
Can this be achieved this way? I believe I can only pass three variables using the ldap_bind function.
Many Thanks
You are incorrectly using quotes here and have missed a comma:
$ldaprdn = "uid = . $_POST['userLogin'] . 'cn=XXX,dc=XXX,dc=XXX,dc=XXX'";
should be
$ldaprdn = 'uid =' . $_POST['userLogin'] . ',cn=XXX,dc=XXX,dc=XXX,dc=XXX';
or
$ldaprdn = "uid =$_POST['userLogin'],cn=XXX,dc=XXX,dc=XXX,dc=XXX";
Remember that using single quotes around variables will not resolve the variable to its value (and thus concatenation is required), but using double quotes will.
And on top of that: never work with user-inputted data directly in your scripts - validate the input or at the very least use htmlentities() or strip_tags()...
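A hardened version of the POST-driven bind, written for this page rather than taken from any of the posts above: it allow-lists and escapes the login before it goes into the DN and the search filter (the same string concatenation the $searchfor filter in the anonymous-binding question does), rejects an empty password, sets the options before the bind and reads the mail attribute the first question asked for. The ldaps:// host, the base DN and the ou=people parent DN are placeholders.

```php
<?php
// Added example, not code from any post above. Placeholders: the ldaps:// host,
// the base DN and the parent DN under which user entries live.
const LDAP_URI  = 'ldaps://dc.example.com:636';
const BASE_DN   = 'dc=example,dc=com';
const PEOPLE_DN = 'ou=people,dc=example,dc=com';

// Build the bind DN and the search filter from an untrusted login name.
// DN values (RFC 4514) and filter values (RFC 4515) have different escape
// rules, so ldap_escape() gets the flag that matches each context.
function buildDnAndFilter(string $login): array
{
    // Allow-list first: a login should never contain LDAP metacharacters.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $login)) {
        throw new InvalidArgumentException('unexpected characters in login');
    }
    $dn     = 'uid=' . ldap_escape($login, '', LDAP_ESCAPE_DN) . ',' . PEOPLE_DN;
    $filter = '(&(objectClass=person)(uid='
            . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . '))';
    return [$dn, $filter];
}

// Bind as the user and return the mail attribute, or null if anything fails.
function authenticateAndGetMail(string $login, string $password): ?string
{
    // A DN with an empty password is an "unauthenticated bind" (RFC 4513
    // section 5.1.2); some directories report it as success, so reject it here.
    if ($password === '') {
        return null;
    }
    [$dn, $filter] = buildDnAndFilter($login);
    $conn = ldap_connect(LDAP_URI);              // ldaps:// URI form, port inside the URI
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);   // options before the bind
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    if (!@ldap_bind($conn, $dn, $password)) {    // wrong password: the bind is refused
        ldap_unbind($conn);
        return null;
    }
    $result  = ldap_search($conn, BASE_DN, $filter, ['mail']);
    $entries = $result ? ldap_get_entries($conn, $result) : ['count' => 0];
    ldap_unbind($conn);
    return $entries['count'] > 0 ? ($entries[0]['mail'][0] ?? null) : null;
}

$mail = authenticateAndGetMail($_POST['userLogin'] ?? '', $_POST['userPassword'] ?? '');
echo $mail === null ? "LDAP bind failed...\n" : "Bound; mail: $mail\n";
```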

Facing Warnings LDAP using PHP wrong link resource

I am attempting to connect to active directory via LDAP in php. But I get the following warnings:
Warning: ldap_search(): supplied argument is not a valid ldap link resource in C:\Program Files (x86)\EasyPHP-12.1\www\GuestRegister\login.php on line 39
Warning: ldap_get_entries() expects parameter 1 to be resource, string given in C:\Program Files (x86)\EasyPHP-12.1\www\GuestRegister\login.php on line 41
entries returned
Can anyone help? :)
My code looks like:
<?php
$ds = "10.33.85.172";
$ldaprdn = "CN=HackTeam,CN=Users,DC=cisco,DC=internal";
$ldappass = 'HackMe007';
// connect to ldap server
$ldapconn = ldap_connect("10.33.85.172")
or die("Could not connect to LDAP server.");
if ($ldapconn) {
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind) {
echo "Connected to LDAP";
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION,3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS,0);
$filter="(|(sn=guest-Juan*)(givenname=Juan*))";
$justthese = array("ou", "sn", "givenname", "mail");
$sr=ldap_search($ds, $ldaprdn, $filter, $justthese);
$info = ldap_get_entries($ds, $sr);
echo $info["count"]." entries returned\n";
} else {
echo "Connection to LDAP Failed";
}
}
?>
change:
$sr=ldap_search($ds, $ldaprdn, $filter, $justthese);
to
$sr=ldap_search($ldapconn, $ldaprdn, $filter, $justthese);
You should pass the connection resource as the first parameter to ldap_search, what you are passing is $ds which is just a string with the ldap server's ip.
