Issues binding to Active Directory using PHP on Apache - php

I have a PHP script on an Apache server, and every time I try to run it, it tells me:
unable to bind to the AD
It connects fine though. I took it off the Apache server and ran it locally from my machine, and it was able to bind just fine. I'm assuming that there is something wrong with my configuration of Apache.
I'm using the adLDAP API, and this is the script I'm trying to run. It's basically a test to see whether I'm able to bind successfully and to check whether the credentials entered are in the Active Directory.
<?php
$username = $_POST["username"];
$password = $_POST["password"];
$formage  = $_POST["formage"];
if ($_POST["oldform"]) { // prevent null bind
    if ($username != NULL && $password != NULL) {
        // include the class and create a connection
        include (dirname(__FILE__) . "/../src/adLDAP.php");
        try {
            $adldap = new adLDAP();
        }
        catch (adLDAPException $e) {
            echo $e;
            exit();
        }
        // authenticate the user
        if ($adldap->authenticate($username, $password)) {
            // establish your session and redirect
            session_start();
            $_SESSION["username"] = $username;
            $_SESSION["userinfo"] = $adldap->user()->info($username);
            $redir = "Location: https://" . $_SERVER['HTTP_HOST'] .
                     dirname($_SERVER['PHP_SELF']) . "/menu.php";
            header($redir);
            exit;
        }
    }
    $failed = 1;
}
Why am I getting this error: unable to bind to the AD?

I figured out the issue.
Apparently SELinux was blocking the port I needed to connect to, so I just essentially told SELinux that it's ok to connect to that port. Now everything works like a charm. Here is how I allowed Apache access to the port:
grep httpd /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

Related

ldap auth with php fails intermittently

I have put together a basic web-app, and the web-app itself works fine. However, I wanted to add user authentication using our existing LDAP server. The LDAP script seems to work intermittently though: when logging in, the first few attempts will fail with the 'access denied' message, then it will authenticate. I ran the script stand-alone without the app and the same behavior applies.
I can't seem to tie the problem down anywhere; I can only assume it is occurring on the LDAP side and not the PHP side. I have included the script below, any help would be great.
While writing this, it failed to auth 3 times and passed twice...
<?php
$user = $_POST['login-name'];
$password = $_POST['login-pass'];
$ldap_user = 'uid=' . $user . ',ou=people,dc=ourdomain,dc=com,dc=au';
$ldap_pwd = $password;
$ldaphost = 'ldap://ldapserver.domain.com';
$ldapport = 389;
$ds = ldap_connect($ldaphost, $ldapport)
    or die("Could not connect to $ldaphost");
if ($ds)
{
    $username = $ldap_user;
    $upasswd = $password;
    $ldapbind = ldap_bind($ds, $username, $upasswd);
    if ($ldapbind)
    {
        //print "Congratulations! $username is authenticated.";
        header('Location: message.html');
    }
    else
    { print "Access Denied!"; }
}
?>
You probably should set the LDAP-protocol version to 3 using
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
before calling ldap_bind().
I've found this at http://php.net/manual/de/function.ldap-bind.php#72795
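An added example, not code from either of the questions or answers above: a bind routine that covers the points raised in these two threads. It rejects the empty password that turns ldap_bind() into an anonymous bind (the "null bind" the first question guards against), sets LDAPv3 and disables referral chasing before binding, escapes the user-supplied RDN value, and reports ldap_error() instead of a bare "unable to bind". The host, the base DN and the uid= naming are assumptions.

```php
<?php
// Added example, not from the posts above. Wrapper around ldap_bind() that
// authenticates one user and explains failures. Assumed: users live under
// $baseDn as uid=<login>, and $host is a placeholder LDAP URI.

/** Returns ['ok' => bool, 'error' => string]; never throws on LDAP failures. */
function ldap_authenticate(string $host, string $baseDn, string $user, string $password): array
{
    // An empty password turns ldap_bind() into an anonymous/unauthenticated
    // bind, which many servers accept: the login would "succeed" unchecked.
    // This is the "null bind" the first question guards against.
    if ($user === '' || $password === '') {
        return ['ok' => false, 'error' => 'empty username or password'];
    }
    // Accept only the characters a login name should contain; DN escaping
    // below is the second line of defence, not the first.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user)) {
        return ['ok' => false, 'error' => 'unexpected characters in username'];
    }

    $ds = ldap_connect($host);                 // allocates a handle; no I/O yet
    if ($ds === false) {
        return ['ok' => false, 'error' => 'malformed LDAP URI'];
    }
    // PHP defaults to LDAPv2; AD expects v3, and chasing referrals without
    // credentials produces intermittent bind failures. Set both before binding.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // Escape the RDN value so ',', '=', '+' etc. in $user cannot rewrite the DN.
    $dn = 'uid=' . ldap_escape($user, '', LDAP_ESCAPE_DN) . ',' . $baseDn;

    $ok = @ldap_bind($ds, $dn, $password);     // @ silences PHP's warning; reported below
    // ldap_errno() tells you *why*: 49 = invalid credentials, -1 = can't
    // contact server (firewall/SELinux), 2 = protocol error (wrong version).
    $err = $ok ? '' : sprintf('%s (errno %d)', ldap_error($ds), ldap_errno($ds));
    ldap_unbind($ds);
    return ['ok' => (bool) $ok, 'error' => $err];
}

// Constructed call; host and base DN are placeholders.
$r = ldap_authenticate('ldap://ldap.example.test', 'ou=people,dc=example,dc=test',
                       $_POST['login-name'] ?? '', $_POST['login-pass'] ?? '');
echo $r['ok'] ? "authenticated\n" : "login failed: {$r['error']}\n";
```

ldap_escape() and the LDAP_ESCAPE_DN flag require PHP 5.6 or later.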

Unable to make connection with database from cronjob

I have a cron.php file on my server which makes a connection with the database and does some work. When I execute this file using the browser, it runs perfectly. But when it executes from cron, it gives the following error while making the database connection:
ERROR: SQLSTATE[28000] [1045] Access denied for user 'USER_NAME'@'localhost' (using password: YES)
I searched a lot but no clue what to do. Any ideas?
EDIT: Basically, this is my cron.php:
<?php
require_once('phpInclude/db_connection.php');
error_reporting(1);
$sql_qry = "select email, apn_id, reg_id, token from users where verify = 'n' and DATEDIFF(NOW(),created_on) = 3";
$res=$con->query($sql_qry);
?>
My db_connection.php:
<?php
require_once('config.php');
// The connection settings must be assigned before they are used below.
$DB_HOST = LOCALHOST;
$DB_DATABASE = DB_NAME;
$DB_USER = USER_NAME;
$DB_PASSWORD = USER_PASS;
try {
    $dsn = 'mysql:host=' . $DB_HOST . ';dbname=' . $DB_DATABASE;
    $con = new PDO($dsn, $DB_USER, $DB_PASSWORD);
    $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch (PDOException $e) {
    echo 'ERROR: ' . $e->getMessage();
}
?>
My config.php:
<?php
define('LOCALHOST', 'localhost');
define('USER_NAME', 'xxxxxxxxxxx');
define('USER_PASS', 'xxxxxxxxxx');
define('DB_NAME', 'xxxxxxxxxx');
define("UPLOAD_PATH", "xxxxxxxxxxxx");
define("BASE_PATH", "xxxxxxxxxxxxxx");
Problem solved. I was having a localhost check in my config.php file. At first, I made the webservices at localhost using wamp, so the config was of localhost. Later, I moved the project on my server. And I changed the config by adding:
if ($server == "http://myserver.com") {
    // take server config
} else {
    // take localhost config
}
And cron service picked the config inside else clause.
CRONs typically run from the CLI, so it may not be accessing this file from the webroot like when you browse to cron.php. Try changing the require to an absolute path:
require_once __DIR__ . '/phpInclude/db_connection.php';
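An added example, not code from the question or its answers, of a cron.php that does not depend on the web request environment: it includes via __DIR__ as the second answer suggests, picks its configuration from facts that exist both under Apache and under cron, and refuses to run over HTTP. The APP_ENV variable, the host name and the expectation that db_connection.php defines $con are assumptions.

```php
<?php
// Added example, not code from the question or its answers. A cron entry
// point that behaves the same from the command line and from Apache.
// Assumed: phpInclude/db_connection.php sits beside this file and defines
// $con (a PDO handle) as in the question; APP_ENV and the host are placeholders.

// 1. A cron script inside the webroot is reachable over HTTP by anyone.
//    Refuse that path instead of relying on the browser to trigger the job.
if (PHP_SAPI !== 'cli') {
    http_response_code(403);
    exit('cron.php must be run from the command line');
}

/**
 * Decide which config block applies. $_SERVER['HTTP_HOST'] exists only in a
 * web request, so a check like `if (server == "http://myserver.com")` always
 * falls into its else branch under cron. Use facts present in both SAPIs.
 */
function running_environment(): string
{
    // Preferred: an explicit marker set in the vhost (SetEnv APP_ENV prod)
    // and on the crontab line (APP_ENV=prod php /path/to/cron.php).
    $env = getenv('APP_ENV');
    if ($env !== false && $env !== '') {
        return $env;
    }
    // Fallback: the machine name, which Apache and cron both see.
    return gethostname() === 'web01.example.test' ? 'prod' : 'local'; // placeholder host
}

$environment = running_environment(); // config.php may branch on this instead of HTTP_HOST

// 2. Resolve includes against this file's directory, never the CWD: cron runs
//    with cwd = $HOME (or /), so a relative require_once() fails there.
require_once __DIR__ . '/phpInclude/db_connection.php';

// 3. The original query, with failures written to stderr (which cron mails)
//    instead of an undefined $con silently producing an empty run.
$sql = "SELECT email, apn_id, reg_id, token FROM users
        WHERE verify = 'n' AND DATEDIFF(NOW(), created_on) = 3";
try {
    $rows = $con->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    fwrite(STDOUT, "[$environment] " . count($rows) . " users to process" . PHP_EOL);
} catch (Throwable $e) {
    fwrite(STDERR, 'DB error: ' . $e->getMessage() . PHP_EOL);
    exit(1);
}
```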

PHP LDAP binding AD with the server's user account

I have some code that uses PHP and LDAP to connect to AD:
$host = 'ldap://stack.overflow.com';
$port = 389;
$username = 'stackOverflow';
$password = 'IaMP4ssWord';
$dn = 'CN=Users, DC=STACK, DC=OVERFLOW, DC=COM';
$cond = '(&(objectcategory=user)(displayname=*))'; // All users that have a displayname
if ($ldap = ldap_connect($host, $port))
{
    if (ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3))
    {
        if (ldap_bind($ldap, $username, $password))
        {
            $attrs = array('displayname', 'mail');
            if ($rs = ldap_search($ldap, $dn, $cond, $attrs))
            {
                $results = ldap_get_entries($ldap, $rs);
                echo "<pre>"; print_r($results); echo "</pre>"; // Print the results ($results, not $result)
            }
        }
        else
        { echo 'Binding failed'; }
    }
    else
    { echo 'Setting options failed'; }
}
else
{ echo 'Connection failed'; }
Now this code works just fine. It prints out every user that has a displayname in AD.
The problem is that for the username/password binding I am using my own user credentials to bind to the server.
I would like to know if there is a way to bind using the server's credentials.
I am set up using PHP 5.3 + IIS on Windows Server 2008 R2, for both the server with IIS and the one that has AD (two different VMs).
I also know that IIS has an AD account named IISStackOverflow, but I don't know the password or even if it has a password...
Thanks!
Oh! I tried changing $username to IISStackOverflow and $password to ''
But it gave invalid credential error.
--EDIT--
Do I have to do the binding part at all? (If I am only reading data)
As you run it from the server itself, and you just want to read, I would try to use:
...
if(ldap_bind($ldap))
...
According to the PHP documentation, if bind_rdn and bind_password are not specified, an anonymous bind is attempted.
Then if your anonymous logon is refused (this should not happen, because running under IIS on the server your code is at least executed as a domain user) you will find there how to enable anonymous LDAP binds to Windows Server. This used to work for me on W2K8; I never tested it on W2K12.

PHP ldap bind issue

I've been looking at a couple of guides (and the PHP manual) trying to validate AD users on an intranet site I'm about to make. This is the first time I've used ldap_connect, and I haven't had the best of luck.
Could anyone look at my code and see what I'm missing?
Thanks.
<?php
$user = "08jf1";
$password = "pass";
// Active Directory server
$ldap_host = "10.43.48.5";
// Active Directory DN
$ldap_dn = "OU=CSE-W7,OU=Students-W7,DC=server,DC=local";
// Domain, for purposes of constructing $user
$ldap_usr_domain = "@server.local";
// Connect to AD host
$ldapconn = ldap_connect("10.43.48.5");
if ($ldapconn) {
    $bind = ldap_bind($ldap_host, $ldap_dn, $user . $ldap_usr_domain, $password);
    if ($bind) {
        echo "Verified user";
        //$_SESSION['username'] = $session_username;
        //$_SESSION['password'] = $session_password;
    } else {
        echo "User does not exist";
    }
}
?>
Edit: I can confirm LDAP is enabled through phpinfo!
Is that syntax of ldap_bind correct? Isn't it ldap_bind($ldapconn, $rdn, $password)?
Binding may need an elevated privilege or an authbind wrapper. Refer to authbind for LDAP. LDAP AuthBind
Take a look at this very simple example: How to use LDAP Active Directory Authentication with PHP

When authenticating user in adLDAP the result is "User authentication unsuccessful"

INFO: I am trying to authenticate with adLDAP
PROBLEM: adLDAP is telling me "User authentication unsuccessful"
QUESTION: How do I find out what I need to do when there are no errors telling me what to handle?
SEARCHED/TRIED:
http://adldap.sourceforge.net/faq.php
stackoverflow.com/questions/2465260/using-adldap-php-class-but-getting-error-when-looking-for-group-user-belongs-to
adldap.sourceforge.net/wiki/doku.php?id=documentation_examples#authenticating_a_user
http://phreek.org/blog/2011/12/enable-php-ldap-module-in-xampp
CODE:
require_once(dirname(__FILE__) . '/adLDAP.php');
$adldap = new adLDAP();
$username = "user";
// $username = "domain\user"; // I have also tried
$password = "pass";
$authUser = $adldap->authenticate($username, $password);
if ($authUser == true) {
    echo "User authenticated successfully";
}
else {
    echo "User authentication unsuccessful";
}
echo('<hr />');
$result = $adldap->user_info("jboyle");
print_r($result);
HTML OUTPUT:
User authentication unsuccessful
Fatal error: Call to undefined method adLDAP::user_info() in C:\xampp\htdocs\adLDAP\compare.php on line 18
Replace:
echo "User authentication unsuccessful";
with
echo "Username '{$username}' login failed: ".$adldap->getLastError();
Result:
Username 'user' login failed: Can't contact LDAP server
Info/sources:
https://sourceforge.net/projects/adldap/forums/forum/358759/topic/1719128?message=4368835
http://adldap.sourceforge.net/wiki/doku.php?id=ldap_over_ssl#tell_apache_how_to_use_ldaps
Do a phpinfo() and check where the HOME variable points to in the Apache environment. Create a symbolic link or copy ldap.conf to this location.
If you get a connect error, it may be because your local OpenSSL installation doesn't recognise the certificate (or its authority) provided by the server. This can be circumvented by adding the following line to ldap.conf on your server or similar:
Change TLS_REQCERT allow to TLS_REQCERT never
Apache must be able to read ldap.conf, you cannot skip this step.