Use PHP to authenticate to AD | | |
Going to sound strange, but here i go.
We use Windows 2000 AD for everything. However, we are also running
XAMPP (basically Apache, MySQL, PHP for windows) on a Windows box for
our Intranet. I have a few applications that need to authenticate via
AD from PHP and every example I see uses the LDAP functions built into
PHP.
I cannot query our AD server via LDAP. If I type
ldap://domaincontroller it fails, so of course, when I try to use the
LDAP function in PHP they fail.
How do I get LDAP running on AD? I'm sure I'm missing something simple,
but I'm very frustrated.
BTW, I've started coding another app that queries AD using ASP and it
is soooo easy it hurts.
| | | | re: Use PHP to authenticate to AD
Bonegavel wrote:[color=blue]
> BTW, I've started coding another app that queries AD using ASP and it
> is soooo easy it hurts.[/color]
So what are you doing in ASP to enable such an authentication?
Have a look at http://www.php.net/w32api. Whatever you are doing in ASP, you
should be able to duplicate exactly using that API.
Kristian
DISCLAIMER: I don't do windows. | | | | re: Use PHP to authenticate to AD
Bonegavel wrote:[color=blue]
> Going to sound strange, but here i go.
>
> We use Windows 2000 AD for everything. However, we are also running
> XAMPP (basically Apache, MySQL, PHP for windows) on a Windows box for
> our Intranet. I have a few applications that need to authenticate via
> AD from PHP and every example I see uses the LDAP functions built into
> PHP.
>
> I cannot query our AD server via LDAP. If I type
> ldap://domaincontroller it fails, so of course, when I try to use the
> LDAP function in PHP they fail.
>
> How do I get LDAP running on AD? I'm sure I'm missing something simple,
> but I'm very frustrated.
>
> BTW, I've started coding another app that queries AD using ASP and it
> is soooo easy it hurts.
>[/color]
What we do for this is to bind using a generic account, search for the
sAMAccountName then attempt to rebind using that DN and the supplied
password. If the bind works, the user/password is correct, if it
doesn't the users forgotten their password again.
This is on Linux, don't know anything about Windoze, so this might be
different for you!
e.g.
$ldap_server = "ad_controller.company.com";
$ldap_base_dn = "ou=Users,dc=company,dc=com";
$ldap_def_user = "cn=ldapquery,ou=Users,dc=company,dc=com";
$ldap_def_pass = "password";
$Username = "dumbuser";
$Passwowd = "abc123";
$ld_connect = @ldap_connect($ldap_server);
$bind = @ldap_bind($ld_connect, $ldap_def_user, $ldap_def_pass);
if(!$bind) {
print "Eeek! Cannot bind to ldap server.";
exit;
}
$ld_filter = '(sAMAccountName='. $Username .')';
$ld_data = array('dn');
$ld_sr = ldap_search($ld_connect, $ldap_base_dn, $ld_filter, $ld_data);
$ld_info = ldap_get_entries($ld_connect, $ld_sr);
$ldap_user_dn = $ld_info[0]['dn'];
$bind = @ldap_bind($ld_connect, $ldap_user_dn, $Password);
if(!$bind) {
print "Invalid login, get lost";
exit;
} else {
print "Logged in Ok!";
}
Good luck! Accessing AD from anything other than MS software can be a
pain in the @ss, especially when you start plaing with the GUID. (A 16
byte octect string than may contain nulls!!!)
Sacs
| | | | re: Use PHP to authenticate to AD
i guess what is hurting me at this point is I cannot use any PHP ldap
functions because my domain controller isn't answering LDAP calls. From
what I understand, I should be able to type ldap://domaincontroller
into my browser and it should allow me to query my DC. Doesn't work. I
can't even use one of the free ldap browsers out there.
How do i get my domain controller to respond to LDAP queries? Do I need
to run an LDAP server? Do i need to add LDAP schema to the AD?
| | | | re: Use PHP to authenticate to AD
Nice! I'll have to take a look at this at work tomorrow.
| | | | re: Use PHP to authenticate to AD
Bonegavel wrote:[color=blue]
> i guess what is hurting me at this point is I cannot use any PHP ldap
> functions because my domain controller isn't answering LDAP calls. From
> what I understand, I should be able to type ldap://domaincontroller
> into my browser and it should allow me to query my DC. Doesn't work. I
> can't even use one of the free ldap browsers out there.
>
> How do i get my domain controller to respond to LDAP queries? Do I need
> to run an LDAP server? Do i need to add LDAP schema to the AD?
>[/color]
Hmm, ok, sorry I got the wrong end of the stick :-)
AD is an LDAP server, so it should just work. I don't know too much
about windoze admin, I dont do that, but is it possible they've turned
off plain ldap and are enforcing ldapssl?
Sacs
| | | | re: Use PHP to authenticate to AD
alan_nospam_@way.co.nz says...[color=blue]
> Bonegavel wrote:[color=green]
> > How do i get my domain controller to respond to LDAP queries? Do I need
> > to run an LDAP server? Do i need to add LDAP schema to the AD?
> >[/color]
> Hmm, ok, sorry I got the wrong end of the stick :-)
>
> AD is an LDAP server, so it should just work. I don't know too much
> about windoze admin, I dont do that, but is it possible they've turned
> off plain ldap and are enforcing ldapssl?[/color]
Neither MS Active Directory or Novell E-directory are fully ldap v.3
standards compliant, so don't expect everything to work out of the box.
Geoff M | | | | re: Use PHP to authenticate to AD
This is what is making me crazy: Why can I not connect to my Windows
2000 Domain Controller via LDAP?
| | | | re: Use PHP to authenticate to AD
Still having problems but taking it one step at a time I tried this:
<?
$connect = ldap_connect("myDC", 389);
echo $connect;
?>
and the echo is: Resource id #2
so, it appears to connect.
However, when I try ldap_bind() it fails to bind.
| | | | re: Use PHP to authenticate to AD
Bonegavel wrote:[color=blue]
> Still having problems but taking it one step at a time I tried this:
>
> <?
> $connect = ldap_connect("myDC", 389);
>
> echo $connect;
> ?>
>
> and the echo is: Resource id #2
>
> so, it appears to connect.
>
> However, when I try ldap_bind() it fails to bind.
>[/color]
A step forward anyway!
How are you binding? You need the full dn of a user and the correct
password.
Sacs
| | | | re: Use PHP to authenticate to AD
I cannot believe the answer to my problem was so simple...
The code I was using was correct and only missing one thing:
username had to have @domain.com added on. In my ldap_bind() i was
passing
ldap_bind($ldapconnect, "username", "password")
and it has to be
ldap_bind($ldapconnect, "username@mydomain.com", "password")
Uggh. Thank you to everyone that replied to this.
| | | | re: Use PHP to authenticate to AD
Thanks for the code. As I was testing it on our systems here I found
that if the username in the second attempt to connect was blank, it
would respond as if it succeeded. So it might be best to change the
second if !$bind to if ( (!bind) && ($ldap_user_dn=="") )
Sacs wrote:
[color=blue]
> This is on Linux, don't know anything about Windoze, so this might be[/color]
[color=blue]
> different for you!
>
> e.g.
>
> $ldap_server = "ad_controller.company.com";
> $ldap_base_dn = "ou=Users,dc=company,dc=com";
> $ldap_def_user = "cn=ldapquery,ou=Users,dc=company,dc=com";
> $ldap_def_pass = "password";
>
> $Username = "dumbuser";
> $Passwowd = "abc123";
>
> $ld_connect = @ldap_connect($ldap_server);
> $bind = @ldap_bind($ld_connect, $ldap_def_user, $ldap_def_pass);
> if(!$bind) {
> print "Eeek! Cannot bind to ldap server.";
> exit;
> }
>
>
> $ld_filter = '(sAMAccountName='. $Username .')';
> $ld_data = array('dn');
> $ld_sr = ldap_search($ld_connect, $ldap_base_dn, $ld_filter,[/color]
$ld_data);[color=blue]
> $ld_info = ldap_get_entries($ld_connect, $ld_sr);
> $ldap_user_dn = $ld_info[0]['dn'];
>
> $bind = @ldap_bind($ld_connect, $ldap_user_dn, $Password);
>
> if(!$bind) {
> print "Invalid login, get lost";
> exit;
> } else {
> print "Logged in Ok!";
> }[/color]
| | | | re: Use PHP to authenticate to AD
jd142 wrote:[color=blue]
> Thanks for the code. As I was testing it on our systems here I found
> that if the username in the second attempt to connect was blank, it
> would respond as if it succeeded. So it might be best to change the
> second if !$bind to if ( (!bind) && ($ldap_user_dn=="") )
>
>[/color]
Hmm, intersting. Was that against Active Directory or a real LDAP
server? AD isn't meant to allow unauthenticated searches, and it
shouldn't return a bind resource on an invalid bind attempt. *shrug*
Watch out when getting the GUID from AD, it's a pig to deal with, 16
byte octect string, with NULLs, so you can't treat it as a string. It is
the unique identifier for an AD object, thus usefull for treating AD
as an authoritative source for user info.
Glad to have helped!
Sacs
[color=blue]
> Sacs wrote:
>
>[color=green]
>>This is on Linux, don't know anything about Windoze, so this might be[/color]
>
>[color=green]
>>different for you!
>>
>>e.g.
>>
>>$ldap_server = "ad_controller.company.com";
>>$ldap_base_dn = "ou=Users,dc=company,dc=com";
>>$ldap_def_user = "cn=ldapquery,ou=Users,dc=company,dc=com";
>>$ldap_def_pass = "password";
>>
>>$Username = "dumbuser";
>>$Passwowd = "abc123";
>>
>>$ld_connect = @ldap_connect($ldap_server);
>>$bind = @ldap_bind($ld_connect, $ldap_def_user, $ldap_def_pass);
>>if(!$bind) {
>> print "Eeek! Cannot bind to ldap server.";
>> exit;
>>}
>>
>>
>>$ld_filter = '(sAMAccountName='. $Username .')';
>>$ld_data = array('dn');
>>$ld_sr = ldap_search($ld_connect, $ldap_base_dn, $ld_filter,[/color]
>
> $ld_data);
>[color=green]
>> $ld_info = ldap_get_entries($ld_connect, $ld_sr);
>>$ldap_user_dn = $ld_info[0]['dn'];
>>
>>$bind = @ldap_bind($ld_connect, $ldap_user_dn, $Password);
>>
>>if(!$bind) {
>> print "Invalid login, get lost";
>> exit;
>>} else {
>> print "Logged in Ok!";
>>}[/color]
>
>[/color]
| | | | re: Use PHP to authenticate to AD
Bonegavel wrote:[color=blue]
> I cannot believe the answer to my problem was so simple...
>
> The code I was using was correct and only missing one thing:
>
> username had to have @domain.com added on. In my ldap_bind() i was
> passing
>
> ldap_bind($ldapconnect, "username", "password")
>
> and it has to be
>
> ldap_bind($ldapconnect, "username@mydomain.com", "password")
>
> Uggh. Thank you to everyone that replied to this.
>[/color]
Glad to hear you've nailed it! Personally I found this LDAP/AD stuff
the hardest thing I've ever had to grok. Once it works though, it is SO
usefull!
Sacs
| | | | re: Use PHP to authenticate to AD
Hey!
I am working on the same thing and I having a huge problem here with
the searching of my ad structure..
i am able to get my script to run far enough to bind but then the
search fails:
LDAP query test
Connecting ...connect result is Resource id #3
Binding ...Bind result is 1
Searching ...
Warning: ldap_search(): Search: Partial results and referral received
in /home/engage/public_html/authenticate.php on line 47
Search result is
here is my script:
<?php
echo "<h3>LDAP query test</h3>";
echo "Connecting ...";
$ds=ldap_connect("ads.iu.edu"); // must be a valid LDAP server!
echo "connect result is " . $ds . "<br />";
$ldaprdn = 'xxxxx';
$ldappass = 'xxxx';
//set ldap option
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
if ($ds) {
echo "Binding ...";
$r=ldap_bind($ds, $ldaprdn, $ldappass);
echo "Bind result is " . $r . "<br />";
echo "Searching ...";
$username="msgreenf";
$dn = "dc=ads, dc=iu, dc=edu";
$filter="(cn=$username)";
$justthese = array("srname", "givenname", "mail", "memberOf");
//echo $ds. " ". $dn . " " . $filter . " " . $justthese;
$sr=ldap_search($ds, $dn, $filter, $justthese);
echo "Search result is " . $sr . "<br />";
echo "Number of entires returned is " . ldap_count_entries($ds, $sr)
..
"<br />";
echo "Getting entries ...<p>";
$info = ldap_get_entries($ds, $sr);
echo "Data for " . $info["count"] . " items returned:<p>";
for ($i=0; $i<$info["count"]; $i++) {
echo "dn is: " . $info[$i]["dn"] . "<br />";
echo "first cn entry is: " . $info[$i]["cn"][0] . "<br />";
echo "first email entry is: " . $info[$i]["mail"][0] . "<br
/><hr />";
}
echo "Closing connection";
ldap_close($ds);
} else {
echo "<h4>Unable to connect to LDAP server</h4>";
}
//header to redirect at the end
// echo("Output: ".$result);
header("Location: http://www.indiana.edu/~engage/index.php");
?>
Sacs wrote:[color=blue]
> Bonegavel wrote:[color=green]
> > I cannot believe the answer to my problem was so simple...
> >
> > The code I was using was correct and only missing one thing:
> >
> > username had to have @domain.com added on. In my ldap_bind() i was
> > passing
> >
> > ldap_bind($ldapconnect, "username", "password")
> >
> > and it has to be
> >
> > ldap_bind($ldapconnect, "username@mydomain.com", "password")
> >
> > Uggh. Thank you to everyone that replied to this.
> >[/color]
>
> Glad to hear you've nailed it! Personally I found this LDAP/AD stuff[/color]
[color=blue]
> the hardest thing I've ever had to grok. Once it works though, it is[/color]
SO[color=blue]
> usefull!
>
> Sacs[/color] | | | | re: Use PHP to authenticate to AD
Mitch wrote:[color=blue]
> Hey!
>
> I am working on the same thing and I having a huge problem here with
> the searching of my ad structure..
> i am able to get my script to run far enough to bind but then the
> search fails:
> LDAP query test
> Connecting ...connect result is Resource id #3
> Binding ...Bind result is 1
> Searching ...
> Warning: ldap_search(): Search: Partial results and referral received
> in /home/engage/public_html/authenticate.php on line 47
> Search result is
>
>
> here is my script:
>
> <?php
> echo "<h3>LDAP query test</h3>";
> echo "Connecting ...";
> $ds=ldap_connect("ads.iu.edu"); // must be a valid LDAP server!
> echo "connect result is " . $ds . "<br />";
> $ldaprdn = 'xxxxx';
> $ldappass = 'xxxx';
>
> //set ldap option
> ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
>
> if ($ds) {
> echo "Binding ...";
> $r=ldap_bind($ds, $ldaprdn, $ldappass);
> echo "Bind result is " . $r . "<br />";
>
> echo "Searching ...";
> $username="msgreenf";
> $dn = "dc=ads, dc=iu, dc=edu";
> $filter="(cn=$username)";
> $justthese = array("srname", "givenname", "mail", "memberOf");
> //echo $ds. " ". $dn . " " . $filter . " " . $justthese;
> $sr=ldap_search($ds, $dn, $filter, $justthese);
> echo "Search result is " . $sr . "<br />";
>
> echo "Number of entires returned is " . ldap_count_entries($ds, $sr)
> .
> "<br />";
>
> echo "Getting entries ...<p>";
> $info = ldap_get_entries($ds, $sr);
> echo "Data for " . $info["count"] . " items returned:<p>";
>
> for ($i=0; $i<$info["count"]; $i++) {
> echo "dn is: " . $info[$i]["dn"] . "<br />";
> echo "first cn entry is: " . $info[$i]["cn"][0] . "<br />";
> echo "first email entry is: " . $info[$i]["mail"][0] . "<br
> /><hr />";
> }
>
> echo "Closing connection";
> ldap_close($ds);
>
> } else {
> echo "<h4>Unable to connect to LDAP server</h4>";
> }
>
> //header to redirect at the end
> // echo("Output: ".$result);
> header("Location: http://www.indiana.edu/~engage/index.php");
>
> ?>
>[/color]
<snip>
Ok, I got the same results (once I had changed the obvious bits :-). I
changed the line:
$dn = "dc=ads, dc=iu, dc=edu";
to:
$dn = "ou=Domain Users,dc=mycomany,dc=co,dc=nz";
and it worked!
Try setting the $dn to be the top level organisational unit in you AD.
(Might be "Users" or something - it may be AD not allowing a full search
of the forest)
Sacs |  |
| | |  /bytes/about
We are a network of experts and professionals in IT and software development that help one another with answers to tough questions and share insights.
Get the best answers to your questions from over 226,327 network members.
|
