Use PHP to authenticate to AD

Bonegavel wrote:

BTW, I've started coding another app that queries AD using ASP and it
is soooo easy it hurts.

So what are you doing in ASP to enable such an authentication?

Have a look at http://www.php.net/w32api. Whatever you are doing in ASP, you
should be able to duplicate exactly using that API.

Kristian

DISCLAIMER: I don't do windows.

Bonegavel wrote:

Going to sound strange, but here i go.

We use Windows 2000 AD for everything. However, we are also running
XAMPP (basically Apache, MySQL, PHP for windows) on a Windows box for
our Intranet. I have a few applications that need to authenticate via
AD from PHP and every example I see uses the LDAP functions built into
PHP.

I cannot query our AD server via LDAP. If I type
ldap://domaincontrolle r it fails, so of course, when I try to use the
LDAP function in PHP they fail.

How do I get LDAP running on AD? I'm sure I'm missing something simple,
but I'm very frustrated.

BTW, I've started coding another app that queries AD using ASP and it
is soooo easy it hurts.

What we do for this is to bind using a generic account, search for the
sAMAccountName then attempt to rebind using that DN and the supplied
password. If the bind works, the user/password is correct, if it
doesn't the users forgotten their password again.

This is on Linux, don't know anything about Windoze, so this might be
different for you!

e.g.

$ldap_server = "ad_controller. company.com";
$ldap_base_dn = "ou=Users,dc=co mpany,dc=com";
$ldap_def_user = "cn=ldapquery,o u=Users,dc=comp any,dc=com";
$ldap_def_pass = "password";

$Username = "dumbuser";
$Passwowd = "abc123";

$ld_connect = @ldap_connect($ ldap_server);
$bind = @ldap_bind($ld_ connect, $ldap_def_user, $ldap_def_pass) ;
if(!$bind) {
print "Eeek! Cannot bind to ldap server.";
exit;
}
$ld_filter = '(sAMAccountNam e='. $Username .')';
$ld_data = array('dn');
$ld_sr = ldap_search($ld _connect, $ldap_base_dn, $ld_filter, $ld_data);
$ld_info = ldap_get_entrie s($ld_connect, $ld_sr);
$ldap_user_dn = $ld_info[0]['dn'];

$bind = @ldap_bind($ld_ connect, $ldap_user_dn, $Password);

if(!$bind) {
print "Invalid login, get lost";
exit;
} else {
print "Logged in Ok!";
}
Good luck! Accessing AD from anything other than MS software can be a
pain in the @ss, especially when you start plaing with the GUID. (A 16
byte octect string than may contain nulls!!!)

Sacs

i guess what is hurting me at this point is I cannot use any PHP ldap
functions because my domain controller isn't answering LDAP calls. From
what I understand, I should be able to type ldap://domaincontrolle r
into my browser and it should allow me to query my DC. Doesn't work. I
can't even use one of the free ldap browsers out there.

How do i get my domain controller to respond to LDAP queries? Do I need
to run an LDAP server? Do i need to add LDAP schema to the AD?

Nice! I'll have to take a look at this at work tomorrow.

Bonegavel wrote:

i guess what is hurting me at this point is I cannot use any PHP ldap
functions because my domain controller isn't answering LDAP calls. From
what I understand, I should be able to type ldap://domaincontrolle r
into my browser and it should allow me to query my DC. Doesn't work. I
can't even use one of the free ldap browsers out there.

How do i get my domain controller to respond to LDAP queries? Do I need
to run an LDAP server? Do i need to add LDAP schema to the AD?

Hmm, ok, sorry I got the wrong end of the stick :-)

AD is an LDAP server, so it should just work. I don't know too much
about windoze admin, I dont do that, but is it possible they've turned
off plain ldap and are enforcing ldapssl?

Sacs

al**********@wa y.co.nz says...

Bonegavel wrote:

How do i get my domain controller to respond to LDAP queries? Do I need
to run an LDAP server? Do i need to add LDAP schema to the AD?

Hmm, ok, sorry I got the wrong end of the stick :-)

AD is an LDAP server, so it should just work. I don't know too much
about windoze admin, I dont do that, but is it possible they've turned
off plain ldap and are enforcing ldapssl?

Neither MS Active Directory or Novell E-directory are fully ldap v.3
standards compliant, so don't expect everything to work out of the box.

Geoff M

This is what is making me crazy: Why can I not connect to my Windows
2000 Domain Controller via LDAP?

Still having problems but taking it one step at a time I tried this:

<?
$connect = ldap_connect("m yDC", 389);

echo $connect;
?>

and the echo is: Resource id #2

so, it appears to connect.

However, when I try ldap_bind() it fails to bind.

Bonegavel wrote:

Still having problems but taking it one step at a time I tried this:

<?
$connect = ldap_connect("m yDC", 389);

echo $connect;
?>

and the echo is: Resource id #2

so, it appears to connect.

However, when I try ldap_bind() it fails to bind.

A step forward anyway!

How are you binding? You need the full dn of a user and the correct
password.

Sacs