By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
440,304 Members | 3,172 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 440,304 IT Pros & Developers. It's quick & easy.

Use PHP to authenticate to AD

P: n/a
Going to sound strange, but here i go.

We use Windows 2000 AD for everything. However, we are also running
XAMPP (basically Apache, MySQL, PHP for windows) on a Windows box for
our Intranet. I have a few applications that need to authenticate via
AD from PHP and every example I see uses the LDAP functions built into
PHP.

I cannot query our AD server via LDAP. If I type
ldap://domaincontroller it fails, so of course, when I try to use the
LDAP function in PHP they fail.

How do I get LDAP running on AD? I'm sure I'm missing something simple,
but I'm very frustrated.

BTW, I've started coding another app that queries AD using ASP and it
is soooo easy it hurts.

Jul 17 '05 #1
Share this Question
Share on Google+
15 Replies


P: n/a
Bonegavel wrote:
BTW, I've started coding another app that queries AD using ASP and it
is soooo easy it hurts.


So what are you doing in ASP to enable such an authentication?

Have a look at http://www.php.net/w32api. Whatever you are doing in ASP, you
should be able to duplicate exactly using that API.

Kristian

DISCLAIMER: I don't do windows.

Jul 17 '05 #2

P: n/a
Bonegavel wrote:
Going to sound strange, but here i go.

We use Windows 2000 AD for everything. However, we are also running
XAMPP (basically Apache, MySQL, PHP for windows) on a Windows box for
our Intranet. I have a few applications that need to authenticate via
AD from PHP and every example I see uses the LDAP functions built into
PHP.

I cannot query our AD server via LDAP. If I type
ldap://domaincontroller it fails, so of course, when I try to use the
LDAP function in PHP they fail.

How do I get LDAP running on AD? I'm sure I'm missing something simple,
but I'm very frustrated.

BTW, I've started coding another app that queries AD using ASP and it
is soooo easy it hurts.


What we do for this is to bind using a generic account, search for the
sAMAccountName then attempt to rebind using that DN and the supplied
password. If the bind works, the user/password is correct, if it
doesn't the users forgotten their password again.

This is on Linux, don't know anything about Windoze, so this might be
different for you!

e.g.

$ldap_server = "ad_controller.company.com";
$ldap_base_dn = "ou=Users,dc=company,dc=com";
$ldap_def_user = "cn=ldapquery,ou=Users,dc=company,dc=com";
$ldap_def_pass = "password";

$Username = "dumbuser";
$Passwowd = "abc123";

$ld_connect = @ldap_connect($ldap_server);
$bind = @ldap_bind($ld_connect, $ldap_def_user, $ldap_def_pass);
if(!$bind) {
print "Eeek! Cannot bind to ldap server.";
exit;
}
$ld_filter = '(sAMAccountName='. $Username .')';
$ld_data = array('dn');
$ld_sr = ldap_search($ld_connect, $ldap_base_dn, $ld_filter, $ld_data);
$ld_info = ldap_get_entries($ld_connect, $ld_sr);
$ldap_user_dn = $ld_info[0]['dn'];

$bind = @ldap_bind($ld_connect, $ldap_user_dn, $Password);

if(!$bind) {
print "Invalid login, get lost";
exit;
} else {
print "Logged in Ok!";
}
Good luck! Accessing AD from anything other than MS software can be a
pain in the @ss, especially when you start plaing with the GUID. (A 16
byte octect string than may contain nulls!!!)

Sacs
Jul 17 '05 #3

P: n/a
i guess what is hurting me at this point is I cannot use any PHP ldap
functions because my domain controller isn't answering LDAP calls. From
what I understand, I should be able to type ldap://domaincontroller
into my browser and it should allow me to query my DC. Doesn't work. I
can't even use one of the free ldap browsers out there.

How do i get my domain controller to respond to LDAP queries? Do I need
to run an LDAP server? Do i need to add LDAP schema to the AD?

Jul 17 '05 #4

P: n/a
Nice! I'll have to take a look at this at work tomorrow.

Jul 17 '05 #5

P: n/a
Bonegavel wrote:
i guess what is hurting me at this point is I cannot use any PHP ldap
functions because my domain controller isn't answering LDAP calls. From
what I understand, I should be able to type ldap://domaincontroller
into my browser and it should allow me to query my DC. Doesn't work. I
can't even use one of the free ldap browsers out there.

How do i get my domain controller to respond to LDAP queries? Do I need
to run an LDAP server? Do i need to add LDAP schema to the AD?

Hmm, ok, sorry I got the wrong end of the stick :-)

AD is an LDAP server, so it should just work. I don't know too much
about windoze admin, I dont do that, but is it possible they've turned
off plain ldap and are enforcing ldapssl?

Sacs
Jul 17 '05 #6

P: n/a
al**********@way.co.nz says...
Bonegavel wrote:
How do i get my domain controller to respond to LDAP queries? Do I need
to run an LDAP server? Do i need to add LDAP schema to the AD?

Hmm, ok, sorry I got the wrong end of the stick :-)

AD is an LDAP server, so it should just work. I don't know too much
about windoze admin, I dont do that, but is it possible they've turned
off plain ldap and are enforcing ldapssl?


Neither MS Active Directory or Novell E-directory are fully ldap v.3
standards compliant, so don't expect everything to work out of the box.

Geoff M

Jul 17 '05 #7

P: n/a
This is what is making me crazy: Why can I not connect to my Windows
2000 Domain Controller via LDAP?

Jul 17 '05 #8

P: n/a
Still having problems but taking it one step at a time I tried this:

<?
$connect = ldap_connect("myDC", 389);

echo $connect;
?>

and the echo is: Resource id #2

so, it appears to connect.

However, when I try ldap_bind() it fails to bind.

Jul 17 '05 #9

P: n/a
Bonegavel wrote:
Still having problems but taking it one step at a time I tried this:

<?
$connect = ldap_connect("myDC", 389);

echo $connect;
?>

and the echo is: Resource id #2

so, it appears to connect.

However, when I try ldap_bind() it fails to bind.

A step forward anyway!

How are you binding? You need the full dn of a user and the correct
password.

Sacs
Jul 17 '05 #10

P: n/a
I cannot believe the answer to my problem was so simple...

The code I was using was correct and only missing one thing:

username had to have @domain.com added on. In my ldap_bind() i was
passing

ldap_bind($ldapconnect, "username", "password")

and it has to be

ldap_bind($ldapconnect, "us******@mydomain.com", "password")

Uggh. Thank you to everyone that replied to this.

Jul 17 '05 #11

P: n/a
Thanks for the code. As I was testing it on our systems here I found
that if the username in the second attempt to connect was blank, it
would respond as if it succeeded. So it might be best to change the
second if !$bind to if ( (!bind) && ($ldap_user_dn=="") )
Sacs wrote:
This is on Linux, don't know anything about Windoze, so this might be different for you!

e.g.

$ldap_server = "ad_controller.company.com";
$ldap_base_dn = "ou=Users,dc=company,dc=com";
$ldap_def_user = "cn=ldapquery,ou=Users,dc=company,dc=com";
$ldap_def_pass = "password";

$Username = "dumbuser";
$Passwowd = "abc123";

$ld_connect = @ldap_connect($ldap_server);
$bind = @ldap_bind($ld_connect, $ldap_def_user, $ldap_def_pass);
if(!$bind) {
print "Eeek! Cannot bind to ldap server.";
exit;
}
$ld_filter = '(sAMAccountName='. $Username .')';
$ld_data = array('dn');
$ld_sr = ldap_search($ld_connect, $ldap_base_dn, $ld_filter, $ld_data); $ld_info = ldap_get_entries($ld_connect, $ld_sr);
$ldap_user_dn = $ld_info[0]['dn'];

$bind = @ldap_bind($ld_connect, $ldap_user_dn, $Password);

if(!$bind) {
print "Invalid login, get lost";
exit;
} else {
print "Logged in Ok!";
}


Jul 17 '05 #12

P: n/a
jd142 wrote:
Thanks for the code. As I was testing it on our systems here I found
that if the username in the second attempt to connect was blank, it
would respond as if it succeeded. So it might be best to change the
second if !$bind to if ( (!bind) && ($ldap_user_dn=="") )


Hmm, intersting. Was that against Active Directory or a real LDAP
server? AD isn't meant to allow unauthenticated searches, and it
shouldn't return a bind resource on an invalid bind attempt. *shrug*

Watch out when getting the GUID from AD, it's a pig to deal with, 16
byte octect string, with NULLs, so you can't treat it as a string. It is
the unique identifier for an AD object, thus usefull for treating AD
as an authoritative source for user info.

Glad to have helped!

Sacs
Sacs wrote:

This is on Linux, don't know anything about Windoze, so this might be


different for you!

e.g.

$ldap_server = "ad_controller.company.com";
$ldap_base_dn = "ou=Users,dc=company,dc=com";
$ldap_def_user = "cn=ldapquery,ou=Users,dc=company,dc=com";
$ldap_def_pass = "password";

$Username = "dumbuser";
$Passwowd = "abc123";

$ld_connect = @ldap_connect($ldap_server);
$bind = @ldap_bind($ld_connect, $ldap_def_user, $ldap_def_pass);
if(!$bind) {
print "Eeek! Cannot bind to ldap server.";
exit;
}
$ld_filter = '(sAMAccountName='. $Username .')';
$ld_data = array('dn');
$ld_sr = ldap_search($ld_connect, $ldap_base_dn, $ld_filter,


$ld_data);
$ld_info = ldap_get_entries($ld_connect, $ld_sr);
$ldap_user_dn = $ld_info[0]['dn'];

$bind = @ldap_bind($ld_connect, $ldap_user_dn, $Password);

if(!$bind) {
print "Invalid login, get lost";
exit;
} else {
print "Logged in Ok!";
}


Jul 17 '05 #13

P: n/a
Bonegavel wrote:
I cannot believe the answer to my problem was so simple...

The code I was using was correct and only missing one thing:

username had to have @domain.com added on. In my ldap_bind() i was
passing

ldap_bind($ldapconnect, "username", "password")

and it has to be

ldap_bind($ldapconnect, "us******@mydomain.com", "password")

Uggh. Thank you to everyone that replied to this.


Glad to hear you've nailed it! Personally I found this LDAP/AD stuff
the hardest thing I've ever had to grok. Once it works though, it is SO
usefull!

Sacs
Jul 17 '05 #14

P: n/a
Hey!

I am working on the same thing and I having a huge problem here with
the searching of my ad structure..
i am able to get my script to run far enough to bind but then the
search fails:
LDAP query test
Connecting ...connect result is Resource id #3
Binding ...Bind result is 1
Searching ...
Warning: ldap_search(): Search: Partial results and referral received
in /home/engage/public_html/authenticate.php on line 47
Search result is
here is my script:

<?php
echo "<h3>LDAP query test</h3>";
echo "Connecting ...";
$ds=ldap_connect("ads.iu.edu"); // must be a valid LDAP server!
echo "connect result is " . $ds . "<br />";
$ldaprdn = 'xxxxx';
$ldappass = 'xxxx';

//set ldap option
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

if ($ds) {
echo "Binding ...";
$r=ldap_bind($ds, $ldaprdn, $ldappass);
echo "Bind result is " . $r . "<br />";

echo "Searching ...";
$username="msgreenf";
$dn = "dc=ads, dc=iu, dc=edu";
$filter="(cn=$username)";
$justthese = array("srname", "givenname", "mail", "memberOf");
//echo $ds. " ". $dn . " " . $filter . " " . $justthese;
$sr=ldap_search($ds, $dn, $filter, $justthese);
echo "Search result is " . $sr . "<br />";

echo "Number of entires returned is " . ldap_count_entries($ds, $sr)
..
"<br />";

echo "Getting entries ...<p>";
$info = ldap_get_entries($ds, $sr);
echo "Data for " . $info["count"] . " items returned:<p>";

for ($i=0; $i<$info["count"]; $i++) {
echo "dn is: " . $info[$i]["dn"] . "<br />";
echo "first cn entry is: " . $info[$i]["cn"][0] . "<br />";
echo "first email entry is: " . $info[$i]["mail"][0] . "<br
/><hr />";
}

echo "Closing connection";
ldap_close($ds);

} else {
echo "<h4>Unable to connect to LDAP server</h4>";
}

//header to redirect at the end
// echo("Output: ".$result);
header("Location: http://www.indiana.edu/~engage/index.php");

?>

Sacs wrote:
Bonegavel wrote:
I cannot believe the answer to my problem was so simple...

The code I was using was correct and only missing one thing:

username had to have @domain.com added on. In my ldap_bind() i was
passing

ldap_bind($ldapconnect, "username", "password")

and it has to be

ldap_bind($ldapconnect, "us******@mydomain.com", "password")

Uggh. Thank you to everyone that replied to this.

Glad to hear you've nailed it! Personally I found this LDAP/AD stuff

the hardest thing I've ever had to grok. Once it works though, it is SO usefull!

Sacs


Jul 17 '05 #15

P: n/a
Mitch wrote:
Hey!

I am working on the same thing and I having a huge problem here with
the searching of my ad structure..
i am able to get my script to run far enough to bind but then the
search fails:
LDAP query test
Connecting ...connect result is Resource id #3
Binding ...Bind result is 1
Searching ...
Warning: ldap_search(): Search: Partial results and referral received
in /home/engage/public_html/authenticate.php on line 47
Search result is
here is my script:

<?php
echo "<h3>LDAP query test</h3>";
echo "Connecting ...";
$ds=ldap_connect("ads.iu.edu"); // must be a valid LDAP server!
echo "connect result is " . $ds . "<br />";
$ldaprdn = 'xxxxx';
$ldappass = 'xxxx';

//set ldap option
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

if ($ds) {
echo "Binding ...";
$r=ldap_bind($ds, $ldaprdn, $ldappass);
echo "Bind result is " . $r . "<br />";

echo "Searching ...";
$username="msgreenf";
$dn = "dc=ads, dc=iu, dc=edu";
$filter="(cn=$username)";
$justthese = array("srname", "givenname", "mail", "memberOf");
//echo $ds. " ". $dn . " " . $filter . " " . $justthese;
$sr=ldap_search($ds, $dn, $filter, $justthese);
echo "Search result is " . $sr . "<br />";

echo "Number of entires returned is " . ldap_count_entries($ds, $sr)
.
"<br />";

echo "Getting entries ...<p>";
$info = ldap_get_entries($ds, $sr);
echo "Data for " . $info["count"] . " items returned:<p>";

for ($i=0; $i<$info["count"]; $i++) {
echo "dn is: " . $info[$i]["dn"] . "<br />";
echo "first cn entry is: " . $info[$i]["cn"][0] . "<br />";
echo "first email entry is: " . $info[$i]["mail"][0] . "<br
/><hr />";
}

echo "Closing connection";
ldap_close($ds);

} else {
echo "<h4>Unable to connect to LDAP server</h4>";
}

//header to redirect at the end
// echo("Output: ".$result);
header("Location: http://www.indiana.edu/~engage/index.php");

?>

<snip>

Ok, I got the same results (once I had changed the obvious bits :-). I
changed the line:

$dn = "dc=ads, dc=iu, dc=edu";

to:

$dn = "ou=Domain Users,dc=mycomany,dc=co,dc=nz";

and it worked!

Try setting the $dn to be the top level organisational unit in you AD.
(Might be "Users" or something - it may be AD not allowing a full search
of the forest)

Sacs
Jul 17 '05 #16

This discussion thread is closed

Replies have been disabled for this discussion.