Use PHP to authenticate to AD

Going to sound strange, but here I go.

We use Windows 2000 AD for everything. However, we are also running
XAMPP (basically Apache, MySQL, PHP for windows) on a Windows box for
our Intranet. I have a few applications that need to authenticate via
AD from PHP and every example I see uses the LDAP functions built into
PHP.

I cannot query our AD server via LDAP. If I type
ldap://domaincontroller it fails, so of course, when I try to use the
LDAP function in PHP they fail.

How do I get LDAP running on AD? I'm sure I'm missing something simple,
but I'm very frustrated.

BTW, I've started coding another app that queries AD using ASP and it
is soooo easy it hurts.

Jul 17 '05 #1
Bonegavel wrote:
BTW, I've started coding another app that queries AD using ASP and it
is soooo easy it hurts.


So what are you doing in ASP to enable such an authentication?

Have a look at http://www.php.net/w32api. Whatever you are doing in ASP, you
should be able to duplicate exactly using that API.

Kristian

DISCLAIMER: I don't do windows.

Jul 17 '05 #2
Bonegavel wrote:
Going to sound strange, but here I go.

We use Windows 2000 AD for everything. However, we are also running
XAMPP (basically Apache, MySQL, PHP for windows) on a Windows box for
our Intranet. I have a few applications that need to authenticate via
AD from PHP and every example I see uses the LDAP functions built into
PHP.

I cannot query our AD server via LDAP. If I type
ldap://domaincontroller it fails, so of course, when I try to use the
LDAP function in PHP they fail.

How do I get LDAP running on AD? I'm sure I'm missing something simple,
but I'm very frustrated.

BTW, I've started coding another app that queries AD using ASP and it
is soooo easy it hurts.


What we do for this is to bind using a generic account, search for the
sAMAccountName, then attempt to rebind using that DN and the supplied
password. If the bind works, the user/password is correct; if it
doesn't, the user's forgotten their password again.

This is on Linux, don't know anything about Windoze, so this might be
different for you!

e.g.

$ldap_server = "ad_controller.company.com";
$ldap_base_dn = "ou=Users,dc=company,dc=com";
$ldap_def_user = "cn=ldapquery,ou=Users,dc=company,dc=com";
$ldap_def_pass = "password";

$Username = "dumbuser";
$Password = "abc123"; // was misspelt "$Passwowd", so the user rebind below used an undefined variable

$ld_connect = @ldap_connect($ldap_server);
$bind = @ldap_bind($ld_connect, $ldap_def_user, $ldap_def_pass);
if(!$bind) {
print "Eeek! Cannot bind to ldap server.";
exit;
}
$ld_filter = '(sAMAccountName='. $Username .')';
$ld_data = array('dn');
$ld_sr = ldap_search($ld_connect, $ldap_base_dn, $ld_filter, $ld_data);
$ld_info = ldap_get_entries($ld_connect, $ld_sr);
$ldap_user_dn = $ld_info[0]['dn'];

$bind = @ldap_bind($ld_connect, $ldap_user_dn, $Password);

if(!$bind) {
print "Invalid login, get lost";
exit;
} else {
print "Logged in Ok!";
}
Good luck! Accessing AD from anything other than MS software can be a
pain in the @ss, especially when you start playing with the GUID. (A 16
byte octet string that may contain nulls!!!)

Sacs
Jul 17 '05 #3
I guess what is hurting me at this point is I cannot use any PHP ldap
functions because my domain controller isn't answering LDAP calls. From
what I understand, I should be able to type ldap://domaincontroller
into my browser and it should allow me to query my DC. Doesn't work. I
can't even use one of the free ldap browsers out there.

How do I get my domain controller to respond to LDAP queries? Do I need
to run an LDAP server? Do I need to add LDAP schema to the AD?

Jul 17 '05 #4
Nice! I'll have to take a look at this at work tomorrow.

Jul 17 '05 #5
Bonegavel wrote:
I guess what is hurting me at this point is I cannot use any PHP ldap
functions because my domain controller isn't answering LDAP calls. From
what I understand, I should be able to type ldap://domaincontroller
into my browser and it should allow me to query my DC. Doesn't work. I
can't even use one of the free ldap browsers out there.

How do I get my domain controller to respond to LDAP queries? Do I need
to run an LDAP server? Do I need to add LDAP schema to the AD?

Hmm, ok, sorry I got the wrong end of the stick :-)

AD is an LDAP server, so it should just work. I don't know too much
about windoze admin, I don't do that, but is it possible they've turned
off plain ldap and are enforcing ldapssl?

Sacs
Jul 17 '05 #6
al**********@way.co.nz says...
Bonegavel wrote:
How do I get my domain controller to respond to LDAP queries? Do I need
to run an LDAP server? Do I need to add LDAP schema to the AD?

Hmm, ok, sorry I got the wrong end of the stick :-)

AD is an LDAP server, so it should just work. I don't know too much
about windoze admin, I don't do that, but is it possible they've turned
off plain ldap and are enforcing ldapssl?


Neither MS Active Directory nor Novell E-directory is fully LDAP v.3
standards compliant, so don't expect everything to work out of the box.

Geoff M

Jul 17 '05 #7
This is what is making me crazy: Why can I not connect to my Windows
2000 Domain Controller via LDAP?

Jul 17 '05 #8
Still having problems but taking it one step at a time I tried this:

<?php
// full open tag rather than the short "<?" tag, which depends on short_open_tag being enabled
$connect = ldap_connect("myDC", 389);

echo $connect;
?>

and the echo is: Resource id #2

so, it appears to connect.

However, when I try ldap_bind() it fails to bind.

Jul 17 '05 #9
Bonegavel wrote:
Still having problems but taking it one step at a time I tried this:

<?php
$connect = ldap_connect("myDC", 389);

echo $connect;
?>

and the echo is: Resource id #2

so, it appears to connect.

However, when I try ldap_bind() it fails to bind.

A step forward anyway!

How are you binding? You need the full dn of a user and the correct
password.

Sacs
Jul 17 '05 #10
I cannot believe the answer to my problem was so simple...

The code I was using was correct and only missing one thing:

username had to have @domain.com added on. In my ldap_bind() I was
passing

ldap_bind($ldapconnect, "username", "password")

and it has to be

ldap_bind($ldapconnect, "us******@mydomain.com", "password")

Uggh. Thank you to everyone that replied to this.

Jul 17 '05 #11
Thanks for the code. As I was testing it on our systems here I found
that if the username in the second attempt to connect was blank, it
would respond as if it succeeded. So it might be best to change the
second if !$bind to if ( (!bind) && ($ldap_user_dn=="") )
Sacs wrote:
This is on Linux, don't know anything about Windoze, so this might be different for you!

e.g.

$ldap_server = "ad_controller.company.com";
$ldap_base_dn = "ou=Users,dc=company,dc=com";
$ldap_def_user = "cn=ldapquery,ou=Users,dc=company,dc=com";
$ldap_def_pass = "password";

$Username = "dumbuser";
$Password = "abc123";

$ld_connect = @ldap_connect($ldap_server);
$bind = @ldap_bind($ld_connect, $ldap_def_user, $ldap_def_pass);
if(!$bind) {
print "Eeek! Cannot bind to ldap server.";
exit;
}
$ld_filter = '(sAMAccountName='. $Username .')';
$ld_data = array('dn');
$ld_sr = ldap_search($ld_connect, $ldap_base_dn, $ld_filter, $ld_data);
$ld_info = ldap_get_entries($ld_connect, $ld_sr);
$ldap_user_dn = $ld_info[0]['dn'];

$bind = @ldap_bind($ld_connect, $ldap_user_dn, $Password);

if(!$bind) {
print "Invalid login, get lost";
exit;
} else {
print "Logged in Ok!";
}


Jul 17 '05 #12
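An added example, not code posted by anyone in this thread: the bind / search / rebind pattern from Sacs' post (#3), hardened against the blank-username case jd142 describes in post #12. The point is that LDAP treats a bind with a DN and an empty password, or with an empty DN, as an unauthenticated/anonymous bind (RFC 4513), and Active Directory accepts those by default and reports success, so a login routine has to refuse empty credentials and refuse to rebind unless the lookup found exactly one entry. It assumes PHP 5.6 or later for ldap_escape(), and reuses the thread's placeholder names (ad_controller.company.com, the cn=ldapquery lookup account and its password are all assumed values).

```php
<?php
// Added example (not from the thread): hardened bind / search / rebind against AD.
// Every hostname, DN and password below is an assumed placeholder.

const LDAP_URI      = 'ldaps://ad_controller.company.com';        // assumed; LDAPS so the user's password is not sent in clear
const LDAP_BASE_DN  = 'ou=Users,dc=company,dc=com';                // assumed
const LDAP_SVC_DN   = 'cn=ldapquery,ou=Users,dc=company,dc=com';  // assumed read-only lookup account
const LDAP_SVC_PASS = 'service-account-password';                  // placeholder

/** Builds the lookup filter with the username escaped (shown separately so it can be inspected). */
function user_filter(string $username): string
{
    // ldap_escape() turns "*", "(", ")" and "\" into \2a, \28, \29, \5c, so a login of
    // "*" or "x)(objectClass=*" cannot widen or restructure the query (LDAP filter injection).
    return '(&(objectClass=user)(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
}

/** Returns the user's DN when the credentials are valid, null otherwise. */
function ad_authenticate(string $username, string $password): ?string
{
    // 1. Refuse empty credentials first. A DN with an empty password is an *unauthenticated*
    //    bind, which AD accepts and reports as success, so without this check "" logs in.
    if ($username === '' || trim($password) === '') {
        return null;
    }

    $ld = ldap_connect(LDAP_URI);
    if ($ld === false) {
        return null;
    }
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);   // AD returns referrals; chasing them breaks searches

    // 2. Bind as the lookup account (not the user) to resolve sAMAccountName -> DN.
    if (!@ldap_bind($ld, LDAP_SVC_DN, LDAP_SVC_PASS)) {
        error_log('AD lookup bind failed: ' . ldap_error($ld));   // never log the password
        ldap_unbind($ld);
        return null;
    }

    $sr      = @ldap_search($ld, LDAP_BASE_DN, user_filter($username), ['dn']);
    $entries = $sr ? ldap_get_entries($ld, $sr) : false;

    // 3. Exactly one match, or fail. Zero matches must not fall through to a rebind with an
    //    empty DN, which is again an anonymous bind that "succeeds".
    if ($entries === false || $entries['count'] !== 1 || empty($entries[0]['dn'])) {
        ldap_unbind($ld);
        return null;
    }
    $userDn = $entries[0]['dn'];

    // 4. Rebind as the user with the supplied password: this is the real credential check.
    $ok = @ldap_bind($ld, $userDn, $password);
    ldap_unbind($ld);
    return $ok ? $userDn : null;
}

// Usage from a login form (needs a reachable directory):
// $dn = ad_authenticate($_POST['username'] ?? '', $_POST['password'] ?? '');
// if ($dn === null) { http_response_code(401); exit('Invalid login'); }
```

The order matters: the empty-password check runs before any network call, the filter is built only from escaped input, and the second bind is attempted only when the search produced exactly one DN. Failed binds go to the error log with ldap_error() but without the submitted password.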
jd142 wrote:
Thanks for the code. As I was testing it on our systems here I found
that if the username in the second attempt to connect was blank, it
would respond as if it succeeded. So it might be best to change the
second if !$bind to if ( (!bind) && ($ldap_user_dn=="") )


Hmm, interesting. Was that against Active Directory or a real LDAP
server? AD isn't meant to allow unauthenticated searches, and it
shouldn't return a bind resource on an invalid bind attempt. *shrug*

Watch out when getting the GUID from AD, it's a pig to deal with, 16
byte octet string, with NULLs, so you can't treat it as a string. It is
the unique identifier for an AD object, thus useful for treating AD
as an authoritative source for user info.

Glad to have helped!

Sacs
Sacs wrote:

This is on Linux, don't know anything about Windoze, so this might be
different for you!

e.g.

$ldap_server = "ad_controller.company.com";
$ldap_base_dn = "ou=Users,dc=company,dc=com";
$ldap_def_user = "cn=ldapquery,ou=Users,dc=company,dc=com";
$ldap_def_pass = "password";

$Username = "dumbuser";
$Password = "abc123";

$ld_connect = @ldap_connect($ldap_server);
$bind = @ldap_bind($ld_connect, $ldap_def_user, $ldap_def_pass);
if(!$bind) {
print "Eeek! Cannot bind to ldap server.";
exit;
}
$ld_filter = '(sAMAccountName='. $Username .')';
$ld_data = array('dn');
$ld_sr = ldap_search($ld_connect, $ldap_base_dn, $ld_filter, $ld_data);
$ld_info = ldap_get_entries($ld_connect, $ld_sr);
$ldap_user_dn = $ld_info[0]['dn'];

$bind = @ldap_bind($ld_connect, $ldap_user_dn, $Password);

if(!$bind) {
print "Invalid login, get lost";
exit;
} else {
print "Logged in Ok!";
}


Jul 17 '05 #13
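An added example, not from the thread, for the objectGUID point Sacs raises in posts #3 and #13: the attribute is a 16-byte binary value that can contain NUL bytes, so it has to be converted to the textual GUID form and back explicitly, and hex-escaped byte by byte when it goes into a search filter. The sample bytes are constructed for the demonstration; the only assumption about AD is the documented byte order (first three GUID fields little-endian, last eight bytes in order). objectGUID never changes for the life of an object, which is what makes it the right key when AD is the authoritative source and accounts get renamed or moved.

```php
<?php
// Added example (not from the thread): AD objectGUID <-> textual GUID, and a filter built from it.

/** 16 raw bytes from AD -> "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx". */
function objectguid_to_string(string $bin): string
{
    // strlen() is binary-safe in PHP; the embedded NULs are harmless here. What breaks is
    // treating the value as text (trim, string comparison, a non-binary DB column).
    if (strlen($bin) !== 16) {
        throw new InvalidArgumentException('objectGUID must be exactly 16 bytes');
    }
    // Windows stores Data1 (32-bit), Data2 and Data3 (16-bit) little-endian; Data4 is 8 bytes as-is.
    $p = unpack('Vd1/vd2/vd3/n4tail', $bin);
    return sprintf('%08x-%04x-%04x-%04x-%04x%04x%04x',
        $p['d1'], $p['d2'], $p['d3'], $p['tail1'], $p['tail2'], $p['tail3'], $p['tail4']);
}

/** Textual GUID -> the 16 raw bytes AD stores (inverse of the function above). */
function string_to_objectguid(string $guid): string
{
    if (!preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i', $guid)) {
        throw new InvalidArgumentException('not a GUID: ' . $guid);
    }
    [$a, $b, $c, $d, $e] = explode('-', $guid);
    return pack('Vvv', hexdec($a), hexdec($b), hexdec($c)) . hex2bin($d . $e);
}

/** Search filter for an object by GUID: every byte as \xx, so NULs and filter metacharacters are inert. */
function objectguid_filter(string $bin): string
{
    return '(objectGUID=\\' . implode('\\', str_split(bin2hex($bin), 2)) . ')';
}

// Constructed sample: the GUID 01020304-0506-0708-000a-0b0c0d0e0f10 as AD would return it
// (note the little-endian first fields and the NUL byte in the fifth group).
$sample = "\x04\x03\x02\x01\x06\x05\x08\x07\x00\x0a\x0b\x0c\x0d\x0e\x0f\x10";

$text = objectguid_to_string($sample);
if ($text !== '01020304-0506-0708-000a-0b0c0d0e0f10' || string_to_objectguid($text) !== $sample) {
    throw new RuntimeException('objectGUID round-trip failed');
}
echo $text, "\n", objectguid_filter($sample), "\n";
```

When a script uses ldap_get_entries(), the value arrives as $entry['objectguid'][0] and can be passed straight to objectguid_to_string(); store the textual form (or the raw bytes in a binary column) rather than the DN, and look the account up again later with objectguid_filter().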
Bonegavel wrote:
I cannot believe the answer to my problem was so simple...

The code I was using was correct and only missing one thing:

username had to have @domain.com added on. In my ldap_bind() i was
passing

ldap_bind($ldapconnect, "username", "password")

and it has to be

ldap_bind($ldapconnect, "us******@mydomain.com", "password")

Uggh. Thank you to everyone that replied to this.


Glad to hear you've nailed it! Personally I found this LDAP/AD stuff
the hardest thing I've ever had to grok. Once it works though, it is SO
useful!

Sacs
Jul 17 '05 #14
Hey!

I am working on the same thing and I am having a huge problem here with
the searching of my AD structure..
I am able to get my script to run far enough to bind but then the
search fails:
LDAP query test
Connecting ...connect result is Resource id #3
Binding ...Bind result is 1
Searching ...
Warning: ldap_search(): Search: Partial results and referral received
in /home/engage/public_html/authenticate.php on line 47
Search result is
here is my script:

<?php
echo "<h3>LDAP query test</h3>";
echo "Connecting ...";
$ds=ldap_connect("ads.iu.edu"); // must be a valid LDAP server!
echo "connect result is " . $ds . "<br />";
$ldaprdn = 'xxxxx';
$ldappass = 'xxxx';

//set ldap option
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

if ($ds) {
echo "Binding ...";
$r=ldap_bind($ds, $ldaprdn, $ldappass);
echo "Bind result is " . $r . "<br />";

echo "Searching ...";
$username="msgreenf";
$dn = "dc=ads, dc=iu, dc=edu";
$filter="(cn=$username)";
$justthese = array("sn", "givenname", "mail", "memberOf"); // the surname attribute is "sn"; there is no "srname"
//echo $ds. " ". $dn . " " . $filter . " " . $justthese;
$sr=ldap_search($ds, $dn, $filter, $justthese);
echo "Search result is " . $sr . "<br />";

echo "Number of entries returned is " . ldap_count_entries($ds, $sr) . "<br />";

echo "Getting entries ...<p>";
$info = ldap_get_entries($ds, $sr);
echo "Data for " . $info["count"] . " items returned:<p>";

for ($i=0; $i<$info["count"]; $i++) {
echo "dn is: " . $info[$i]["dn"] . "<br />";
echo "first cn entry is: " . $info[$i]["cn"][0] . "<br />";
echo "first email entry is: " . $info[$i]["mail"][0] . "<br /><hr />";
}

echo "Closing connection";
ldap_close($ds);

} else {
echo "<h4>Unable to connect to LDAP server</h4>";
}

//header to redirect at the end
// echo("Output: ".$result);
// NB: header() only works before any output has been sent; with the echo calls above
// this line fails with "headers already sent", so it would have to move to the top.
header("Location: http://www.indiana.edu/~engage/index.php");

?>

Sacs wrote:
Bonegavel wrote:
I cannot believe the answer to my problem was so simple...

The code I was using was correct and only missing one thing:

username had to have @domain.com added on. In my ldap_bind() i was
passing

ldap_bind($ldapconnect, "username", "password")

and it has to be

ldap_bind($ldapconnect, "us******@mydomain.com", "password")

Uggh. Thank you to everyone that replied to this.

Glad to hear you've nailed it! Personally I found this LDAP/AD stuff

the hardest thing I've ever had to grok. Once it works though, it is SO useful!

Sacs


Jul 17 '05 #15
Mitch wrote:
Hey!

I am working on the same thing and I am having a huge problem here with
the searching of my AD structure..
I am able to get my script to run far enough to bind but then the
search fails:
LDAP query test
Connecting ...connect result is Resource id #3
Binding ...Bind result is 1
Searching ...
Warning: ldap_search(): Search: Partial results and referral received
in /home/engage/public_html/authenticate.php on line 47
Search result is
here is my script:

<?php
echo "<h3>LDAP query test</h3>";
echo "Connecting ...";
$ds=ldap_connect("ads.iu.edu"); // must be a valid LDAP server!
echo "connect result is " . $ds . "<br />";
$ldaprdn = 'xxxxx';
$ldappass = 'xxxx';

//set ldap option
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

if ($ds) {
echo "Binding ...";
$r=ldap_bind($ds, $ldaprdn, $ldappass);
echo "Bind result is " . $r . "<br />";

echo "Searching ...";
$username="msgreenf";
$dn = "dc=ads, dc=iu, dc=edu";
$filter="(cn=$username)";
$justthese = array("sn", "givenname", "mail", "memberOf");
//echo $ds. " ". $dn . " " . $filter . " " . $justthese;
$sr=ldap_search($ds, $dn, $filter, $justthese);
echo "Search result is " . $sr . "<br />";

echo "Number of entries returned is " . ldap_count_entries($ds, $sr) . "<br />";

echo "Getting entries ...<p>";
$info = ldap_get_entries($ds, $sr);
echo "Data for " . $info["count"] . " items returned:<p>";

for ($i=0; $i<$info["count"]; $i++) {
echo "dn is: " . $info[$i]["dn"] . "<br />";
echo "first cn entry is: " . $info[$i]["cn"][0] . "<br />";
echo "first email entry is: " . $info[$i]["mail"][0] . "<br /><hr />";
}

echo "Closing connection";
ldap_close($ds);

} else {
echo "<h4>Unable to connect to LDAP server</h4>";
}

//header to redirect at the end
// echo("Output: ".$result);
header("Location: http://www.indiana.edu/~engage/index.php");

?>

<snip>

Ok, I got the same results (once I had changed the obvious bits :-). I
changed the line:

$dn = "dc=ads, dc=iu, dc=edu";

to:

$dn = "ou=Domain Users,dc=mycomany,dc=co,dc=nz";

and it worked!

Try setting the $dn to be the top level organisational unit in your AD.
(Might be "Users" or something - it may be AD not allowing a full search
of the forest)

Sacs
Jul 17 '05 #16
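An added example, not code posted in this thread, that puts together what the last few posts established: the user binds with the UPN form (username@domain, Bonegavel's fix in #11), the connection is set to LDAPv3 with referral chasing off, and the search base is the OU that actually holds the users rather than the domain root (Sacs' fix in #16). Searching the domain root on port 389 makes AD return referrals to its other naming contexts (the DNS and Configuration partitions), which PHP surfaces as the "Partial results and referral received" warning Mitch saw; a narrower base, or the global catalog port 3268/3269, avoids it. Host, UPN suffix and base DN below are assumed placeholders, and PHP 5.6+ is assumed for ldap_escape().

```php
<?php
// Added example (not from the thread): UPN bind as the user, then read the user's own attributes.
// All names below are assumed placeholders.

const AD_URI     = 'ldaps://dc1.example.test';                  // assumed; 3268/3269 (global catalog) for forest-wide searches
const AD_UPN_SFX = 'example.test';                              // assumed UPN suffix appended to the login name
const AD_BASE_DN = 'ou=Domain Users,dc=example,dc=test';        // assumed: the users' OU, not the domain root

/** Binds as the user and returns a small profile array, or null if the login fails. */
function ad_login_and_profile(string $username, string $password): ?array
{
    // Empty password = unauthenticated bind, which AD accepts; "@" or "\" in the name would let
    // the caller pick a different UPN suffix or a DOMAIN\user form than the one configured here.
    if ($username === '' || trim($password) === '' || strpbrk($username, '@\\') !== false) {
        return null;
    }

    $ld = ldap_connect(AD_URI);
    if ($ld === false) {
        return null;
    }
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);   // AD expects LDAPv3; set it rather than rely on the library default
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);          // do not chase the referrals AD returns for other partitions

    if (!@ldap_bind($ld, $username . '@' . AD_UPN_SFX, $password)) {
        // ldap_errno()/ldap_error() give the reason (49 = invalid credentials) without leaking it to the browser
        error_log(sprintf('AD bind failed for %s: (%d) %s', $username, ldap_errno($ld), ldap_error($ld)));
        ldap_unbind($ld);
        return null;
    }

    // Real attribute names: surname is "sn" (there is no "srname"); the others are as in the thread.
    $attrs  = ['sn', 'givenName', 'mail', 'memberOf'];
    $filter = '(&(objectClass=user)(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';

    $sr = @ldap_search($ld, AD_BASE_DN, $filter, $attrs);
    if ($sr === false) {
        // A referral or wrong base shows up here; log the reason and treat the login as failed.
        error_log('AD search failed: ' . ldap_error($ld));
        ldap_unbind($ld);
        return null;
    }
    $entries = ldap_get_entries($ld, $sr);
    ldap_unbind($ld);
    if ($entries['count'] !== 1) {
        return null;
    }

    $e = $entries[0];                   // ldap_get_entries() lower-cases attribute names
    $groups = $e['memberof'] ?? [];     // multi-valued: ['count' => n, 0 => 'cn=...', 1 => ...]
    unset($groups['count']);

    return [
        'dn'        => $e['dn'],
        'surname'   => $e['sn'][0]        ?? null,
        'givenName' => $e['givenname'][0] ?? null,
        'mail'      => $e['mail'][0]      ?? null,
        'groups'    => array_values($groups),
    ];
}

// Usage (needs a reachable controller); the redirect must be sent before any output:
// $profile = ad_login_and_profile($_POST['username'] ?? '', $_POST['password'] ?? '');
// if ($profile === null) { http_response_code(401); exit('Invalid login'); }
// header('Location: /index.php');
```

Binding as the user means no shared lookup account is needed, at the cost that the script can only read what that user is allowed to read (their own entry, including memberOf, is readable by default). The strpbrk() check keeps the UPN suffix under the application's control rather than the login form's.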