By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
455,747 Members | 1,701 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 455,747 IT Pros & Developers. It's quick & easy.

-> LDAP in SSL problem <-

P: n/a

it seems to me that I have a problem using an LDAPS connection
to our server for identification purposes (using OpenLDAP and

Using PHP 4.4.4 I have the following code which correctly
binds in SSL but any "search" for attributes and their values
seems to return only the attributes for an anonymous connection.
Thus, this is restricted to a few ones instead of having them all
(especially the groupMembership I'm looking for).
$ldapconn = ldap_connect("ldaps://ldapserver", 636 )
or die( "Connection problem.<BR>" ) ;

if (ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3)) {
echo "Using LDAPv3<BR>\n";
} else {
echo "Failed to set protocol version to 3";

// Verify whether the provided name exists
$ldapresult = @ldap_search( $ldapconn, "o=mydomain", "cn=".$name ) ;
if( $ldapresult ) {
// User exists, now retrieve his DN and bind in SSL
$entries = @ldap_get_entries( $ldapconn, $ldapresult ) ;
if( $entries["count"] ) {
$ldapbind = ldap_bind( $ldapconn, $entries[0]['dn'], $pwd ) ;
if( $ldapbind ) {
echo "Succesfully bound<BR>" ;
// do some new ldap_search here
else {
echo "Bound failed<br>" ;

This prints "Succesfully bound" with the correct credentials.

That's where I have a doubt. How does the ldap function then work
knowing it has correct credentials?

After the succesful bind, if I do another search, I still get the
basic attributes (about 6 of them), not all of them.
For example:
$result = @ldap_search( $ldapconn, "o=mydomain", "cn=".$name ) ;

Does ldap_bind change the content of $ldapconn in order to know
that we're now securely authotified???

I really miss something there. Does the ldap_bind call change anything
to the ldap function behaviors after being succesful?
How does the application know we're correctly identified?

The server has a valid certificate (the bind() wouldn't work anyway if
that were not the case).

Thanks for any help.

(Remove the K_I_L_LSPAM from my email address)
1197 Prangins Email: st*******************
Switzerland WWW:
Volcanoes at
MovieDB at
Jan 17 '07 #1
Share this Question
Share on Google+
1 Reply

P: n/a
forget about it,
a new call to ldap_search just after the bind works ok.
Jan 17 '07 #2

This discussion thread is closed

Replies have been disabled for this discussion.