Use PHP to authenticate to AD

  • Bonegavel

    Use PHP to authenticate to AD

    Going to sound strange, but here I go.

    We use Windows 2000 AD for everything. However, we are also running
    XAMPP (basically Apache, MySQL, PHP for windows) on a Windows box for
    our Intranet. I have a few applications that need to authenticate via
    AD from PHP and every example I see uses the LDAP functions built into
    PHP.

    I cannot query our AD server via LDAP. If I type
    ldap://domaincontroller it fails, so of course, when I try to use the
    LDAP functions in PHP they fail.

    How do I get LDAP running on AD? I'm sure I'm missing something simple,
    but I'm very frustrated.

    BTW, I've started coding another app that queries AD using ASP and it
    is soooo easy it hurts.

  • Kristian Köhntopp

    #2
    Re: Use PHP to authenticate to AD

    Bonegavel wrote:
    > BTW, I've started coding another app that queries AD using ASP and it
    > is soooo easy it hurts.

    So what are you doing in ASP to enable such an authentication?

    Have a look at http://www.php.net/w32api. Whatever you are doing in ASP, you
    should be able to duplicate exactly using that API.

    Kristian

    DISCLAIMER: I don't do windows.


    • Sacs

      #3
      Re: Use PHP to authenticate to AD

      Bonegavel wrote:
      > Going to sound strange, but here I go.
      >
      > We use Windows 2000 AD for everything. However, we are also running
      > XAMPP (basically Apache, MySQL, PHP for windows) on a Windows box for
      > our Intranet. I have a few applications that need to authenticate via
      > AD from PHP and every example I see uses the LDAP functions built into
      > PHP.
      >
      > I cannot query our AD server via LDAP. If I type
      > ldap://domaincontroller it fails, so of course, when I try to use the
      > LDAP functions in PHP they fail.
      >
      > How do I get LDAP running on AD? I'm sure I'm missing something simple,
      > but I'm very frustrated.
      >
      > BTW, I've started coding another app that queries AD using ASP and it
      > is soooo easy it hurts.

      What we do for this is to bind using a generic account, search for the
      sAMAccountName, then attempt to rebind using that DN and the supplied
      password. If the bind works, the user/password is correct; if it
      doesn't, the user's forgotten their password again.

      This is on Linux, don't know anything about Windoze, so this might be
      different for you!

      e.g.

      $ldap_server = "ad_controller.company.com";
      $ldap_base_dn = "ou=Users,dc=company,dc=com";
      $ldap_def_user = "cn=ldapquery,ou=Users,dc=company,dc=com";
      $ldap_def_pass = "password";

      $Username = "dumbuser";
      $Password = "abc123";

      // Step 1: bind with the generic (read-only) lookup account
      $ld_connect = @ldap_connect($ldap_server);
      $bind = @ldap_bind($ld_connect, $ldap_def_user, $ldap_def_pass);
      if(!$bind) {
        print "Eeek! Cannot bind to ldap server.";
        exit;
      }

      // Step 2: look up the user's DN by sAMAccountName
      $ld_filter = '(sAMAccountName='. $Username .')';
      $ld_data = array('dn');
      $ld_sr = ldap_search($ld_connect, $ldap_base_dn, $ld_filter, $ld_data);
      $ld_info = ldap_get_entries($ld_connect, $ld_sr);
      $ldap_user_dn = $ld_info[0]['dn'];

      // Step 3: rebind as that DN with the password the user supplied
      $bind = @ldap_bind($ld_connect, $ldap_user_dn, $Password);

      if(!$bind) {
        print "Invalid login, get lost";
        exit;
      } else {
        print "Logged in Ok!";
      }


      Good luck! Accessing AD from anything other than MS software can be a
      pain in the @ss, especially when you start playing with the GUID. (A 16
      byte octet string that may contain nulls!!!)

      Sacs



      • Bonegavel

        #4
        Re: Use PHP to authenticate to AD

        I guess what is hurting me at this point is I cannot use any PHP ldap
        functions because my domain controller isn't answering LDAP calls. From
        what I understand, I should be able to type ldap://domaincontroller
        into my browser and it should allow me to query my DC. Doesn't work. I
        can't even use one of the free ldap browsers out there.

        How do I get my domain controller to respond to LDAP queries? Do I need
        to run an LDAP server? Do I need to add LDAP schema to the AD?


        • Bonegavel

          #5
          Re: Use PHP to authenticate to AD

          Nice! I'll have to take a look at this at work tomorrow.


          • Sacs

            #6
            Re: Use PHP to authenticate to AD

            Bonegavel wrote:
            > I guess what is hurting me at this point is I cannot use any PHP ldap
            > functions because my domain controller isn't answering LDAP calls. From
            > what I understand, I should be able to type ldap://domaincontroller
            > into my browser and it should allow me to query my DC. Doesn't work. I
            > can't even use one of the free ldap browsers out there.
            >
            > How do I get my domain controller to respond to LDAP queries? Do I need
            > to run an LDAP server? Do I need to add LDAP schema to the AD?

            Hmm, ok, sorry I got the wrong end of the stick :-)

            AD is an LDAP server, so it should just work. I don't know too much
            about windoze admin, I don't do that, but is it possible they've turned
            off plain ldap and are enforcing ldapssl?

            Sacs


            • Geoff M

              #7
              Re: Use PHP to authenticate to AD

              alan_nospam_@way.co.nz says...
              > Bonegavel wrote:
              > > How do I get my domain controller to respond to LDAP queries? Do I need
              > > to run an LDAP server? Do I need to add LDAP schema to the AD?
              >
              > Hmm, ok, sorry I got the wrong end of the stick :-)
              >
              > AD is an LDAP server, so it should just work. I don't know too much
              > about windoze admin, I don't do that, but is it possible they've turned
              > off plain ldap and are enforcing ldapssl?

              Neither MS Active Directory nor Novell eDirectory is fully LDAP v3
              standards compliant, so don't expect everything to work out of the box.

              Geoff M


              • Bonegavel

                #8
                Re: Use PHP to authenticate to AD

                This is what is making me crazy: Why can I not connect to my Windows
                2000 Domain Controller via LDAP?


                • Bonegavel

                  #9
                  Re: Use PHP to authenticate to AD

                  Still having problems but taking it one step at a time I tried this:

                  <?php
                  $connect = ldap_connect("myDC", 389);

                  echo $connect;
                  ?>

                  and the echo is: Resource id #2

                  so, it appears to connect.

                  However, when I try ldap_bind() it fails to bind.


                  • Sacs

                    #10
                    Re: Use PHP to authenticate to AD

                    Bonegavel wrote:
                    > Still having problems but taking it one step at a time I tried this:
                    >
                    > <?php
                    > $connect = ldap_connect("myDC", 389);
                    >
                    > echo $connect;
                    > ?>
                    >
                    > and the echo is: Resource id #2
                    >
                    > so, it appears to connect.
                    >
                    > However, when I try ldap_bind() it fails to bind.

                    A step forward anyway!

                    How are you binding? You need the full dn of a user and the correct
                    password.

                    Sacs


                    • Bonegavel

                      #11
                      Re: Use PHP to authenticate to AD

                      I cannot believe the answer to my problem was so simple...

                      The code I was using was correct and only missing one thing:

                      username had to have @domain.com added on. In my ldap_bind() I was
                      passing

                      ldap_bind($ldapconnect, "username", "password")

                      and it has to be

                      ldap_bind($ldapconnect, "username@mydomain.com", "password")

                      Uggh. Thank you to everyone that replied to this.


                      • jd142

                        #12
                        Re: Use PHP to authenticate to AD

                        Thanks for the code. As I was testing it on our systems here I found
                        that if the username in the second attempt to connect was blank, it
                        would respond as if it succeeded. So it might be best to change the
                        second if (!$bind) to if ( (!$bind) && ($ldap_user_dn == "") )


                        Sacs wrote:
                        > This is on Linux, don't know anything about Windoze, so this might be
                        > different for you!
                        >
                        > e.g.
                        >
                        > $ldap_server = "ad_controller.company.com";
                        > $ldap_base_dn = "ou=Users,dc=company,dc=com";
                        > $ldap_def_user = "cn=ldapquery,ou=Users,dc=company,dc=com";
                        > $ldap_def_pass = "password";
                        >
                        > $Username = "dumbuser";
                        > $Password = "abc123";
                        >
                        > $ld_connect = @ldap_connect($ldap_server);
                        > $bind = @ldap_bind($ld_connect, $ldap_def_user, $ldap_def_pass);
                        > if(!$bind) {
                        > print "Eeek! Cannot bind to ldap server.";
                        > exit;
                        > }
                        >
                        >
                        > $ld_filter = '(sAMAccountName='. $Username .')';
                        > $ld_data = array('dn');
                        > $ld_sr = ldap_search($ld_connect, $ldap_base_dn, $ld_filter, $ld_data);
                        > $ld_info = ldap_get_entries($ld_connect, $ld_sr);
                        > $ldap_user_dn = $ld_info[0]['dn'];
                        >
                        > $bind = @ldap_bind($ld_connect, $ldap_user_dn, $Password);
                        >
                        > if(!$bind) {
                        > print "Invalid login, get lost";
                        > exit;
                        > } else {
                        > print "Logged in Ok!";
                        > }


                        • Sacs

                          #13
                          Re: Use PHP to authenticate to AD

                          jd142 wrote:
                          > Thanks for the code. As I was testing it on our systems here I found
                          > that if the username in the second attempt to connect was blank, it
                          > would respond as if it succeeded. So it might be best to change the
                          > second if (!$bind) to if ( (!$bind) && ($ldap_user_dn == "") )

                          Hmm, interesting. Was that against Active Directory or a real LDAP
                          server? AD isn't meant to allow unauthenticated searches, and it
                          shouldn't return a bind resource on an invalid bind attempt. *shrug*

                          Watch out when getting the GUID from AD, it's a pig to deal with, 16
                          byte octet string, with NULLs, so you can't treat it as a string. It is
                          the unique identifier for an AD object, thus useful for treating AD
                          as an authoritative source for user info.

                          Glad to have helped!

                          Sacs
                          > Sacs wrote:
                          >
                          >> This is on Linux, don't know anything about Windoze, so this might be
                          >> different for you!
                          >>
                          >> e.g.
                          >>
                          >> $ldap_server = "ad_controller.company.com";
                          >> $ldap_base_dn = "ou=Users,dc=company,dc=com";
                          >> $ldap_def_user = "cn=ldapquery,ou=Users,dc=company,dc=com";
                          >> $ldap_def_pass = "password";
                          >>
                          >> $Username = "dumbuser";
                          >> $Password = "abc123";
                          >>
                          >> $ld_connect = @ldap_connect($ldap_server);
                          >> $bind = @ldap_bind($ld_connect, $ldap_def_user, $ldap_def_pass);
                          >> if(!$bind) {
                          >>   print "Eeek! Cannot bind to ldap server.";
                          >>   exit;
                          >> }
                          >>
                          >>
                          >> $ld_filter = '(sAMAccountName='. $Username .')';
                          >> $ld_data = array('dn');
                          >> $ld_sr = ldap_search($ld_connect, $ldap_base_dn, $ld_filter, $ld_data);
                          >> $ld_info = ldap_get_entries($ld_connect, $ld_sr);
                          >> $ldap_user_dn = $ld_info[0]['dn'];
                          >>
                          >> $bind = @ldap_bind($ld_connect, $ldap_user_dn, $Password);
                          >>
                          >> if(!$bind) {
                          >>   print "Invalid login, get lost";
                          >>   exit;
                          >> } else {
                          >>   print "Logged in Ok!";
                          >> }


                          • Sacs

                            #14
                            Re: Use PHP to authenticate to AD

                            Bonegavel wrote:
                            > I cannot believe the answer to my problem was so simple...
                            >
                            > The code I was using was correct and only missing one thing:
                            >
                            > username had to have @domain.com added on. In my ldap_bind() I was
                            > passing
                            >
                            > ldap_bind($ldapconnect, "username", "password")
                            >
                            > and it has to be
                            >
                            > ldap_bind($ldapconnect, "username@mydomain.com", "password")
                            >
                            > Uggh. Thank you to everyone that replied to this.

                            Glad to hear you've nailed it! Personally I found this LDAP/AD stuff
                            the hardest thing I've ever had to grok. Once it works though, it is SO
                            useful!

                            Sacs


                            • Mitch

                              #15
                              Re: Use PHP to authenticate to AD

                              Hey!

                              I am working on the same thing and I am having a huge problem here with
                              the searching of my AD structure.
                              I am able to get my script to run far enough to bind, but then the
                              search fails:
                              LDAP query test
                              Connecting ...connect result is Resource id #3
                              Binding ...Bind result is 1
                              Searching ...
                              Warning: ldap_search(): Search: Partial results and referral received
                              in /home/engage/public_html/authenticate.php on line 47
                              Search result is


                              here is my script:

                              <?php
                              echo "<h3>LDAP query test</h3>";
                              echo "Connecting ...";
                              $ds=ldap_connect("ads.iu.edu"); // must be a valid LDAP server!
                              echo "connect result is " . $ds . "<br />";
                              $ldaprdn = 'xxxxx';
                              $ldappass = 'xxxx';

                              //set ldap option (disable referral chasing; must be set before binding)
                              ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

                              if ($ds) {
                              echo "Binding ...";
                              $r=ldap_bind($ds, $ldaprdn, $ldappass);
                              echo "Bind result is " . $r . "<br />";

                              echo "Searching ...";
                              $username="msgreenf";
                              $dn = "dc=ads, dc=iu, dc=edu";
                              $filter="(cn=$username)";
                              // "sn" is the LDAP surname attribute; "srname" is not an attribute
                              $justthese = array("sn", "givenname", "mail", "memberOf");
                              //echo $ds. " ". $dn . " " . $filter . " " . $justthese;
                              $sr=ldap_search($ds, $dn, $filter, $justthese);
                              echo "Search result is " . $sr . "<br />";

                              echo "Number of entries returned is " . ldap_count_entries($ds, $sr) . "<br />";

                              echo "Getting entries ...<p>";
                              $info = ldap_get_entries($ds, $sr);
                              echo "Data for " . $info["count"] . " items returned:<p>";

                              for ($i=0; $i<$info["count"]; $i++) {
                              echo "dn is: " . $info[$i]["dn"] . "<br />";
                              echo "first cn entry is: " . $info[$i]["cn"][0] . "<br />";
                              echo "first email entry is: " . $info[$i]["mail"][0] . "<br /><hr />";
                              }

                              echo "Closing connection";
                              ldap_close($ds);

                              } else {
                              echo "<h4>Unable to connect to LDAP server</h4>";
                              }

                              //header to redirect at the end
                              // echo("Output: ".$result);
                              // note: this header() call cannot take effect here, because output has already been sent above
                              header("Location: http://www.indiana.edu/~engage/index.php");

                              ?>

                              Sacs wrote:
                              > Bonegavel wrote:
                              > > I cannot believe the answer to my problem was so simple...
                              > >
                              > > The code I was using was correct and only missing one thing:
                              > >
                              > > username had to have @domain.com added on. In my ldap_bind() I was
                              > > passing
                              > >
                              > > ldap_bind($ldapconnect, "username", "password")
                              > >
                              > > and it has to be
                              > >
                              > > ldap_bind($ldapconnect, "username@mydomain.com", "password")
                              > >
                              > > Uggh. Thank you to everyone that replied to this.
                              >
                              > Glad to hear you've nailed it! Personally I found this LDAP/AD stuff
                              > the hardest thing I've ever had to grok. Once it works though, it is
                              > SO useful!
                              >
                              > Sacs
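Added example, not code posted by anyone in this thread: one PHP login routine that pulls together the points made above. It follows Sacs's bind-search-rebind pattern from post #3, sets the two connection options that matter for Active Directory (LDAPv3, and referral chasing off, which is what Mitch's "Partial results and referral received" warning is about when a search is rooted at the domain base), escapes the username before it goes into the search filter, and refuses an empty username or password up front. That last check is the defender's answer to jd142's observation in post #12: a simple bind with an empty DN or an empty password is an anonymous or unauthenticated bind (RFC 4513), and AD accepts it, so it looks like a successful login. The host, base DN, UPN suffix and service account below are placeholders, and `ldap_escape()` (PHP 5.6 and later) is assumed to be available.

```php
<?php
// Added example (not from the thread). Placeholders: replace with your own values.
const AD_URI        = 'ldap://dc.example.com';        // placeholder domain controller
const AD_BASE_DN    = 'ou=Users,dc=example,dc=com';   // placeholder search base
const AD_SVC_USER   = 'ldapquery@example.com';        // placeholder read-only lookup account (UPN form, see post #11)
const AD_SVC_PASS   = 'placeholder-service-password'; // placeholder

/** Open a connection and set the options AD needs before the first bind. */
function ad_connect(string $uri)
{
    $ds = ldap_connect($uri);
    if ($ds === false) {
        return false;
    }
    // AD expects LDAPv3. Turning referral chasing off stops the
    // "Partial results and referral received" warning when the search base
    // is the domain root, which returns referrals for its child partitions.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    return $ds;
}

/**
 * Resolve a login name to its DN. Returns null unless exactly one entry
 * matches: zero means unknown user, more than one means ambiguous.
 * The username is escaped so characters such as "*", "(" or ")" cannot
 * change the meaning of the filter.
 */
function ad_find_user_dn($ds, string $baseDn, string $username): ?string
{
    $filter = '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $sr = @ldap_search($ds, $baseDn, $filter, ['dn']);
    if ($sr === false || ldap_count_entries($ds, $sr) !== 1) {
        return null;
    }
    $entry = ldap_first_entry($ds, $sr);
    return ldap_get_dn($ds, $entry) ?: null;
}

/** Authenticate a user against AD. True only for a real, credentialed bind. */
function ad_authenticate(string $username, string $password): bool
{
    // An empty DN or empty password makes ldap_bind() an anonymous /
    // unauthenticated bind, which AD allows; that is the false "success"
    // jd142 saw. Reject it before the server is even contacted.
    if ($username === '' || $password === '') {
        return false;
    }

    $ds = ad_connect(AD_URI);
    if ($ds === false) {
        return false;
    }

    try {
        // Step 1: bind with the read-only lookup account.
        if (!@ldap_bind($ds, AD_SVC_USER, AD_SVC_PASS)) {
            error_log('AD lookup bind failed: ' . ldap_error($ds));
            return false;
        }

        // Step 2: find the user's DN; refuse if unknown or ambiguous.
        $userDn = ad_find_user_dn($ds, AD_BASE_DN, $username);
        if ($userDn === null) {
            return false;
        }

        // Step 3: rebind as the user with the password they supplied.
        // The DN works here; the "user@domain" UPN form from post #11 does too.
        return (bool) @ldap_bind($ds, $userDn, $password);
    } finally {
        ldap_unbind($ds);
    }
}

// Usage (constructed input, not a real account):
if (PHP_SAPI === 'cli') {
    var_dump(ad_authenticate('dumbuser', 'abc123'));
    var_dump(ad_authenticate('dumbuser', ''));   // false without contacting the server
}
```

The count check in `ad_find_user_dn()` is what replaces the unguarded `$ld_info[0]['dn']` in the thread's code: when the search matches nothing, that index is undefined, the DN passed to the second `ldap_bind()` is empty, and the bind degrades to an anonymous one. Checking the count and the two credentials explicitly means a failed lookup can never be mistaken for a successful login.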

