Search the Community

I have an application that uses the PHP LDAP library to connect to the Windows Active Directory: $ds = ldap_connect($ini['ad_server']) or die("Could not connect"); $admin = $ini['ad_user']; $passwd = $ini['ad_password']; $passwd = base64_decode($passwd); $dn = $ini['ad_basedn']; ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); $rInTouch = ldap_bind($ds, $admin, $passwd); I am wondering if anyone knows if this upcoming patch "2020 LDAP channel binding and LDAP signing" coming from Microsoft will break any PHP applications that are using this ldap library. Thanks in advance, M

Hello there, I have this as login in function for an application. function login($username, $password) { $db =& $this->db; Kit::ClassLoader('userdata'); if (Config::Version('DBVersion') < 62) { // We can't do CSPRNG because the field doesn't exist, so we need to do standard user login // This can ONLY happen during an upgrade. $dbh = PDOConnect::init(); $sth = $dbh->prepare('SELECT UserID, UserName, UserPassword, UserTypeID FROM `user` WHERE UserName = :userName'); $sth->execute(array('userName' => $username)); $rows = $sth->fetchAll(); if (count($rows) != 1) { setMessage(__('Username or Password incorrect')); return false; } $userInfo = $rows[0]; // Check the password using a MD5 if ($userInfo['UserPassword'] != md5($password)) { setMessage(__('Username or Password incorrect')); return false; } } else { // Get the SALT for this username if (!$userInfo = $db->GetSingleRow(sprintf("SELECT UserID, UserName, UserPassword, UserTypeID, CSPRNG FROM `user` WHERE UserName = '%s'", $db->escape_string($username)))) { setMessage(__('Username or Password incorrect')); return false; } // User Data Object to check the password $userData = new Userdata($db); // Is SALT empty if ($userInfo['CSPRNG'] == 0) { // Check the password using a MD5 if ($userInfo['UserPassword'] != md5($password)) { setMessage(__('Username or Password incorrect')); return false; } // Now that we are validated, generate a new SALT and set the users password. $userData->ChangePassword(Kit::ValidateParam($userInfo['UserID'], _INT), null, $password, $password, true /* Force Change */); } else { // Check the users password using the random SALTED password if ($userData->validate_password($password, $userInfo['UserPassword']) === false) { setMessage(__('Username or Password incorrect')); return false; } } } // there is a result so we store the userID in the session variable $_SESSION['userid'] = Kit::ValidateParam($userInfo['UserID'], _INT); $_SESSION['username'] = Kit::ValidateParam($userInfo['UserName'], _USERNAME); $_SESSION['usertype'] = Kit::ValidateParam($userInfo['UserTypeID'], _INT); // Set the User Object $this->usertypeid = $_SESSION['usertype']; $this->userid = $_SESSION['userid']; // update the db // write out to the db that the logged in user has accessed the page $SQL = sprintf("UPDATE user SET lastaccessed = '" . date("Y-m-d H:i:s") . "', loggedin = 1 WHERE userid = %d", $_SESSION['userid']); $db->query($SQL) or trigger_error(__('Can not write last accessed info.'), E_USER_ERROR); // Switch Session ID's global $session; $session->setIsExpired(0); $session->RegenerateSessionID(session_id()); return true; } i am trying to squeeze in an alternative authentication for users on ldap as such if local authentication fails // alternativelly validate against Tivoli Directory server $ldap_host = "www.zflexldap.com:389"; $password = "password"; // Tivoli Directory DN $ldap_dn = "ou=users,ou=guests,dc=zflexsoftware,dc=com"; // connect to active directory $ldap = ldap_connect($ldap_host) or die("Couldn't connect to LDAP Server"); //username specified on post form is from TDS server // $dn = "uid=".$username.","; $dn = "uid=guest1,ou=users,ou=guests,dc=zflexsoftware,dc=com"; ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // verify user and password if($bind = @ldap_bind($ldap, $dn, $password)) all attempts thou has been breaking the application. thanks

I have been trying for a while now to get mod_auth_sspi up and running to help run a Drupal Intranet. The Drupal LDAP modul and the Drupal SSO instructions https://drupal.org/node/1371478 have been followed. I am running a Uniform Server 8.12 - running apache 2.2 and php 5.3 mod_auth_sspi is installed on the modules, and referenced in httpd.conf file. The LDAP itself works, in that going to /user someone can log into their site using the company login details from their Active Directory. The test mechanism on Drupal also pulls through relevant information such as emails etc. However unfortunately I can't get them to authenticate automatically. The httpd.conf file also contains: # Virtual hosts Include conf/extra/httpd-vhosts.conf # Pass NTLM authentication to Apache LoadModule sspi_auth_module modules/mod_auth_sspi.so <IfModule !mod_auth_sspi.c> LoadModule sspi_auth_module modules/mod_auth_sspi.so </IfModule> Then the vhosts file contains NameVirtualHost intranet.example.co.uk <VirtualHost intranet.example.co.uk> DocumentRoot "C:/UniServer2/www" ServerName Intranet <directory "C:/UniServer2/www"> Options Indexes FollowSymLinks MultiViews AllowOverride All Order Allow,Deny Allow from all </directory> <Location /intranet/user/login/sso> AuthType SSPI AuthName "Intranet" SSPIAuth On SSPIAuthoritative On ### The domain used to authenticate with LDAP; this should match the domain ### configured in the LDAP integration configuration within Drupal SSPIDomain xxx.xxx.x.x SSPIOmitDomain On SSPIOfferBasic On Require valid-user #SSPIBasicPreferred On #SSPIofferSSPI off </Location> </VirtualHost> For information intranet.example.co.uk has been replaced with name of company xxx.xxx.x.x is the IP of the Active Directory. Obviously I've replaced these bits for security reasons. Location is intranet/ because there is also another internal web application on the same server. However when I go the site I receive the error message: This happens at both intranet.example.co.uk and intranet.example.co.uk/user/login/sso The following error reports are logged by Drupal: So clearly Drupal isn't finding the remote user. Furthermore I have a simple whoami.php script running in cgi-bin. The code for this is: <html> <head> <title>whoami at <?php $_SERVER['SERVER_NAME']; ?> </title> </head> <body style='font-family:Verdana;font-size:-1'> <?php $cred = explode('\\',$_SERVER['REMOTE_USER']); if (count($cred) == 1) array_unshift($cred, "(no domain info - perhaps SSPIOmitDomain is On)"); list($domain, $user) = $cred; echo "You appear to be user <B>$user</B><BR/>"; echo "logged into the Windows NT domain <B>$domain</B>"; ?> </body> </html> This produced "You appear to be user" with no following text and "logged into the Windows NT domain (no domain info - perhaps SSPIOmitDomain is On)", suggesting that the server is also not picking up on the remote user. I haven't made any specific odd alterations to the server, so I am assuming the problem I am having must be one suffered by others using mod_auth_sspi. Couple of things it could be although my knowledge isn't enough to tell? I don't have Tomcat on the server. On the Apache wiki (http://wiki.apache.org/httpd/ModAuthSSPI) it says a common problem with mod_auth_sspi is that mod.jk isn't configured correctly. Mod.jk seems to be a file relevant to Tomcat - however I haven't seen Tomcat listed anywhere as a requirement for mod_auth_sspi? Something to do with htaccess? I've seen some mentioned of mod_auth_sspi and htaccess but nothing specific. However htaccess is the only place where I have done something vaguely unusual with the server as it has been configured to only allow people with the same IP address as the organisation to access the site (in other words only people in the offices can use it, and it can't be accessed from the outside). Any advice or steps that could be taken to debug this would be greatly appreciated as I seem to be going round in circles. Thanks.

Hi guys, So I am making a PHP site that I will host and others can make use of (after creating an account), however I want to integrate it with their local LDAP accounts/server. I do not want to distribute copies of the software for them to put on their servers. So I am thinking they would first need to visit myproduct.theircompany.com to login (this code would be on a server able to acces their LDAP server), which when it returns as authenticated (OK) it would then rediret to myproduct.com and have them as logged in. Now my issue is, how do I stop people being able to spoof myproduct.com into thinking someone is logged in, how do I pass the data back from myproduct.theircompany.com to myproduct.com? Any ideas? Or questions? Cheers

Dear Experts, I'm new to php. I want to create a php web app which is hosted in Linux (Apache Server). This application shall verify the input credential against active directory authentication. Below is y src code. But this is displaying error :The website cannot display the page. I want to show either "Congratulations! $username is authenticated."; or "Access Denied!"; in my web page. Plz help <?php $ldaphost = "ldap.mycompanydomain.com"; $ldapport = 389; $ds = ldap_connect($ldaphost, $ldapport) or die("Could not connect to $ldaphost"); if ($ds) { $username = "johndoe@mycompanydomain.com"; $upasswd = "rightpassword"; $ldapbind = ldap_bind($ds, $username, $upasswd); if ($ldapbind) {print "Congratulations! $username is authenticated.";} else {print "Access Denied!";} } ?>

I've been stumped on this for a couple days now. I've tried various solutions to no avail. Please help... Problem: We have two domain controller, which are not under our management. We are able to connect via LDAP on port 389, but are not able to connect securely over port 636. We are developing a system to allow a number of self-service facilities, one of which is a password recovery tool. This works up to the point of resetting the users password. I have found some code via the PHP manual which appears to do what we need, but cant seem to get it to work. This is the code I have thus far if ($caller==="change"){ if (($newPword1 === NULL)||($newPword1 === "" )){ return false;} if (($newPword2 === NULL)||($newPword2 === "" )){ return false;} if ($newPword1 != $newPword2) {$result["ERROR"]="1";$result["DETAILS"]="Your new password and the confirmation must match!";exit(); } try { $adldap = new adLDAP(); } catch (adLDAPException $e) {$result["ERROR"]="1";$result["DETAILS"]="An error occurred in adLDAP";echo json_encode($result);exit(); } $userinfo = $adldap->user()->info($username, array("givenname","dn","lockouttime")); $res = $userinfo[0]["lockouttime"]; $userDN = $userinfo[0]["dn"]; $firstName = $userinfo[0]["givenname"]; $authUser = $adldap->authenticate($username,$currentPword); if ($authUser){ try { $adminUsername = $domain."\\".$adminUsername; $srvDN = "LDAP://".$serverFQDN."/"; try {$ADSI = new COM("LDAP:");} catch (exception $e){$result["ERROR"]="1";$result["ERRORmsg"]=$e->getMessage();echo json_encode($result);exit();} try {$user = $ADSI->OpenDSObject($srvDN.$userDN, $adminUsername, $adminPassword, 1);} catch (exception $e){$result["ERROR"]="2";$result["ERRORmsg"]= $e->getMessage();echo json_encode($result);exit();} try { //set password if ($user){ $result["object"]="Success"; } else { $result["object"]="Failed"; } $user->SetPassword($newPword1); //line:114 -> error occurring on this line $user->SetInfo(); $result["ERROR"]="0"; $result["DETAILS"]="Thank you $firstName[0]<br><strong>Your password has been changed</strong><br><br>This may take up to 30 minutes to take effect depending on your location";} catch (exception $e){$result["ERROR"]="3";$result["ERRORmsg"]=$e." - ".$e->getMessage();$result["DETAILS"]="An Error Occurred.";} unset($user); unset($ADSI); } catch (exception $e){$result["ERROR"]="1";$result["DETAILS"]="An Error Occurred in the ADSI COM";echo json_encode($result);exit();} } else { if ($res[0] != "0"){ $result["ERROR"]="1"; $result["DETAILS"]="Im sorry $firstName[0].<br>Your account is now locked. Please contact the IT Service Desk for advice"; } else { $result["ERROR"]="1"; $result["DETAILS"]="Im sorry $firstName[0].<br>Your current password is incorrect"; } } In testing $result["object"] returns "Success". But the code seems to fail on the $user->SetPassword($newPword1); line. The error that is being returned is: ERROR -> "3" object -> "Success" ERRORmsg -> "exception 'com_exception' with message '<b>Source:</b> Unknown<br/><b>Description:</b> Unknown' in C:\inetpub\wwwroot\<path>\<filename>.php:114 Stack trace: #0 C:\inetpub\wwwroot\<path>\<filename>.php(114): variant->SetPassword('P@ssw0rd') #1 {main} - <b>Source:</b> Unknown<br/><b>Description:</b> Unknown" DETAILS -> "An Error Occurred." The above code is in a php doc on an IIS Web Server which is called by a user viewable page over https Are you able to offer any advice or guidance? Many thanks...