
LDAP hep pleeeese


realjumper


Hi,

Since posting a similar question yesterday, which got no response, I have searched and searched for quite a few hours and I don't know whether this is a 'state secret' or not, but I cannot find anything helpful to answer what I would imagine is a straightforward question.

I simply wish to use a PHP script to authenticate users against LDAP! I have seen many convoluted and technically 'over the top' tutorials on the subject, but all I want to know is simply how to authenticate users.

[i]Please[/i]...can someone help me?
https://forums.phpfreaks.com/topic/17094-ldap-hep-pleeeese/

If you're talking about single sign on, there is no simple answer. It's like asking someone to tell you how to build a simple nuclear bomb. LDAP is not easy to work with.
Best I can suggest is look here and learn, or pay someone to do it for you.

http://us2.php.net/manual/en/ref.ldap.php
https://forums.phpfreaks.com/topic/17094-ldap-hep-pleeeese/#findComment-72261

Thanks for the reply. I am quite sure that this cannot be that hard.......for example......I have an application that 600 users can access (assuming they have the correct permissions of course). Previously I would use a MySQL database for user authentication. The trouble with doing that is that I have to create an account for each user in the MySQL db, and I also have to create an account for them on the LDAP server. I wish to authenticate users of my application(s) against LDAP. If the user exists (uid & passwd), allow them access to the application....if they don't exist, "No Permission to Enter" type of thing. Surely that is not impossible?
https://forums.phpfreaks.com/topic/17094-ldap-hep-pleeeese/#findComment-72264

Here's an example of what I want to do.......now I know for definite that I have a connection to LDAP, and I know that the username/password exists but code won't work. It just gives me a blank page and I can't see why.

[code]

<?php

$ds = ldap_connect("202.36.110.2");
if (!$ds)
{
    print "Can't Connect";
    exit(0);
}

if ($ds)
{
    $username = "justme";
    $upasswd = "qwerty";

    $ldapbind = ldap_bind($ds, $username, $upasswd);

    if ($ldapbind)
    {
        print "Congratulations! $username is authenticated.";
    }
    else
    {
        print "Nice try, kid. Better luck next time!";
    }
}

?>

[/code]
https://forums.phpfreaks.com/topic/17094-ldap-hep-pleeeese/#findComment-72267

Thanks...but those examples don't help......they are mostly to do with Win2k.....and the others don't deal with what I am trying to do. Have a look at this......

[code]

<?php

$ds = ldap_connect("202.36.110.2");
if (!$ds)
{
    print "can't connect";
    exit(0);
}

if ($ds)
{
    print "connected";
    exit(0);
}

?>

[/code]

The above returns 'connected'......so I know it is connected. If I add [u]anything at all[/u] from the below, all I get is a white page. What's wrong? This is so frustrating :(

[code]

if ($ds)
{
    $username = "[email protected]";
    $upasswd = "pass";

    $ldapbind = ldap_bind($ds, $username, $upasswd);
}

if ($ldapbind)
{
    print "Congratulations! $username is authenticated.";
}
else
{
    print "Nice try, kid. Better luck next time!";
}

[/code]
https://forums.phpfreaks.com/topic/17094-ldap-hep-pleeeese/#findComment-72276

*Bump*

Anonymous binding isn't blocked, I checked. Also I installed Moodle, which authenticates via LDAP, and it will authenticate on my username/password with no issue at all. So, it can be done. The authentication (see my code above) should work....according to the sparsely available documentation available. I can connect to LDAP, I can even bind to LDAP....BUT I should be able to authenticate using the method I have above, or very similar.

I don't know if authentication on an LDAP server is a global super secret or not, but I'm sure running out of ideas and options.

>:(
https://forums.phpfreaks.com/topic/17094-ldap-hep-pleeeese/#findComment-72721

Never let it be said that I quit!!!!

The answer:

[code]

<?php

$ds = ldap_connect("xxx.xxx.xxx.xxx");
if (!$ds)
{
    print "can't connect";
    exit(0);
}

if ($ds)
{
    // No exit() here, otherwise the bind below is never reached
    print "connected";
}

// The above was already working fine

$username = "john_doe";
$upasswd = "whatever";
$base_dn = "cn=users, dc=directory,dc=ipc,dc=ac,dc=nz";
// The bind DN starts with uid=, not cn=
$rdn = "uid=$username, " . $base_dn;

// Set LDAPv3 on the same handle that ldap_bind() uses ($ds), before binding
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
$ldapbind = ldap_bind($ds, $rdn, $upasswd);

if ($ldapbind)
{
    print "<br>Congratulations! $username is authenticated.";
}
else
{
    print "<br>Nice try, kid. Better luck next time!";
}

?>

[/code]

So what I was missing was "uid=$username, "....I was trying to use cn=$username

and more importantly......

LDAP_OPT_PROTOCOL_VERSION, 3 ........it seems that the version number MUST be declared!!

So there you go.....problem solved, and hopefully someone else will learn from this 

;D
https://forums.phpfreaks.com/topic/17094-ldap-hep-pleeeese/#findComment-74261

ldap_connect will always return "true".

Use ldap_error on your bind statement to find out the error that is occurring:

[code]$ldapbind = ldap_bind($ds, $username, $upasswd) or die(ldap_error($ds));[/code]

Also, keep in mind that if you are using a win2k3 AD server, anon connects are disabled by default.

Have you tried using ldaps to connect?

I noticed that you aren't specifying the protocol in your ldap_connect call...when I connect I use:

[code]ldap_connect("ldap://fully.qualified.domain.name.of.server");[/code]
or
[code]ldap_connect("ldaps://fully.qualified.domain.name.of.server");[/code]
https://forums.phpfreaks.com/topic/17094-ldap-hep-pleeeese/#findComment-74278

Here's the function I use to authenticate to an LDAP server:

[code]// Returns true on success or an error string on failure. Both are truthy,
// so callers must compare the result with === true.
function checkuser($uname, $pword) {
    if ($uname != "") {
        $username = $uname . "@domain.name";

        $ldapconn = ldap_connect("ldaps://ldap.server") //or ldap://ldap.server
            or die("Could not connect to LDAP server.");

        // Options must be set on the handle returned by ldap_connect()
        ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);

        $ldapbind = ldap_bind($ldapconn, $username, $pword); // or die("Could not connect to LDAP: " . ldap_error($ldapconn));
        if ($ldapbind) {
            ldap_close($ldapconn);
            return true; // username / password good
        } else {
            ldap_close($ldapconn);
            return "Invalid Username or Password!!";
        }
    } else {
        return "No Username Entered!!";
    }
}[/code]
https://forums.phpfreaks.com/topic/17094-ldap-hep-pleeeese/#findComment-74291
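
A hardened variant of the bind-as-the-user check from the two posts above (the uid= bind DN with protocol version 3, and the checkuser() function), added here as an example and not code from any poster in the thread. The URI, base DN and function names are assumptions; it refuses empty passwords, escapes the login name before it goes into the DN, requires TLS, and returns a strict boolean.

```php
<?php
// Added example, not from the thread. URI and base DN are placeholders.

// Escape DN metacharacters so a crafted login name cannot change which
// entry is bound.
function build_bind_dn(string $username, string $base_dn): string
{
    return 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . $base_dn;
}

// True only when the server accepted a simple bind with a non-empty
// password; never a truthy error string.
function ldap_authenticate(string $uri, string $base_dn, string $username, string $password): bool
{
    // An empty password makes a simple bind "unauthenticated" (RFC 4513,
    // section 5.1.2), and some servers report that as success.
    if ($username === '' || $password === '') {
        return false;
    }

    $conn = ldap_connect($uri); // may succeed without contacting the server
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // Plain ldap:// would send the password in clear text; require StartTLS.
    if (strncmp($uri, 'ldaps://', 8) !== 0 && !@ldap_start_tls($conn)) {
        error_log('LDAP StartTLS failed: ' . ldap_error($conn));
        ldap_unbind($conn);
        return false;
    }

    $ok = @ldap_bind($conn, build_bind_dn($username, $base_dn), $password);
    if (!$ok) {
        // Log the server's reason; show the user only a generic failure.
        error_log('LDAP bind failed: ' . ldap_error($conn));
    }
    ldap_unbind($conn);
    return $ok;
}

// Constructed inputs: the empty password is refused before any bind, and
// the comma and equals sign in the second login name come back escaped.
var_dump(ldap_authenticate('ldap://ldap.example.org', 'cn=users,dc=example,dc=org', 'john_doe', ''));
echo build_bind_dn('x,cn=admin', 'cn=users,dc=example,dc=org'), "\n";
```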

Archived

This topic is now archived and is closed to further replies.
