LDAP hep pleeeese


13 replies to this topic

#1 realjumper

realjumper
  • Members
  • Advanced Member
  • 399 posts

Posted 10 August 2006 - 02:34 AM

Hi,

Since posting a similar question yesterday, which got no response, I have searched and searched for quite a few hours and I don't know whether this is a 'state secret' or not, but I cannot find anything helpful to answer what I would imagine is a straightforward question.

I simply wish to use a PHP script to authenticate users against LDAP! I have seen many convoluted and technically 'over the top' tutorials on the subject, but all I want to know is simply how to authenticate users.

Please...can someone help me?

#2 DylanBlitz

DylanBlitz
  • Members
  • Advanced Member
  • 99 posts
  • Location: OC Baby!

Posted 10 August 2006 - 03:54 AM

If you're talking about single sign on, there is no simple answer. It's like asking someone to tell you how to build a simple nuclear bomb. LDAP is not easy to work with.
Best I can suggest is look here and learn, or pay someone to do it for you.

http://us2.php.net/m...en/ref.ldap.php

#3 realjumper

realjumper
  • Members
  • Advanced Member
  • 399 posts

Posted 10 August 2006 - 04:05 AM

Thanks for the reply. I am quite sure that this cannot be that hard.......for example......I have an application that 600 users can access (assuming they have the correct permissions of course). Previously I would use a MySQL database for user authentication. The trouble with doing that is that I have to create an account for each user in the MySQL db, and I also have to create an account for them on the LDAP server. I wish to authenticate users of my application(s) against LDAP. If the user exists (uid & passwd), allow them access to the application....if they don't exist, "No Permission to Enter" type of thing. Surely that is not impossible?

#4 DylanBlitz

DylanBlitz
  • Members
  • Advanced Member
  • 99 posts
  • Location: OC Baby!

Posted 10 August 2006 - 04:13 AM

No, not impossible. So you want them to enter a username and password and check that against LDAP? That's a lot easier than what I thought you were doing. Go to that link I posted, they have a bunch of examples in the comments of how to do it.

#5 realjumper

realjumper
  • Members
  • Advanced Member
  • 399 posts

Posted 10 August 2006 - 04:14 AM

Here's an example of what I want to do.......now I know for definite that I have a connection to LDAP, and I know that the username/password exists, but the code won't work. It just gives me a blank page and I can't see why.


<?php

$ds = ldap_connect("202.36.110.2");
if (!$ds) {
    print "Can't Connect";
    exit(0);
}

if ($ds) {
    $username = "justme";
    $upasswd  = "qwerty";

    $ldapbind = ldap_bind($ds, $username, $upasswd);

    if ($ldapbind) {
        print "Congratulations! $username is authenticated.";
    } else {
        print "Nice try, kid. Better luck next time!";
    }
}

?>



#6 realjumper

realjumper
  • Members
  • Advanced Member
  • 399 posts

Posted 10 August 2006 - 04:44 AM

Thanks...but those examples don't help......they are mostly to do with Win2k.....and the others don't deal with what I am trying to do. Have a look at this......


<?php

$ds = ldap_connect("202.36.110.2");
if (!$ds) {
    print "can't connect";
    exit(0);
}

if ($ds) {
    print "connected";
    exit(0);
}

?>


The above returns 'connected'......so I know it is connected. If I add anything at all from the below, all I get is a white page. What's wrong? This is so frustrating :(


if ($ds) {
    $username = "johndoe@what.at.greatnet.com";
    $upasswd  = "pass";

    $ldapbind = ldap_bind($ds, $username, $upasswd);
}

if ($ldapbind) {
    print "Congratulations! $username is authenticated.";
} else {
    print "Nice try, kid. Better luck next time!";
}



#7 DylanBlitz

DylanBlitz
  • Members
  • Advanced Member
  • 99 posts
  • Location: OC Baby!

Posted 10 August 2006 - 05:05 AM

Have you tried binding anonymously? Or do you have that blocked?

It should give you some kind of a result one way or the other, your code looks correct.

I can't test it, don't have an LDAP directory to hit.



#8 realjumper

realjumper
  • Members
  • Advanced Member
  • 399 posts

Posted 10 August 2006 - 05:12 AM

I'm pretty sure that anonymous binding is blocked, but I'll check. Thanks :-)

#9 realjumper

realjumper
  • Members
  • Advanced Member
  • 399 posts

Posted 10 August 2006 - 09:01 PM

*Bump*

Anonymous binding isn't blocked, I checked. Also I installed Moodle, which authenticates via LDAP, and it will authenticate on my username/password with no issue at all. So, it can be done. The authentication (see my code above) should work....according to the sparse documentation available. I can connect to LDAP, I can even bind to LDAP....BUT I should be able to authenticate using the method I have above, or very similar.

I don't know if authentication on an LDAP server is a global super secret or not, but I'm sure running out of ideas and options.

>:(


#10 realjumper

realjumper
  • Members
  • Advanced Member
  • 399 posts

Posted 14 August 2006 - 12:00 AM

Never let it be said that I quit!!!!

The answer:


<?php

$ds = ldap_connect("xxx.xxx.xxx.xxx");
if (!$ds) {
    print "can't connect";
    exit(0);
}

if ($ds) {
    print "connected";
    // no exit() here: exiting in this branch would stop the script before the bind below ever runs
}

// The above was already working fine

$username = "john_doe";
$upasswd  = "whatever";
$base_dn  = "cn=users, dc=directory,dc=ipc,dc=ac,dc=nz";
$rdn      = "uid=$username, " . $base_dn;

// the option must be set on $ds, the handle returned by ldap_connect above
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
$ldapbind = ldap_bind($ds, $rdn, $upasswd);

if ($ldapbind) {
    print "<br>Congratulations! $username is authenticated.";
} else {
    print "<br>Nice try, kid. Better luck next time!";
}

?>


So what I was missing was "uid=$username, "....I was trying to use cn=$username

and more importantly......

LDAP_OPT_PROTOCOL_VERSION, 3 ........it seems that the version number MUST be declared!!

So there you go.....problem solved, and hopefully someone else will learn from this 

;D

#11 hitman6003

hitman6003
  • Members
  • Advanced Member
  • 1,807 posts

Posted 14 August 2006 - 01:21 AM

ldap_connect will always return "true".

Use ldap_error on your bind statement to find out the error that is occurring:

$ldapbind = ldap_bind($ds, $username, $upasswd) or die(ldap_error($ds));

Also, keep in mind that if you are using a win2k3 AD server, anon connects are disabled by default.

Have you tried using ldaps to connect?

I noticed that you aren't specifying the protocol in your ldap_connect call...when I connect I use:

ldap_connect("ldap://fully.qualified.domain.name.of.server");
or
ldap_connect("ldaps://fully.qualified.domain.name.of.server");


#12 realjumper

realjumper
  • Members
  • Advanced Member
  • 399 posts

Posted 14 August 2006 - 01:46 AM

Thanks for the useful info...I will try ldaps and see what happens. I like the ldap_error code, that would have saved me a bit of stress!! Anon connects are enabled on the Mac Tiger server which we are using. This is all very interesting :-)

#13 hitman6003

hitman6003
  • Members
  • Advanced Member
  • 1,807 posts

Posted 14 August 2006 - 01:57 AM

Here's the function I use to authenticate to an LDAP server:

// Note: on failure this returns a message string, which PHP treats as truthy,
// so callers must test the result with === true rather than a plain if().
function checkuser($uname, $pword) {
	if ($uname != "") {
		if ($pword == "") {
			// an empty password makes ldap_bind an anonymous (unauthenticated) bind,
			// which many servers accept, so it must never count as a login
			return "No Password Entered!!";
		}

		$username = $uname . "@domain.name";

		$ldapconn = ldap_connect("ldaps://ldap.server") //or ldap://ldap.server
			or die("Could not connect to LDAP server.");

		// both options apply to $ldapconn, the handle returned by ldap_connect above
		ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
		ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);

		$ldapbind = ldap_bind($ldapconn, $username, $pword); // or die("Could not connect to LDAP: " . ldap_error($ldapconn));
		if ($ldapbind) {
			ldap_close($ldapconn);
			return true; // username / password good
		} else {
			ldap_close($ldapconn);
			return "Invalid Username or Password!!";
		}
	} else {
		return "No Username Entered!!";
	}
}
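A hardened version of the bind-based check worked out in posts #10 and #13, added here as an example (this is not code from the thread or from any of its posters). The ldaps:// hostname, the base DN and the `uid` naming attribute are assumptions; substitute the values for your own directory. It keeps the three things the thread arrived at (a full DN built from `uid=`, protocol version 3, and `ldap_error` for diagnostics) and adds the checks a login routine needs: it refuses an empty password so the bind can never silently become an anonymous bind, escapes the username before placing it in the DN, logs the LDAP error server-side instead of echoing it, and returns a strict boolean.

```php
<?php
// Added example, not code from the thread. Host, base DN and uid attribute
// below are assumptions; adjust them for your directory.
declare(strict_types=1);

const LDAP_URI      = 'ldaps://ldap.example.invalid';   // assumed host; ldaps:// keeps the password off the wire in clear
const LDAP_BASE_DN  = 'cn=users,dc=example,dc=invalid'; // assumed base DN
const LDAP_UID_ATTR = 'uid';                            // assumed naming attribute (post #10 used uid=)

/**
 * Authenticate by binding to the directory as the user's own DN.
 * Returns strictly true or false; LDAP diagnostics go to error_log(),
 * never to the browser.
 */
function ldap_authenticate(string $username, string $password): bool
{
    // An empty password turns ldap_bind into an anonymous (unauthenticated)
    // bind, which many servers accept, so it must count as a failed login.
    if ($username === '' || $password === '') {
        return false;
    }

    // Accept only usernames that cannot carry DN or filter metacharacters.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }

    // ldap_connect only fails here for a malformed URI; network errors
    // surface at bind time, which is why ldap_error belongs after the bind.
    $ds = ldap_connect(LDAP_URI);
    if ($ds === false) {
        error_log('ldap_connect: invalid LDAP URI');
        return false;
    }

    // Protocol version 3 is required by most servers (the fix in post #10);
    // disabling referrals stops the user's credentials being replayed to
    // other servers the directory points at (post #13).
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Escape the username for DN context so it is always exactly one RDN value.
    $dn = LDAP_UID_ATTR . '=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . LDAP_BASE_DN;

    // ldap_bind raises a PHP warning on failure; suppress it and record the
    // server's result code and message instead (post #11's ldap_error tip).
    $bound = @ldap_bind($ds, $dn, $password);
    if (!$bound) {
        error_log(sprintf('ldap_bind failed for %s: (%d) %s', $dn, ldap_errno($ds), ldap_error($ds)));
    }
    ldap_unbind($ds);

    return $bound === true;
}

// Usage with constructed credentials; the caller only ever sees true/false.
if (ldap_authenticate('john_doe', 'whatever')) {
    echo "Authenticated\n";
} else {
    echo "Login failed\n";
}
```

Returning a bare boolean matters because a function that returns a message string on failure is truthy in PHP, so a caller writing `if (checkuser(...))` would let the failed login through. If your directory does not use a predictable `uid=` DN, the usual alternative is to bind once with a low-privilege service account, search for the user's entry to obtain its DN, and then bind a second time as that DN with the supplied password; the same empty-password and escaping rules apply to that variant.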


#14 DylanBlitz

DylanBlitz
  • Members
  • Advanced Member
  • 99 posts
  • Location: OC Baby!

Posted 14 August 2006 - 01:59 AM

Glad you got it figured out realjumper. Sorry I couldn't be more help before, only connected to LDAP with things other than PHP.



