
Archived

This topic is now archived and is closed to further replies.

realjumper

LDAP help pleeeese

Recommended Posts

Hi,

Since posting a similar question yesterday, which got no response, I have searched and searched for quite a few hours and I don't know whether this is a 'state secret' or not, but I cannot find anything helpful to answer what I would imagine is a straightforward question.

I simply wish to use a php script to authenticate users against LDAP! I have seen many convoluted and technically 'over the top' tutorials on the subject, but all I want to know is simply how to authenticate users.

[i]Please[/i]...can someone help me?

If you're talking about single sign on, there is no simple answer. It's like asking someone to tell you how to build a simple nuclear bomb. LDAP is not easy to work with.
Best I can suggest is look here and learn, or pay someone to do it for you.

http://us2.php.net/manual/en/ref.ldap.php

Thanks for the reply. I am quite sure that this cannot be that hard.......for example......I have an application that 600 users can access (assuming they have the correct permissions of course). Previously I would use a MySQL database for user authentication. The trouble with doing that is that I have to create an account for each user in the MySQL db, and I also have to create an account for them on the LDAP server. I wish to authenticate users of my application(s) against LDAP. If the user exists (uid & passwd), allow them access to the application....if they don't exist, "No Permission to Enter" type of thing. Surely that is not impossible?

No, not impossible. So you want them to enter a username and password and check that against LDAP? That's a lot easier than what I thought you were doing. Go to that link I posted, they have a bunch of examples in the comments of how to do it.

Here's an example of what I want to do.......now I know for definite that I have a connection to LDAP, and I know that the username/password exists, but the code won't work. It just gives me a blank page and I can't see why.

[code]
<?php

$ds = ldap_connect("202.36.110.2");
if (!$ds)
{
    print "Can't Connect";
    exit(0);
}

if ($ds)
{
    $username = "justme";
    $upasswd  = "qwerty";

    $ldapbind = ldap_bind($ds, $username, $upasswd);

    if ($ldapbind)
    {
        print "Congratulations! $username is authenticated.";
    }
    else
    {
        print "Nice try, kid. Better luck next time!";
    }
}

?>
[/code]

Thanks...but those examples don't help......they are mostly to do with Win2k.....and the others don't deal with what I am trying to do. Have a look at this......

[code]
<?php

$ds = ldap_connect("202.36.110.2");
if (!$ds)
{
    print "can't connect";
    exit(0);
}

if ($ds)
{
    print "connected";
    exit(0);
}

?>
[/code]

The above returns 'connected'......so I know it is connected. If I add [u]anything at all[/u] from the below, all I get is a white page. What's wrong? This is so frustrating :(

[code]
if ($ds)
{
    $username = "johndoe@what.at.greatnet.com";
    $upasswd  = "pass";

    $ldapbind = ldap_bind($ds, $username, $upasswd);
}

if ($ldapbind)
{
    print "Congratulations! $username is authenticated.";
}
else
{
    print "Nice try, kid. Better luck next time!";
}
[/code]

Have you tried binding anonymously? Or do you have that blocked?

It should give you some kind of a result one way or the other, your code looks correct.

I can't test it, don't have an LDAP directory to hit.

*Bump*

Anonymous binding isn't blocked, I checked. Also I installed Moodle, which authenticates via LDAP, and it will authenticate on my username/password with no issue at all. So, it can be done. The authentication (see my code above) should work....according to the sparsely available documentation. I can connect to LDAP, I can even bind to LDAP....BUT I should be able to authenticate using the method I have above, or very similar.

I don't know if authentication on an LDAP server is a global super secret or not, but I'm sure running out of ideas and options.

>:(

Never let it be said that I quit!!!!

The answer:

[code]
<?php

$ds = ldap_connect("xxx.xxx.xxx.xxx");
if (!$ds)
{
    print "can't connect";
    exit(0);
}

// The above was already working fine. The earlier connection test called
// exit(0) after printing "connected"; that exit has to go, or nothing below runs.
print "connected";

$username = "john_doe";
$upasswd  = "whatever";
$base_dn  = "cn=users, dc=directory,dc=ipc,dc=ac,dc=nz";
$rdn      = "uid=$username, " . $base_dn;

// The option is set on the connection handle returned by ldap_connect ($ds),
// and it must be set before the bind.
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
$ldapbind = ldap_bind($ds, $rdn, $upasswd);

if ($ldapbind)
{
    print "<br>Congratulations! $username is authenticated.";
}
else
{
    print "<br>Nice try, kid. Better luck next time!";
}

?>
[/code]

So what I was missing was "uid=$username, "....I was trying to use cn=$username

and more importantly......

LDAP_OPT_PROTOCOL_VERSION, 3 ........it seems that the version number MUST be declared!!

So there you go.....problem solved, and hopefully someone else will learn from this 

;D

ldap_connect will always return "true".

Use ldap_error on your bind statement to find out the error that is occurring:

[code]$ldapbind = ldap_bind($ds, $username, $upasswd) or die(ldap_error($ds));[/code]

Also, keep in mind that if you are using a win2k3 AD server, anon connects are disabled by default.

Have you tried using ldaps to connect?

I noticed that you aren't specifying the protocol in your ldap_connect call...when I connect I use:

[code]ldap_connect("ldap://fully.qualified.domain.name.of.server");[/code]
or
[code]ldap_connect("ldaps://fully.qualified.domain.name.of.server");[/code]

Thanks for the useful info...I will try ldaps and see what happens. I like the ldap_error code, that would have saved me a bit of stress!! Anon connects are enabled on the Mac Tiger server which we are using. This is all very interesting :-)

Here's the function I use to authenticate to an LDAP server:

[code]function checkuser($uname, $pword) {
    // Both fields must be present: an empty password makes ldap_bind() perform an
    // anonymous bind, which succeeds on any server that permits anonymous access.
    if ($uname != "" && $pword != "") {
        $username = $uname . "@domain.name";

        $ldapconn = ldap_connect("ldaps://ldap.server") // or ldap://ldap.server
            or die("Could not connect to LDAP server.");

        // Options are set on the handle returned by ldap_connect, before the bind.
        ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);

        $ldapbind = ldap_bind($ldapconn, $username, $pword); // or die("Could not connect to LDAP: " . ldap_error($ldapconn));
        if ($ldapbind) {
            ldap_close($ldapconn);
            return true; // username / password good
        } else {
            ldap_close($ldapconn);
            // NB: this string is truthy; callers must test the result with === true
            return "Invalid Username or Password!!";
        }
    } else {
        return "No Username or Password Entered!!";
    }
}[/code]

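An added example, not code from this thread or its posters: one PHP function that combines what the thread arrived at (an ldaps:// URI, LDAP protocol version 3, a uid-based DN, ldap_error() on a failed bind) with the two checks the posted checkuser() function leaves out, rejecting an empty password (ldap_bind() would otherwise perform an anonymous bind, which the poster's server allows) and validating and escaping the username before it is placed in a DN. The host, base DN and form field names are assumptions.

```php
<?php
// Added example (not from the thread): a hardened bind-based check built from the
// advice in the posts above. Host, base DN and form field names are assumptions.
// Returns true on success, false otherwise; failure detail goes to $error, never
// into the return value, so a caller's `if (ldap_authenticate(...))` is safe.
function ldap_authenticate(string $username, string $password, string &$error = ''): bool
{
    $uri     = 'ldaps://ldap.example.test';                 // assumed server
    $base_dn = 'cn=users,dc=directory,dc=example,dc=test';  // assumed base DN

    // An empty password makes ldap_bind() do an anonymous bind, which succeeds
    // on servers that allow it (the thread's server does). Reject it up front.
    if ($username === '' || trim($password) === '') {
        $error = 'missing username or password';
        return false;
    }
    // Restrict the uid to plain characters and escape it for DN use, so the
    // supplied name cannot change which entry is bound.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        $error = 'malformed username';
        return false;
    }
    $user_dn = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . $base_dn;

    $ds = ldap_connect($uri); // checks URI syntax only; nothing is sent yet
    if ($ds === false) {
        $error = 'invalid LDAP URI';
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // required, as the thread found
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // ldap_bind() emits a warning on failure; suppress it and read ldap_error() instead.
    $ok = @ldap_bind($ds, $user_dn, $password);
    if (!$ok) {
        $error = ldap_error($ds); // e.g. "Invalid credentials", "Can't contact LDAP server"
    }
    ldap_unbind($ds);
    return $ok;
}

$err = '';
if (ldap_authenticate($_POST['user'] ?? '', $_POST['pass'] ?? '', $err)) {
    echo 'Congratulations, you are authenticated.';
} else {
    error_log("LDAP auth failed: $err"); // detail stays server-side; the user sees a generic message
    echo 'Nice try, kid. Better luck next time!';
}
```

ldap_escape() and the LDAP_ESCAPE_DN flag need PHP 5.6 or later; the bind itself is the same call the thread uses, only with a DN built from validated input.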
Glad you got it figured out realjumper. Sorry I couldn't be more help before, only connected to LDAP with things other than PHP.

