realjumper Posted August 10, 2006

Hi,

Since posting a similar question yesterday, which got no response, I have searched and searched for quite a few hours and I don't know whether this is a 'state secret' or not, but I cannot find anything helpful to answer what I would imagine is a straightforward question. I simply wish to use a PHP script to authenticate users against LDAP! I have seen many convoluted and technically 'over the top' tutorials on the subject, but all I want to know is simply how to authenticate users. [i]Please[/i]...can someone help me?
DylanBlitz Posted August 10, 2006

If you're talking about single sign on, there is no simple answer. It's like asking someone to tell you how to build a simple nuclear bomb. LDAP is not easy to work with. Best I can suggest is look here and learn, or pay someone to do it for you.

http://us2.php.net/manual/en/ref.ldap.php
realjumper Posted August 10, 2006 (Author)

Thanks for the reply. I am quite sure that this cannot be that hard.......for example......I have an application that 600 users can access (assuming they have the correct permissions of course). Previously I would use a MySQL database for user authentication. The trouble with doing that is that I have to create an account for each user in the MySQL db, and I also have to create an account for them on the LDAP server. I wish to authenticate users of my application(s) against LDAP. If the user exists (uid & passwd), allow them access to the application....if they don't exist, "No Permission to Enter" type of thing. Surely that is not impossible?
DylanBlitz Posted August 10, 2006

No, not impossible. So you want them to enter a username and password and check that against LDAP? That's a lot easier than what I thought you were doing. Go to that link I posted, they have a bunch of examples in the comments of how to do it.
realjumper Posted August 10, 2006 (Author)

Here's an example of what I want to do.......now I know for definite that I have a connection to LDAP, and I know that the username/password exists but the code won't work. It just gives me a blank page and I can't see why.

[code]<?php
$ds = ldap_connect("202.36.110.2");
if (!$ds) {
    print "Can't Connect";
    exit(0);
}
if ($ds) {
    $username = "justme";
    $upasswd = "qwerty";
    $ldapbind = ldap_bind($ds, $username, $upasswd);
    if ($ldapbind) {
        print "Congratulations! $username is authenticated.";
    } else {
        print "Nice try, kid. Better luck next time!";
    }
}
?>[/code]
realjumper Posted August 10, 2006 (Author)

Thanks...but those examples don't help......they are mostly to do with Win2k.....and the others don't deal with what I am trying to do. Have a look at this......

[code]<?php
$ds = ldap_connect("202.36.110.2");
if (!$ds) {
    print "can't connect";
    exit(0);
}
if ($ds) {
    print "connected";
    exit(0);
}
?>[/code]

The above returns 'connected'......so I know it is connected. If I add [u]anything at all[/u] from the below, all I get is a white page. What's wrong? This is so frustrating :(

[code]if ($ds) {
    $username = "johndoe@what.at.greatnet.com";
    $upasswd = "pass";
    $ldapbind = ldap_bind($ds, $username, $upasswd);
}
if ($ldapbind) {
    print "Congratulations! $username is authenticated.";
} else {
    print "Nice try, kid. Better luck next time!";
}[/code]
DylanBlitz Posted August 10, 2006

Have you tried binding anonymously? Or do you have that blocked? It should give you some kind of a result one way or the other, your code looks correct. I can't test it, don't have an LDAP directory to hit.
realjumper Posted August 10, 2006 (Author)

I'm pretty sure that anonymous binding is blocked, but I'll check. Thanks :-)
realjumper Posted August 10, 2006 (Author)

*Bump*

Anonymous binding isn't blocked, I checked. Also I installed Moodle, which authenticates via LDAP, and it will authenticate on my username/password with no issue at all. So, it can be done. The authentication (see my code above) should work....according to the sparsely available documentation. I can connect to LDAP, I can even bind to LDAP....BUT I should be able to authenticate using the method I have above, or very similar. I don't know if authentication on an LDAP server is a global super secret or not, but I'm sure running out of ideas and options. >:(
realjumper Posted August 14, 2006 (Author)

Never let it be said that I quit!!!!

The answer:

[code]<?php
$ds = ldap_connect("xxx.xxx.xxx.xxx");
if (!$ds) {
    print "can't connect";
    exit(0);
}
if ($ds) {
    print "connected";
}
// The above was already working fine

$username = "john_doe";
$upasswd = "whatever";
$base_dn = "cn=users, dc=directory,dc=ipc,dc=ac,dc=nz";
// Bind with the full DN of the user entry, not the bare username
$rdn = "uid=$username, " . $base_dn;

// The protocol version must be set on the connection handle before binding
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
$ldapbind = ldap_bind($ds, $rdn, $upasswd);
if ($ldapbind) {
    print "<br>Congratulations! $username is authenticated.";
} else {
    print "<br>Nice try, kid. Better luck next time!";
}
?>[/code]

So what I was missing was "uid=$username, "....I was trying to use cn=$username and more importantly......LDAP_OPT_PROTOCOL_VERSION, 3 ........it seems that the version number MUST be declared!!

So there you go.....problem solved, and hopefully someone else will learn from this ;D
hitman6003 Posted August 14, 2006

ldap_connect will always return "true". Use ldap_error on your bind statement to find out the error that is occurring:

[code]$ldapbind = ldap_bind($ds, $username, $upasswd) or die(ldap_error($ds));[/code]

Also, keep in mind that if you are using a win2k3 AD server, anon connects are disabled by default. Have you tried using ldaps to connect? I noticed that you aren't specifying the protocol in your ldap_connect call...when I connect I use:

[code]ldap_connect("ldap://fully.qualified.domain.name.of.server");[/code]

or

[code]ldap_connect("ldaps://fully.qualified.domain.name.of.server");[/code]
realjumper Posted August 14, 2006 (Author)

Thanks for the useful info...I will try ldaps and see what happens. I like the ldap_error code, that would have saved me a bit of stress!! Anon connects are enabled on the Mac Tiger server which we are using. This is all very interesting :-)
hitman6003 Posted August 14, 2006

Here's the function I use to authenticate to an LDAP server:

[code]function checkuser($uname, $pword) {
    if ($uname != "") {
        $username = $uname . "@domain.name";
        $ldapconn = ldap_connect("ldaps://ldap.server") // or ldap://ldap.server
            or die("Could not connect to LDAP server.");
        // Options are set on the same handle that is used for the bind
        ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
        $ldapbind = ldap_bind($ldapconn, $username, $pword);
        // or die("Could not connect to LDAP: " . ldap_error($ldapconn));
        if ($ldapbind) {
            ldap_close($ldapconn);
            return true; // username / password good
        } else {
            ldap_close($ldapconn);
            return "Invalid Username or Password!!";
        }
    } else {
        return "No Username Entered!!";
    }
}[/code]
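The two working snippets in this thread (the uid= bind DN with protocol version 3, and the checkuser function) share two gaps a defender would want closed: an empty password makes ldap_bind perform an anonymous/unauthenticated bind, which the thread confirms is enabled on this server and which many directories report as a successful bind, and the username is spliced unescaped into a DN. The following is an added example, not code from any poster; the ldaps URI and base DN are placeholders.

```php
<?php
// Added example (not from the thread): LDAP password check that keeps the
// thread's fixes (uid= bind DN, LDAP_OPT_PROTOCOL_VERSION 3) and closes the
// two gaps noted above. Host and base DN below are assumed placeholders.
function ldap_authenticate(string $username, string $password): bool
{
    $ldapUri = 'ldaps://ldap.example.invalid';      // placeholder, assumed
    $baseDn  = 'cn=users,dc=example,dc=invalid';    // placeholder, assumed

    // 1. Reject empty credentials before touching the directory: with an
    //    empty password ldap_bind() does an anonymous/unauthenticated bind,
    //    and a "successful" bind there is not proof of identity.
    if ($username === '' || $password === '') {
        return false;
    }

    // 2. The username becomes part of a DN, so escape it per RFC 4514
    //    (ldap_escape() with LDAP_ESCAPE_DN exists in PHP >= 5.6); this stops
    //    a crafted username from changing which entry is bound as.
    $rdn = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . $baseDn;

    // ldap_connect() only prepares a handle; the real network work happens
    // at bind time, which is why the thread's "connected" check never failed.
    $ds = ldap_connect($ldapUri);
    if ($ds === false) {
        return false;
    }
    // Protocol version must be set on this handle before the bind (the fix
    // found in the thread); not chasing referrals avoids re-sending the
    // user's password to other servers.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // @ silences the PHP warning on a failed bind; the precise cause is kept
    // for the server log via ldap_error(), not shown to the user.
    $bound = @ldap_bind($ds, $rdn, $password);
    if (!$bound) {
        error_log('LDAP bind failed for uid=' . $username . ': ' . ldap_error($ds));
    }
    ldap_unbind($ds);
    return $bound;
}

// Usage: true only when the directory accepts that user's own password.
var_dump(ldap_authenticate('john_doe', 'whatever'));
```

Returning a bool (rather than mixing true with error strings as checkuser does) keeps callers from accidentally treating a non-empty error message as a truthy login.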
DylanBlitz Posted August 14, 2006

Glad you got it figured out realjumper. Sorry I couldn't be more help before, only connected to LDAP with things other than PHP.