
LDAP help pleeeese


realjumper


Hi,

Since posting a similar question yesterday, which got no response, I have searched and searched for quite a few hours and I don't know whether this is a 'state secret' or not, but I cannot find anything helpful to answer what I would imagine is a straightforward question.

I simply wish to use a PHP script to authenticate users against LDAP! I have seen many convoluted and technically 'over the top' tutorials on the subject, but all I want to know is simply how to authenticate users.

[i]Please[/i]...can someone help me?

If you're talking about single sign-on, there is no simple answer. It's like asking someone to tell you how to build a simple nuclear bomb. LDAP is not easy to work with.
Best I can suggest is look here and learn, or pay someone to do it for you.

http://us2.php.net/manual/en/ref.ldap.php

Thanks for the reply. I am quite sure that this cannot be that hard.......for example......I have an application that 600 users can access (assuming they have the correct permissions of course). Previously I would use a MySQL database for user authentication. The trouble with doing that is that I have to create an account for each user in the MySQL db, and I also have to create an account for them on the LDAP server. I wish to authenticate users of my application(s) against LDAP. If the user exists (uid & passwd), allow them access to the application....if they don't exist, "No Permission to Enter" type of thing. Surely that is not impossible?

Here's an example of what I want to do.......now I know for definite that I have a connection to LDAP, and I know that the username/password exists, but the code won't work. It just gives me a blank page and I can't see why.

[code]

<?php

$ds = ldap_connect("202.36.110.2");
if (!$ds) {
    print "Can't Connect";
    exit(0);
}

$username = "justme";
$upasswd  = "qwerty";

// simple bind using the bare username as the bind identity
$ldapbind = ldap_bind($ds, $username, $upasswd);

if ($ldapbind) {
    print "Congratulations! $username is authenticated.";
} else {
    print "Nice try, kid. Better luck next time!";
}

?>

[/code]

Thanks...but those examples don't help......they are mostly to do with Win2k.....and the others don't deal with what I am trying to do. Have a look at this......

[code]

<?php

$ds = ldap_connect("202.36.110.2");
if (!$ds) {
    print "can't connect";
    exit(0);
}

// ldap_connect() only validates its parameters; the network connection itself is made by the first ldap_bind()
print "connected";
exit(0);

?>

[/code]

The above returns 'connected'......so I know it is connected. If I add [u]anything at all[/u] from the below, all I get is a white page. What's wrong? This is so frustrating :(

[code]

$username = "johndoe@what.at.greatnet.com";
$upasswd  = "pass";

// bind as the user, with the username in user@domain (UPN) form
$ldapbind = ldap_bind($ds, $username, $upasswd);

if ($ldapbind) {
    print "Congratulations! $username is authenticated.";
} else {
    print "Nice try, kid. Better luck next time!";
}

[/code]

*Bump*

Anonymous binding isn't blocked, I checked. Also I installed Moodle, which authenticates via LDAP, and it will authenticate on my username/password with no issue at all. So, it can be done. The authentication (see my code above) should work....according to the sparsely available documentation available. I can connect to LDAP, I can even bind to LDAP....BUT I should be able to authenticate using the method I have above, or very similar.

I don't know if authentication on an LDAP server is a global super secret or not, but I'm sure running out of ideas and options.

>:(

Never let it be said that I quit!!!!

The answer:

[code]

<?php

$ds = ldap_connect("xxx.xxx.xxx.xxx");
if (!$ds) {
    print "can't connect";
    exit(0);
}

// The above was already working fine.
// Don't exit(0) after "connected" here, or the bind below is never reached.
print "connected";

$username = "john_doe";
$upasswd  = "whatever";
$base_dn  = "cn=users,dc=directory,dc=ipc,dc=ac,dc=nz";
$rdn      = "uid=$username," . $base_dn;   // if $username comes from a form, escape it with ldap_escape($username, "", LDAP_ESCAPE_DN)

// the option must be set on the connection handle ($ds); the original used an undefined $ldap_connect
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
$ldapbind = ldap_bind($ds, $rdn, $upasswd);

if ($ldapbind) {
    print "<br>Congratulations! $username is authenticated.";
} else {
    print "<br>Nice try, kid. Better luck next time!";
}

?>

[/code]

So what I was missing was "uid=$username, "....I was trying to use cn=$username

and more importantly......

LDAP_OPT_PROTOCOL_VERSION, 3 ........it seems that the version number MUST be declared!!

So there you go.....problem solved, and hopefully someone else will learn from this 

;D

ldap_connect will always return "true".

Use ldap_error on your bind statement to find out the error that is occurring:

[code]$ldapbind = ldap_bind($ds, $username, $upasswd) or die(ldap_error($ds));[/code]

Also, keep in mind that if you are using a win2k3 AD server, anon connects are disabled by default.

Have you tried using ldaps to connect?

I noticed that you aren't specifying the protocol in your ldap_connect call...when I connect I use:

[code]ldap_connect("ldap://fully.qualified.domain.name.of.server");[/code]
or
[code]ldap_connect("ldaps://fully.qualified.domain.name.of.server");[/code]

Here's the function I use to authenticate to an LDAP server:

[code]function checkuser($uname, $pword) {
if ($uname != "") {
// an empty password is an anonymous (unauthenticated) bind, which most servers accept,
// so it must be rejected here or any username with a blank password would pass
if ($pword == "") {
return "Invalid Username or Password!!";
}
$username = $uname . "@domain.name";

$ldapconn = ldap_connect("ldaps://ldap.server") //or ldap://ldap.server
or die("Could not connect to LDAP server.");

// options go on $ldapconn (the original set them on undefined $ds / $ldap, so they had no effect)
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);

$ldapbind = @ldap_bind($ldapconn, $username, $pword); // or die("Could not connect to LDAP: " . ldap_error($ldapconn));
if ($ldapbind) {
ldap_close($ldapconn);
return true; // username / password good

} else {
ldap_close($ldapconn);
return "Invalid Username or Password!!";
}
} else {
return "No Username Entered!!";
}
}[/code]
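Pulling the thread's pieces together (the "uid=$username,<base_dn>" bind with protocol version 3 from the "answer" post, and the user@domain form, ldaps:// URI, LDAP_OPT_REFERRALS and ldap_error() points from the last two replies), here is an added example written for this edit; it is not code from any poster. It assumes a hypothetical server ldaps://ldap.example.org, reuses the base DN from the answer post, and assumes an AD UPN suffix of example.org. The hardening it adds on top of the thread's snippets is what you want before putting this behind a login form: DN escaping of the username, refusing an empty password (which the server would treat as an anonymous bind and accept), StartTLS when the URI is plain ldap://, and surfacing the server's error text instead of a blank page.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). Hypothetical values:
const LDAP_URI  = 'ldaps://ldap.example.org';                 // assumed; plain ldap:// is upgraded with StartTLS below
const BASE_DN   = 'cn=users,dc=directory,dc=ipc,dc=ac,dc=nz'; // base DN used in the answer post
const AD_DOMAIN = 'example.org';                              // assumed UPN suffix for the Active Directory form

/**
 * Build the bind DN for a username (OpenLDAP-style directory).
 * ldap_escape() with LDAP_ESCAPE_DN stops a username such as "x,cn=admins" or
 * one containing '+', '"', '\' or '*' from changing the structure of the DN.
 */
function bind_dn_for(string $username, string $baseDn = BASE_DN): string
{
    return 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . $baseDn;
}

/**
 * Build an Active Directory user principal name (user@domain).
 * A UPN is not a DN, so instead of escaping we allow only a conservative character set.
 */
function upn_for(string $username, string $domain = AD_DOMAIN): string
{
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        throw new InvalidArgumentException('username contains characters not allowed in a UPN');
    }
    return $username . '@' . $domain;
}

/**
 * Verify credentials with a simple bind as the user. Returns true only for a
 * successful authenticated bind; on failure $reason holds the server's error text.
 */
function ldap_check_password(string $bindIdentity, string $password, ?string &$reason = null): bool
{
    $reason = null;

    // RFC 4513 5.1.2: a bind with a name but an empty password is an *unauthenticated*
    // bind, and servers commonly accept it. Without this check any username + blank
    // password would "authenticate".
    if ($password === '') {
        $reason = 'empty password (would be an unauthenticated bind)';
        return false;
    }

    $ds = ldap_connect(LDAP_URI);
    if ($ds === false) {
        $reason = 'malformed LDAP URI';
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);   // libldap defaults to v2; AD and most OpenLDAP setups require v3
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);          // do not chase AD referrals during the bind
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // Over plain ldap:// the password crosses the wire in clear text; upgrade to TLS first.
    if (str_starts_with(LDAP_URI, 'ldap://') && !@ldap_start_tls($ds)) {
        $reason = 'StartTLS failed: ' . ldap_error($ds);
        ldap_unbind($ds);
        return false;
    }

    // '@' silences the E_WARNING a failed bind emits (the source of the thread's blank page
    // when display_errors is off); the reason is reported through ldap_error() instead.
    $ok = @ldap_bind($ds, $bindIdentity, $password);
    if (!$ok) {
        $reason = ldap_error($ds);                                      // e.g. "Invalid credentials"
        if (ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail) && $detail !== '') {
            $reason .= ' (' . $detail . ')';                            // AD appends a data code such as 52e or 775
        }
    }
    ldap_unbind($ds);
    return $ok;
}

// Usage: in a real login handler $username and $password come from the form.
$username = 'john_doe';   // sample value from the answer post
$password = 'whatever';

$identity = bind_dn_for($username);   // use upn_for($username) instead against Active Directory
if (ldap_check_password($identity, $password, $why)) {
    echo 'Congratulations! ' . htmlspecialchars($username) . " is authenticated.\n";
} else {
    echo 'Authentication failed: ' . htmlspecialchars((string) $why) . "\n";
}
```

Two design notes. The empty-password guard is the one check in this block that a working "it binds, so it must be fine" script is most likely to miss: the bind really does succeed, as an anonymous session, which is exactly the "anonymous binding isn't blocked" situation the original poster confirmed. And when the page still comes up blank, look at the web server's error log or turn on display_errors in a development copy; ldap_bind() reports bad credentials as a warning plus a false return, never as an exception, so nothing reaches the browser unless you print ldap_error() yourself as the example does.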
