Toyimk
Posted April 25, 2007

I'm trying to detect whether a user in LDAP is expired or not after a bind. LDAP RFCs specify a control (OID: 2.16.840.1.113730.3.4.4) which tells the server to return if a password has expired after a bind. I am using the following code to attempt to enable this control:

```php
$ld = ldap_connect( $host );
ldap_set_option( $ld, LDAP_OPT_PROTOCOL_VERSION, 3 );

// Non-critical control, set connection-wide before the bind.
$ctrl1 = array( "oid" => "2.16.840.1.113730.3.4.4", "iscritical" => false );
ldap_set_option( $ld, LDAP_OPT_SERVER_CONTROLS, array( $ctrl1 ) );

$bind = ldap_bind( $ld, $userDN, $password );
if ( !( $bind ) ) {
    // Only the result code and its text are available here.
    print ldap_errno( $ld ) . " " . ldap_error( $ld ) . "<br>\n";
}
```

This code returns ldap error 49, which is Invalid Credentials, but that's it. It doesn't specify that the password is expired. The ldap_set_option function returns true, so I'm assuming the server is made aware of the control, but I can't figure out how to retrieve the control or message stating if the password is expired or not.

I know how to do this in Perl, but PHP's LDAP implementation is vastly different than Perl's Net::LDAP implementation.

Any help would be appreciated!
MadTechie
Posted April 25, 2007

This may help

```php
<?php
// Constant names must be quoted strings in define().
define('AD_SERVER', "192.168.1.4");
define('AD_USER', "bob@testdomain.com");
define('AD_PASSWORD', "Passssss");

// Connect to the directory server.
$ad = ldap_connect("ldap://" . AD_SERVER) or die("Couldn't connect to AD!");
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);

// Bind to the directory server.
$bd = ldap_bind($ad, AD_USER, AD_PASSWORD) or die("Couldn't bind to AD!");

// Search the Users container and dump what comes back.
$dn = "CN=Users,DC=testdomain,DC=com";
$attributes = array("displayname");
$filter = "(objectcategory=user)";
$result = ldap_search($ad, $dn, $filter, $attributes) or die("Search failed!");
$entries = ldap_get_entries($ad, $result);
var_dump($entries); //<--may help
ldap_unbind($ad);
```
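For the question in the first post, an added example (not code from either poster): on PHP 7.3 or later, `ldap_bind_ext()` returns the bind result and `ldap_parse_result()` exposes the response controls, so the control with the OID quoted in the question can be read even when the bind fails with error 49. The host, DN and password are placeholders, the `.5` "expiring" OID is the companion control and is not mentioned in the thread, and whether a given server returns either control is an assumption that depends on its password policy.

```php
<?php
const OID_PWD_EXPIRED  = '2.16.840.1.113730.3.4.4'; // OID quoted in the question
const OID_PWD_EXPIRING = '2.16.840.1.113730.3.4.5'; // companion control (not in the thread)

/**
 * Bind and report what the server said about password expiry.
 * Returns ['bound' => bool, 'errno' => int, 'expired' => bool, 'expires_in' => ?int].
 */
function bindWithExpiryCheck($ld, string $dn, string $password): array
{
    $status = ['bound' => false, 'errno' => -1, 'expired' => false, 'expires_in' => null];

    // Same non-critical control the question sets, passed per operation.
    $request = [['oid' => OID_PWD_EXPIRED, 'iscritical' => false]];

    // ldap_bind_ext() hands back the result message rather than a bare bool,
    // so response controls remain readable when the credentials are refused.
    $res = @ldap_bind_ext($ld, $dn, $password, $request);
    if ($res === false) {                 // transport-level failure, no server answer
        $status['errno'] = ldap_errno($ld);
        return $status;
    }

    $errno = 0; $matched = ''; $msg = ''; $refs = []; $ctrls = [];
    if (!ldap_parse_result($ld, $res, $errno, $matched, $msg, $refs, $ctrls)) {
        $status['errno'] = ldap_errno($ld);
        return $status;
    }
    $status['errno'] = $errno;
    $status['bound'] = ($errno === 0);    // an expired account is still NOT authenticated

    // Response controls come back keyed by OID.
    $ctrls = $ctrls ?? [];
    $status['expired'] = isset($ctrls[OID_PWD_EXPIRED]);
    if (isset($ctrls[OID_PWD_EXPIRING]['value'])) {
        $status['expires_in'] = (int) $ctrls[OID_PWD_EXPIRING]['value']; // seconds
    }
    return $status;
}

// Placeholder connection details.
$ld = ldap_connect('ldap://ldap.example.com');
ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
$s = bindWithExpiryCheck($ld, 'uid=jdoe,ou=people,dc=example,dc=com', 'placeholder-password');
printf("bound=%s errno=%d expired=%s\n",
    var_export($s['bound'], true), $s['errno'], var_export($s['expired'], true));
```

Use `expired` only to choose which message or password-change flow to show; access decisions should rest on `bound` alone.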