Authentication - HELP $PHP_AUTH_USER

[closerwalk]

Here it goes... This script works it authenticates against the AD (LDAP) and I can echo the session var but why do I have to put the password in three times at the authentication popup before it will complete and authenticate?

 

Why does it not authenticate the first time?

 

 

Anyone?

 

<?php
session_start();
// Kgoddard - 2007

$header .= header('WWW-Authenticate: Basic realm="My Realm"');
$header .= header('HTTP/1.0 401 Unauthorized');


$ldap_user = $_SERVER['PHP_AUTH_USER'];

$ldap_pass = $_SERVER['PHP_AUTH_PW'];

$ldap_host = "servername";
$base_dn = "DC=xxx,DC=lan";
$filter = "(&(objectClass=user)(objectCategory=person)(cn=".$ldap_user."*))";
$connect = ldap_connect( $ldap_host, $ldap_port)
or exit("UNABLE TO REACH AUTH SERVER");
ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
$bind = ldap_bind($connect, $ldap_user, $ldap_pass)
or exit("ACCESS DENIED PLEASE RETRY");
$read= ldap_search($connect, $base_dn, $filter)
or exit("ACCESS DENIED PLEASE HIT REFRESH AND TRY AGAIN");
$info = ldap_get_entries($connect, $read);
$ii=0;

  
   for ($i=0; $i<$info["count"]; $i++) {
   
$_SESSION['displayname'] = $info[$i]["displayname"][0]; 

$_SESSION['department'] =  $info[$i]["department"][0];
   
	$_SESSION['phonenumber'] = $info[$i]["telephonenumber"][0];
  
$_SESSION['ext'] = $info[$i]["physicaldeliveryofficename"][0];

   
	if (strlen($info[$i]["mobile"][0])<1) { 
   
   		$content ='&nbsp'; 
   		}
   		else
   		{
   		$content = $info[$i]["mobile"][0];
  		}
   	$_SESSION['mobile'] = $content;
   		$group = str_replace('CN=','' ,$info[$i]['memberof'][0]);
   		$group = str_replace('OU=','', $group);
   		$group = str_replace(',','', $group);
   		$group = str_replace('DC=','', $group);
   		$group = str_replace('Groups','', $group);
   		$group = str_replace('ces','', $group);
   		$group = str_replace('lan','', $group);
   	$_SESSION['group'] = $group;


   
  
   
   
   	}
   

  
ldap_close($connect);

?>

[btherl]

You should only send the 401 header if authentication fails.  The rest of your script runs even though you have indicated failure with the headers, which is why the session vars are set.

[closerwalk]

Thanks always helps to get other eyes looking apprecaite your help.   Here is the working version:

 

 

LDAP AUTHENTCATION

 

<?php
session_start();



$ldap_user = $_SERVER['PHP_AUTH_USER'];

$ldap_pass = $_SERVER['PHP_AUTH_PW'];

$ldap_host = "servername";
$base_dn = "DC=xxx,DC=lan";
$filter = "(&(objectClass=user)(objectCategory=person)(cn=".$ldap_user."*))";
$connect = ldap_connect( $ldap_host, $ldap_port)
or exit("UNABLE TO REACH AUTH SERVER");
ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
$bind = ldap_bind($connect, $ldap_user, $ldap_pass)
or exit("ACCESS DENIED PLEASE RETRY");
$read= ldap_search($connect, $base_dn, $filter)
or exit("ACCESS DENIED PLEASE HIT REFRESH AND TRY AGAIN");
$info = ldap_get_entries($connect, $read);
$ii=0;

  
   for ($i=0; $i<$info["count"]; $i++) {
   
$_SESSION['displayname'] = $info[$i]["displayname"][0]; 

$_SESSION['department'] =  $info[$i]["department"][0];
   
	$_SESSION['phonenumber'] = $info[$i]["telephonenumber"][0];
  
$_SESSION['ext'] = $info[$i]["physicaldeliveryofficename"][0];

   
	if (strlen($info[$i]["mobile"][0])<1) { 
   
   		$content ='&nbsp'; 
   		}
   		else
   		{
   		$content = $info[$i]["mobile"][0];
  		}
   	$_SESSION['mobile'] = $content;
   		$group = str_replace('CN=','' ,$info[$i]['memberof'][0]);
   		$group = str_replace('OU=','', $group);
   		$group = str_replace(',','', $group);
   		$group = str_replace('DC=','', $group);
   		$group = str_replace('Groups','', $group);
   		$group = str_replace('ces','', $group);
   		$group = str_replace('lan','', $group);
   	$_SESSION['group'] = $group;


   
  
   
   
   	}
   

  
ldap_close($connect);
}
else {


header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
}
?>