Reputation: 7208

Can I programmatically determine if ldap_bind fails because of a network issue?

We use an LDAP server to authenticate our users. Because the server is accessed remotely, there's a rather high plausibility that our webserver will be online, and the LDAP server will be down for maintenance.

Right now, when ldap_bind fails, I assume it is a user authentication issue (wrong username/pass) and I display a message to the user. However, if the connection to the LDAP server is failing (and it's not necessarily a credentials problem) then I end up with hundreds of users telling me that their password isn't working when that isn't the problem.

How can I recover from this? ldap_connect seems to succeed in all cases, as the connection is deferred until ldap_bind is called. The return value from ldap_bind is a simple boolean, and while the warning message displayed by PHP is informative, that doesn't help my code out too much.

Upvotes: 1

Views: 1696

Answers (2)

Terry Gardner

Reputation: 11132

request/response framework

LDAP interactions consist of a request and a response. The response will always contain a result code. When the request is a bind, a non-zero result code indicates that an error occurred; for example, the result code decimal 49 indicates that the credentials supplied were incorrect (in some cases, for security reasons, this result code can be returned when an entry does not exist in order to mislead an attacker). The application coder should verify that a connection to the server can be successful and that the bind distinguished name has the correct credentials by authenticating using a known correct tool such as ldapsearch. For example, try:

ldapsearch -h hostname -p port \
   -D distinguished-name-here -w <password> -b '' -s base '(&)' 

The above search establishes a connection, changes the authorization state of the connection to the auth ID specified using the given credentials and then retrieves attributes from the root DSE. If this search is successful, then the application coder can be assured that the credentials are correct.

network timeouts

The application coder should always use an API that supports the notion of network timeouts since timeouts are not part of the LDAP protocol - there are time limits on searches (see RFC4511), but no network timeouts in the protocol. If an LDAP API does not support network timeouts, then that API should not be considered for non-trivial LDAP client work.

see also

Upvotes: 0

Brad

Reputation: 163438

Use ldap_errno().

http://php.net/manual/en/function.ldap-errno.php

List of possible error codes: http://www.php.net/manual/en/function.ldap-errno.php#20665

Upvotes: 3
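Putting both answers together (inspect the result code with ldap_errno(), and set a network timeout so a dead host fails fast), here is an added example that is not from the question or either answer. It assumes a PHP build linked against OpenLDAP; the URI, bind DN and password are placeholders.

```php
<?php
// Added example, not code from the original question or answers.
// Assumes PHP's ldap extension built on OpenLDAP; host, DN and password are placeholders.

// Result codes that mean "the server could not be reached", not "wrong password".
// OpenLDAP reports LDAP_SERVER_DOWN as -1; the LDAP C API draft numbers it 0x51 (81).
// 85 = timeout, 91 = connect error.
const NETWORK_ERRNOS = [-1, 81, 85, 91];
const INVALID_CREDENTIALS_ERRNO = 49;   // invalidCredentials (RFC 4511)

/**
 * Returns 'ok', 'bad_credentials' or 'unavailable' so the caller can show the
 * right message to the user and alert operators when the directory is down.
 */
function ldapAuthenticate(string $uri, string $bindDn, string $password): string
{
    // An empty password makes ldap_bind() perform an unauthenticated bind, which
    // succeeds on many servers; never treat that as a valid login.
    if ($password === '') {
        return 'bad_credentials';
    }

    $ldap = ldap_connect($uri);          // no socket is opened yet
    if ($ldap === false) {
        return 'unavailable';            // malformed URI
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Seconds to wait for the TCP connection; without this a dead host can hang the request.
    ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // Suppress the PHP warning; the result code is read explicitly below.
    if (@ldap_bind($ldap, $bindDn, $password)) {
        ldap_unbind($ldap);
        return 'ok';
    }

    $errno = ldap_errno($ldap);
    $message = ldap_error($ldap);

    if ($errno === INVALID_CREDENTIALS_ERRNO) {
        return 'bad_credentials';
    }
    // Anything else (server down, timeout, unexpected code) is an infrastructure
    // problem: log it for operators and do not blame the user's password.
    $kind = in_array($errno, NETWORK_ERRNOS, true) ? 'unreachable' : 'unexpected error';
    error_log("LDAP bind failed, server $kind ($errno: $message)");
    return 'unavailable';
}

// Usage with constructed placeholder values.
$state = ldapAuthenticate('ldap://ldap.example.com', 'uid=jdoe,ou=people,dc=example,dc=com', 'secret');
echo ['ok' => "Welcome\n", 'bad_credentials' => "Username or password incorrect\n"][$state]
    ?? "Login is temporarily unavailable, please try again later\n";
```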
