user2241859

Reputation: 165

php LDAP Invalid credentials

My code is:

<?php
$user     = 'test';
$password = 'testpass';
$host     = '10.1.1.1';
$port     = 389;
$basedn   = 'dc=ci,dc=mycompany,dc=com';
$group    = 'Users';
$ldaprdn  = 'uid=test,dc=ci,dc=mycompany,dc=com';

// When a URI is given, ldap_connect() ignores its $port argument, so the port goes into the URI.
$ad = ldap_connect("ldap://$host:$port");
if ($ad) {
    echo "Connected" . "<br/>";
} else {
    // ldap_connect() returns false only for a malformed URI; there is no link to ask for an error.
    die("Could not parse LDAP URI" . "<br/>");
}
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);

// Only one of the four bind variants is active at a time; the others stay commented out.
// $ldapBind = ldap_bind($ad, "{$user}@{$domain}", $password); // 1. ($domain is not defined above)
// $ldapBind = ldap_bind($ad, $user, $password);               // 2.
$ldapBind = ldap_bind($ad, $ldaprdn, $password);               // 3.
// $ldapBind = ldap_bind($ad, null, null);                     // 4. anonymous bind

if ($ldapBind) {
    echo "Binded" . "<br/>";
} else {
    echo ldap_error($ad) . "<br/>";
}

Now, when I use the commented line "3", I get:

Connected
Invalid credentials

If I use the commented line "1" or "2", I get:

Connected
Invalid DN syntax

If I use the commented line "4" (this is anonymous), I get:

Connected
Binded

This is developing under Ubuntu 12.

Why do I get the Invalid credentials error from the commented line "3"? How do I bind with authentication correctly? Thanks in advance!

Upvotes: 0

Views: 18803

Answers (3)

Kakash1hatake

Reputation: 148

@Annamalai.Somasundaram,

DN should be passed something like cn=test,ou=Users,dc=ci,dc=mycompany,dc=com

The correct spelling can be found on the specific LDAP server.

Upvotes: 0

Terry Gardner

Reputation: 11134

The ldap_bind function appears to require a DN, not an RDN, no matter what the doc says. If this is the case, then:

  • Number 1. {$user}@{$domain} is not a correctly formatted DN, hence: Invalid DN syntax
  • Number 2: test is not a correctly formatted DN, hence: Invalid DN syntax

For information on the string representation of the formatting of DN, see RFC4514

verify with known good tool

As far as I can tell, Number 3 is the only correct one of the four that are provided. The Directory Server has indicated in the BIND response that it was unable to verify that the provided password testpass matched the password that is stored in its database. In this case, I recommend checking the password using a known good tool like ldapsearch.

ldapsearch -h hostname -p port              \
    -D 'uid=test,dc=ci,dc=mycompany,dc=com' \
    -w 'testpass' -s base '(&)' 1.1

This ldapsearch BINDs to the directory as 'uid=test,dc=ci,dc=mycompany,dc=com' using password testpass and retrieves the DN of the uid=test entry. If this fails with "invalid credentials" error, then there are these possibilities:

  • testpass is not the correct password
  • some directory servers can be configured to set the result code to "invalid credentials" no matter what the true error is. The reason for this is to withhold information from an attacker
  • the uid=test entry does not exist. The bullet point above explains why this would also result in an "invalid credentials" error. There is no point in telling an attacker that an entry does not exist - that would provide the attacker with additional information (he has one less DN to try).

jargon and LDAP-speak

In the interest of using the correct jargon:

  • $ldaprdn is not an RDN, it's a DN. RDNs are components of DNs

see also

Upvotes: 6
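An added example, not code from the question or from any of the answers, that does in PHP what the answer above recommends: bind with the full DN, then read the bound entry back the same way the ldapsearch command does, and report the LDAP result code so that Invalid DN syntax (34) and Invalid credentials (49) can be told apart. Host, port, DN and password are placeholders; the empty-password check is added because a server may treat "DN + empty password" as an unauthenticated bind that succeeds without checking anything (RFC 4513, 5.1.2).

```php
<?php
// Bind with a full DN and classify the outcome. Placeholders: URI, DN, password.
function ldapBindAndCheck(string $uri, string $dn, string $password): array
{
    // Never hand an empty password to ldap_bind(): the server may accept it as an
    // unauthenticated bind, which "succeeds" and would look like a valid login.
    if ($password === '') {
        return ['ok' => false, 'code' => -1, 'msg' => 'empty password refused', 'diag' => '', 'entry' => null];
    }
    $ld = ldap_connect($uri);          // port goes in the URI, e.g. ldap://host:389
    if ($ld === false) {
        return ['ok' => false, 'code' => -1, 'msg' => 'malformed LDAP URI', 'diag' => '', 'entry' => null];
    }
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);

    $bound = @ldap_bind($ld, $dn, $password);   // @: a failed bind also emits a PHP warning
    $code  = ldap_errno($ld);                    // LDAP result code of the BIND response
    $msg   = ldap_error($ld);
    $diag  = '';
    if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) { // PHP >= 7.1: server-side diagnostic text
        ldap_get_option($ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    }
    $entry = null;
    if ($bound) {
        // Same probe as the ldapsearch above: base-scope read of the bound entry,
        // attribute "1.1" asks for no attributes, so only the DN comes back.
        $res = ldap_read($ld, $dn, '(objectClass=*)', ['1.1']);
        if ($res !== false) {
            $entries = ldap_get_entries($ld, $res);
            $entry = $entries['count'] > 0 ? $entries[0]['dn'] : null;
        }
    }
    ldap_unbind($ld);
    // 34 = invalidDNSyntax (variants 1 and 2 in the question),
    // 49 = invalidCredentials (wrong password, or a missing entry on a server that hides that).
    return ['ok' => (bool) $bound, 'code' => $code, 'msg' => $msg, 'diag' => $diag, 'entry' => $entry];
}

// Placeholder values mirroring the question; replace with your own directory's.
$r = ldapBindAndCheck('ldap://10.1.1.1:389', 'uid=test,dc=ci,dc=mycompany,dc=com', 'testpass');
printf("bound=%s code=%d (%s) %s entry=%s\n",
    $r['ok'] ? 'yes' : 'no', $r['code'], $r['msg'], $r['diag'], $r['entry'] ?? '-');
```

If the bind succeeds but the read returns no entry, the DN exists for authentication yet is not readable by that user, which points at access control rather than credentials.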

user2241859

Reputation: 165

I found the problem: the $ldaprdn = 'uid=test,dc=ci,dc=mycompany,dc=com' is not the same as it is on the LDAP server; after changing it, it works well.

Upvotes: 0
