user275151

Couldn't bind LDAP using PHP

I am trying to bind to LDAP using PHP and I am getting this error:

    Warning: ldap_bind() [function.ldap-bind]: Unable to bind to server: Can't contact LDAP server on line 21

and the script on line 21 is this:

    $bind_status = ldap_bind($conn_status, $app_user, $app_pass);

Here's the script to connect to LDAP:

    $conn_status = ldap_connect('ldaps://ldap.domain.com/', 389);
    if ($conn_status === FALSE) {
        die("Couldn't connect to LDAP service");
    } else {
        echo "Successful! <br/>";
    }

Here's the script to bind to LDAP:

    $app_user = 'cn=user, dc=domain, dc=com';
    $app_pass = 'password';

    $username = 'user'; //same as cn
    $password = 'password'; //same as $app_pass

    $bind_status = ldap_bind($conn_status, $app_user, $app_pass);
    if ($bind_status === FALSE) {
        die("Couldn't bind to LDAP as application user");
    } else {
        echo "Bind to LDAP successfully <br/>";
    }

My updated LDAP bind script:

    $bind_status = ldap_bind($conn_status, $username, $password);
    if ($bind_status === FALSE) {
        //die("Couldn't bind to LDAP <br/>");
        echo "LDAP-Errno: " . ldap_errno($conn_status) . "<br />";
    } else {
        echo "Bind to LDAP successfully <br/>";
    }

And now I got this error:

    Warning: ldap_bind() [function.ldap-bind]: Unable to bind to server: Operations error on line 21

Line 21 is this:

    $bind_status = ldap_bind($conn_status, $username, $password);

When I use

    var_dump (@ldap_bind($conn_status, "cn=Username, ou=domain, ou=com"));

The result is

    bool(false)

Please help me fix this. Thank you.

Upvotes: 1

Views: 3268

Answers (2)

84104

Reputation: 166

Typically ldaps listens on port 636/tcp and ldap with starttls listens on port 389/tcp.

    $ldap_URI = "ldap://ldap.example.com/";
    $ldap_bind_dn = "cn=myapplication,ou=service accounts,dc=example,dc=com";
    $ldap_bind_dn_password = "hopefully something long and complicated";
    $ldap_connection = ldap_connect($ldap_URI);
    if (ldap_start_tls($ldap_connection)) {
        if (!ldap_bind($ldap_connection, $ldap_bind_dn, $ldap_bind_dn_password)) {
            //TODO: return/throw some error/exception here to be handled by caller, regarding invalid credentials
        }
    } else {
        ldap_close($ldap_connection);
        //TODO: return/throw some error/exception here to be handled by caller, regarding starttls failure
    }

  • Check the TLS settings of your global ldap config, usually /etc/openldap/ldap.conf or /etc/ldap/ldap.conf.
  • If you use SELinux, check httpd_can_connect_ldap, i.e. $ getsebool httpd_can_connect_ldap

Also:

"When OpenLDAP 2.x.x is used, ldap_connect() will always return a resource as it does not actually connect but just initializes the connecting parameters. The actual connect happens with the next calls to ldap_* funcs, usually with ldap_bind()." -- PHP manual

Upvotes: 2

Daniel t.

Reputation: 1055

In your ldap_connect method, you specified a secure ldap connection (ldaps) and yet used the standard port 389. If you are trying to make a secure connection, then remove the port number and ldap_connect will figure out the right port, or use port 636. Otherwise use ldap with port number 389 for the insecure connection.

Either

    $conn_status = ldap_connect('ldap://ldap.domain.com/');

    $conn_status = ldap_connect('ldap://ldap.domain.com/', 389);

OR

    $conn_status = ldap_connect('ldaps://ldap.domain.com/');

    $conn_status = ldap_connect('ldaps://ldap.domain.com/', 636);

Upvotes: 0
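Putting both answers together (let the URI scheme choose the port, upgrade plain ldap:// with STARTTLS before binding, and read ldap_errno()/ldap_error() from the link instead of an undefined variable), here is an added helper that is not from the question or either answer. The host, DNs and password are placeholders, and the TLS certificate constants assume PHP 7.0.5 or newer.

```php
<?php
// Added example: connect and bind with TLS enforced. Returns the LDAP link on
// success, or a string describing the failure (never a half-connected link).
// $uri is 'ldaps://host' (implicit TLS, default port 636) or
// 'ldap://host' (port 389, upgraded with STARTTLS before the bind).
function secureLdapBind(string $uri, string $bindDn, string $password)
{
    $scheme = parse_url($uri, PHP_URL_SCHEME);
    if ($scheme !== 'ldap' && $scheme !== 'ldaps') {
        return "unsupported scheme in $uri";
    }
    // A zero-length password makes ldap_bind() perform an unauthenticated
    // bind that many servers accept, so reject it before touching the network.
    if ($bindDn === '' || $password === '') {
        return 'refusing to bind with an empty DN or password';
    }
    // No explicit port: the scheme picks 636 or 389. The question combined
    // 'ldaps://' with 389, which is why the server could not be contacted.
    $link = ldap_connect($uri);
    if ($link === false) {
        return 'malformed LDAP URI'; // with OpenLDAP nothing else fails here
    }
    ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($link, LDAP_OPT_REFERRALS, 0);
    // Demand a valid server certificate for both ldaps and STARTTLS
    // (the global ldap.conf mentioned in the first answer can also set this).
    ldap_set_option($link, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    if ($scheme === 'ldap' && !@ldap_start_tls($link)) {
        // Fail closed: never fall back to sending the password in clear text.
        $err = ldap_error($link);
        ldap_unbind($link);
        return "STARTTLS failed: $err";
    }
    if (!@ldap_bind($link, $bindDn, $password)) {
        // Read the real diagnostic from the link, e.g. '49 Invalid credentials'.
        $err = ldap_errno($link) . ' ' . ldap_error($link);
        ldap_unbind($link);
        return "bind failed: $err";
    }
    return $link;
}

// Placeholder values; replace with your own directory, service DN and secret.
$result = secureLdapBind('ldaps://ldap.example.com/',
    'cn=myapplication,ou=service accounts,dc=example,dc=com', 'CHANGE-ME');
if (is_string($result)) {
    echo $result, "\n";
} else {
    echo "bound\n";
    ldap_unbind($result);
}
```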
