Reputation: 606
I am trying to make a login page which authenticates using an LDAP server. I use the following information and it works with an LDAP client.
Host: ldap.med.xxx.edu
Port: 389
Protocol: v3
Base DN: ou=som,dc=med,dc=xxx,dc=edu
Security level: User + Password
User DN: MED\myusername
Password: mypassword
and then I have the following code:
```php
function ldap_authentication($uname, $password)
{
    // Bind name built from the username; the "\\" in a double-quoted string is a single backslash
    $ldaprdn  = "uid=MED\\$uname,ou=som,dc=med,dc=xxx,dc=edu";
    $ldappass = "$password";

    ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
    $ldapconn = @ldap_connect("ldap.med.xxx.edu", 389) or die("Cannot connect to LDAP server!");
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);

    if ($ldapconn)
    {
        // Simple bind with the user's credentials
        $ldapbind = @ldap_bind($ldapconn, $ldaprdn, $ldappass);
        if ($ldapbind)
        {
            return "Success...";
        }
        else
        {
            return "Failed to bind..." . ldap_error($ldapconn);
        }
    }
    else {
        return "Cannot Connect";
    }
    return "Unknown error...";
}
```
Now this PHP code returns "Failed to bind...Invalid credentials".
Any idea what I am doing wrong here?
Upvotes: 0
Views: 6700
Reputation: 691
I had a similar issue with getting "invalid credentials" while attempting to log into Active Directory via LDAP, but only for certain users. I had tried using/removing the domain_prefix\, both with single and double backslashes, to no avail. The login credentials were all verified for each account I tried, but only one (mine, oddly enough) worked, while others with both more or less permissions, different or identical groups, all failed. What I found to be the solution to the problem was this: the variable $ldaprdn, which stored the RDN, was in this format:
```php
$ldaprdn = "xxx\\{$username}";
```
For some reason this was failing for all accounts other than mine (the web server that runs the intranet site I'm working on is on my workstation, which may or may not be relevant), but failed for every other user. By changing the RDN string to this:
```php
$ldaprdn = "xxx\\$username";
```
it now works just fine for all valid accounts. I have no idea at all why this is, either for why all login credentials save for mine failed, or why the removal of the braces "fixed" the problem. If anyone has insights as to why this seemingly insignificant change had such a strange effect, I'm all ears.
Upvotes: 0
Reputation: 3861
I think you have to use either
```
sAMAccountName=$uname,ou=som,dc=med,dc=xxx,dc=edu
```
or just
```
MED\\$uname
```
for the bind.

The last one is a special Active Directory feature. The first one takes into account that the unique id on AD is named sAMAccountName and not uid.
Upvotes: 1
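The following is an added example written for this page; it is not code from the question or from either answer. It puts the DOMAIN\user bind form from the answer above into a complete login function and goes beyond the thread in two ways a practitioner would want: it refuses an empty password before binding (an LDAP bind with a name and an empty password is an unauthenticated bind, which Active Directory accepts by default, so without this check any known username logs in with a blank password), and after the bind it looks the account up by sAMAccountName under the base DN with the filter escaped. The host, NetBIOS domain and base DN are taken from the question; the constant names, the use of LDAPS on port 636, and the function name are assumptions.

```php
<?php
// Added example; not the question's or either answer's code.
// Assumed values: host and base DN from the question, NetBIOS domain "MED",
// and that the server offers LDAPS on 636 (use ldap://...:389 plus
// ldap_start_tls() if it does not).
const AD_LDAP_URI       = 'ldaps://ldap.med.xxx.edu:636';
const AD_NETBIOS_DOMAIN = 'MED';
const AD_BASE_DN        = 'ou=som,dc=med,dc=xxx,dc=edu';

/**
 * Authenticate a user against Active Directory.
 *
 * Returns the account's distinguishedName on success, or null on failure.
 * The bind name is DOMAIN\sAMAccountName, which AD accepts directly; a
 * string such as "uid=MED\user,ou=..." is not a valid AD DN and is
 * rejected with "Invalid credentials".
 */
function ad_authenticate(string $username, string $password): ?string
{
    // 1. Refuse empty passwords. A bind with a name and an empty password is
    //    an *unauthenticated* bind (RFC 4513 section 5.1.2); AD lets it
    //    succeed, so ldap_bind() would return true without checking anything.
    if ($password === '') {
        return null;
    }

    // 2. Accept only plain account names; DN and filter metacharacters are
    //    rejected outright rather than escaped into the bind name.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return null;
    }

    $conn = ldap_connect(AD_LDAP_URI);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // AD returns referrals for some searches; chasing them can fail or hang.
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // 3. Bind as the user. "@" suppresses the warning ldap_bind() emits on a
    //    failed bind; the LDAP error text is logged server-side instead of
    //    being shown to the client.
    $bindName = AD_NETBIOS_DOMAIN . '\\' . $username;
    if (!@ldap_bind($conn, $bindName, $password)) {
        error_log('AD bind failed for ' . $username . ': ' . ldap_error($conn));
        ldap_unbind($conn);
        return null;
    }

    // 4. Confirm the account lives under the expected base DN and fetch its DN.
    //    ldap_escape() with LDAP_ESCAPE_FILTER neutralises filter
    //    metacharacters even though step 2 already constrained the name.
    $filter = sprintf(
        '(&(objectClass=user)(sAMAccountName=%s))',
        ldap_escape($username, '', LDAP_ESCAPE_FILTER)
    );
    $result  = ldap_search($conn, AD_BASE_DN, $filter, ['distinguishedName']);
    $entries = ($result !== false) ? ldap_get_entries($conn, $result) : false;
    ldap_unbind($conn);

    if ($entries === false || $entries['count'] !== 1) {
        return null; // bound, but not exactly one user object in scope
    }
    // ldap_get_entries() lower-cases attribute names
    return $entries[0]['distinguishedname'][0];
}

// Usage (constructed input from a login form):
// $dn = ad_authenticate($_POST['username'] ?? '', $_POST['password'] ?? '');
// if ($dn === null) { /* show a generic "login failed" message */ }
```

The bind tells you the password is right; the search afterwards tells you the account is actually one you intend to let in (under ou=som rather than anywhere in the forest the bind name resolves to). If you later switch to binding with a full DN, the same two checks still apply: never bind with an empty password, and never splice an unvalidated username into a DN or filter.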