Younes Nj

Reputation: 606

PHP - ldap_bind returns invalid credentials

I am trying to make a login page which authenticates against an LDAP server. I use the following information and it works with an LDAP client.

Host: ldap.med.xxx.edu
Port: 389
Protocol: v3
Base DN: ou=som,dc=med,dc=xxx,dc=edu
Security level: User + Password
User DN: MED\myusername
Password: mypassword

and then I have the following code:

function ldap_authentication($uname, $password)
{
    $ldaprdn = "uid=MED\\$uname,ou=som,dc=med,dc=xxx,dc=edu";
    $ldappass = "$password";
    ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
    $ldapconn = @ldap_connect("ldap.med.xxx.edu",389) or die("Cannot connect to LDAP server!");
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
    if($ldapconn)
    {
        $ldapbind = @ldap_bind($ldapconn, $ldaprdn, $ldappass);
        if($ldapbind)
        {
            return "Success...";
        }
        else
        {

            return "Failed to bind..." . ldap_error($ldapconn);
        }
    }
    else {
        return "Cannot Connect";
    }
    return "Unknown error...";
}

Now this PHP code returns "Failed to bind...Invalid Credentials"

Any idea what I am doing wrong here?

Upvotes: 0

Views: 6700

Answers (2)

Dave Morton

Reputation: 691

I had a similar issue with getting "invalid credentials" while attempting to log into Active Directory via LDAP, but only for certain users. I had tried using/removing the domain_prefix\, both with single and double backslashes, to no avail. The login credentials were all verified for each account I tried, but only one (mine, oddly enough) worked, while others with both more or less permissions, different or identical groups, all failed. What I found to be the solution to the problem was this: the variable $ldaprdn, which stored the RDN, was in this format:

$ldaprdn = "xxx\\{$username}";

For some reason this was failing for all accounts other than mine (The web server that runs the intranet site I'm working on is on my workstation, which may or may not be relevant), but failed for every other user. By changing the RDN string to this:

$ldaprdn = "xxx\\$username";

it now works just fine for all valid accounts. I have no idea at all why this is, either for why all login credentials save for mine failed, or why the removal of the braces "fixed" the problem. If anyone has insights as to why this seemingly insignificant change had such a strange effect, I'm all ears.

Upvotes: 0

heiglandreas

Reputation: 3861

I think you have to use either sAMAccountName=$uname,ou=som,dc=med,dc=xxx,dc=edu or just MED\\$uname for the bind.

The last one is a special ActiveDirectory feature. The first one takes into account that the unique id on AD is named sAMAccountName and not uid.

Upvotes: 1
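A hardened version of the bind this answer describes, added here as an example (it is not the asker's code or either answerer's): it binds as MED\user and then looks the account up by sAMAccountName. The host, domain and base DN are the ones from the question; the StartTLS upgrade, the empty-password guard and the username whitelist are assumptions about what a production login page should do.

```php
<?php
// Added example, not code from the question or the answers. Shows the second
// answer's point: bind to Active Directory as DOMAIN\user, then look the
// account up by sAMAccountName (AD has no uid attribute). Host, domain and
// base DN come from the question; TLS, the empty-password check and the
// username whitelist are assumed hardening steps.

const LDAP_HOST    = 'ldap.med.xxx.edu';
const LDAP_DOMAIN  = 'MED';
const LDAP_BASE_DN = 'ou=som,dc=med,dc=xxx,dc=edu';

/** Returns the user's DN on success, or null on any failure. */
function ldap_authentication(string $uname, string $password): ?string
{
    // LDAP treats a bind with an empty password as an *anonymous* bind that
    // succeeds (RFC 4513, 5.1.2), so a blank password would "log in" any user.
    // Reject it, and restrict the username to plain account-name characters.
    if ($password === '' || !preg_match('/^[A-Za-z0-9._-]+$/', $uname)) {
        return null;
    }

    $conn = ldap_connect('ldap://' . LDAP_HOST . ':389');
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Upgrade the plain port-389 connection so the password is not sent in clear text.
    if (!ldap_start_tls($conn)) {
        ldap_unbind($conn);
        return null;
    }

    // AD-specific: DOMAIN\user is accepted as the bind name; no uid= or full DN needed.
    if (!@ldap_bind($conn, LDAP_DOMAIN . '\\' . $uname, $password)) {
        error_log('LDAP bind failed: ' . ldap_error($conn)); // log it, do not echo to the user
        ldap_unbind($conn);
        return null;
    }

    // Confirm the account exists under the expected base and fetch its DN.
    // Escape the value before embedding it in the search filter.
    $filter  = '(sAMAccountName=' . ldap_escape($uname, '', LDAP_ESCAPE_FILTER) . ')';
    $result  = ldap_search($conn, LDAP_BASE_DN, $filter, ['dn']);
    $entries = $result ? ldap_get_entries($conn, $result) : ['count' => 0];
    ldap_unbind($conn);

    return $entries['count'] === 1 ? $entries[0]['dn'] : null;
}
```

The post-bind search also catches the case where the bind succeeds but the account lives outside the OU the application is meant to serve.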
