Reputation: 61
Hi everyone,
I know my question must have a déjà-vu side, but I didn't find any solutions through Stack Overflow or elsewhere. So I've been trying to create a function that connects to LDAP, then checks the id and pwd of my user, and then checks which group he is in. When I did this function in one "piece", it worked. But I wanted to do this in three different functions so I can deal with them one by one. So now I have the function that connects to LDAP:
function ldapConnection() {
$ldapConnection = ldap_connect(LDAP_SERVER);
ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0);
return $ldapConnection;
}
It returns an LDAP link identifier, so the connection is ok.
Then I have the function that checks the login and pwd:
public function checkLoginPwd($login, $pwd) {
    $ldapConnexion = $this->ldapConnection();
    // Note: ldap_bind() with an empty $pwd performs an anonymous bind, which
    // many directories accept, so callers must reject empty passwords first.
    $bound = ldap_bind($ldapConnexion, $login, $pwd);
    // ldap_close() has to run before the return, otherwise it is unreachable
    //ldap_close($ldapConnexion);
    return $bound ? true : false;
}
And then the function I've got trouble with.
public function checkUserRights($login, $pwd, $ldapConnection) {
    // Build the filter from the login
    $loginAccount = "(sAMAccountName=$login)";
    // Strip the "myGroup\" domain prefix
    $filter = str_replace("myGroup\\", "", $loginAccount);
    $attr = array("memberof");
    // Search (fails with "Operations error" when $ldapConnection has not been bound)
    $result = ldap_search($ldapConnection, LDAP_BASE_DN, $filter, $attr);
    // Read the entries from the same link that ran the search
    $entries = ldap_get_entries($ldapConnection, $result);
    $access = 0;
    // ldap_get_entries() adds a 'count' key next to the numeric indexes, so loop by index
    $groups = $entries[0]['memberof'];
    for ($i = 0; $i < $groups['count']; $i++) {
        $grps = $groups[$i];
        if (strpos($grps, "VPN") !== false) {
            $access = 2;
            break;
        }
        if (strpos($grps, "Users") !== false) {
            $access = 0;
        }
    }
    if ($access != 0) {
        $_SESSION['user'] = $login;
        $_SESSION['access'] = $access;
        return true;
    } else {
        return false;
    }
}
If I try to connect this way, I get this error message: ldap_search(): Search: Operations error, even though it does work if I do it all in one go.
If anyone could help me, that would be great....
EDIT :
So you know, if I do a var_dump of $filter I get this: string '(sAMAccountName=myLogin)'. For $ldapConnection it's resource(13, ldap link), for LDAP_BASE_DN it's string 'DC=myGroup, DC=fr', and $attr is array (size=1) 0 => string 'memberof' (length=8).
Upvotes: 2
Views: 10850
Reputation: 144
When performing a search in AD, the connection needs to be made first. Thereafter a successful bind needs to happen (generally with a service account) before a search can be performed.
Without the successful bind, a 'Search: Operations error' notice is thrown.
To get a more meaningful error, you can set the debug level before you create the connection:
ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);
$this->connection = @ldap_connect($server, $port);
When an LDAP command fails later on in your code, you can populate a variable with a more verbose error which can be logged or reported to the user:
ldap_get_option($this->connection, LDAP_OPT_DIAGNOSTIC_MESSAGE, $verboseMessage);
Using the above and trying a search without a valid bind results in the following error which is much more helpful:
"000004DC: LdapErr: DSID-0C0907E9, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580"
Upvotes: 0
Reputation: 61
So I found the solution after hours of searching, and I post it here in case it could be of use to someone: I just added these two lines to my checkUserRights function:
$ldapConn = ldap_connect(LDAP_SERVER);
ldap_bind($ldapConn, $login, $pwd);
Indeed, before I was creating a new connection when calling my function, but I needed to create it inside the function and use ldap_bind to connect properly. Hope it will help someone one day...
Upvotes: 4
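Putting the first answer (connect, bind, then search, and read LDAP_OPT_DIAGNOSTIC_MESSAGE when a call fails) and the accepted fix (bind on the same link the search then uses) together, here is an added example; it is not code from the question or from any of the answers. The server URL, base DN, group DNs, and the function names bindUser, userAccessLevel and login are assumptions for illustration. It also does two things the posted code does not: it rejects an empty password before ldap_bind(), because ldap_bind() with an empty password performs an anonymous bind that many directories accept, and it escapes the login with ldap_escape() and compares full group DNs instead of looking for a substring like "VPN" in the DN.

```php
<?php
// Added example (not from the original question or answers): one link, one bind,
// one search, all on the same connection. The constants below are assumed
// placeholders; replace them with your own values.
const LDAP_SERVER  = 'ldaps://dc01.myGroup.fr';
const LDAP_BASE_DN = 'DC=myGroup,DC=fr';

// Assumed group DNs mapped to access levels; match on the whole DN, never a substring.
const ACCESS_LEVELS = [
    'CN=VPN Users,OU=Groups,DC=myGroup,DC=fr' => 2,
    'CN=Users,CN=Builtin,DC=myGroup,DC=fr'    => 0,
];

function ldapConnection()
{
    $conn = ldap_connect(LDAP_SERVER);
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    return $conn;
}

// Returns true on a successful bind, or a diagnostic string on failure.
function bindUser($conn, string $login, string $pwd)
{
    // ldap_bind() with an empty password is an anonymous (unauthenticated) bind,
    // which many servers accept: refuse it before it ever reaches the directory.
    if ($login === '' || $pwd === '') {
        return 'empty login or password';
    }
    if (@ldap_bind($conn, $login, $pwd)) {
        return true;
    }
    // Same technique as the first answer: the server-side diagnostic is far more
    // specific than the generic PHP warning.
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    return ldap_error($conn) . ($diag ? ' / ' . $diag : '');
}

// Reads memberOf on the SAME bound link and maps the groups to an access level.
// Returns null when the user is not found or the search fails.
function userAccessLevel($conn, string $login): ?int
{
    // Strip a DOMAIN\ prefix (e.g. "myGroup\jdoe") and escape the remainder so that
    // a login such as "*)(objectClass=*" cannot rewrite the filter.
    $account = preg_replace('/^[^\\\\]+\\\\/', '', $login);
    $filter  = '(sAMAccountName=' . ldap_escape($account, '', LDAP_ESCAPE_FILTER) . ')';

    $result = @ldap_search($conn, LDAP_BASE_DN, $filter, ['memberof']);
    if ($result === false) {
        ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        error_log('LDAP search failed: ' . ldap_error($conn) . ' / ' . $diag);
        return null;
    }
    $entries = ldap_get_entries($conn, $result);
    if ($entries['count'] === 0) {
        return null;
    }
    // ldap_get_entries() returns a 'count' key beside the numeric indexes, so iterate by index.
    $groups = $entries[0]['memberof'] ?? ['count' => 0];
    $access = null;
    for ($i = 0; $i < $groups['count']; $i++) {
        foreach (ACCESS_LEVELS as $dn => $level) {
            if (strcasecmp($groups[$i], $dn) === 0) {   // DNs compare case-insensitively
                $access = max($access ?? 0, $level);
            }
        }
    }
    return $access;
}

// Assumes session_start() has already been called by the caller.
function login(string $login, string $pwd): bool
{
    $conn  = ldapConnection();
    $bound = bindUser($conn, $login, $pwd);
    if ($bound !== true) {
        error_log("LDAP bind failed for $login: $bound");
        ldap_close($conn);
        return false;
    }
    $access = userAccessLevel($conn, $login);   // same $conn, so the search is authorised
    ldap_close($conn);
    if ($access === null || $access === 0) {
        return false;
    }
    $_SESSION['user']   = $login;
    $_SESSION['access'] = $access;
    return true;
}
```

The connection is opened, bound and closed inside login(), so there is no way for the search to run on a link that was never bound, which is exactly what produced the "Operations error" in the question.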
Reputation: 11
I hope this helps you. Maybe there is a problem with the filter you are using. We use LDAP to retrieve users from Windows Server 2008.
function connect_ldap_server(){
    global $ad_server,$ad_server_port;
    // Disables TLS certificate verification for the whole process: test use only
    putenv('LDAPTLS_REQCERT=never');
    $ds=ldap_connect($ad_server,$ad_server_port); // must be a valid LDAP server!
    // options must be set on the link after ldap_connect() has created it
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    return $ds;
}
$ds=connect_ldap_server();
$basedn="dc=testlab, dc=local";
// AD requires a successful bind before it accepts a search ($bind_user and $bind_password are placeholders)
ldap_bind($ds, $bind_user, $bind_password);
$sr=ldap_search($ds, $basedn,"(&(objectcategory=person)(objectclass=user))");
Upvotes: 1