Reputation: 1
Hello to anyone who's reading this. So let me explain my issue first and I'll attach the code below. I am using the XAMPP Apache server and Microsoft Active Directory Domain Services on Windows Server 2016 (both on the same VM). I am not a programmer myself particularly, but what I am trying to do is use PHP to authenticate users in my Active Directory. At first the code worked: when I entered a correct username and password it showed authenticated, and this happened only once. Now whenever I try to authenticate, it just keeps giving me the same error that it can't bind to the LDAP server and invalid credentials, even though the usernames and passwords are totally correct. Before this I used code that had one hardcoded user credential to bind and another hardcoded user credential whose information I am fetching from AD, and that code works fine, but the other scenario mentioned above doesn't. Please help.
(My separate HTML form file that I am using)
<html>
<head><style>
body {text-align:center;}
form {margin: 0 auto;width:500px;}
input {padding:10px; font-size:20px;}
</style></head>
<body>
<h1>Authentication With Active Directory</h1>
<form action="ldap.php" method="post">
<input type="text" name="username" /><br>
<input type="password" name="password" /><br>
<input type="submit" value="login" />
</form>
</body>
</html>
(My PHP file; both are stored in c:/xampp/htdocs/)
<?php
// The bind DN is built directly from the submitted username.
$ldap_dn = "CN=".$_POST["username"].",DC=example,DC=example";
$ldap_password = $_POST["password"];
$ldap_con = ldap_connect("example");
ldap_set_option($ldap_con, LDAP_OPT_PROTOCOL_VERSION, 3);
// @ belongs on the call, so that a failed bind does not emit a PHP warning.
if (@ldap_bind($ldap_con, $ldap_dn, $ldap_password))
{
    echo "Authenticated";
}
else
{
    echo "Invalid Credential";
}
?>
(I have also tried the following code to check whether the connection is established, and the connection does establish, but it still gives invalid credentials. I think there is something wrong with the bind in my code but I can't figure it out.)
<?php
$ldap_dn = "CN=".$_POST["username"].",DC=ADLAB,DC=local";
$ldap_password = $_POST["password"];
// With OpenLDAP-based builds ldap_connect() only initialises the connection
// parameters; the server is not contacted until ldap_bind() runs.
$ldap_con = ldap_connect("ADLAB.ADLAB.local");
if ($ldap_con)
{
    echo "connection established";
    ldap_set_option($ldap_con, LDAP_OPT_PROTOCOL_VERSION, 3);
    // @ belongs on the call, so that a failed bind does not emit a PHP warning.
    if (@ldap_bind($ldap_con, $ldap_dn, $ldap_password))
    {
        echo "Authenticated";
    }
    else
    {
        echo "Invalid Credential";
    }
}
else
{
    echo "connection failed";
}
?>
Upvotes: 0
Views: 3499
Reputation: 21
All Active Directory provides an internal email (ex: [email protected]). You can use this to authenticate the user with LDAP bind.
Before using the values provided by the user, validate them so that they do not contain an invalid character. See preg_match: https://www.php.net/manual/en/function.preg-match
CAUTION: The password must contain one character. If a password is not specified or is empty, an anonymous bind is attempted. See: https://www.php.net/manual/en/function.ldap-bind.php
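<?php
$username = $_POST['username'] ?? '';
$ldap_password = $_POST['password'] ?? '';
// Bind with the user@domain form instead of a DN.
$ldap_dn = $username.'@ADLAB.local';
// Reject empty values (an empty password would trigger an anonymous bind) and
// any username with characters outside the allow-list. The "+" lets the class
// match the whole name, and \z anchors at the true end of the string.
if (empty($username) || empty($ldap_password) || !preg_match('/^[A-Za-z0-9\-_]+\z/', $username)) {
    die("Invalid credential");
}
$ldap_con = ldap_connect("ADLAB.ADLAB.local");
if ($ldap_con)
{
    echo "connection established";
    ldap_set_option($ldap_con, LDAP_OPT_PROTOCOL_VERSION, 3);
    // @ belongs on the call, so that a failed bind does not emit a PHP warning.
    if (@ldap_bind($ldap_con, $ldap_dn, $ldap_password))
    {
        echo "Authenticated";
    }
    else
    {
        echo "Invalid Credential";
    }
}
else
{
    echo "connection failed";
}
?>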
Upvotes: 1
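An added example, not part of either post: the user@domain bind from the answer, with the failure reason decoded server-side from the diagnostic message Active Directory attaches to a rejected bind, which helps when a bind reports invalid credentials for a password believed to be correct. The host and domain are the thread's lab values, the helper names `ad_authenticate()` and `ad_failure_reason()` are hypothetical, and the sample diagnostic string is constructed.

```php
<?php
// Added example; ad_authenticate() and ad_failure_reason() are hypothetical names.
// AD puts a hex sub-code ("data 52e") in the diagnostic message of a failed bind.
const AD_BIND_SUBCODES = [
    '525' => 'user not found',
    '52e' => 'invalid credentials',
    '530' => 'logon not permitted at this time',
    '531' => 'logon not permitted from this workstation',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked out',
];

function ad_failure_reason(string $diagnostic): string
{
    if (preg_match('/\bdata ([0-9a-f]{3,4})\b/i', $diagnostic, $m)) {
        return AD_BIND_SUBCODES[strtolower($m[1])] ?? 'unknown sub-code ' . $m[1];
    }
    return 'no AD sub-code in diagnostic message';
}

function ad_authenticate(string $username, string $password): bool
{
    // An empty password would be treated as an anonymous bind and can succeed.
    if ($password === '' || !preg_match('/^[A-Za-z0-9\-_]+\z/', $username)) {
        return false;
    }
    // ldap:// as in the thread; a simple bind sends the password in cleartext,
    // so outside a lab use ldaps:// or call ldap_start_tls() before binding.
    $con = ldap_connect('ldap://ADLAB.ADLAB.local');
    if ($con === false) {
        return false;
    }
    ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($con, LDAP_OPT_REFERRALS, 0);
    if (@ldap_bind($con, $username . '@ADLAB.local', $password)) {
        return true;
    }
    // Log the precise reason server-side; the caller shows only a generic message.
    ldap_get_option($con, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diagnostic);
    error_log('LDAP bind failed: ' . ldap_error($con) . ' / ' . ad_failure_reason((string) $diagnostic));
    return false;
}

// Constructed sample of an AD diagnostic message, to exercise the parser offline.
$sample = '80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v3839';
echo ad_failure_reason($sample), PHP_EOL;
```

Keeping the decoded reason in the server log rather than in the response avoids telling a caller whether an account exists, is locked, or is disabled.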