Henry Aspden

Reputation: 1945

PHP Secure LDAP / LDAPS to Azure Active Directory via Microsoft Entra Domain Services

I've got Secure LDAP / LDAPS enabled to Azure Active Directory using Microsoft Entra Domain Services. This is working great in an application I have so I know it's enabled and working fine.

I'm now trying to build a PHP application to grab a list of all users from my Azure AD.

I've been referencing https://www.php.net/manual/en/function.ldap-bind.php to build this, but I'm not all too familiar with LDAP.

$ldapconn = ldap_connect("ldaps://ds.example.co.uk")
          or die("Could not connect to LDAP server.");

This works fine, so I'm assuming I'm able to connect to this server fine. So I then added an LDAP bind anonymously

$ldapconn = ldap_connect("ldaps://ds.example.co.uk")
    or die("Could not connect to LDAP server.");

if ($ldapconn) {

    // binding anonymously
    $ldapbind = ldap_bind($ldapconn);

    if ($ldapbind) {
        echo "LDAP bind anonymous successful...";
    } else {
        echo "LDAP bind anonymous failed...";
    }

}

And I get the error

Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /ldap.php on line ##
LDAP bind anonymous failed...

Line ## is $ldapbind = ldap_bind($ldapconn);

Next I thought this might be because I'm trying to do things anonymously, so I tried with credentials

// using ldap bind
$ldaprdn  = '[email protected]';     // ldap rdn or dn
$ldappass = 'passwordexample123!';  // associated password

// connect to ldap server
$ldapconn = ldap_connect("ldaps://ds.example.co.uk")
    or die("Could not connect to LDAP server.");

if ($ldapconn) {

    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...";
    } else {
        echo "LDAP bind failed...";
    }

}

However, I still get an error, this time

Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /ldap.php on line ##
LDAP bind failed...

Line ## is $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

Any advice on where I should begin to either

A) find the problems here? Either in Entra's logs or server logs? (Console shows nothing.)
B) assuming it's a syntax issue - anything obvious here?

I think the OU for this would be a default AADDC Users according to https://learn.microsoft.com/en-us/entra/identity/domain-services/synchronization however I don't know the syntax for putting this into the mix.

Upvotes: 0

Views: 316

Answers (1)

b126

Reputation: 1254

A few details can make all the difference:

  • specifying the port
  • specifying the 'ldap://' prefix (or ldaps://)
  • specifying the user's domain

Try specifying them as in the code below to check.

$LDAPHost = 'ldap://domain:389';
$LDAPUser = 'domain\ldap-user';
$LDAPPassword = 'xxx';

$ldap = ldap_connect($LDAPHost);
ldap_bind($ldap, $LDAPUser, $LDAPPassword) or die("Could not bind to LDAP");

Also check that the specified LDAP user is authorised to read the directory (not expired, locked, no change password at next login, etc.).

Upvotes: 0
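A fuller version of the answer's checklist, as an added example that is not code from the original question or answer. Two things worth knowing before reading it: PHP's ldap_connect() only parses the URI and does not open a socket, so the "connect works" observation in the question proves nothing, and "Can't contact LDAP server" raised by ldap_bind() over ldaps:// usually means the TCP connection or the TLS handshake failed (untrusted or mismatched certificate, wrong port, firewall), not that the credentials were rejected. The example therefore pins the port, forces LDAPv3, verifies the server certificate against a CA file instead of disabling verification, reads the bind password from the environment, prints libldap's diagnostic text on failure, and pages through the "AADDC Users" OU so AD's default 1000-entry size limit does not truncate the user list. The hostname, base DN, service-account UPN, CA file path, and environment variable name are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Assumed values for this example, not taken from the original post: the managed
// domain's Secure LDAP endpoint, base DN, a read-only service account UPN, and a
// CA file that can verify the certificate uploaded to Entra Domain Services.
const LDAP_URI      = 'ldaps://ds.example.co.uk:636';
const LDAP_BASE_DN  = 'DC=example,DC=co,DC=uk';
const LDAP_BIND_UPN = 'ldap-reader@example.co.uk';
const LDAP_CA_FILE  = '/etc/ssl/certs/entra-ds-ldaps-ca.pem';

// libldap's error text plus the server's extended diagnostic message; an AD-style
// server puts its reason code there (e.g. "data 52e" for bad credentials).
function ldapDiagnostic($ldap): string
{
    $extended = '';
    if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
        ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended);
    }
    $suffix = ($extended !== null && $extended !== '') ? ' (' . $extended . ')' : '';
    return sprintf('[%d] %s%s', ldap_errno($ldap), ldap_error($ldap), $suffix);
}

function ldapsConnect(string $uri, string $upn, string $password, string $caFile)
{
    // Some libldap builds only honour CA settings from ldap.conf/LDAPTLS_CACERT,
    // so the CA file is given both via the environment and as a handle option.
    putenv('LDAPTLS_CACERT=' . $caFile);

    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        throw new RuntimeException('Malformed LDAP URI: ' . $uri);
    }

    // ldap_connect() only parsed the URI; the TCP and TLS handshake happens at
    // bind time, so every option must be set before ldap_bind().
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);   // AD requires LDAPv3
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);          // do not chase AD referrals
    ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 10);
    ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTFILE, $caFile);

    // Simple bind with the UPN; over ldaps:// the password travels inside TLS.
    if (!@ldap_bind($ldap, $upn, $password)) {
        throw new RuntimeException('LDAP bind failed: ' . ldapDiagnostic($ldap));
    }
    return $ldap;
}

// Page through all user objects with the RFC 2696 paged-results control (PHP >= 7.3).
function listUsers($ldap, string $baseDn, int $pageSize = 500): array
{
    // objectCategory=person plus objectClass=user excludes computer accounts.
    $filter = '(&(objectCategory=person)(objectClass=user))';
    $attrs  = ['sAMAccountName', 'userPrincipalName', 'displayName', 'userAccountControl'];
    $users  = [];
    $cookie = '';

    do {
        $controlsIn = [['oid' => LDAP_CONTROL_PAGEDRESULTS,
                        'value' => ['size' => $pageSize, 'cookie' => $cookie]]];
        $result = ldap_search($ldap, $baseDn, $filter, $attrs, 0, -1, -1, LDAP_DEREF_NEVER, $controlsIn);
        if ($result === false) {
            throw new RuntimeException('LDAP search failed: ' . ldapDiagnostic($ldap));
        }
        ldap_parse_result($ldap, $result, $errcode, $matchedDn, $errmsg, $referrals, $controlsOut);

        // ldap_get_entries() lower-cases attribute names and adds a 'count' key.
        foreach (ldap_get_entries($ldap, $result) as $key => $entry) {
            if ($key === 'count') {
                continue;
            }
            $users[] = [
                'sam'      => $entry['samaccountname'][0] ?? '',
                'upn'      => $entry['userprincipalname'][0] ?? '',
                'name'     => $entry['displayname'][0] ?? '',
                // bit 0x2 of userAccountControl is ACCOUNTDISABLE
                'disabled' => (((int)($entry['useraccountcontrol'][0] ?? 0)) & 0x2) !== 0,
            ];
        }
        $cookie = $controlsOut[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'] ?? '';
    } while ($cookie !== null && $cookie !== '');

    return $users;
}

// Secret comes from the environment (assumed variable name), never from the script.
$password = getenv('LDAP_BIND_PASSWORD');
if ($password === false || $password === '') {
    fwrite(STDERR, "Set LDAP_BIND_PASSWORD in the environment.\n");
    exit(1);
}

try {
    $ldap = ldapsConnect(LDAP_URI, LDAP_BIND_UPN, $password, LDAP_CA_FILE);
    // Entra Domain Services syncs cloud users into the "AADDC Users" OU.
    foreach (listUsers($ldap, 'OU=AADDC Users,' . LDAP_BASE_DN) as $u) {
        printf("%-20s %-40s %s%s\n", $u['sam'], $u['upn'], $u['name'], $u['disabled'] ? ' [disabled]' : '');
    }
    ldap_unbind($ldap);
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

If the bind still fails with "Can't contact LDAP server", test the TLS layer on its own from the same host (for example `openssl s_client -connect ds.example.co.uk:636`) before touching the PHP: if the certificate chain does not verify there, no bind option will fix it, and the right remedy is to trust the issuing CA, not to set LDAP_OPT_X_TLS_REQUIRE_CERT to "never".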
