0
votes

I'm having issues performing an authenticated bind against the server. The issue doesn't appear to be in the code; however, it may be a server issue.

Just so you know:

  • LDAP is enabled in Apache/PHP
  • I'm connecting as [email protected]
  • The domain controller has LDAP running and an entry in the firewall (Windows Server 2008 R2)
  • I can perform an anonymous bind

I can bind anonymously using this script:

$ldapconn = ldap_connect("machinename.domain.com")
    or die("Could not connect to LDAP server.");

if ($ldapconn) {

    // binding anonymously
    $ldapbind = ldap_bind($ldapconn);

    if ($ldapbind) {
        echo "LDAP bind anonymous successful...";
    } else {
        echo "LDAP bind anonymous failed...";
    }

}

However, when I try to do an authenticated bind using this script, it fails.

// Authenticated Bind
$ldaprdn  = '[email protected]';     // ldap rdn or dn
$ldappass = 'password';  // associated password

// connect to ldap server
$ldapconn = ldap_connect("machinename.domain.com")
    or die("Could not connect to LDAP server.");

if ($ldapconn) {

    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...";
    } else {
        echo "LDAP bind failed...";
    }

}

Where am I going wrong?

2

Use a known good tool, for example ldapsearch, to validate the bindDN and bindPassword before writing any code. (Terry Gardner)

2 Answers

0
votes

Maybe your LDAP requires a DN as login. To retrieve the DN, make a search for the user uid first.

// Look the user up by uid first, then bind with the DN that comes back
$baseDn     = 'dc=domain,dc=com'; // your directory's base DN (placeholder)
$filter     = '(uid=' . ldap_escape($ldaprdn, '', LDAP_ESCAPE_FILTER) . ')'; // $ldaprdn is the email; escaped against LDAP injection
$attributes = ['dn'];

$search = ldap_search($ldapconn, $baseDn, $filter, $attributes);

if ($search) {
    $entries = ldap_get_entries($ldapconn, $search); // second argument is the search result, not a filter string
    if (is_array($entries) && $entries['count'] > 0) {
        $ldaprdn = $entries[0]['dn']; // Get the DN of the user
    }
}

$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

// ....

NOTE: You should escape $ldaprdn to avoid LDAP injection attacks.

0
votes

Okay, after much investigation I turned on error info using ldap_errno() and ldap_error(), found it bringing back the error 'Strong(er) authentication required', and have discovered two possible solutions:

Adjust Group Policy Settings

  • Negotiate Signing (Network security: LDAP client signing requirements)
  • No signing requirements (Domain Controller: LDAP server signing requirements)

  • Result: Managed to bind successfully, and when I enter the username or password incorrectly it throws 'Invalid credentials' as expected.

Enable LDAP over SSL (LDAPS)
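As an added example (not code from the question or from either answer), here is a bind that takes the LDAPS route instead of relaxing the signing policy, keeps certificate verification on, surfaces ldap_errno()/ldap_error() so the failure reads 'Strong(er) authentication required' rather than a bare "bind failed", and does the escaped user lookup the first answer recommends. It assumes PHP 7.1 or later with the OpenLDAP-backed ldap extension; the host, base DN, account and the LDAP_BIND_PASSWORD environment variable are placeholders.

```php
<?php
// Added example: LDAPS bind with verification and diagnostics (placeholders throughout).

function ldapsAuthenticatedBind(string $uri, string $bindName, string $password)
{
    // An empty password is an unauthenticated (anonymous) bind on Active Directory
    // and succeeds, so a blank user-supplied password must never reach ldap_bind().
    if ($password === '') {
        throw new RuntimeException('Empty password would become an anonymous bind.');
    }
    // Global TLS option (null = global): require a certificate that chains to a
    // trusted CA. Set before the handle is created so the handshake honours it.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $conn = ldap_connect($uri); // lazy: no socket is opened until the bind
    if ($conn === false) {
        throw new RuntimeException("Malformed LDAP URI: $uri");
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // AD refuses LDAPv2 simple binds
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);        // do not chase AD referrals

    // ldap_bind() also emits a PHP warning on failure; @ keeps the detail in the
    // exception (and out of the web server's error log) instead.
    if (@ldap_bind($conn, $bindName, $password)) {
        return $conn;
    }
    $diag = '';
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag); // AD's extended error text
    throw new RuntimeException(sprintf('Bind failed (%d): %s %s',
        ldap_errno($conn), ldap_error($conn), $diag));
}

// Resolve the user's DN with an escaped filter, so the UPN cannot alter the query.
function findUserDn($conn, string $baseDn, string $upn): ?string
{
    $filter  = '(userPrincipalName=' . ldap_escape($upn, '', LDAP_ESCAPE_FILTER) . ')';
    $result  = ldap_search($conn, $baseDn, $filter, ['distinguishedName']);
    $entries = $result ? ldap_get_entries($conn, $result) : false;
    return ($entries && $entries['count'] > 0) ? $entries[0]['dn'] : null;
}

try {
    $upn  = 'user@domain.com'; // placeholder UPN; AD accepts a UPN as the bind name
    $conn = ldapsAuthenticatedBind('ldaps://machinename.domain.com', $upn,
        getenv('LDAP_BIND_PASSWORD') ?: '');
    echo 'LDAP bind successful', PHP_EOL;
    echo findUserDn($conn, 'DC=domain,DC=com', $upn) ?? 'user not found', PHP_EOL;
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

With the domain controller still demanding signing, the same script against ldap:// on port 389 reports error 8 'Strong(er) authentication required', which is the condition the second answer diagnosed.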