1
votes

I am trying to create a simple login page for intranet users to log in and get a web page of helpful links. The login uses PHP and LDAP authentication to log the user in; however, it fails.

The authenticate.php file verifies their login and verifies that they are a member of a security group in AD to gain access. Below is my index.php file that prompts the users for their domain username and password:

index.php

    <?php
    include("authenticate.php");

    $error = 0;

    // check to see if user is logging out
    if(isset($_GET['out'])) {
        // destroy session
        session_unset();
        $_SESSION = array();
        unset($_SESSION['user'],$_SESSION['access']);
        session_destroy();
    }

    // check to see if login form has been submitted
    if(isset($_POST['userLogin'])){
        // run information through authenticator
        if(authenticate($_POST['userLogin'],$_POST['userPassword']))
        {
            // authentication passed
            header("Location: userpage.php");
            echo "Pass";
            echo $_POST['userLogin'];
            exit; // stop here so the login form below is not rendered after the redirect
        } else {
            // authentication failed
            $error = 1;
        }
    }
    echo "$error";
    // output error to user
    if($error) echo "Login failed: Incorrect user name, password, or rights<br />";

    // output logout success
    if(isset($_GET['out'])) echo "Logout successful";
    ?>
    <html>
    <form action="index.php" method="post">
        User: <input type="text" name="userLogin" /><br />
        Password: <input type="password" name="userPassword" />
        <input type="submit" name="submit" value="Submit" />
    </form>
    </html>

And here is my authenticate.php file that authenticates the user login:

authenticate.php (variables removed for security purposes.)

    <?php
    session_start();
    function authenticate($user, $password) {
        // Active Directory server
        $ldap_host = "FQDN of Domain Controller";

        // Active Directory DN
        $ldap_dn = "OU=Name of OU w/ Groups,DC=something,DC=something";

        // Active Directory user group
        $ldap_user_group = "Usergroup";

        // Active Directory manager group
        $ldap_manager_group = "Managergroup";

        // Domain, for purposes of constructing $user
        $ldap_usr_dom = "@some.thing";

        // no rights until a group match is found
        $access = 0;

        // connect to active directory
        $ldap = ldap_connect($ldap_host);
        // verify user and password
        if($bind = @ldap_bind($ldap, $user . $ldap_usr_dom, $password)) {
            // valid
            // check presence in groups
            $filter = "(sAMAccountName=" . $user . ")";
            $attr = array("memberof","givenname");
            $result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
            $entries = ldap_get_entries($ldap, $result);
            $givenname = $entries[0]['givenname'];
            ldap_unbind($ldap);

            // check groups (strpos() returns 0 for a match at offset 0, so compare against false)
            foreach($entries[0]['memberof'] as $grps) {
                // is manager, break loop
                if (strpos($grps, $ldap_manager_group) !== false) { $access = 2; break; }

                // is user
                if (strpos($grps, $ldap_user_group) !== false) $access = 1;
            }

            if ($access != 0) {
                // establish session variables
                $_SESSION['user'] = $user;
                $_SESSION['access'] = $access;
                $_SESSION['givenname'] = $givenname;
                return true;
            } else {
                // user has no rights
                return false;
            }

        } else {
            // invalid name or password
            return false;
        }
    }
    ?>

When I try to log in I always get this error:

1Loginfailed: Incorrect user name, password, or rights

I have tried echoing out the results from the ldap_get_entries() function and it is returning the following:

entries = Array ( [0] => 0 )

Any ideas on where I'm going wrong here? Any help is much appreciated and thanks in advance!

2
To better understand your problem, could you debug the different parts of the authentication process? That is, what does $ldap = ldap_connect($ldap_host); return? - SJDS

2 Answers

0
votes

If that is your actual file, the problem is this:

    // Active Directory server
    $ldap_host = "FQDN of Domain Controller";

    // Active Directory DN
    $ldap_dn = "OU=Name of OU w/ Groups,DC=something,DC=something";

    // Active Directory user group
    $ldap_user_group = "Usergroup";

    // Active Directory manager group
    $ldap_manager_group = "Managergroup";

    // Domain, for purposes of constructing $user
    $ldap_usr_dom = "@some.thing";

You should assign the correct values for those variables.

0
votes

Here is a simple PHP LDAP connection of a valid user to Active Directory.

REQUIRED BEFORE BIND:

    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);   (version 3 to talk to Active Directory)
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);          (turn off referral handling)

    <?php
    error_reporting(E_ALL);
    ini_set('error_reporting', E_ALL);
    ini_set('display_errors',1);

    $domain = 'testdomain.com';
    $username = 'Administrator';
    $password = 'Admin@1234';
    $ldapconfig['host'] = '192.168.1.189';
    $ldapconfig['port'] = 389;
    $ldapconfig['basedn'] = 'DC=testdomain,DC=com';

    $ds=ldap_connect($ldapconfig['host'], $ldapconfig['port']);
    // both options must be set before the bind
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    $dn=$ldapconfig['basedn'];
    $bind=ldap_bind($ds, $username .'@' .$domain, $password);
    if (!$bind) {
        // bind failed: do not search over an unbound connection
        echo("Login incorrect: " . ldap_error($ds));
        exit;
    }
    $attr = array("memberof","givenname");
    $isITuser = ldap_search($ds,$dn,"(sAMAccountName=" . $username. ")" ,$attr);
    if (!$isITuser) {
        // search failed; ldap_get_entries() would fail on a false result
        echo("Search failed: " . ldap_error($ds));
        exit;
    }
    $data = ldap_get_entries($ds,$isITuser);

    echo $data['count']." entry found ";
    echo "<pre>";
    print_r($data);
    if ($data['count'] > 0) {
        echo("Login correct");
    } else {
        echo("Login incorrect");
    }
    ?>
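Pulling the question's flow (bind as the user, search by sAMAccountName, map memberOf to access level 1 or 2) together with the two options this answer calls out, the following is an added example and not code from the question or from either answer. It also fixes what a reviewer would flag in the original: the group check compares the group's CN exactly instead of a strpos() substring match, the access level starts at 0 instead of undefined, the search value is passed through ldap_escape() since it comes from a form field, the result count is required to be exactly one, and an empty password is refused before the bind, because Active Directory answers a simple bind with a name and an empty password as an anonymous (unauthenticated) bind, which succeeds. The LDAPS URI, base DN, UPN suffix, group names and the account-name allowlist are this example's own assumptions.

```php
<?php
// Added example (not the question's or either answer's code). Host, base DN,
// UPN suffix and group names are placeholders; the name allowlist is assumed.
declare(strict_types=1);

const ACCESS_NONE    = 0;
const ACCESS_USER    = 1;
const ACCESS_MANAGER = 2;

/**
 * Map a memberOf attribute (as returned by ldap_get_entries()) to an access
 * level. The leading CN of each group DN is compared exactly, so "Usergroup2"
 * no longer matches "Usergroup" as a strpos() substring test would, and an
 * absent attribute yields ACCESS_NONE instead of an undefined level.
 */
function accessLevelFromGroups(array $memberOf, string $userGroup, string $managerGroup): int
{
    $level = ACCESS_NONE;
    foreach ($memberOf as $key => $dn) {
        if ($key === 'count') {                       // ldap_get_entries() adds this element
            continue;
        }
        // Leading "CN=<value>" RDN; "\," inside the value is an escaped comma.
        if (!preg_match('/^CN=((?:\\\\.|[^,\\\\])+)/i', $dn, $m)) {
            continue;
        }
        $cn = stripslashes($m[1]);
        if (strcasecmp($cn, $managerGroup) === 0) {
            return ACCESS_MANAGER;                    // manager outranks user, whatever the order
        }
        if (strcasecmp($cn, $userGroup) === 0) {
            $level = ACCESS_USER;
        }
    }
    return $level;
}

/** Authenticate against AD and return the access level (ACCESS_NONE on any failure). */
function authenticateAd(string $user, string $password): int
{
    $ldapUri      = 'ldaps://dc01.example.test';  // placeholder; LDAPS keeps the password off the wire
    $baseDn       = 'DC=example,DC=test';         // placeholder; search the domain, not only the groups OU
    $upnSuffix    = '@example.test';              // placeholder
    $userGroup    = 'Usergroup';
    $managerGroup = 'Managergroup';

    // AD treats a simple bind with a name but an EMPTY password as an anonymous
    // bind and reports success, so refuse it before touching the server. The
    // allowlist (assumed) keeps '@' and filter metacharacters out of the UPN.
    if ($password === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user)) {
        return ACCESS_NONE;
    }

    $ldap = ldap_connect($ldapUri);
    if ($ldap === false) {
        return ACCESS_NONE;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); // AD speaks LDAPv3
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);        // do not chase referrals

    if (!@ldap_bind($ldap, $user . $upnSuffix, $password)) {
        error_log('LDAP bind failed for ' . $user . ': ' . ldap_error($ldap)); // logged, not swallowed
        ldap_unbind($ldap);
        return ACCESS_NONE;
    }

    // Escape the form value before it goes into the filter.
    $filter  = '(sAMAccountName=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
    $result  = ldap_search($ldap, $baseDn, $filter, ['memberOf']);
    $entries = ($result !== false) ? ldap_get_entries($ldap, $result) : false;
    ldap_unbind($ldap);

    // Exactly one account must match; zero (the symptom in the question) or several is a failure.
    if ($entries === false || $entries['count'] !== 1) {
        return ACCESS_NONE;
    }
    $memberOf = $entries[0]['memberof'] ?? ['count' => 0]; // attribute names come back lower-cased
    return accessLevelFromGroups($memberOf, $userGroup, $managerGroup);
}

// Offline check of the group mapping with constructed memberOf values (no server needed).
$sample = [
    'count' => 2,
    0 => 'CN=Usergroup2,OU=Groups,DC=example,DC=test', // a substring match would have accepted this alone
    1 => 'CN=Usergroup,OU=Groups,DC=example,DC=test',
];
assert(accessLevelFromGroups($sample, 'Usergroup', 'Managergroup') === ACCESS_USER);
assert(accessLevelFromGroups(['count' => 1, 0 => $sample[0]], 'Usergroup', 'Managergroup') === ACCESS_NONE);
assert(accessLevelFromGroups(['count' => 0], 'Usergroup', 'Managergroup') === ACCESS_NONE);
```

On the index.php side, the caller should call session_regenerate_id(true) before storing the returned level in $_SESSION (so a session id set before login cannot be reused) and exit immediately after header('Location: ...'), otherwise the rest of the page is still sent in the redirect response.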