PHP - LDAP Authentication and Search

2
votes

I am using an Online LDAP Test Server here: http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/ to test some basic LDAP code.

I need to authenticate a user and retrieve some user information.

If I understand the information about the test server correctly I should be able to bind with users that belong to respective groups. With the code 'AS IS' below I can bind to un-commented $dn, but if I use any other $dn to authenticate, the bind fails.

What am I not understanding?

For example, tesla should belong to 'ou=scientists,dc=example,dc=com' but I am unable to authenticate tesla on that DN and subsequently I can't search for related information.

    $dn = 'dc=example,dc=com';
    // $dn = 'ou=mathematicians,dc=example,dc=com';
    // $dn = 'ou=scientists,dc=example,dc=com';

    $username   = 'tesla';
    $password   = 'password';
    $filter     = "(uid=" . $username . ")";

    $ldapDN     = 'uid=' . $username . ',' . $dn;

    $ldapCONN   = ldap_connect("ldap.forumsys.com") or die("Could not connect to LDAP server.");

    if ($ldapCONN)
    {
        ldap_set_option($ldapCONN, LDAP_OPT_PROTOCOL_VERSION, 3);

        $ldapBIND = @ldap_bind($ldapCONN, $ldapDN, $password);

        if ( $ldapBIND )
        {

            $result = ldap_search($ldapCONN, $dn, $filter) or die ("Error: ".ldap_error($ldapCONN));

            $data   = ldap_get_entries($ldapCONN, $result);

            echo '<pre>';
                print_r($data);
            echo '</pre>';

        } 
        else
        {
            echo "LDAP bind failed...";
        }
    }
1
phpauthenticationactive-directoryldap

1 Answers

2
votes

When using LDAP, it is important to visualize how the database is organized.

Basically, all users are in the main folder. Use this folder to authenticate your user with, otherwise it will not work. In this case the main folder where all users are in, is dc=example,dc=com. However, most LDAP servers use a main folder like cn=users,dc=example,dc=com.

Why are they using folders at all then? Well, that is to make it easier to categorize and search with a filter. For example, if you want to only show the names of scientists, you add the group Scientists to your search filter like $filter = "(ou=Scientists)". A filter for both groups would look like this: $filter = "(&(ou=Scientists)(ou=Mathematicians)". Now the server will take a look into this folder/these folders, and display just these members.

Hope this helps, for gaining further insight in how the server is organized, I can recommend installing Apache Directory Studio. It is free to download from their site, helped me a lot!