PHP LDAP newbie question

wtleung7

This is my first time using LDAP to try connecting to domain controller (active directory server, win 2000 server) to authenticate users.

I followed some simple example with ldap_connect(), ldap_bind()...

But my test failed on,
ldap_bind() with returned error of "Can't contact LDAP server on 192.168.xxx.xxx"

I searched around the web and found few articles teaching me to troubleshoot this problem, so I think this maybe not a common problem.

How to find out the reason? Any configuration I need to enable on the win 2000 server? Is this problem related to the kerberos setting on the domain controller for authenticating users?

Thank you very much for your help / suggestion.

Regards,
Raymond

LordShryku

Show your code. Are you providing a username and password?

wtleung7

Sure. Thanks in advance.

--------- my code --------------

<?php

// I want to search the name containing the string "chan"
$name = "chan";

$ldap_server = "ldap://192.168.xxx.xxx"; //domain controller
$auth_user = "user@microsoft.com"; // take an example of microsoft.com, I substitute this with my domain name
$auth_pass = "xxxx"; // user password

// Set the base dn to search the entire microsoft.com directory.

$base_dn = "DC=microsoft, DC=com";

/ filter the search for all people in the microsoft.com tree that have a name that matches any one of the following attributes name, displayname, or cn. /

$filter = "(&(objectClass=user)(objectCategory=person)
(|(name=$name)(displayname=$name)(cn=$name*)))";

// connect to server

if (!($connect=ldap_connect($ldap))) {
die("Could not connect to ldap server");
echo "Could not connect to ldap server";
}

// check if return a valid connection id
echo "\$connect is $connect<BR>\n";

if (ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3))
echo "Using LDAPv3<BR>\n";
else
echo "Failed to set protocol version to 3<BR>\n";

// bind to server

if (!($bind=ldap_bind($connect, $auth_user, $auth_pass))) {
die("Unable to bind to server");

echo "Unable to bind to server";

}

// search active directory

if (!($search=ldap_search($connect, $base_dn, $filter))) {
die("Unable to search ldap server");
echo "Unable to search ldap server";
}

$number_returned = ldap_count_entries($connect,$search);
$info = ldap_get_entries($connect, $search);

echo "The number of entries returned is ". $number_returned;

for ($i=0; $i<$info["count"]; $i++) {
echo "Name is: ". $info[$i]["name"];
echo "Display name is: ". $info[$i]["displayname"][0];
echo "Email is: ". $info[$i]["mail"][0];
echo "Telephone number is: ". $info[$i]["telephonenumber"][0];
}

--------- end my code --------------

It can print out the resource id $connect after ldap_connect()
It failed at the line of ldap_bind(), with returned error:

Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in line xx.

I also tried the tool ldapweb available at http://ldapweb.sourceforge.net/
It failed with the same error.

How can I trace out the reason? Any option I need to configure on the win 2000 server (primary domain controller)?

Thanks again.

Regards,
Raymond

wtleung7

One more question,

Is there a chance that my PDC (Active Directory) is disabling the LDAP protocol?
I know that it is configured for kerberos authentication.
If this is the case, how can I code PHP program to authenticate using kerberos protocol?

Thanks.

Regards,
Raymond

icornwal

I am having the same problem. Had any luck yet?

rob_n

Try this (php.net - Sami Oksanen
16-May-2004 07:27):

<?php

$ldap_server = "ldap://whatever";
$auth_user = "adlogonid@domain.net";
$auth_pass = "pswd";

// Set the base dn to search the entire directory.

$base_dn = "DC=domain, DC=net";

// Show only user persons
$filter = "(&(objectClass=user)(objectCategory=person)(cn=*))";

// Enable to show only users
// $filter = "(&(objectClass=user)(cn=$*))";

// Enable to show everything
// $filter = "(cn=*)";

// connect to server

if (!($connect=@ldap_connect($ldap_server))) {
     die("Could not connect to ldap server");
}

// bind to server

if (!($bind=@ldap_bind($connect, $auth_user, $auth_pass))) {
     die("Unable to bind to server");
}

//if (!($bind=@ldap_bind($connect))) {
//    die("Unable to bind to server");
//}

// search active directory

if (!($search=@ldap_search($connect, $base_dn, $filter))) {
     die("Unable to search ldap server");
}

$number_returned = ldap_count_entries($connect,$search);
$info = ldap_get_entries($connect, $search);

echo "The number of entries returned is ". $number_returned."<p>";

for ($i=0; $i<$info["count"]; $i++) {
   echo "Name is: ". $info[$i]["name"][0]."<br>";
   echo "Display name is: ". $info[$i]["displayname"][0]."<br>";
   echo "Email is: ". $info[$i]["mail"][0]."<br>";
   echo "Telephone number is: ". $info[$i]["telephonenumber"][0]."<p>";
}
?>

icornwal

I still get 'Unable to bind to server'

rob_n

Iit is most likely $auth_user that is giving you trouble.

For example, my username is "rnevins" but my logon is actually "574638"

If I use rnevins@domain.net it will fail, I would need to use 574638@domain.net

So, $auth_user must have credentials to bind in AD and be in the correct format, which for us is not the email address, but rather the logon id.

icornwal

From what I can tell, my login name is correct. I went to active directory manager and then to the user properties. In the Account tab I have a logon name. I am not normally a Windows Administrator so if there is somewhere else to look please tell me.

rob_n

Download this tool and experiment with logging in and viewing AD data:

http://www.ldapadministrator.com/

If you can't get at the directory with this, maybe ldap is turned off.

The_Chancer

I connect to the GAL in exchange using LDAP - and use the bare IP not ldap://xxx.xxx.xxx.xxx

One other option is have you tried using the enterprise admins login credentials to see if it is a permissions problem you are having. (understandably this user CANNOT be used in reality)