ldap &amp; php authentication

ldap & php authentication

timmybuck

hi guys,

getting a parse error

Parse error: parse error, unexpected '=' in C:\Program Files\Apache Group\Apache2\htdocs\ldapstuff\connect.php on line 36

this is line 36

<?php
$ldap[‘dn’] = ‘uid=’.$ldap[‘user’].’,ou=users,dc=mydomain,dc=com’;

i tried changing ‘uid=’ to ‘uid’= but not joy.

this is the rest of my code
<form action="user" method="get">
<p>
Username
<input name="user" type="text">
</p>
<p>Password
<input name="pass" type="text">
</p>
<p> 
</p>
</form>

<form action="user" method="get">
<p>
Username
<input name="" type="text">
</p>
<p>Password
<input name="pass" type="text">
</p>
<p> 
</p>
</form>

<?php
// LDAP variables
$ldap[‘user’] = ‘uname’;
$ldap[‘pass’] = ‘password’;
$ldap[‘host’] = 'localhost';
$ldap[‘port’] = 389;

$ldap[‘dn’] = ‘uid=’.$ldap[‘user’].’,ou=users,dc=mydomain,dc=com’;
$ldap[‘base’] = ‘dc=mydomain,dc=com’;

// connecting to ldap
$ldap[‘conn’] = ldap_connect( $ldap[‘host’], $ldap[‘port’] )
or die( “Could not connect to {$ldap[‘host’]}” );

// binding to ldap
$ldap[‘bind’] = ldap_bind( $ldap[‘conn’], $ldap[‘dn’], $ldap[‘pass’] );

if( !$ldap[‘bind’] )
{
echo ldap_error( $ldap[‘conn’] );
exit;
}

// search for the user on the ldap server and return all
// the user information
$ldap[‘result’] = ldap_search( $ldap[‘conn’], $ldap[‘base’], ‘uid=’.$ldap[‘user’] );

if( $ldap[‘result’] )
{
// retrieve all the entries from the search result
$ldap[‘info’] = ldap_get_entries( $ldap[‘conn’], $ldap[‘result’] );
}
else
{
echo ldap_error( $ldap[‘conn’] );
exit;

}

if( $ldap[‘info’] )
{
// Add the user’s department name and email address
// to the session
$SESSION[‘userdept’] = $ldap[‘info’][0][‘department’][0];
$SESSION[‘usermail’] = $ldap[‘info’][0][‘mail’][0];
}
else
{
echo ldap_error( $ldap[‘conn’] );
exit;
}

// close connection to ldap server
$ldap_close( $ldap[‘conn’] );

tsinka

Hi,

the single quotes look suspicious, replace them by "standard" single quotes (') or double quotes

$ldap['dn'] = 'uid='.$ldap['user'].',ou=users,dc=mydomain,dc=com';

Replace them in the whole script.

Thomas

timmybuck

hi have replaced all single quotes with doubles

but get this error

Warning: ldap_bind(): Unable to bind to server: Protocol error in C:\Program Files\Apache Group\Apache2\htdocs\ldapstuff\connect.php on line 28
Protocol error

my server is up and running, have tried swapping localhost for ip address, still no joy

<form action="user" method="get">
<p>
Username
<input name="user" type="text">
</p>
<p>Password
<input name="pass" type="text">
</p>
<p> 
</p>
</form>

<?php
// LDAP variables
$ldap["user"] = "uname";
$ldap["pass"] = "password";
$ldap["host"] = " localhost ";
$ldap["port"] = 389;

$ldap["dn"] = "uid=".$ldap["user"].",ou=users,dc=mydomain,dc=com";
$ldap["base"] = "dc=mydomain,dc=com";

// connecting to ldap
$ldap["conn"] = ldap_connect( $ldap["host"], $ldap["port"] )
or die( "Could not connect to {$ldap[‘host’]}" );

// binding to ldap
$ldap["bind"] = ldap_bind( $ldap["conn"], $ldap["dn"], $ldap["pass"] );

if( !$ldap["bind"] )
{
echo ldap_error( $ldap["conn"] );
exit;
}

// search for the user on the ldap server and return all
// the user information
$ldap["result"] = ldap_search( $ldap["conn"], $ldap["base"], "uid=".$ldap["user"] );

if( $ldap["result"] )
{
// retrieve all the entries from the search result
$ldap["info"] = ldap_get_entries( $ldap["conn"], $ldap["result"] );
}
else
{
echo ldap_error( $ldap["conn"] );
exit;

}

if( $ldap["info"] )
{
// Add the user’s department name and email address
// to the session
$SESSION["userdept"] = $ldap["info"][0]["department"][0];
$SESSION["usermail"] = $ldap["info"][0]["mail"][0];
}
else
{
echo ldap_error( $ldap["conn"] );
exit;
}

// close connection to ldap server
$ldap_close( $ldap["conn"] );

tsinka

Hi,

which ldap server do you use ?

Try

// connecting to ldap 
$ldap["conn"] = ldap_connect( $ldap["host"], $ldap["port"] ) 
or die( "Could not connect to {$ldap[‘host’]}" ); 

// set protocol version
ldap_set_option($ldap["conn"], LDAP_OPT_PROTOCOL_VERSION, 3);

// binding to ldap 
$ldap["bind"] = ldap_bind( $ldap["conn"], $ldap["dn"], $ldap["pass"] );

If you use OpenLDAP you can alternatively set the
allow bind_v2
option in slapd.conf

Thomas

timmybuck

Hi Thomas

I am using openldap but its a port to windows.

i now get the following

Warning: ldap_bind(): Unable to bind to server: Invalid credentials in C:\Program Files\Apache Group\Apache2\htdocs\ldapstuff\connect.php on line 31
Invalid credentials

using version openldap-2_1_29-1-win32.exe

LordShryku

You shouldn't have to pass the base dn through the ldap bind. Try just passing the username as the bind rdn. The base dn should be used later in the search.

timmybuck

can you show me, what u mean please as im not sure,

LordShryku

# Currently, you  have this
$ldap["dn"] = "uid=".$ldap["user"].",ou=users,dc=mydomain,dc=com";
...
$ldap["bind"] = ldap_bind( $ldap["conn"], $ldap["dn"], $ldap["pass"] );

# Try this instead
$ldap["bind"] = ldap_bind( $ldap["conn"], $ldap["user"], $ldap["pass"] );

timmybuck

even when i comment out those two lines and add

$ldap["bind"] = ldap_bind( $ldap["conn"], $ldap["user"], $ldap["pass"] );

i still get error message

Warning: ldap_bind(): Unable to bind to server: Invalid DN syntax in C:\Program Files\Apache Group\Apache2\htdocs\ldapstuff\connect.php on line 32
Invalid DN syntax

tsinka

Hi,

I never used that Windows port of OpenLDAP but you should have a root dn defined in slapd.conf with a given password.

Try to use that root dn and the password to bind to the ldap server.

I think you need to use a valid dn to bind to the server.

Thomas

timmybuck

Hi tsinka,

Yes theres a lot of incomplete documentation of the windows port. So I have to just try and understand as much as i can from the documentation there is.

How silly of my not to inlude the binding details. You are right i have root dn and the password to bind to the ldap server in my slapd.conf

rootdn "cn=Manager,dc=mydomain,dc=com"

rootpw *****

but im not sure exactly where to use them. I thought maybe here

$ldap["user"] = "uname";
$ldap["pass"] = "password";

but i think that this where the names of the form text fields will be eg

<input name="password" type="text">
$ldap["pass"] = "password";

this is my current code, I have added a submit button.

<?php
if($_POST["Submit1"]) {

// LDAP variables
$ldap["user"] = "uname";
$ldap["pass"] = "password";
$ldap["host"] = " localhost ";
$ldap["port"] = 389;

//$ldap["dn"] = "uid=".$ldap["user"].",ou=users,dc=mydomain,dc=com";
$ldap["base"] = "dc=mydomain,dc=com";

// connecting to ldap
$ldap["conn"] = ldap_connect( $ldap["host"], $ldap["port"] )
or die( "Could not connect to {$ldap["host"]}" );

// set protocol version
ldap_set_option($ldap["conn"], LDAP_OPT_PROTOCOL_VERSION, 3);

// binding to ldap
//$ldap["bind"] = ldap_bind( $ldap["conn"], $ldap["dn"], $ldap["pass"] );
$ldap["bind"] = ldap_bind( $ldap["conn"], $ldap["user"], $ldap["pass"] );

if( !$ldap["bind"] )
{
echo ldap_error( $ldap["conn"] );
exit;
}

// search for the user on the ldap server and return all
// the user information
$ldap["result"] = ldap_search( $ldap["conn"], $ldap["base"], "uid=".$ldap["user"] );

if( $ldap["result"] )
{
// retrieve all the entries from the search result
$ldap["info"] = ldap_get_entries( $ldap["conn"], $ldap["result"] );
}
else
{
echo ldap_error( $ldap["conn"] );
exit;

}

// close connection to ldap server
$ldap_close( $ldap["conn"] );

}else { }?>

<form name="login" method="post" action="<? $PHP_SELF ?>">
<p>
Username
<input name="uname" type="text">
</p>
<p>Password
<input name="password" type="text">
</p>
<p>
<input type="submit" name="Submit1" value="Submit">
</p>
<p> 
</p>
</form>

tsinka

Hi,

did you already insert some data into the ldap server ? The setup seems to be the default on. You might want to change the root dn and the suffix to something like o=My Organization,c=com or something like that.

Take a look at LDAP Administrator

There is a some kind of limited free version available for download. That might make it easier to administrate the ldap server.

About the user stuff:

bind to the server with the root dn.
use search filters to deal with the user data like

(&(objectclass=person)(uid=$username)(userPassword=$pw))

which would tell the ldap server to search for objects of type person with a uid of $username and a password of $pw.
I'd suggest to store passwords e.g. md5 encrypted in the ldap server for security reasons.

Thomas

timmybuck

Hi,

Yes i have used ldap adminstrator, but then decided to go for a simpler one, so im now using a java browser/editor from

www.iit.edu/~gawojar/ldap

Yes i have test already in my ldap server. This is my test data

ou= people
ou=groups
ou=users

under ou=users i have a single user uid=testuser

uid testuser
userPassword [B@8acfc3
objectClass top
objectClass simpleSecurityObject
objectClass uidObject
objectClass organizationalRole
cn Some Testuser

I can just about use the ldapbrowser/editor to search add entries etc.

But my goal is to be able to write a php login script for my php/mysql application that autheticates against a usernames and passwors in ldap server. so im trying to write the script and doo all the work in the script.

tsinka

Hi,

which encryption did you use for the userPassword.

Thomas

tsinka

Hi,

there are two articles on devshed named Using PHP With LDAP (part 1/part 2) with examples that should give you the basics.

Thomas

timmybuck

md5,

timmybuck

sorry its clear text

timmybuck

I am aware of the tutorial you are talking about, but didnt get along with it, may try again

at the momment im using this one

http://builder.com.com/5100-6387-5032010.html

are you able to to answer my previous question about where i need to put the names of the text fields in the script

$ldap["user"] = "uname";
$ldap["pass"] = "password";

I think that this where the names of the form text fields will be eg

<input name="password" type="text">
$ldap["pass"] = "password";

any ideas

tsinka

Yes,

put them into the search string:

//$filter = "(& (objectclass=person)(uid=".$_POST['username'].")(userPassword=".md5($_POST['pass])."))";
$filter = "(uid=".$_POST['uname'].")";
$ldap["result"] = ldap_search( $ldap["conn"], $ldap["base"], $filter);

The one commented out is a little bit more specific and looks for an entry of class person with the given uid and userPassword.
Depending on the data you use in the filter you might need to utf8_encode the data.

Use the root dn and password to connect and bind to the server.

Thomas

timmybuck

Thanks for the code snippet, im still learning about all this stuff, so please forgive me dumb questions.

i think i should take this one step at a time so i dint get muddled up.

the first thing i need to do is bind to the server.

I tried doing this

// LDAP variables
$ldap["user"] = "rootdn";
$ldap["pass"] = "secret";
$ldap["host"] = " localhost ";
$ldap["port"] = 389;

but that does not allow me to bind

so then i tried

$ldap["bind"] = ldap_bind( $ldap["conn"], $ldap["rootdn"], $ldap["secret"] );

that worked i think, but i got another error message much further down the page about something else.

any ideas