
I am trying to write an application in PHP that verifies user credentials against the company's LDAP server. The application runs on a virtual (Debian) server located inside the company.

What I have accomplished so far is installing "LDAP Admin" on a PC inside the company and successfully connecting to the ldap-Server.

The connection properties that worked were like this:

  • Host: ldapadit.company.de
  • Port: 389
  • Version: 3
  • Base: DC=ad,DC=it,DC=company,DC=de
  • GSS-API selected
  • SASL: works with or without SASL checked
  • Account: my company account credentials, or checkbox "use current user credentials"

Simple authentication with or without SSL/TLS throws an error.

What I tried to connect via PHP was this:

<?php
$ds = ldap_connect("ldapadit.company.de");
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

if ($ds) {

    $ldap_dn = 'cn=username,dc=ad,dc=it,dc=company,dc=de';   // <= I took base from LDAP-Admin
    $ldap_password = 'password';

    $r = ldap_sasl_bind($ds, $ldap_dn, $ldap_password);  // <= ldap_sasl_bind because of GSS-API in LDAP-Admin

    if ($r) {
        echo 'binding successful<br>';
    }
    else {
        echo 'binding NOT successful<br>';
    }
}
else {
    echo 'ldap_connect failed';
}

My problem: $ds is always true. It is always of type "resource" with the value "Resource #1" or "Resource #2", whatever I give to ldap_connect() as URI. (I already learned that ldap_connect() does not in fact make any connection, but only checks whether the parameters are plausible. This behaviour doesn't make much sense to me anyway.)

$r is always false, meaning the binding always fails.

Now I don't have a clue how to get closer to the core of the problem, or at least how to get any error message that would lead me in the right direction.

What I tried:

  • pinging ldapadit.company.de => successful
  • binding with ldap_bind() <= failed
  • verifying function ldap_sasl_bind() is available <= function exists
  • giving ldap-uri with ldap://[] ldaps://[] and port 389/636 <= no difference
  • playing with the base-parameters <= no difference

Any hint what to check next is highly welcome.

Paco
  • As you found, `ldap_connect` will pretty much only fail if you pass it absolute garbage, so you generally don't need to troubleshoot that one specifically. Are you getting an error message with full PHP error reporting turned on? Although I haven't tried any of these, you might want to look at an LDAP wrapper such as [Symfony's](https://symfony.com/doc/current/components/ldap) or [Adldap2](https://github.com/Adldap2/Adldap2) which may or may not give you better documentation and clearer error messages – Chris Haas Dec 13 '22 at 17:05
  • Thanks Chris. I think I will have a look at the wrappers tomorrow. At least I just figured out that I can get the binding errors by echoing ldap_error($ds) and ldap_errno($ds). That gives me "Unknown authentication method" and "-6" – Paco Dec 13 '22 at 17:12
  • The [top-voted comment](https://www.php.net/manual/en/function.ldap-sasl-bind.php#115391) on the `ldap_sasl_bind` page recommends using "ldap_sasl_interactive_bind_s" when searching for errors, btw. This leads [here](https://www.openldap.org/doc/admin26/appendix-common-errors.html) which says that beyond the obvious, the authentication method might be "too weak or otherwise inappropriate for use by the client" – Chris Haas Dec 13 '22 at 17:33
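The comments converge on getting the bind error out of PHP; the following is an added example (not code from the question or the comments) that wraps the bind so a failure returns errno, ldap_error() and the server's diagnostic message without ever leaking the password into logs. It assumes a simple bind over ldaps:// (which the question reports LDAP Admin could not do, so a SASL/GSSAPI bind may still be required), and the account DN and the LDAP_TEST_PASSWORD variable are placeholders.

```php
<?php
// Added example: bind with diagnostics, so a failed bind reports why.
// Host and base DN come from the question; ldaps://, the DN and the
// environment variable are assumptions to adapt.
declare(strict_types=1);

/**
 * Attempt a bind and return [bool $ok, string $detail].
 * $detail is safe to log: it never contains the password.
 */
function ldapBindWithDiagnostics(string $uri, string $dn, string $password): array
{
    $ds = ldap_connect($uri);               // only validates the URI; no network I/O yet
    if ($ds === false) {
        return [false, "ldap_connect rejected URI: $uri"];
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);        // AD referrals otherwise break later searches
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);  // fail fast instead of hanging the web request

    if ($password === '') {
        // A DN with an empty password is an unauthenticated (anonymous) bind on AD,
        // which would be reported as success: refuse it explicitly.
        return [false, 'refusing bind with empty password'];
    }

    $ok = @ldap_bind($ds, $dn, $password);  // '@': a failed bind also emits a PHP warning
    if ($ok) {
        ldap_unbind($ds);
        return [true, 'bind ok'];
    }
    // What a failed bind leaves behind: errno, its text, and the server-side
    // diagnostic message (on AD this carries the "data 52e"-style reason code).
    $errno  = ldap_errno($ds);
    $errstr = ldap_error($ds);
    $diag   = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    ldap_unbind($ds);
    return [false, sprintf('bind failed: errno=%d (%s) diagnostic=%s', $errno, $errstr, $diag)];
}

// Usage with placeholder values; a UPN such as user@ad.it.company.de may be
// required instead of a cn= DN, depending on how the directory is set up.
[$ok, $detail] = ldapBindWithDiagnostics(
    'ldaps://ldapadit.company.de:636',
    'cn=username,dc=ad,dc=it,dc=company,dc=de',
    getenv('LDAP_TEST_PASSWORD') ?: ''
);
echo ($ok ? 'OK' : 'FAIL') . ': ' . $detail . PHP_EOL;
```

Run it from the CLI with the password in the environment rather than in the source, and compare the diagnostic text against the OpenLDAP common-errors appendix linked in the comments.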
