0

My code is:

$user = 'test';
$password = 'testpass';
$host = '10.1.1.1';
$port = 389;
$basedn = 'dc=ci,dc=mycompany,dc=com';
$group = 'Users';
$ldaprdn = 'uid=test,dc=ci,dc=mycompany,dc=com';

$ad = ldap_connect("ldap://$host", $port);
if ($ad) {
    echo "Connected" . "<br/>";
} else {
    echo ldap_error($ad) . "<br/>";
}
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);

//  $ldapBind = ldap_bind($ad, "{$user}@{$domain}", $password); // 1.
//  $ldapBind = ldap_bind($ad, $user, $password); // 2.
    $ldapBind = ldap_bind($ad, $ldaprdn, $password); // 3.
//  $ldapBind = ldap_bind($ad, null, null); // 4.

if ($ldapBind) {
    echo "Binded" . "<br/>";
} else {
    echo ldap_error($ad) . "<br/>";
}

Now I use the comment line "3", get:

Connected
Invalid credentials

If use the comment line "1" or "2", get:

Connected
Invalid DN syntax

If use the comment line "4" (this is anonymouse), get:

Connected
Binded

This is developing under Ubuntu 12.

Why I get Invalid credentials error from comment line "3"? How to bind with authentication correctly? Thanks in advance!

Improve this question
1
  • My environment is Ubuntu 12 Commented Dec 11, 2013 at 19:48

3 Answers 3

Reset to default
6

The ldap_bind function appears to require a DN, not an RDN, no matter what the doc says. If this is the case, then:

  • Number 1. {$user}@{$domain} is not a correctly formatted DN, hence: Invalid DN syntax
  • Number 2: test is not a correctly formatted DN, hence: Invalid DN syntax

For information on the string representation of the formatting of DN, see RFC4514

verify with known good tool

As far as I can tell, Number 3 is the only correct one of the four that are provided. The Directory Server has indicated in the BIND response that it was unable to verify that the provided password testpass matched the password that is stored in its database. In this case, I recommend checking the password using a known good tool like ldapsearch.

ldapsearch -h hostname -p port              \
    -D 'uid=test,dc=ci,dc=mycompany,dc=com' \
    -w 'testpass' -s base '(&)' 1.1

This ldapsearch BINDs to the directory as 'uid=test,dc=ci,dc=mycompany,dc=com' using password testpass and retrieves the DN of the uid=test entry. If this fails with "invalid credentials" error, then there are these possibilities:

  • testpass is not the correct password
  • some directory servers can be configured to set the result code to "invalid credentials" no matter what the true error is. The reason for this is to withhold information from an attacker
  • the uid=test entry does not exist. The bullet point above explains this would result in an "invalid credentials". There is no point in telling an attacker that an entry does not exist - that would provide the attacker with additional information (he has one less DN to try).

jargon and LDAP-speak

In the interest of using the correct jargon:

  • $ldaprdn is not an RDN, it's a DN. RDNs are components of DNs

see also

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

I find the problem, the $ldaprdn = 'uid=test,dc=ci,dc=mycompany,dc=com' is not as same as it on LDAP server, after change it works well.

Improve this answer

1 Comment

Hi can you detailed your answer it will helpful for me plz
0

@Annamalai.Somasundaram,

DN should be passed something like cn=test,ou=Users,dc=ci,dc=mycompany,dc=com

the correct spelling can be found on the specific LDAP server

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.