
I'm trying to create a login page using LDAP authentication.

I created the following code:

<?php
$query = 'CN=AD Username, OU=Users,OU=No Policy Light,OU=IT,DC=Domain,DC=Corp';
$server = 'Domain.Corp';
$dn = 'dc=Domain, dc=com';
$conn = ldap_connect($server);
ldap_search($conn, $dn, $query);

echo "ldap error: " . ldap_error($conn);
ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $err);
echo "ldap_get_option: $err";
?>

When I check my webpage I get the following error:

"ldap error: Operations error ldap_get_option:"

I found this in the PHP LDAP manual:

https://www.php.net/manual/en/function.ldap-error.php

Does anyone know what the issue with my code could be? Or do you have a better solution for LDAP authentication with PHP?

Thanks in advance.

Update:

So according to EricLavault's comment I had to bind first:

<?php
// using ldap bind
$ldaprdn  = 'AD Username';     // ldap rdn or dn
$ldappass = 'Password';        // associated password

// connect to ldap server
$ldapconn = ldap_connect("LDAP Server")
    or die("Could not connect to LDAP server.");

if ($ldapconn)
{
    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // verify binding
    if ($ldapbind)
    {
        echo "LDAP bind successful...";
    }
    else
    {
        echo "LDAP bind failed...";
    }
}

// second bind, this time with the credentials submitted by the login form
$ldaprdn  = $_POST["username"];
$ldappass = $_POST["password"];
if (ldap_bind($ldapconn, $ldaprdn, $ldappass))
{
    echo "bind successful!";
}
else
{
    echo "invalid user/pass or other error";
}
?>

my form looks like this:

<html>
    <head>
        <style>
        body
        {
            text-align:center;
        }
        form
        {
            margin: 0 auto; width: 500px;
        }
        input
        {
            padding: 10px; font-size:20px;
        }
        </style>
    </head>
    <body>
        <h1> authentication with AD </h1>
        <form action="Auth.php" method="post">
            <input type="text" name="username" /><br>
            <input type="password" name="password" /><br>
            <input type="submit" value="Login" />
        </form>
    </body>
</html>
  • You need to bind to the server before going further. php.net/manual/en/function.ldap-bind.php Commented Mar 26, 2020 at 10:01
  • @EricLavault - I managed to create a bind with a specific username and password, however when I try to send a form request to search another username or password (login page) it keeps saying wrong username or password. Commented Mar 26, 2020 at 15:30

1 Answer

So after doing some research and some trial and error I came up with this solution, which seems to be working perfectly for my needs.

My form:

<html>
    <head>
        <style>
            body
            {
                text-align:center;
            }
            form
            {
                margin: 0 auto; width: 500px;
            }
            input
            {
                padding: 10px; font-size:20px;
            }
        </style>
    </head>
    <body>
        <h1> authentication with AD </h1>
        <form action="Auth.php" method="post">
            <input type="text" name="username" /><br>
            <input type="password" name="password" /><br>
            <input type="submit" value="Login" />
        </form>
    </body>
</html>

My Auth page:

<?php
    $ldaprdn  = $_POST["username"] ?? '';
    $ldappass = $_POST["password"] ?? '';

    // An empty password makes ldap_bind perform an unauthenticated bind,
    // which many servers accept, so refuse it before touching LDAP.
    if ($ldaprdn === '' || $ldappass === '') {
        die("Username and password are required.");
    }

    $ldapconn = ldap_connect("ldap server name") or die("Could not connect to LDAP server.");

    // Active Directory requires protocol version 3; disabling referrals
    // avoids "Operations error" on searches.
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);

if ($ldapconn)
{
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
    if ($ldapbind)
    {
        echo "LDAP bind successful...";
    }
    else
    {
        echo "LDAP bind failed...";
        exit;   // do not run the search on a failed bind
    }
}
// escape the username before it goes into the search filter
$filter = "(samaccountname=" . ldap_escape($ldaprdn, "", LDAP_ESCAPE_FILTER) . ")";
$Result = ldap_search($ldapconn, "OU=IT,DC=Domain,DC=corp", $filter, array("dn"));
$data = ldap_get_entries($ldapconn, $Result);
print_r($data);
?>

Additionally, per this answer, you may need to set the following options immediately after ldap_connect :

ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);

Hope this solution can help those who need the same.


2 Comments

Thanks, this works for me!! Moreover, do you know how to use SSL connection (via port 636) instead? Would appreciate if you can answer that in my question here stackoverflow.com/questions/72529588/…
Just a friendly notice: for some reason I couldn't log in using my samaccountname and instead had to use one of the variations like userprincipalname, DOMAIN\samaccountname, or [email protected]. Because of that, the filter in $Result wouldn't work like in this answer; I had to first see what the user used as login, pick out the samaccountname portion, and then it would all work. Thanks! This was still almost copy/paste, it just took me a while to figure out why it wouldn't show my user's data.
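As an added example (not the answer's or the question author's code), here is a version of Auth.php that combines the points raised in the answer and the two comments: it sets the two options the answer mentions, refuses empty passwords (LDAP treats an empty password as an unauthenticated bind, which many servers accept, so a login page that only checks the return value of ldap_bind can be passed with no password), escapes the username before it goes into the search filter, connects over ldaps:// on port 636 as the first comment asks, and resolves the user's DN with a read-only service account before binding as the user, so that people can log in with a bare sAMAccountName instead of the UPN or DOMAIN\user variants the second comment had to fall back to. The host name, base DN, service account DN and the LDAP_SVC_PASS environment variable are assumptions, not values from the page.

```php
<?php
// Added example, not the answer's code. Assumed values: an AD domain
// controller reachable at LDAPS_URI, a read-only service account (SVC_DN)
// whose password is in the LDAP_SVC_PASS environment variable, and BASE_DN.
declare(strict_types=1);

const LDAPS_URI = 'ldaps://dc01.domain.corp:636';                          // assumed
const BASE_DN   = 'OU=Users,OU=IT,DC=Domain,DC=corp';                      // assumed
const SVC_DN    = 'CN=ldap-lookup,OU=Service Accounts,DC=Domain,DC=corp';  // assumed

/**
 * Authenticate $username/$password against AD.
 * Returns the user's DN on success, null on failure. $reason receives a
 * detail string for the server log only; the browser gets a generic message.
 */
function ldapAuthenticate(string $username, string $password, ?string &$reason = null): ?string
{
    $reason = null;

    // 1. Reject empty or oversized input. An empty password would turn the
    //    later ldap_bind into an unauthenticated bind that "succeeds".
    if ($username === '' || $password === '' || strlen($username) > 256) {
        $reason = 'empty or oversized credentials';
        return null;
    }

    // 2. Verify the DC's certificate (global TLS option, set before connect),
    //    then connect over LDAPS so the password never crosses the wire in clear.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    $conn = ldap_connect(LDAPS_URI);
    if ($conn === false) {
        $reason = 'malformed LDAP URI';
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);   // AD needs v3
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);          // avoid "Operations error"
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // 3. Bind with the service account and resolve sAMAccountName -> DN.
    //    ldap_escape() neutralises filter metacharacters in user-supplied input.
    //    ldap_bind emits E_WARNING on bad credentials, hence the @.
    if (!@ldap_bind($conn, SVC_DN, getenv('LDAP_SVC_PASS') ?: '')) {
        $reason = 'service bind failed: ' . ldap_error($conn);
        ldap_unbind($conn);
        return null;
    }
    $filter  = sprintf('(&(objectClass=user)(sAMAccountName=%s))',
                       ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $search  = @ldap_search($conn, BASE_DN, $filter, ['dn'], 0, 2); // sizelimit 2 exposes ambiguity
    $entries = $search ? ldap_get_entries($conn, $search) : false;
    if ($entries === false || $entries['count'] !== 1) {
        $reason = 'user not found or ambiguous';
        ldap_unbind($conn);
        return null;
    }
    $userDn = $entries[0]['dn'];

    // 4. Bind again as the resolved DN with the submitted password. This is
    //    the actual credential check.
    if (!@ldap_bind($conn, $userDn, $password)) {
        ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        $reason = 'user bind failed: ' . ldap_error($conn) . ' ' . ($diag ?? '');
        ldap_unbind($conn);
        return null;
    }

    ldap_unbind($conn);
    return $userDn;
}

// Request handling for the login form (POST username/password).
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $submitted = (string)($_POST['username'] ?? '');
    $dn = ldapAuthenticate($submitted, (string)($_POST['password'] ?? ''), $reason);
    if ($dn === null) {
        error_log('LDAP login failed for "' . $submitted . '": ' . $reason); // detail stays server-side
        http_response_code(401);
        echo 'Invalid username or password.';   // one generic message for every failure
    } else {
        session_start();
        session_regenerate_id(true);            // fresh session id after login
        $_SESSION['user_dn'] = $dn;
        echo 'Welcome, ' . htmlspecialchars($dn, ENT_QUOTES, 'UTF-8');
    }
}
```

Two design notes. The lookup-then-bind pattern needs the service account only for the directory search, so it should be a plain unprivileged user; the user's own password is still what is checked, in the second bind. For the LDAPS connection to succeed with certificate verification on, the CA that issued the domain controller's certificate has to be trusted by the OpenLDAP client library (typically TLS_CACERT in ldap.conf); if the page "could not connect" after switching to ldaps://, that is the first thing to look at in ldap_error() and LDAP_OPT_DIAGNOSTIC_MESSAGE.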
