
I'm having issues performing an authenticated bind against the server. The issue doesn't appear to be in the code; however, it may be a server issue.

Just so you know:

  • LDAP is enabled in Apache/PHP.
  • I'm connecting as [email protected].
  • The domain controller has LDAP running and an entry in the firewall (Windows Server 2008 R2). The issue might be here: this was set up as a DC and is running LDAP by default. I did no special configuration on LDAP.
  • I can perform an anonymous bind but not an authenticated one.

I can bind anonymously using this script:

    // Anonymous bind
    $ldapconn = ldap_connect("machinename.domain.com")
        or die("Could not connect to LDAP server.");

    if ($ldapconn) {
        // binding anonymously (no DN, no password)
        $ldapbind = ldap_bind($ldapconn);

        if ($ldapbind) {
            echo "LDAP bind anonymous successful...";
        } else {
            echo "LDAP bind anonymous failed...";
        }
    }

However when I try to do an authenticated bind using this script, it fails.

    // Authenticated bind
    $ldaprdn  = '[email protected]'; // ldap rdn or dn
    $ldappass = 'password';          // associated password

    // connect to ldap server
    $ldapconn = ldap_connect("machinename.domain.com")
        or die("Could not connect to LDAP server.");

    if ($ldapconn) {
        // binding to ldap server with the credentials above
        $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

        // verify binding; on failure print the server's reason as well
        if ($ldapbind) {
            echo "LDAP bind successful...";
        } else {
            echo "LDAP bind failed: " . ldap_errno($ldapconn) . " " . ldap_error($ldapconn);
        }
    }

Where am I going wrong?

  • "[email protected]" is neither an RDN nor a DN; it could be a user's UPN, though. Try it without the "@domain.com" or get the full DN of the object, something like "CN=username,OU=something,DC=example,DC=com". It also may help if you updated your question to detail which error message you're seeing. Commented Apr 9, 2013 at 10:26
  • Thanks for the help guys, I've found a solution and I'll post it up shortly. Commented Apr 9, 2013 at 15:56

1 Answer

Okay, after much investigation I turned on error info using ldap_errno() and ldap_error(), found it bringing back the error 'Strong(er) authentication required', and have discovered two possible solutions:

Adjust Group Policy settings

  • Negotiate Signing (Network security: LDAP client signing requirements)
  • No signing requirements (Domain Controller: LDAP server signing requirements)

  • Result: Managed to bind successfully, and when I enter the username or password incorrectly it throws 'Invalid credentials' as expected.

Enable LDAP over SSL (LDAPS)
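The second option is the one to prefer: the DC rejected the bind because a simple bind over plain LDAP sends the password in clear text, and the "LDAP server signing requirements" policy is there to refuse exactly that. Relaxing the policy makes the bind work, but every PHP login then crosses the network unprotected. The following is an added example, not code from the original question or answer, showing the authenticated bind done over LDAPS (or StartTLS) with the ldap_errno()/ldap_error() diagnostics the answer used. The hostname, UPN and password are placeholders, and the LDAP result codes checked (8 = strongerAuthRequired, 49 = invalidCredentials) are the standard values from RFC 4511.

```php
<?php
// Added example (not from the original post): authenticated bind over a TLS
// channel, with diagnostics for the "Strong(er) authentication required" case.

function ldapAuthBind(string $uri, string $user, string $password, bool $startTls = false): array
{
    // ldap_connect() only parses the URI; the TCP/TLS handshake happens on the
    // first real operation, so a bad hostname surfaces at bind time, not here.
    $conn = ldap_connect($uri);
    if ($conn === false) {
        return ['ok' => false, 'errno' => -1, 'error' => 'invalid LDAP URI'];
    }

    // Active Directory expects LDAPv3 (PHP defaults to v2), and chasing AD
    // referrals from a simple bind commonly yields spurious "Operations error".
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Alternative to ldaps:// on 636: upgrade the 389 connection with StartTLS.
    if ($startTls && !@ldap_start_tls($conn)) {
        $r = ['ok' => false, 'errno' => ldap_errno($conn), 'error' => 'StartTLS failed: ' . ldap_error($conn)];
        ldap_unbind($conn);
        return $r;
    }

    // Simple bind: the password goes in the clear unless the channel is TLS,
    // which is what a DC configured to require signing refuses (code 8).
    $ok = @ldap_bind($conn, $user, $password);
    $r  = ['ok' => $ok, 'errno' => ldap_errno($conn), 'error' => ldap_error($conn)];

    if (!$ok) {
        switch ($r['errno']) {
            case 8:  // strongerAuthRequired
                $r['hint'] = 'DC requires signing: bind over ldaps:// or StartTLS, do not relax the GPO';
                break;
            case 49: // invalidCredentials
                $r['hint'] = 'Credentials rejected: check the UPN/DN and password';
                break;
        }
    }

    ldap_unbind($conn);
    return $r;
}

// Placeholders (assumed values): DC hostname, a UPN and a test password.
$result = ldapAuthBind('ldaps://machinename.domain.com', 'user@domain.com', 'password');

if ($result['ok']) {
    echo "LDAP bind successful over TLS\n";
} else {
    echo "LDAP bind failed ({$result['errno']}): {$result['error']}\n";
    if (isset($result['hint'])) {
        echo "Hint: {$result['hint']}\n";
    }
}
```

For ldaps:// to work the DC needs a server certificate (Windows 2008 R2 issues one automatically once an Enterprise CA exists) and PHP's OpenLDAP client must trust the issuing CA, configured via TLS_CACERT in the client's ldap.conf. Resist the temptation to set TLS_REQCERT to never: that makes the connection encrypted but no longer authenticated, so anyone who can redirect traffic to port 636 can collect the same passwords the signing policy was protecting.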
