#1
    Registered User
    Devshed Newbie (0 - 499 posts)
    Join Date: May 2008, Posts: 4, Rep Power: 0

    LDAP Failed Bind Using PHP


    I am hoping someone might be able to shed some light on what is happening here. I am writing a simple authentication script for our intranet web services using PHP. I am trying to bind the user on the CN and Password, using the following script:

    PHP Code:
    $server='192.168.xxx.xxx,636';   // as posted: host and port in one string
    $username='cn=username,ou=mydivision,o=mycompany';
    $password='password';
    $ds=ldap_connect($server);
    if ($ds) {
        $r=ldap_bind($ds, $username, $password);
        if(!$r) die("ldap_bind failed<br>");
        echo "ldap_bind success";
        ldap_close($ds);
    }
    I am getting this error:
    Warning: ldap_bind(): Unable to bind to server: Confidentiality required in SERVER:/APACHE2/htdocs/test.php on line 16

    Line 16 is:
    PHP Code:
    $r=ldap_bind($ds, $admin, $passwd);
    I can do anonymous binds all day long, but secure bind...nope!

    Now, on another note. I am able to do secure binds using an LDAP browser utility from securityxploded.com called LDAP Search Application. I am using the same syntax in this application as I am using in my PHP script...WTF

    Thanks in advance for any help, advice, shove in the right direction or a scolding for doing something stupid; it would be greatly appreciated...


    Thanks,

    S
    <- Running on: Apache 2.0.59, PHP 4.4.0 ->

    *------------------------------------------------*
    Time Flies Like An Arrow and Fruit Flies Like Bananas
#2
    Viper_SB (Psycho Canadian)
    Devshed Demi-God (4500 - 4999 posts)
    Join Date: Jan 2001, Location: Canada, Posts: 4,846, Rep Power: 635
    First let's fix your ldap_connect.

    from the php docs
    resource ldap_connect ( [string hostname [, int port]] )

    So
    $server='192.168.xxx.xxx,636'; is incorrect, instead just do
    $server='192.168.xxx.xxx';
    $port = 636;
    ldap_connect($server,$port);

    If that doesn't work (or maybe in your real code you had it correct), perhaps it wants SSL? have you tried on the non secure port?
#3
    Registered User
    Devshed Newbie (0 - 499 posts)
    Join Date: May 2008, Posts: 4, Rep Power: 0

    Seems to have gotten worse


    Originally Posted by Viper_SB
    First let's fix your ldap_connect.

    from the php docs
    resource ldap_connect ( [string hostname [, int port]] )

    So
    $server='192.168.xxx.xxx,636'; is incorrect, instead just do
    $server='192.168.xxx.xxx';
    $port = 636;
    ldap_connect($server,$port);

    If that doesn't work (or maybe in your real code you had it correct), perhaps it wants SSL? have you tried on the non secure port?
    Now that I have made the change as you suggested I am getting:
    Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in SERVER:/APACHE2/htdocs/test.php on line 9
    ldap_bind failed

    I also tried the NON-secure port 389 (or blank, which should default to 389, or so I have read.)


    Before I was able to connect, just not bind. When I have my original code in place it can not make the authenticated bind so it appears to be doing an anonymous bind because I get returned results from my query.


    OK, here is the full test code (With the names changed to protect the guilty):

    PHP Code:
    $username = 'cn=user,ou=mydivision,o=mycompany';
    $password = 'password';
    echo "<h3>LDAP query test</h3>";
    echo "Connecting ...";
    $ds=ldap_connect("192.168.xxx.xxx, 636");   // as posted: host and port in one string
    echo "connect result is ".$ds."<p>";
    if ($ds) {
       echo "Binding ...";
       $r=ldap_bind($ds, $username, $password);
       echo "Bind result is ".$r."<p>";
       echo "Searching for (cn=*) ...";
       $sr=ldap_search($ds, "ou=users,ou=division,o=company", "cn=johndoe");
       echo "Search result is ".$sr."<p>";
       echo "Number of entires returned is ".ldap_count_entries($ds,$sr)."<p>";
    }

    // walk the attribute names of the first entry
    $entry = ldap_first_entry($ds, $sr);
    $attrs = array();
    $attribute = ldap_first_attribute($ds, $entry, $identifier);
    while ($attribute) {
       $attrs[] = $attribute;
       $attribute = ldap_next_attribute($ds, $entry, $identifier);
    }
    echo count($attrs) . " attributes held for this entry:<p>";

    // dump every attribute's first value for every entry returned
    $ldapResults = ldap_get_entries($ds, $sr);
    for ($item = 0; $item < $ldapResults['count']; $item++) {
       for ($attribute = 0; $attribute < $ldapResults[$item]['count']; $attribute++) {
          $data = $ldapResults[$item][$attribute];
          echo $data.":&nbsp;&nbsp;".$ldapResults[$item][$data][0]."<br>";
       }
       echo '<hr />';
    }

    The above returns these results:

    LDAP query test
    Connecting ...connect result is Resource id #2

    Binding ...
    Warning: ldap_bind(): Unable to bind to server: Confidentiality required in SERVER:/APACHE2/htdocs/test.php on line 9
    Bind result is

    Searching for (cn=*) ...Search result is Resource id #3

    Number of entires returned is 1

    85 attributes held for this entry:

    ...and then follows the list of all attributes and their values...


    Thanks again for your input... now if I could just get my output to work.


    Thanks,

    S
#4
    Viper_SB (Psycho Canadian)
    Devshed Demi-God (4500 - 4999 posts)
    Join Date: Jan 2001, Location: Canada, Posts: 4,846, Rep Power: 635
    ldap_connect("192.168.xxx.xxx, 636") is still incorrect, or is that because you edited it? It should be

    ldap_connect("192.168.xxx.xxx", 636)

    Also, one thing to realize is that ldap_connect() WILL say it's connected NO matter what info you give it; it's a bug/feature of it. ONLY once you do ldap_bind will the actual connection to the server be made.

    you can do

    $x = ldap_connect('boom.com', 389);
    print $x;

    it'll say that $x is a Resource Id #x

    I believe it mentions it in the manual.

    So this is why you're getting this error
    Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in SERVER:/APACHE2/htdocs/test.php on line 9
    ldap_bind failed
    Can't contact LDAP server is the real error, for some reason PHP can't contact it, perhaps the IP is wrong, or it's blocked on that port?
#5
    Registered User
    Devshed Newbie (0 - 499 posts)
    Join Date: May 2008, Posts: 4, Rep Power: 0

    Still unable to bind


    Originally Posted by Viper_SB
    ldap_connect("192.168.xxx.xxx, 636") is still incorrect or is that because you edited it? it should be

    ldap_connect("192.168.xxx.xxx", 636)
    First off I would like to thank you for your patience. I am fairly new to LDAP.

    In the full code that I posted I got all the attributes and values back from the LDAP query on the specific user. Am I correct in assuming that my code could not bind using USER and PASSWORD so it did an anonymous bind?

    Anyway. Here are the changes I made as per your suggestions. I also stripped all the extra stuff out until I get the bind to work.
    PHP Code:
    $username = 'cn=user,ou=mydivision,o=mycompany';
    $password = 'password';
    $ds=ldap_connect("192.168.xxx.xxx",636);
    if ($ds){
       $r=ldap_bind($ds, $username, $password);
    }

    I get the following results:
    Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in SERVER:/APACHE2/htdocs/test.php on line 5

    Line 5 being:
    PHP Code:
    $r=ldap_bind($ds, $username, $password);


    If I change this:
    PHP Code:
    $ds=ldap_connect("192.168.xxx.xxx",636); 
    to this:
    PHP Code:
    $ds=ldap_connect("192.168.xxx.xxx"); 
    I get:
    Warning: ldap_bind(): Unable to bind to server: Confidentiality required in SERVER:/APACHE2/htdocs/test.php on line 5

    So apparently it requires the secure port.


    I really appreciate you taking the time to help me out here.


    Thanks,

    S
#6
    Viper_SB (Psycho Canadian)
    Devshed Demi-God (4500 - 4999 posts)
    Join Date: Jan 2001, Location: Canada, Posts: 4,846, Rep Power: 635
    As per a quick google,

    LDAP Error 13 - Confidentiality required

    Cause/Fix: This error will occur when SSL is not being used, and the LDAP Group Object is not configured to use Clear Text Passwords. This can be resolved by either enabling SSL or by editing the LDAP Group Object and checking the "Allow Clear Text Passwords" box.
    By default eDirectory does not accept clear-text credentials. There are two possible ways for you to go for:
    1) Use SSL connection
    2) Disable "confidentiality" requirement at the server side (turn to server documentation for details)
    I think I found the problem; again, a quick search of Google

    tells you to rebuild PHP with OpenSSL enabled
    http://www.openldap.org/lists/openld.../msg00290.html

    I think this page sums it up
    http://greg.cathell.net/php_ldap_ssl.html
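Replies #2, #4 and #6 above between them describe everything that goes wrong in this thread: a host and port run together in one string, an ldap_connect() return value that proves nothing about whether the server was reached, and an eDirectory server that answers "Confidentiality required" (LDAP result code 13) to a simple bind sent in the clear. The script below is an added example, not code from this thread or from the original poster. It assumes PHP 7.1 or later with ext/ldap built on an OpenSSL-enabled OpenLDAP client library; the host name, base DN, and the request-parameter names in it are placeholders. It leaves the server's "Require TLS for simple binds with password" setting switched on and instead makes the client speak TLS, and it also closes the hole visible in post #3, where a failed bind was followed by a search that quietly succeeded on an anonymous session.

```php
<?php
// Added example, not code from the thread. A PHP bind that (a) uses TLS so a
// server that rejects cleartext simple binds with "Confidentiality required"
// (LDAP result code 13) will accept it, and (b) never lets a failed bind
// degrade into the anonymous session seen in post #3 of the thread.
// Assumptions: PHP >= 7.1, ext/ldap on an OpenSSL-enabled OpenLDAP client;
// host name, base DN and request parameters below are placeholders.

const LDAP_HOST = 'ldap.example.internal';      // placeholder host name
const LDAP_BASE = 'ou=mydivision,o=mycompany';  // placeholder base DN

/**
 * Open a TLS-protected session. $mode is 'ldaps' (TLS from the first byte,
 * port 636) or 'starttls' (port 389, upgraded with STARTTLS before the bind).
 * Returns the LDAP link or null; it never hands back a cleartext session.
 */
function ldap_connect_secure(string $host, string $mode = 'ldaps')
{
    // ldap_connect() only parses the URI. Nothing is sent until the first
    // operation, so a non-false return says nothing about reachability;
    // "Can't contact LDAP server" only surfaces at ldap_bind().
    $uri = ($mode === 'ldaps') ? "ldaps://$host:636" : "ldap://$host:389";
    $ds = ldap_connect($uri);
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // Demand a server certificate that chains to a CA the OpenLDAP client
    // trusts (TLS_CACERT in ldap.conf). Encryption without verifying the
    // peer would still hand the password to an interposed host.
    ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    if ($mode === 'starttls' && !@ldap_start_tls($ds)) {
        // Do not fall back to the clear: that is exactly the bind the
        // server refuses with "Confidentiality required".
        ldap_unbind($ds);
        return null;
    }
    return $ds;
}

/**
 * Bind as the user. Returns true only if the server accepted that user's
 * own DN and password. Server down, TLS failure, result code 13 and bad
 * credentials all return false, so a caller cannot run searches on an
 * anonymous session by mistake.
 */
function ldap_authenticate($ds, string $uid, string $password): bool
{
    // RFC 4513 section 5.1.2: a DN with an empty password is an
    // unauthenticated bind that servers commonly accept. Reject it here.
    if ($password === '') {
        return false;
    }
    // Escape the login so a value such as "x,ou=admins,o=mycompany" cannot
    // redirect the bind to a different entry.
    $dn = 'cn=' . ldap_escape($uid, '', LDAP_ESCAPE_DN) . ',' . LDAP_BASE;

    if (@ldap_bind($ds, $dn, $password)) {
        return true;
    }
    // ldap_errno() holds the LDAP result code: 13 "Confidentiality required",
    // 49 "Invalid credentials", -1 "Can't contact LDAP server".
    error_log(sprintf('ldap_bind(%s) failed: %d %s',
                      $dn, ldap_errno($ds), ldap_error($ds)));
    return false;
}

// Request handler: serve the page only after the user's own bind succeeded.
$ds = ldap_connect_secure(LDAP_HOST, 'ldaps');
$ok = ($ds !== null)
   && ldap_authenticate($ds, $_POST['user'] ?? '', $_POST['pass'] ?? '');
if ($ds !== null) {
    ldap_unbind($ds);
}
if (!$ok) {
    http_response_code(401);
    exit('login failed');
}
echo 'authenticated';
```

Either mode satisfies a server that demands confidentiality: ldaps:// on 636 is the direct route, StartTLS on 389 is the alternative when only the standard port is reachable. In both cases the bind result is the authentication decision. The search results that came back in post #3 after the failed bind are what an anonymous session returns, and treating them as a successful login would let anyone in with any password. Certificate checking is set to DEMAND rather than relaxed because a TLS session whose peer is never verified still lets an on-path host collect every password the intranet sends.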
#7
    Registered User
    Devshed Newbie (0 - 499 posts)
    Join Date: May 2008, Posts: 4, Rep Power: 0

    You Da Man Billy Ray


    That was it.
    By default eDirectory does not accept clear-text credentials. There are two possible ways for you to go for:
    1) Use SSL connection
    2) Disable "confidentiality" requirement at the server side (turn to server documentation for details)
    For anyone else with this issue here was my fix:
    Allowing Clear Text Passwords (bind operations)

    If there by some reason is no way to enable transport security (SSL) for bind operations (where passwords are transmitted), eDirectory must be configured to allow cleartext bind operations. This is done in the LDAP Group object under the General tab. Remove the check from the "Require TLS for simple binds with password" checkbox.

    Now I am not too sure about how secure that is, but at this time we are using this to authenticate users to serve up web pages on our intrAnet. So, I am not too concerned about it. Maybe if we ever try to put something up on the Internet I will address the TLS issue.

    Thanks again Viper_SB for all your help. I am sure I will be back, probably sooner than later, with more questions.



    Later,

    S
    <- Running on: Netware 6.5 / Apache 2.0.59 / PHP 4.4.0 ->

#8
    Viper_SB (Psycho Canadian)
    Devshed Demi-God (4500 - 4999 posts)
    Join Date: Jan 2001, Location: Canada, Posts: 4,846, Rep Power: 635
    Glad you found it. Ya, on an intranet it's fine, but on the Internet you won't want it like that, for sure.
