#16
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2004
    Posts
    1
    Rep Power
    0

    No SSL


    Originally Posted by MatthewClark
    I can verify that I have a secure connection to LDAP and everything.
    Matt,

    Did you need to do anything special to set up the SSL connection? I can't bind over SSL. I have verified that my DLLs are in the right place.

    PHP 4.3.6
    Apache/2.0.49
    Windows 2000
    OpenSSL 0.9.7c 30 Sep 2003

    Geoff
  2. #17
  3. Psycho Canadian
    Devshed Demi-God (4500 - 4999 posts)

    Join Date
    Jan 2001
    Location
    Canada
    Posts
    4,846
    Rep Power
    635
  4. #18
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2004
    Location
    Poland
    Posts
    6
    Rep Power
    0

    Still not working for me.


    Has anyone got it to work properly?

    I'm also working on a user administration panel in PHP, where users are stored on an AD server.

    Everything works fine except setting and changing the unicodePwd field.

    I've lost several days trying to find out how to make it work, and still nothing. I'm really angry about that.
  6. #19
  7. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2004
    Posts
    9
    Rep Power
    0

    Did you see my recent post?


    Originally Posted by KuRcZaK
    Everything works fine except setting and changing the unicodePwd field.
    Did you see the recent posts using the perl script and/or the php converted perl script? That has worked for me, I'd be interested to know if others are having luck with it.

    - Ben
  8. #20
  9. Psycho Canadian
    Devshed Demi-God (4500 - 4999 posts)

    Join Date
    Jan 2001
    Location
    Canada
    Posts
    4,846
    Rep Power
    635
    Originally Posted by bwhaley
    Did you see the recent posts using the perl script and/or the php converted perl script? That has worked for me, I'd be interested to know if others are having luck with it.

    - Ben
    Any chance you can test the PHP script? I don't have AD so can't test it here.
  10. #21
  11. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2004
    Posts
    9
    Rep Power
    0

    No luck...


    Originally Posted by Viper_SB
    Any chance you can test the PHP script? I don't have AD so can't test it here.
    I first made the following minor modification (possibly specific to my environment; I'm no PHP/Active Directory expert). The last line is the change:

    PHP Code:
    if (!ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, $protocolVersion))
    {
        exit('Failed to set protocol version to ' . $protocolVersion);
    }

    // the added line: do not chase referrals returned by the AD server
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    Alas, no luck. I still received the "Server unwilling to perform" error that I was getting before. Son of a....


    - Ben
  12. #22
  13. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2004
    Location
    Poland
    Posts
    6
    Rep Power
    0

    I'm still having problems connecting via SSL


    I've read that if I want to change a password via LDAP I have to connect via SSL to the LDAP server.

    And that's my problem right now.

    $ldap=ldap_connect("myserver",636);
    returns Success
    and $ldap gets "Resource #1", so I suppose that the connection is made, but when I try to bind using this connection I receive an error:
    "Could not connect to LDAP server"
    I also tried to bind anonymously with mysql_bind($ldap), but it also returns the same error.

    I've checked my php configuration and OpenSSL is configured. Our network administrator says that the AD server is also configured to use SSL.

    I have no idea where the problem could be right now.

    The connection without SSL is possible and works fine.
  14. #23
  15. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2004
    Location
    Poland
    Posts
    6
    Rep Power
    0

    How to check the connection type?


    OK - I think I'm one step closer to the solution.

    Surprisingly, what helped to make an SSL connection with the LDAP server was creating C:\OpenLDAP\sysconf\ (as described in one of the threads on the net) and putting there an ldap.conf file which contains in its first line:
    TLS_REQCERT never

    Why on the C drive and in this particular directory - people say that it's coded deep in php_ldap.dll.

    So now my script seems to be running fine:
    PHP Code:
    $ldap_server = "ldaps://mscrmsvr/";
    $auth_user = "Admin";
    $auth_pass = "P@ssw0rd77";

    // connect to server
    if (!($connect = @ldap_connect($ldap_server, 636))) {
        die("Could not connect to ldap server");
    }
    echo "connect result is: " . $connect . "<BR>";

    ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);

    // bind to server
    if (!($bind = ldap_bind($connect, $auth_user, $auth_pass))) {
        die("Unable to bind to server");
    }
    echo "bind result is: " . $bind . "<BR>";

    // search ($base_dn and $filter are set elsewhere in the poster's script; not shown)
    if (!($search = @ldap_search($connect, $base_dn, $filter))) {
        die("Unable to search ldap server");
    }
    ...but when I try to change the unicodePwd field I get the same message as in the non-SSL connection: "Warning: ldap_modify(): Modify: Server is unwilling to perform".

    Do you know if and how I can check whether my connection to the LDAP server is encoded with SSL?
  16. #24
  17. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2004
    Posts
    9
    Rep Power
    0
    Originally Posted by KuRcZaK
    Do you know if and how I can check whether my connection to the LDAP server is encoded with SSL?
    I battled with the very same thing, as described earlier in this thread. I think we've determined that it is not an SSL problem. I am certain that I have a secure connection and I get the "Server unwilling to perform" error message as well. You can try the perl script shown earlier in the thread. That has worked for me. The direct translation to php, however, does NOT work. We aren't sure why that is...
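    The Perl script and its PHP translation discussed above are not reproduced in this thread, so the following is an added example rather than either poster's code. It shows the value format Active Directory requires for the unicodePwd attribute (the new password enclosed in double quotes and encoded as UTF-16LE, sent over an encrypted connection), which is the usual reason a direct port returns "Server is unwilling to perform". It assumes an existing LDAPS connection $ds bound as an account with the "Reset password" right, and the DN values are placeholders; mbstring must be available.

```php
<?php
// Added example, not one of the scripts from this thread. $ds is assumed to be
// an LDAPS connection already bound with sufficient rights; DNs are placeholders.

// Encode a password the way Active Directory expects unicodePwd:
// the clear-text value wrapped in double quotes, encoded as UTF-16LE.
function adPasswordValue(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

// Administrative reset: replace the attribute outright. Needs the
// "Reset password" right on the target object and an encrypted connection.
function adResetPassword($ds, string $dn, string $newPassword): bool
{
    $ok = @ldap_mod_replace($ds, $dn, ['unicodePwd' => adPasswordValue($newPassword)]);
    if (!$ok) {
        // "Unwilling to perform" here means: wrong encoding, an unencrypted
        // connection, or a new password that violates the domain policy.
        error_log('unicodePwd reset failed: ' . ldap_error($ds));
    }
    return $ok;
}

// Self-service change: remove the old value and add the new one in a single
// LDAP modify, so the DC verifies the old password before accepting the new one.
function adChangePassword($ds, string $dn, string $oldPassword, string $newPassword): bool
{
    $mods = [
        ['attrib'  => 'unicodePwd',
         'modtype' => LDAP_MODIFY_BATCH_REMOVE,
         'values'  => [adPasswordValue($oldPassword)]],
        ['attrib'  => 'unicodePwd',
         'modtype' => LDAP_MODIFY_BATCH_ADD,
         'values'  => [adPasswordValue($newPassword)]],
    ];
    $ok = @ldap_modify_batch($ds, $dn, $mods);
    if (!$ok) {
        error_log('unicodePwd change failed: ' . ldap_error($ds));
    }
    return $ok;
}

// Offline sanity check of the encoding: "Ab" must become 22 00 41 00 62 00 22 00.
var_dump(bin2hex(adPasswordValue('Ab')) === '2200410062002200');
```

    The attribute itself is write-only: the directory will never return it in a search result, so there is no way to confirm a stored password other than binding as that user. Note that the same "unwilling to perform" result also covers a rejected password policy, so a failure after the encoding is correct is worth checking against the domain's minimum length and complexity settings.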
  18. #25
  19. Psycho Canadian
    Devshed Demi-God (4500 - 4999 posts)

    Join Date
    Jan 2001
    Location
    Canada
    Posts
    4,846
    Rep Power
    635
    Ya, if the PHP script isn't working then it's something with PHP. If anyone has an Active Directory server I could test stuff on, I'd be willing to track down the problem and report it to PHP. All I'd need is a user account that could change my own password; nothing else would be needed.

    Also, just so everyone is aware of this, ldap_connect() (in PHP) ALWAYS returns true. You can put in any IP or host and it'll be successful; this IS a feature and is working correctly. ldap_bind() is what really connects, so that is where you should check for the connection. Here is how I do it.

    PHP Code:
    <?php
    $link = ldap_connect($host);
    if (!ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3))
    {
        exit('Failed to set protocol version to 3');
    }
    // just do an anonymous bind and this makes sure the ldap server exists
    ldap_bind($link);
    // 0 is successful thus it was able to connect
    if (ldap_errno($link) !== 0)
    {
        exit('Could not connect to LDAP server');
    }
    // this is your real bind
    ldap_bind($link, $user, $password);
    ?>
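    The question raised earlier in the thread, how to tell whether the connection is really encrypted, has a practical answer that the "TLS_REQCERT never" workaround hides: that setting tells the client to accept any server certificate, so it gets a connection but gives no assurance about who is on the other end. The following is an added example (not the code posted here) that opens an LDAPS connection with certificate verification demanded, so that a successful bind implies TLS was negotiated against a trusted certificate. It needs PHP 7.1 or later for the LDAP_OPT_X_TLS_* constants; the host name, CA bundle path and service account are placeholders.

```php
<?php
// Added example, not the code from this thread. Placeholders: 'dc01.example.local',
// '/etc/ssl/certs/corp-ca.pem', and the service account credentials below.

// Open an LDAPS connection that refuses to proceed unless the server presents a
// certificate chaining to the given CA. This replaces "TLS_REQCERT never".
function ldapsConnect(string $host, string $caFile)
{
    // Global TLS settings are applied with a null link, before the first network
    // operation. DEMAND is the opposite of "never": an unverifiable certificate
    // aborts the connection instead of being silently accepted.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);

    // ldap_connect() only parses the URI; nothing is sent to the server yet.
    $ds = ldap_connect('ldaps://' . $host . ':636');
    if ($ds === false) {
        throw new RuntimeException('Malformed LDAP URI');
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);        // AD returns referrals; do not chase them
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);  // fail fast instead of hanging
    return $ds;
}

// The bind is the first call that actually opens the socket and performs the TLS
// handshake, so connectivity and certificate problems both surface here.
function ldapsBindService($ds, string $bindDn, string $password): bool
{
    if (!@ldap_bind($ds, $bindDn, $password)) {
        // With DEMAND set, a certificate that does not verify shows up as
        // "Can't contact LDAP server" rather than a bind failure.
        error_log('LDAPS bind failed: ' . ldap_error($ds));
        return false;
    }
    return true;
}

// Usage with placeholder values.
$ds = ldapsConnect('dc01.example.local', '/etc/ssl/certs/corp-ca.pem');
if (ldapsBindService($ds, 'CN=svc-web,OU=Service Accounts,DC=example,DC=local', getenv('LDAP_SVC_PASSWORD') ?: '')) {
    echo "bound over verified TLS\n";
    ldap_unbind($ds);
}
```

    If this bind succeeds, the session is encrypted and the server's identity has been checked, which is the condition Active Directory places on writes to unicodePwd. Keeping the service account password in the environment rather than in the script, as above, also avoids leaving credentials like the ones pasted earlier in this thread in source files.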
  20. #26
  21. Psycho Canadian
    Devshed Demi-God (4500 - 4999 posts)

    Join Date
    Jan 2001
    Location
    Canada
    Posts
    4,846
    Rep Power
    635
    BTW what version of PHP are you trying this with?
  22. #27
  23. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2004
    Posts
    9
    Rep Power
    0

    Version


    Originally Posted by Viper_SB
    BTW what version of PHP are you trying this with?
    I'm using PHP v 4.2.2.

    Sorry, can't give you an account at my location...
  24. #28
  25. Psycho Canadian
    Devshed Demi-God (4500 - 4999 posts)

    Join Date
    Jan 2001
    Location
    Canada
    Posts
    4,846
    Rep Power
    635
    Any chance you can try with PHP 5 RC3? Because it could be a bug that was already fixed.
  26. #29
  27. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2004
    Location
    Poland
    Posts
    6
    Rep Power
    0

    ...and what about user authentication


    OK - I'll try version 5 RC3 of PHP.

    But I've one more question. Do you know if it's possible to verify a user & password stored in AD? What I mean is that a user, on entering a site, is asked to enter a login name and password.

    Then I have to compare this with the login & pwd stored in AD.

    I suppose that the only way to verify this user is to search in AD for the username and encoded password? But is it possible... just like below:

    PHP Code:
    //connect
    //bind (as Domain Admin)

    $user = "kurczak";
    $password = '{md5}' . base64_encode(pack('H*', md5('P@ssw0rd')));
    $search = ldap_search($connect, "dc=mscrm, dc=local", "(&(samaccountname=" . $user . ")(unicodePwd=" . $password . "))");
    It isn't working now - but maybe I'm completely wrong in the idea of how to do it, or maybe the password encoding isn't correct?

    ....or maybe the best idea to verify if a user exists is to bind as this user to AD, like this:

    PHP Code:
    $user = "kurczak";
    $password = "P@ssw0rd";
    $con = ldap_connect("server");
    ldap_bind($con, $user, $password);
    ...and if the bind succeeds we can be sure that the user exists. ??
  28. #30
  29. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2004
    Posts
    9
    Rep Power
    0

    Password authentication


    Originally Posted by KuRcZaK
    ...and if the bind succeeds we can be sure that the user exists. ??
    Yes, what you described is the standard way of authenticating a user in AD.
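    The search-based idea in the previous post cannot work because unicodePwd is write-only in Active Directory (it is never returned or matched in a filter), which is why the bind approach confirmed here is the standard one. A bare ldap_bind() needs one guard, though: Active Directory treats a bind with an empty password as an anonymous bind and reports success, so a login form that passes the password straight through would accept any valid username with no password. The following added example (not either poster's code) wraps the bind-as-user check with that guard and a username whitelist; $ds is assumed to be an LDAPS connection as in the earlier posts, and the domain, base DN and sample credentials are placeholders. ldap_escape() requires PHP 5.6 or later.

```php
<?php
// Added example, not code from this thread. Assumes $ds is an open LDAPS
// connection; 'example.local' and the base DN below are placeholders.

// Authenticate a user against AD by binding with the user's own credentials.
// Returns the user's DN on success, or null on any failure.
function adAuthenticate($ds, string $domain, string $baseDn, string $username, string $password): ?string
{
    // AD accepts an empty password as an anonymous (unauthenticated) bind and
    // returns success. Without this check any existing account would "log in".
    if ($username === '' || $password === '') {
        return null;
    }
    // sAMAccountName is at most 20 characters; allow only plain characters so the
    // value cannot carry LDAP filter or DN syntax.
    if (!preg_match('/^[A-Za-z0-9._-]{1,20}$/', $username)) {
        return null;
    }
    // Bind as the user via UPN. Failure means bad credentials or a disabled,
    // locked or expired account; the DC enforces all of that for us.
    if (!@ldap_bind($ds, $username . '@' . $domain, $password)) {
        error_log('auth failed for ' . $username . ': ' . ldap_error($ds));
        return null;
    }
    // Credentials are good; resolve the account to its DN. ldap_escape() guards
    // the filter even though the name was already whitelisted above.
    $filter  = '(&(objectClass=user)(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
    $result  = ldap_search($ds, $baseDn, $filter, ['dn']);
    $entries = ldap_get_entries($ds, $result);
    return ($entries !== false && $entries['count'] === 1) ? $entries[0]['dn'] : null;
}

// Usage with placeholder values; the DN is only returned when the bind succeeded.
$dn = adAuthenticate($ds, 'example.local', 'DC=example,DC=local', 'kurczak', $_POST['password'] ?? '');
if ($dn === null) {
    http_response_code(401);
    exit('Login failed');
}
echo 'Authenticated as ' . htmlspecialchars($dn) . "\n";
```

    Because the user's bind replaces whatever service-account bind the connection had before, a script that still needs administrative rights afterwards should rebind with the service account or use a separate connection for the authentication check.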
