Solved

ldap_modify with Active Directory

Posted on 2002-07-10
Last Modified: 2010-08-05
OK, I am using PHP 4 on a Linux box. I am using PHP pages to connect to my Active Directory server and create Organization lists and so forth. My LDAP searches work very well.

I am now trying to modify entries using ldap_modify and it is failing. I am certain the "mail" record exists in Active Directory because I can display it for each user, however using an ldap_modify on the record causes the following error:
Warning: LDAP: add operation could not be completed. in userMod.php on line 44

The user that I am binding as has Administrator rights and I have looked at security on these attributes, all Administrators should have "Full Control".

Why is this not working?

Chris
Question by:bugsuperstar37
31 Comments
 
LVL 40

Expert Comment

by:Richard Quadling
ID: 7145706
Can you show some code please.
 
LVL 40

Expert Comment

by:Richard Quadling
ID: 7145715
If you are binding without a password, then you may be binding in read-only mode?

From the PHP manual.

ldap_bind() does a bind operation on the directory. bind_rdn and bind_password are optional. If not specified, anonymous bind is attempted.

and

$r=ldap_bind($ds);     // this is an "anonymous" bind, typically read-only access


Regards,

Richard Quadling.
 
LVL 1

Author Comment

by:bugsuperstar37
ID: 7146485
OK, I am binding. In Active Directory if you do not perform a bind, you have no access so I doubt I am binding anonymously. An anonymous bind would work, however a search on the Active Directory would result in no entries.

What do you want to see in the way of code?
 
LVL 40

Expert Comment

by:Richard Quadling
ID: 7146495
At least line 44, but the general flow from the ldap_connect() to the error.
 
LVL 1

Author Comment

by:bugsuperstar37
ID: 7146561
When using ldap_error() I see that the real error is DSA unwilling to perform. Now searching the internet I find that the reason for this could be the disk is full (not in this case though) or the server refuses to perform the modify function.

I can say that the same modify commands will work from a 2000 machine in the domain using the Windows 2000 Active Directory Administration Tool that comes with the support pack. This is an LDAP tool used within Windows. I issue the same LDAP commands there and it functions correctly making the modifications.
 
LVL 1

Author Comment

by:bugsuperstar37
ID: 7146583
This is the page given the obvious changes to keep my info private, but you can see the code that does the work.

<?php
// 3268 is the Global Catalog listener on a domain controller.
$ds = ldap_connect("server", 3268);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
// Attributes the loop below reads (ldap_get_entries() lowercases the keys).
$attributes = array("cn", "mail", "givenName", "sn");
$filter = "(& (sAMAccountType=805306368) )";           // user objects only
$baseDN = "cn= me, ou= Something,dc= domain, dc= com";   // DN to bind as
$password = "password";                                  // placeholder for the real admin password
if ($ds) {
    $r = ldap_bind($ds, $baseDN, $password);
    if (!$r) {
        die("Bind failed: " . ldap_error($ds));
    }
    $baseDN = "ou= Something ,dc= domain, dc= com";      // search base
    $sr = ldap_search($ds, $baseDN, $filter, $attributes);
    $info = ldap_get_entries($ds, $sr);
    // CSV rows: givenName, sn, new mail address
    $fp = fopen("/path/to/contacts.txt", "r");

    while ($data = fgetcsv($fp, 1000)) {
        for ($i = 0; $i < $info["count"]; $i++) {
            $userDN = "cn= " . $info[$i]["cn"][0] . ", ou= Something,dc= domain, dc= com";
            if ($data[0] == $info[$i]["givenname"][0] && $data[1] == $info[$i]["sn"][0]) {
                $newInfo = array();
                $newInfo["mail"][0] = $data[2];

                print($newInfo["mail"][0] . $userDN . "<br>");
                // A fresh connection and bind for every modification, same admin DN as above.
                $baseDN = "cn= me, ou= Something,dc= domain, dc= com";
                $password = "password";
                $dsTemp = ldap_connect("server", 3268);
                $r = ldap_bind($dsTemp, $baseDN, $password);
                if (!$r) {
                    die("Bind failed: " . ldap_error($dsTemp));
                }
                ldap_modify($dsTemp, $userDN, $newInfo);
                // ldap_error() reports the result of the last operation on $dsTemp
                $Ldaperror = ldap_error($dsTemp);
                print($Ldaperror);
                ldap_close($dsTemp);
            }
        }
    }
    fclose($fp);

    // close the LDAP connection
    ldap_close($ds);

} else {
    echo "<h4>Unable to connect to LDAP server</h4>";
}
?>
 
LVL 1

Author Comment

by:bugsuperstar37
ID: 7146590
Line 44 would be: ldap_modify($dsTemp, $userDN, $newInfo);
 
LVL 40

Expert Comment

by:Richard Quadling
ID: 7146610
Can you add a test to see if $r is true.

$r = ldap_bind($dsTemp, $baseDN, $password) or die("Failed to bind.");
 
LVL 40

Expert Comment

by:Richard Quadling
ID: 7146614
I suspect it isn't true and therefore you have connected as an anonymous user.

 
LVL 1

Author Comment

by:bugsuperstar37
ID: 7146617
Line 44 would be: ldap_modify($dsTemp, $userDN, $newInfo);
 
LVL 1

Author Comment

by:bugsuperstar37
ID: 7146620
No, I very highly doubt that because if I do not bind, I can run searches, however nothing can be viewed in the results. Only when I bind as an admin do I get results.
 
LVL 40

Expert Comment

by:Richard Quadling
ID: 7146630
Then try adding the test. This will see if the bind DOES work for your setup.

I'm not an ldap person, but it seems that the second bind is still using the baseDN, rather than the userDN, and then you try to modify with the baseDN.

Maybe?

If not, can you explain what you are trying to achieve?
 
LVL 40

Expert Comment

by:Richard Quadling
ID: 7146632
I would still try checking both binds with an "or die();" too.

Richard.
 
LVL 1

Author Comment

by:bugsuperstar37
ID: 7146634
I test now to see if it binds and it does bind at all instances.
 
LVL 40

Expert Comment

by:Richard Quadling
ID: 7146646
Ok.

What about

$r=ldap_bind($dsTemp, $baseDN, $password); // Binding to base
ldap_modify($dsTemp, $userDN, $newInfo); // Modifying user

issue I have?

I suspect you've cut'n'pasted the code and forgot to change the RDN variable.

Richard.
 
LVL 1

Author Comment

by:bugsuperstar37
ID: 7146648
OK look, I have tried this many ways. This is just another iteration. Simply put, you must set the Base DN to bind. A bind specifies what user you are and what rights you have to the Directory. I bind as an Administrator. You must bind as someone with rights to make changes as far as I understand (at least you must to run searches in the Directory).

The userDN specifies the DN of the user where I will be running the modify.
 
LVL 40

Expert Comment

by:Richard Quadling
ID: 7146649
The reason for the error, assuming the typo, would probably be that you are trying to modify something that you have not yet been bound to.

You've bound to base no problems, but you want to modify user.

Try ...

$r=ldap_bind($dsTemp, $userDN, $password);
ldap_modify($dsTemp, $userDN, $newInfo);

Richard.
 
LVL 1

Author Comment

by:bugsuperstar37
ID: 7146661
Maybe you should read about the ldap functions first. A modify must specify a connection, the DN where the modification will be made, and what values (in array form) will be modified.

Up above I create the DN for the user and assign it to $userDN. I may bind with $baseDN, but I most assuredly do not wish to make changes there (although I have tried this for testing and receive the same results).

I really think it is a problem with Windows and what machines it allows to make modifications, but I want to make certain of this (and find a way to allow this machine to make modifications). I don't know if there is an ldap_option() I need to set besides the protocol version.
 
LVL 1

Author Comment

by:bugsuperstar37
ID: 7146667
NO NO NO. In Windows tools I bind as an Administrator to make changes to these accounts and it works fine. I have already tried to bind as my user and make changes to my user without success.
 
LVL 40

Expert Comment

by:Richard Quadling
ID: 7146677
Something that is a little more drastic would be to get a packet sniffer under windows (Commview for example) and to see what is sent and received when you do the modification under the windows tools.

Then try using the PHP code to do it and see what the functional differences are.

Hopefully LDAP uses plain text to send its data around.

I'm sorry I can't be of any more help.

From the looks of it, you are trying to globally update the email addresses for users whose details are in the csv file.


Ok.

Another daft question.

Your code ALWAYS shows an error. I assume the data has NOT been updated?

if (!ldap_modify($dsTemp, $userDN, $newInfo))
{
    $Ldaperror = ldap_error($dsTemp);
    print($Ldaperror);
}

Daft I know, but you may simply be seeing some spurious error!

Richard.
 
LVL 1

Author Comment

by:bugsuperstar37
ID: 7146679
NO NO NO. In Windows tools I bind as an Administrator to make changes to these accounts and it works fine. I have already tried to bind as my user and make changes to my user without success.
 
LVL 1

Author Comment

by:bugsuperstar37
ID: 7146714
No, the data on the Directory is never changed.
 
LVL 2

Expert Comment

by:Unifex
ID: 7165985
Should those DNs have spaces in them?  That would trip up our OpenLDAP server...

Also, can you please throw this in at line 43 and show us the output.

echo "<pre>"; print_r($newInfo); echo "</pre>";

Regards,
Gold
 
LVL 1

Author Comment

by:bugsuperstar37
ID: 7166074
I have already figured out what this problem is. Thank you all for trying.

Chris
 
LVL 2

Expert Comment

by:Unifex
ID: 7166081
What was the problem?  Just out of interest...
 
LVL 40

Expert Comment

by:Richard Quadling
ID: 7168906
Yes. What was wrong? Is it something REALLY simple? Are you embarrassed?
 
LVL 1

Author Comment

by:bugsuperstar37
ID: 7169507
No, it was using port 389 rather than port 3268. I guess it is simple, but not embarrassing. I thought I had that in at first, but other applications using that port still do not work correctly. However my applications using port 389 to perform all modifications are working well.

Thank you all for participating.
 
LVL 40

Expert Comment

by:Richard Quadling
ID: 7169521
Ha!

Should have spotted that.

From the PHP Manual ...



ldap_connect
(PHP 3, PHP 4 )

ldap_connect -- Connect to an LDAP server
Description
resource ldap_connect ( [string hostname [, int port]])


Returns a positive LDAP link identifier on success, or FALSE on error.

ldap_connect() establishes a connection to a LDAP server on a specified hostname and port. Both the arguments are optional. If no arguments are specified then the link identifier of the already opened link will be returned. If only hostname is specified, then the port defaults to >>>389<<<.

If you are using OpenLDAP 2.x.x you can specify a URL instead of the hostname. To use LDAP with SSL, compile OpenLDAP 2.x.x with SSL support, configure PHP with SSL, and use ldaps://hostname/ as host parameter. The port parameter is not used when using URLs.

Note: URL and SSL support were added in 4.0.4.


Regards,


Richard Quadling.
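The resolution above (send writes to port 389, not to 3268) is the whole fix for this thread: 3268 is the Global Catalog listener, which answers searches for the whole forest but refuses modifications, and "DSA unwilling to perform" is LDAP result code 53. A bulk-update script that binds as an administrator deserves a bit more care than the posted code gives it, so the following is an added example of how a practitioner would write the same job today. It is not code from the question or from any reply, and it targets a current PHP with ext/ldap rather than PHP 4. The host dc.example.com, the service-account DN, the OU, the CSV path, the AD_BIND_PASSWORD environment variable and the three function names are assumptions chosen for the example. It connects over LDAPS on 636, builds the search filter with ldap_escape() from the CSV fields, uses the DN the server returns instead of rebuilding it from cn, writes with ldap_mod_replace() on the same connection, and on failure reports ldap_errno()/ldap_error() with a hint when the code is 53.

```php
<?php
// Added example, not from the thread: bulk "mail" update against Active Directory.
// Assumptions: PHP 7.1+ with ext/ldap, a DC reachable as dc.example.com, and a
// service account delegated write access to "mail" on the target OU (not a Domain Admin).
declare(strict_types=1);

// Writes must go to a domain controller's LDAP listener (389, or 636 for LDAPS).
// The Global Catalog (3268/3269) is read-only and answers modifications with
// result code 53 (LDAP_UNWILLING_TO_PERFORM), which is what the thread ran into.
const LDAP_URI = 'ldaps://dc.example.com:636';                           // assumed host
const BIND_DN  = 'CN=svc-mailsync,OU=Service Accounts,DC=example,DC=com'; // assumed account
const BASE_DN  = 'OU=Something,DC=example,DC=com';                        // assumed OU
const CSV_PATH = '/path/to/contacts.csv';   // rows: givenName,sn,mail (assumed layout)

function ad_connect(string $uri, string $bindDn, string $password)
{
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("ldap_connect: bad URI $uri");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // AD hands out referrals; chasing them anonymously fails
    if (!@ldap_bind($ds, $bindDn, $password)) {
        throw new RuntimeException('ldap_bind: ' . ldap_error($ds));
    }
    return $ds;
}

/** Find exactly one user by givenName and sn; returns the server-supplied DN or null. */
function ad_find_user($ds, string $baseDn, string $givenName, string $sn): ?string
{
    // ldap_escape() keeps CSV content such as "a)(objectClass=*" from altering the filter.
    $filter = sprintf('(&(sAMAccountType=805306368)(givenName=%s)(sn=%s))',
        ldap_escape($givenName, '', LDAP_ESCAPE_FILTER),
        ldap_escape($sn, '', LDAP_ESCAPE_FILTER));
    $sr = ldap_search($ds, $baseDn, $filter, ['cn']);
    if ($sr === false) {
        throw new RuntimeException('ldap_search: ' . ldap_error($ds));
    }
    $entries = ldap_get_entries($ds, $sr);
    if ($entries['count'] !== 1) {
        return null;   // missing or ambiguous: never guess which account to change
    }
    return $entries[0]['dn'];   // the DN as the server holds it, not one rebuilt from cn
}

/** Replace the mail attribute; returns true, or a string describing the failure. */
function ad_set_mail($ds, string $userDn, string $mail)
{
    if (@ldap_mod_replace($ds, $userDn, ['mail' => $mail])) {
        return true;
    }
    $code = ldap_errno($ds);
    $msg  = sprintf('ldap_mod_replace on %s failed: %d %s', $userDn, $code, ldap_error($ds));
    if ($code === 53) {   // LDAP_UNWILLING_TO_PERFORM
        $msg .= ' (connected to the Global Catalog port 3268/3269? writes need 389/636)';
    }
    if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')
        && ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag) && $diag !== '') {
        $msg .= " [$diag]";   // AD puts its DSID/problem text here; worth logging
    }
    return $msg;
}

$password = getenv('AD_BIND_PASSWORD');   // never a literal in the script
if ($password === false || $password === '') {
    fwrite(STDERR, "AD_BIND_PASSWORD not set\n");
    exit(1);
}

$ds = ad_connect(LDAP_URI, BIND_DN, $password);
$fp = fopen(CSV_PATH, 'r');
while (($row = fgetcsv($fp, 1000)) !== false) {
    if (count($row) < 3) {
        continue;   // blank or short line
    }
    [$givenName, $sn, $mail] = $row;
    $dn = ad_find_user($ds, BASE_DN, $givenName, $sn);
    if ($dn === null) {
        printf("skip %s %s: no unique match\n", $givenName, $sn);
        continue;
    }
    $result = ad_set_mail($ds, $dn, $mail);
    printf("%s -> %s: %s\n", $dn, $mail, $result === true ? 'updated' : $result);
}
fclose($fp);
ldap_unbind($ds);
```

Two caveats a reviewer would raise about the original approach. A simple bind on plain port 389 sends the administrator password in cleartext, so the packet-sniffer diagnosis suggested earlier in the thread would capture it along with the LDAP operations; LDAPS (636) or StartTLS avoids that, and the PHP host then needs the domain CA in the OpenLDAP client trust store (TLS_CACERT in ldap.conf) for the connection to succeed. And a job that only rewrites mail addresses should bind as an account delegated exactly that right on the OU, so a leaked script or credential does not hand out full control of the directory.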
 
LVL 1

Expert Comment

by:netwiz562
ID: 9492518
---- CLEAN UP ----

bugsuperstar37,
No comment has been added lately.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: [ PAQ/Refund ]

Please leave any comments here within the next seven days.

¡PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

------------------------------
Rajiv Makhijani
EE Cleanup Volunteer

This question was linked to in a Win2k Question.  I will add this question to that cleanup.
 
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
ID: 11688196
Submitted to PAQ with points refunded (100)

DarthMod
Community Support Moderator
