ldap_modify with Active Directory

Posted on 2002-07-10
Last Modified: 2010-08-05
OK, I am using PHP 4 on a Linux box. I am using PHP pages to connect to my Active Directory server and create Organization lists and so forth. My LDAP searches work very well.

I am now trying to modify entries using ldap_modify and it is failing. I am certain the "mail" record exists in Active Directory because I can display it for each user, however using an ldap_modify on the record causes the following error:
Warning: LDAP: add operation could not be completed. in userMod.php on line 44

The user that I am binding as has Administrator rights and I have looked at security on these attributes, all Administrators should have "Full Control".

Why is this not working?

Chris
Question by:bugsuperstar37

Expert Comment by Richard Quadling (ID: 7145706)
Can you show some code please.

Expert Comment by Richard Quadling (ID: 7145715)
If you are binding without a password, then you may be binding in read-only mode?

From the PHP manual.

ldap_bind() does a bind operation on the directory. bind_rdn and bind_password are optional. If not specified, anonymous bind is attempted.

and

$r=ldap_bind($ds);     // this is an "anonymous" bind, typically read-only access


Regards,

Richard Quadling.

Author Comment by bugsuperstar37 (ID: 7146485)
OK, I am binding. In Active Directory if you do not perform a bind, you have no access, so I doubt I am binding anonymously. An anonymous bind would work, however a search on the Active Directory would result in no entries.

What do you want to see in the way of code?

Expert Comment by Richard Quadling (ID: 7146495)
At least line 44, but the general flow from the ldap_connect() to the error.

Author Comment by bugsuperstar37 (ID: 7146561)
When using ldap_error() I see that the real error is DSA unwilling to perform. Now searching the internet I find that the reason for this could be the disk is full (not in this case though) or the server refuses to perform the modify function.

I can say that the same modify commands will work from a 2000 machine in the domain using the Windows 2000 Active Directory Administration Tool that comes with the support pack. This is an LDAP tool used within Windows. I issue the same LDAP commands there and it functions correctly, making the modifications.

Author Comment by bugsuperstar37 (ID: 7146583)
This is the page given the obvious changes to keep my info private, but you can see the code that does the work.

<?php
// NOTE: 3268 is the Global Catalog port. The GC is a read-only replica, so
// ldap_modify() against it is refused ("DSA is unwilling to perform").
// Writes have to go to port 389 (or 636 for LDAPS) on a writable DC;
// that turned out to be the fix, see the end of this thread.
$ds=ldap_connect("server", 3268);
ldap_set_option($ds,LDAP_OPT_PROTOCOL_VERSION,3);
$attributes = array( "cn", "givenname", "sn", "mail");
$filter = "(& (sAMAccountType=805306368) )";
$baseDN = "cn= me, ou= Something,dc= domain, dc= com";
$password = "password";
if ($ds) {
    // check the bind result: a failed bind leaves an anonymous session behind
    $r=ldap_bind($ds, $baseDN, $password) or die("Failed to bind: " . ldap_error($ds));
    $baseDN = "ou= Something ,dc= domain, dc= com";
    $sr=ldap_search($ds, $baseDN, $filter, $attributes);
    $info = ldap_get_entries($ds, $sr);
    $fp = fopen("/path/to/contacts.txt", "r");

    while($data = fgetcsv($fp, 1000))
    {
        // ldap_get_entries() reports the number of entries in $info["count"]
        for ($i=0; $i < $info["count"]; $i++)
        {
            $userDN = "cn= " . $info[$i]["cn"][0]. ", ou= Something,dc= domain, dc= com";
            if($data[0] == $info[$i]["givenname"][0] && $data[1] == $info[$i]["sn"][0])
            {
                $newInfo["mail"][0] = $data[2];

                print($newInfo["mail"][0] . " " . $userDN . "<br>");
                $baseDN = "cn= me, ou= Something,dc= domain, dc= com";
                $password = "password";
                $dsTemp=ldap_connect("server", 3268);
                // the second connection needs LDAPv3 as well
                ldap_set_option($dsTemp,LDAP_OPT_PROTOCOL_VERSION,3);
                $r=ldap_bind($dsTemp, $baseDN, $password) or die("Failed to bind: " . ldap_error($dsTemp));
                ldap_modify($dsTemp, $userDN, $newInfo);
                $Ldaperror = ldap_error($dsTemp);
                print($Ldaperror);
                ldap_close($dsTemp);
            }
        }
    }
    fclose($fp);

    //close the LDAP connection
    ldap_close($ds);

} else {
    echo "<h4>Unable to connect to LDAP server</h4>";
}

Author Comment by bugsuperstar37 (ID: 7146590)
Line 44 would be: ldap_modify($dsTemp, $userDN, $newInfo);

Expert Comment by Richard Quadling (ID: 7146610)
Can you add a test to see if $r is true.

$r = ldap_bind($dsTemp, $baseDN, $password) or die("Failed to bind.");

Expert Comment by Richard Quadling (ID: 7146614)
I suspect it isn't true and therefore you have connected as an anonymous user.


Author Comment by bugsuperstar37 (ID: 7146620)
No, I very highly doubt that because if I do not bind, I can run searches, however nothing can be viewed in the results. Only when I bind as an admin do I get results.

Expert Comment by Richard Quadling (ID: 7146630)
Then try adding the test. This will see if the bind DOES work for your setup.

I'm not an LDAP person, but it seems that the second bind is still using the baseDN rather than the userDN, and then you try to modify with the baseDN.

Maybe?

If not, can you explain what you are trying to achieve?

Expert Comment by Richard Quadling (ID: 7146632)
I would still try checking both binds with an "or die();" too.

Richard.

Author Comment by bugsuperstar37 (ID: 7146634)
I test now to see if it binds and it does bind at all instances.

Expert Comment by Richard Quadling (ID: 7146646)
Ok.

What about

$r=ldap_bind($dsTemp, $baseDN, $password); // Binding to base
ldap_modify($dsTemp, $userDN, $newInfo); // Modifying user

issue I have?

I suspect you've cut'n'pasted the code and forgot to change the RDN variable.

Richard.

Author Comment by bugsuperstar37 (ID: 7146648)
OK look, I have tried this many ways. This is just another iteration. Simply put, you must set the Base DN to bind. A bind specifies what user you are and what rights you have to the Directory. I bind as an Administrator. You must bind as someone with rights to make changes as far as I understand (at least you must to run searches in the Directory).

The userDN specifies the DN of the user where I will be running the modify.

Expert Comment by Richard Quadling (ID: 7146649)
The reason for the error, assuming the typo, would probably be that you are trying to modify something that you have not yet bound to.

You've bound to base no problems, but you want to modify user.

Try ...

$r=ldap_bind($dsTemp, $userDN, $password);
ldap_modify($dsTemp, $userDN, $newInfo);

Richard.

Author Comment by bugsuperstar37 (ID: 7146661)
Maybe you should read about the ldap functions first. a modify must specify a connection, the DN where the modification will be made, and what values (in array form) that will be modified.

Up above I create the DN for the user and assign it to $userDN. I may bind with $baseDN, but I most assuredly do not wish to make changes there (although I have tried this for testing and receive the same results).

I really think it is a problem with Windows and what machines it allows to make modifications, but I want to make certain of this (and find a way to allow this machine to make modifications). I don't know if there is an ldap_option() I need to set besides the protocol version.

Author Comment by bugsuperstar37 (ID: 7146667)
NO NO NO. In Windows tools I bind as an Administrator to make changes to these accounts and it works fine. I have already tried to bind as my user and make changes to my user without success.

Expert Comment by Richard Quadling (ID: 7146677)
Something that is a little more drastic would be to get a packet sniffer under windows (Commview for example) and to see what is sent and received when you do the modification under the windows tools.

Then try using the PHP code to do it and see what the functional differences are.

Hopefully LDAP uses plain text to send its data around.

I'm sorry I can't be of any more help.

From the looks of it, you are trying to globally update the email addresses for users whose details are in the csv file.


Ok.

Another daft question.

Your code ALWAYS shows an error. I assume the data has NOT been updated?

if (!ldap_modify($dsTemp, $userDN, $newInfo))
     {
     $Ldaperror = ldap_error($dsTemp);
        print($Ldaperror);
     }

Daft I know, but you may simply be seeing some spurious error!

Richard.

Author Comment by bugsuperstar37 (ID: 7146714)
No, the data on the Directory is never changed.

Expert Comment by Unifex (ID: 7165985)
Should those DN's have spaces in them?  That would trip up our OpenLDAP server...

Also, can you please throw this in at line 43 and show us the output.

echo "<pre>"; print_r($newInfo); echo "</pre>";

Regards,
Gold

Author Comment by bugsuperstar37 (ID: 7166074)
I have already figured out what this problem is. Thank you all for trying.

Chris

Expert Comment by Unifex (ID: 7166081)
What was the problem?  Just out of interest...

Expert Comment by Richard Quadling (ID: 7168906)
Yes. What was wrong? Is it something REALLY simple? Are you embarrassed?

Author Comment by bugsuperstar37 (ID: 7169507)
No, it was using port 389 rather than port 3268. I guess it is simple, but not embarrassing. I thought I had that in at first, but other applications using that port still do not work correctly. However my applications using port 389 to perform all modifications are working well.

Thank you all for participating.

Expert Comment by Richard Quadling (ID: 7169521)
Ha!

Should have spotted that.

From the PHP Manual ...

ldap_connect
(PHP 3, PHP 4)

ldap_connect -- Connect to an LDAP server
Description
resource ldap_connect ( [string hostname [, int port]])

Returns a positive LDAP link identifier on success, or FALSE on error.

ldap_connect() establishes a connection to a LDAP server on a specified hostname and port. Both the arguments are optional. If no arguments are specified then the link identifier of the already opened link will be returned. If only hostname is specified, then the port defaults to >>>389<<<.

If you are using OpenLDAP 2.x.x you can specify a URL instead of the hostname. To use LDAP with SSL, compile OpenLDAP 2.x.x with SSL support, configure PHP with SSL, and use ldaps://hostname/ as host parameter. The port parameter is not used when using URLs.

Note: URL and SSL support were added in 4.0.4.


Regards,


Richard Quadling.
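The resolution of this thread, pulled together into one script: writes go to port 389 (the writable directory) rather than 3268 (the read-only Global Catalog), every bind is checked, the error is only reported when ldap_modify() actually fails, and the DN comes from the server instead of being built from "cn" by hand. This is an added example and not code from the thread or from the PHP manual. The host, bind DN, search base, CSV path and the AD_BIND_PW environment variable are assumed inputs; it also assumes the DC accepts StartTLS on port 389 and that the bind account is a service account delegated write access to the mail attribute on the target OU, not a Domain Admin.

```php
<?php
// Added example, not from the thread: update "mail" for AD users listed in a CSV.
// Assumed inputs: host, bind DN, search base and CSV path on the command line,
// the bind password in the AD_BIND_PW environment variable. The bind account is
// assumed to be a service account delegated write access to "mail" on the OU,
// and the DC is assumed to accept StartTLS on port 389.
declare(strict_types=1);

const AD_PORT_WRITABLE = 389;   // writable naming context (or 636 with ldaps://)
const AD_PORT_GC       = 3268;  // Global Catalog: read-only, modifies return 53
const LDAP_ERR_UNWILLING_TO_PERFORM = 53;

/** LDAP result code and message plus AD's extended diagnostic text, for logs. */
function ldapDiag($ds): string
{
    $extra = '';
    // LDAP_OPT_DIAGNOSTIC_MESSAGE exists from PHP 7.1; AD fills it with the
    // "0000xxxx: SvcErr: DSID-..." string that identifies the real cause.
    if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')
        && ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extra) && $extra !== '') {
        $extra = " [{$extra}]";
    }
    return sprintf('%d %s%s', ldap_errno($ds), ldap_error($ds), $extra);
}

/** Connect with LDAPv3 + StartTLS to a writable DC and bind; throws on any failure. */
function adConnectAndBind(string $host, string $bindDn, string $bindPw, int $port = AD_PORT_WRITABLE)
{
    if ($bindPw === '') {
        // An empty password turns ldap_bind() into an unauthenticated bind: it
        // "succeeds" on AD but the session can neither read nor write anything.
        throw new RuntimeException('refusing to bind with an empty password');
    }
    $ds = ldap_connect("ldap://{$host}:{$port}");
    if ($ds === false) {
        throw new RuntimeException("malformed LDAP URI for {$host}:{$port}");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // AD returns referrals libldap cannot chase
    if (!@ldap_start_tls($ds)) {                    // never send a simple bind in cleartext
        throw new RuntimeException('StartTLS failed: ' . ldapDiag($ds));
    }
    if (!@ldap_bind($ds, $bindDn, $bindPw)) {
        throw new RuntimeException('bind failed: ' . ldapDiag($ds));
    }
    return $ds;
}

/** Find exactly one user by givenName and sn; returns the server-supplied DN or null. */
function findUserDn($ds, string $searchBase, string $givenName, string $sn): ?string
{
    // Escape the CSV-supplied values so a row such as "*)(objectClass=*" cannot widen the filter.
    $filter = sprintf('(&(sAMAccountType=805306368)(givenName=%s)(sn=%s))',
        ldap_escape($givenName, '', LDAP_ESCAPE_FILTER),
        ldap_escape($sn, '', LDAP_ESCAPE_FILTER));
    $sr = @ldap_search($ds, $searchBase, $filter, ['dn']);
    if ($sr === false) {
        throw new RuntimeException('search failed: ' . ldapDiag($ds));
    }
    $entries = ldap_get_entries($ds, $sr);
    // Use the DN the server returned; rebuilding it from "cn" by hand breaks on
    // names containing commas or other characters RFC 4514 requires to be escaped.
    return $entries['count'] === 1 ? $entries[0]['dn'] : null;
}

/** Replace the mail attribute. Returns true, or false with the reason in $why. */
function setMail($ds, string $userDn, string $mail, ?string &$why = null): bool
{
    if (filter_var($mail, FILTER_VALIDATE_EMAIL) === false) {
        $why = "rejected malformed address '{$mail}'";
        return false;
    }
    if (@ldap_mod_replace($ds, $userDn, ['mail' => $mail])) {
        return true;
    }
    $why = ldapDiag($ds);
    if (ldap_errno($ds) === LDAP_ERR_UNWILLING_TO_PERFORM) {
        $why .= ' (the Global Catalog port ' . AD_PORT_GC . ' and read-only DCs refuse writes;'
              . ' use port ' . AD_PORT_WRITABLE . ' or ldaps://host:636 on a writable DC)';
    }
    return false;
}

// Driver. CSV rows are "givenName,sn,mail". Assumed usage:
//   AD_BIND_PW=... php adsetmail.php dc1.example.com "cn=svc-mailsync,ou=Service,dc=example,dc=com" \
//       "ou=Something,dc=example,dc=com" contacts.csv
if (PHP_SAPI === 'cli' && isset($argv[4])) {
    [, $host, $bindDn, $searchBase, $csv] = $argv;
    $ds = adConnectAndBind($host, $bindDn, getenv('AD_BIND_PW') ?: '');
    $fp = fopen($csv, 'r');
    while (($row = fgetcsv($fp, 1000)) !== false) {
        if (count($row) < 3) {
            continue;                               // blank or malformed line
        }
        [$given, $sn, $mail] = array_map('trim', $row);
        $dn = findUserDn($ds, $searchBase, $given, $sn);
        if ($dn === null) {
            fwrite(STDERR, "skip {$given} {$sn}: no unique match\n");
            continue;
        }
        echo setMail($ds, $dn, $mail, $why) ? "ok   {$dn}\n" : "FAIL {$dn}: {$why}\n";
    }
    fclose($fp);
    ldap_unbind($ds);
}
```

Two caveats worth knowing before running something like this against a real domain. First, the "unwilling to perform" result (code 53) that started this thread is exactly what a write to port 3268 produces, so the script names that cause when it sees the code; the extended diagnostic text from the DC is appended so other causes (a read-only domain controller, a constraint on the attribute) can be told apart. Second, the original script sent an administrator password as a simple bind over an unencrypted connection. Domain controllers configured to require LDAP signing reject a cleartext simple bind outright (result code 8, strongerAuthRequired), and even where they accept it the password crosses the wire readable, which is why the example insists on StartTLS (or ldaps:// on 636) and on a delegated service account rather than a Domain Admin.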

Expert Comment by netwiz562 (ID: 9492518)
---- CLEAN UP ----

bugsuperstar37,
No comment has been added lately.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: [ PAQ/Refund ]

Please leave any comments here within the next seven days.

¡PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

------------------------------
Rajiv Makhijani
EE Cleanup Volunteer

This question was linked to in a Win2k Question.  I will add this question to that cleanup.

Accepted Solution by DarthMod (ID: 11688196)
Submitted to PAQ with points refunded (100)

DarthMod
Community Support Moderator