ldap_modify with Active Directory

OK, I am using PHP 4 on a Linux box. I am using PHP pages to connect to my Active Directory server and create Organization lists and so forth. My LDAP searches work very well.

I am now trying to modify entries using ldap_modify and it is failing. I am certain the "mail" record exists in Active Directory because I can display it for each user, however using an ldap_modify on the record causes the following error:
Warning: LDAP: add operation could not be completed. in userMod.php on line 44

The user that I am binding as has Administrator rights and I have looked at security on these attributes, all Administrators should have "Full Control".

Why is this not working?

Chris
Richard Quadling (Senior Software Developer) commented:
Can you show some code please.
Richard Quadling (Senior Software Developer) commented:
If you are binding without a password, then you may be binding in read-only mode?

From the PHP manual.

ldap_bind() does a bind operation on the directory. bind_rdn and bind_password are optional. If not specified, anonymous bind is attempted.

and

$r = ldap_bind($ds);     // this is an "anonymous" bind, typically read-only access

Regards,

Richard Quadling.
bugsuperstar37 (Author) commented:
OK, I am binding. In Active Directory if you do not perform a bind, you have no access, so I doubt I am binding anonymously. An anonymous bind would work, however a search on the Active Directory would result in no entries.

What do you want to see in the way of code?
Richard Quadling (Senior Software Developer) commented:
At least line 44, but the general flow from the ldap_connect() to the error.
bugsuperstar37 (Author) commented:
When using ldap_error() I see that the real error is DSA unwilling to perform. Now searching the internet I find that the reason for this could be the disk is full (not in this case though) or the server refuses to perform the modify function.

I can say that the same modify commands will work from a 2000 machine in the domain using the Windows 2000 Active Directory Administration Tool that comes with the support pack. This is an LDAP tool used within Windows. I issue the same LDAP commands there and it functions correctly, making the modifications.
bugsuperstar37 (Author) commented:
This is the page given the obvious changes to keep my info private, but you can see the code that does the work.

<?php
// 3268 is the Global Catalog port; the resolution further down this thread is that modifies need port 389
$ds = ldap_connect("server", "3268");
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
$attributes = array("CN", "mail");
$filter = "(&(sAMAccountType=805306368))";   // user objects only
$baseDN = "cn= me, ou= Something,dc= domain, dc= com";
$password = "password";
if ($ds) {
    $r = ldap_bind($ds, $baseDN, $password);
    $baseDN = "ou= Something ,dc= domain, dc= com";
    $sr = ldap_search($ds, $baseDN, $filter);
    $info = ldap_get_entries($ds, $sr);
    $fp = fopen("/path/to/contacts.txt", "r");   // one "givenName,sn,mail" row per line

    while ($data = fgetcsv($fp, 1000)) {
        for ($i = 0; $i < (sizeof($info) - 1); $i++) {
            $userDN = "cn= " . $info[$i]["cn"][0] . ", ou= Something,dc= domain, dc= com";
            if ($data[0] == $info[$i]["givenname"][0] && $data[1] == $info[$i]["sn"][0]) {
                $newInfo["mail"][0] = $data[2];
                print($newInfo["mail"][0] . $userDN . "<br>");

                // second connection, bound as the admin account, used only for the write
                $baseDN = "cn= me, ou= Something,dc= domain, dc= com";
                $password = "password";
                $dsTemp = ldap_connect("server", "3268");
                ldap_set_option($dsTemp, LDAP_OPT_PROTOCOL_VERSION, 3);
                $r = ldap_bind($dsTemp, $baseDN, $password);
                // only report an error when the modify actually failed
                if (!ldap_modify($dsTemp, $userDN, $newInfo)) {
                    print(ldap_error($dsTemp));
                }
                ldap_close($dsTemp);
            }
        }
    }
    fclose($fp);

    // close the LDAP connection
    ldap_close($ds);
} else {
    echo "<h4>Unable to connect to LDAP server</h4>";
}
bugsuperstar37 (Author) commented:
Line 44 would be: ldap_modify($dsTemp, $userDN, $newInfo);
Richard Quadling (Senior Software Developer) commented:
Can you add a test to see if $r is true.

$r = ldap_bind($dsTemp, $baseDN, $password) or die("Failed to bind.");
Richard Quadling (Senior Software Developer) commented:
I suspect it isn't true and therefore you have connected as an anonymous user.

bugsuperstar37 (Author) commented:
No, I very highly doubt that because if I do not bind, I can run searches, however nothing can be viewed in the results. Only when I bind as an admin do I get results.
Richard Quadling (Senior Software Developer) commented:
Then try adding the test. This will see if the bind DOES work for your setup.

I'm not an ldap person, but it seems that the second bind is still using the baseDN, rather than the userDN, and then you try to modify with the baseDN.

Maybe?

If not, can you explain what you are trying to achieve?
Richard Quadling (Senior Software Developer) commented:
I would still try checking both binds with an "or die();" too.

Richard.
bugsuperstar37 (Author) commented:
I test now to see if it binds and it does bind at all instances.
Richard Quadling (Senior Software Developer) commented:
Ok.

What about

$r=ldap_bind($dsTemp, $baseDN, $password); // Binding to base
ldap_modify($dsTemp, $userDN, $newInfo); // Modifying user

issue I have?

I suspect you've cut'n'pasted the code and forgot to change the RDN variable.

Richard.
bugsuperstar37 (Author) commented:
OK look, I have tried this many ways. This is just another iteration. Simply put, you must set the Base DN to bind. A bind specifies what user you are and what rights you have to the Directory. I bind as an Administrator. You must bind as someone with rights to make changes as far as I understand (at least you must to run searches in the Directory).

The userDN specifies the DN of the user where I will be running the modify.
Richard Quadling (Senior Software Developer) commented:
The reason for the error, assuming the typo, would probably be that you are trying to modify something that you have not yet been bound to.

You've bound to base no problems, but you want to modify user.

Try ...

$r=ldap_bind($dsTemp, $userDN, $password);
ldap_modify($dsTemp, $userDN, $newInfo);

Richard.
bugsuperstar37 (Author) commented:
Maybe you should read about the ldap functions first. A modify must specify a connection, the DN where the modification will be made, and what values (in array form) will be modified.

Up above I create the DN for the user and assign it to $userDN. I may bind with $baseDN, but I most assuredly do not wish to make changes there (although I have tried this for testing and receive the same results).

I really think it is a problem with Windows and what machines it allows to make modifications, but I want to make certain of this (and find a way to allow this machine to make modifications). I don't know if there is an ldap_option() I need to set besides the protocol version.
bugsuperstar37 (Author) commented:
NO NO NO. In Windows tools I bind as an Administrator to make changes to these accounts and it works fine. I have already tried to bind as my user and make changes to my user without success.
Richard Quadling (Senior Software Developer) commented:
Something that is a little more drastic would be to get a packet sniffer under windows (Commview for example) and to see what is sent and received when you do the modification under the windows tools.

Then try using the PHP code to do it and see what the functional differences are.

Hopefully LDAP uses plain text to send its data around.

I'm sorry I can't be of any more help.

From the looks of it, you are trying to globally update the email addresses for users whose details are in the csv file.

Ok.

Another daft question.

Your code ALWAYS shows an error. I assume the data has NOT been updated?

if (!ldap_modify($dsTemp, $userDN, $newInfo)) {
    $Ldaperror = ldap_error($dsTemp);
    print($Ldaperror);
}

Daft I know, but you may simply be seeing some spurious error!

Richard.
bugsuperstar37 (Author) commented:
No, the data on the Directory is never changed.
Unifex commented:
Should those DNs have spaces in them?  That would trip up our OpenLDAP server...

Also, can you please throw this in at line 43 and show us the output.

echo "<pre>"; print_r($newInfo); echo "</pre>";   // variable names are case-sensitive: $newInfo, not $newinfo

Regards,
Gold
bugsuperstar37 (Author) commented:
I have already figured out what this problem is. Thank you all for trying.

Chris
Unifex commented:
What was the problem?  Just out of interest...
Richard Quadling (Senior Software Developer) commented:
Yes. What was wrong? Is it something REALLY simple? Are you embarrassed?
bugsuperstar37 (Author) commented:
No, it was using port 389 rather than port 3268. I guess it is simple, but not embarrassing. I thought I had that in at first, but other applications using that port still do not work correctly. However my applications using port 389 to perform all modifications are working well.

Thank you all for participating.
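A corrected version of the bulk mail-update script, as an added example that is not code from the thread: it connects to a domain controller's LDAPS port instead of the Global Catalog port 3268, refuses an empty password (which would silently become an anonymous bind), tests the bind result, escapes the CSV values used in the search filter, and checks what ldap_modify returns. The hostname, DNs, CSV path and the AD_BIND_PASSWORD variable are assumptions.

```php
<?php
// Added example, not the asker's code. Assumed: dc.example.com, the DNs, the CSV
// path (givenName,sn,mail per row) and the AD_BIND_PASSWORD environment variable.
// Writes must go to a DC's LDAP port (389, or 636 for LDAPS): port 3268 is the
// read-only Global Catalog and answers a modify with result 53 "unwilling to perform".
const LDAP_URI = 'ldaps://dc.example.com:636';  // LDAPS, so the admin password is not sent in clear
const BIND_DN  = 'CN=svc-mailsync,OU=Service Accounts,DC=example,DC=com';
const BASE_DN  = 'OU=Users,DC=example,DC=com';
const CSV_PATH = '/path/to/contacts.txt';

function adConnect(string $uri, string $bindDn, string $password)
{
    // An empty password turns the simple bind into an anonymous one, which AD lets search but not modify
    if ($password === '') exit("AD_BIND_PASSWORD is not set\n");
    $ds = ldap_connect($uri) or exit("bad LDAP URI: $uri\n");
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);  // AD returns referrals; do not chase them
    ldap_bind($ds, $bindDn, $password) or exit('bind failed: ' . ldap_error($ds) . "\n");
    return $ds;
}

function findUserDn($ds, string $base, string $givenName, string $sn): ?string
{
    // Escape the CSV-supplied values so they cannot change the filter's meaning
    $filter = sprintf('(&(sAMAccountType=805306368)(givenName=%s)(sn=%s))',
        ldap_escape($givenName, '', LDAP_ESCAPE_FILTER), ldap_escape($sn, '', LDAP_ESCAPE_FILTER));
    $sr = ldap_search($ds, $base, $filter, ['1.1']);  // "1.1" = return DNs only
    $entries = $sr ? ldap_get_entries($ds, $sr) : false;
    // No match or several matches: never guess which account to change
    return ($entries !== false && $entries['count'] === 1) ? $entries[0]['dn'] : null;
}

function setMail($ds, string $userDn, string $mail): bool
{
    // ldap_modify replaces the named attribute; test its result instead of
    // printing ldap_error() unconditionally as the posted code did
    if (ldap_modify($ds, $userDn, ['mail' => [$mail]])) return true;
    fprintf(STDERR, "modify %s failed: %d %s\n", $userDn, ldap_errno($ds), ldap_error($ds));
    return false;
}

$ds = adConnect(LDAP_URI, BIND_DN, getenv('AD_BIND_PASSWORD') ?: '');
$fp = fopen(CSV_PATH, 'r') or exit("cannot open CSV\n");
while (($row = fgetcsv($fp, 1000)) !== false) {
    [$givenName, $sn, $mail] = $row;
    $dn = findUserDn($ds, BASE_DN, $givenName, $sn);
    if ($dn !== null && setMail($ds, $dn, $mail)) echo "updated mail on $dn\n";
}
fclose($fp);
ldap_unbind($ds);
```

Pointing the same script at port 3268 reproduces the thread's symptom: the bind and search succeed, and every ldap_modify fails with result 53.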
Richard Quadling (Senior Software Developer) commented:
Ha!

Should have spotted that.

From the PHP Manual ...

ldap_connect
(PHP 3, PHP 4)

ldap_connect -- Connect to an LDAP server
Description
resource ldap_connect ( [string hostname [, int port]] )

Returns a positive LDAP link identifier on success, or FALSE on error.

ldap_connect() establishes a connection to a LDAP server on a specified hostname and port. Both the arguments are optional. If no arguments are specified then the link identifier of the already opened link will be returned. If only hostname is specified, then the port defaults to >>>389<<<.

If you are using OpenLDAP 2.x.x you can specify a URL instead of the hostname. To use LDAP with SSL, compile OpenLDAP 2.x.x with SSL support, configure PHP with SSL, and use ldaps://hostname/ as host parameter. The port parameter is not used when using URLs.

Note: URL and SSL support were added in 4.0.4.

Regards,

Richard Quadling.
netwiz562 commented:
---- CLEAN UP ----

bugsuperstar37,
No comment has been added lately.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: [ PAQ/Refund ]

Please leave any comments here within the next seven days.

¡PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

------------------------------
Rajiv Makhijani
EE Cleanup Volunteer

This question was linked to in a Win2k Question.  I will add this question to that cleanup.
DarthMod commented:
Submitted to PAQ with points refunded (100)

DarthMod
Community Support Moderator