Solved

ldap_modify with Active Directory

Posted on 2002-07-10
Last Modified: 2010-08-05
OK, I am using PHP 4 on a Linux box. I am using PHP pages to connect to my Active Directory server and create Organization lists and so forth. My LDAP searches work very well.

I am now trying to modify entries using ldap_modify and it is failing. I am certain the "mail" record exists in Active Directory because I can display it for each user, however using an ldap_modify on the record causes the following error:
Warning: LDAP: add operation could not be completed. in userMod.php on line 44

The user that I am binding as has Administrator rights and I have looked at security on these attributes, all Administrators should have "Full Control".

Why is this not working?

Chris
Question by:bugsuperstar37

Expert Comment by:RQuadling
ID: 7145706
Can you show some code please.

Expert Comment by:RQuadling
ID: 7145715
If you are binding without a password, then you may be binding in read-only mode?

From the PHP manual.

ldap_bind() does a bind operation on the directory. bind_rdn and bind_password are optional. If not specified, anonymous bind is attempted.

and

$r=ldap_bind($ds);     // this is an "anonymous" bind, typically read-only access


Regards,

Richard Quadling.

Author Comment by:bugsuperstar37
ID: 7146485
OK, I am binding. In Active Directory if you do not perform a bind, you have no access so I doubt I am binding anonymously. An anonymous bind would work, however a search on the Active Directory would result in no entries.

What do you want to see in the way of code?

Expert Comment by:RQuadling
ID: 7146495
At least line 44, but the general flow from the ldap_connect() to the error.

Author Comment by:bugsuperstar37
ID: 7146561
When using ldap_error() I see that the real error is DSA unwilling to perform. Now searching the internet I find that the reason for this could be the disk is full (not in this case though) or the server refuses to perform the modify function.

I can say that the same modify commands will work from a 2000 machine in the domain using the Windows 2000 Active Directory Administration Tool that comes with the support pack. This is an LDAP tool used within Windows. I issue the same LDAP commands there and it functions correctly, making the modifications.

Author Comment by:bugsuperstar37
ID: 7146583
This is the page given the obvious changes to keep my info private, but you can see the code that does the work.

<?php
$ds = ldap_connect("server", "3268");
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
// attributes needed for the CSV match and for the update
$attributes = array("cn", "givenName", "sn", "mail");
$filter = "(& (sAMAccountType=805306368) )";
$baseDN = "cn= me, ou= Something,dc= domain, dc= com";
$password = "password";
if ($ds) {
    $r = ldap_bind($ds, $baseDN, $password) or die("Failed to bind.");
    $baseDN = "ou= Something ,dc= domain, dc= com";
    $sr = ldap_search($ds, $baseDN, $filter, $attributes);
    $info = ldap_get_entries($ds, $sr);   // attribute keys come back lower-cased
    $fp = fopen("/path/to/contacts.txt", "r") or die("Cannot open contacts file.");

    // each CSV row: first name, surname, new e-mail address
    while ($data = fgetcsv($fp, 1000)) {
        for ($i = 0; $i < $info["count"]; $i++) {
            $userDN = "cn= " . $info[$i]["cn"][0] . ", ou= Something,dc= domain, dc= com";
            if ($data[0] == $info[$i]["givenname"][0] && $data[1] == $info[$i]["sn"][0]) {
                $newInfo = array();
                $newInfo["mail"][0] = $data[2];
                print($newInfo["mail"][0] . $userDN . "<br>");

                // a fresh connection and bind for every single modification
                $baseDN = "cn= me, ou= Something,dc= domain, dc= com";
                $password = "password";
                $dsTemp = ldap_connect("server", "3268");
                ldap_set_option($dsTemp, LDAP_OPT_PROTOCOL_VERSION, 3); // was missing on this connection
                $r = ldap_bind($dsTemp, $baseDN, $password) or die("Failed to bind.");
                ldap_modify($dsTemp, $userDN, $newInfo);
                // printed unconditionally: an empty string here means the modify succeeded
                $Ldaperror = ldap_error($dsTemp);
                print($Ldaperror);
                ldap_close($dsTemp);
            }
        }
    }
    fclose($fp);

    // close the LDAP connection
    ldap_close($ds);
} else {
    echo "<h4>Unable to connect to LDAP server</h4>";
}

Author Comment by:bugsuperstar37
ID: 7146590
Line 44 would be: ldap_modify($dsTemp, $userDN, $newInfo);

Expert Comment by:RQuadling
ID: 7146610
Can you add a test to see if $r is true.

$r = ldap_bind($dsTemp, $baseDN, $password) or die("Failed to bind.");

Expert Comment by:RQuadling
ID: 7146614
I suspect it isn't true and therefore you have connected as an anonymous user.


Author Comment by:bugsuperstar37
ID: 7146620
No, I very highly doubt that because if I do not bind, I can run searches, however nothing can be viewed in the results. Only when I bind as an admin do I get results.

Expert Comment by:RQuadling
ID: 7146630
Then try adding the test. This will see if the bind DOES work for your setup.

I'm not an ldap person, but it seems that the second bind is still using the baseDN, rather than the userDN, and then you try to modify with the baseDN.

Maybe?

If not, can you explain what you are trying to achieve?

Expert Comment by:RQuadling
ID: 7146632
I would still try checking both binds with an "or die();" too.

Richard.

Author Comment by:bugsuperstar37
ID: 7146634
I test now to see if it binds and it does bind at all instances.

Expert Comment by:RQuadling
ID: 7146646
Ok.

What about

$r=ldap_bind($dsTemp, $baseDN, $password); // Binding to base
ldap_modify($dsTemp, $userDN, $newInfo); // Modifying user

issue I have?

I suspect you've cut'n'pasted the code and forgot to change the RDN variable.

Richard.

Author Comment by:bugsuperstar37
ID: 7146648
OK look, I have tried this many ways. This is just another iteration. Simply put, you must set the Base DN to bind. A bind specifies what user you are and what rights you have to the Directory. I bind as an Administrator. You must bind as someone with rights to make changes as far as I understand (at least you must to run searches in the Directory).

The userDN specifies the DN of the user where I will be running the modify.

Expert Comment by:RQuadling
ID: 7146649
The reason for the error, assuming the typo, would probably be that you are trying to modify something that you have not yet been bound to.

You've bound to base no problems, but you want to modify user.

Try ...

$r=ldap_bind($dsTemp, $userDN, $password);
ldap_modify($dsTemp, $userDN, $newInfo);

Richard.

Author Comment by:bugsuperstar37
ID: 7146661
Maybe you should read about the ldap functions first. A modify must specify a connection, the DN where the modification will be made, and what values (in array form) will be modified.

Up above I create the DN for the user and assign it to $userDN. I may bind with $baseDN, but I most assuredly do not wish to make changes there (although I have tried this for testing and receive the same results).

I really think it is a problem with Windows and what machines it allows to make modifications, but I want to make certain of this (and find a way to allow this machine to make modifications). I don't know if there is an ldap_option() I need to set besides the protocol version.

Author Comment by:bugsuperstar37
ID: 7146667
NO NO NO. In Windows tools I bind as an Administrator to make changes to these accounts and it works fine. I have already tried to bind as my user and make changes to my user without success.

Expert Comment by:RQuadling
ID: 7146677
Something that is a little more drastic would be to get a packet sniffer under windows (Commview for example) and to see what is sent and received when you do the modification under the windows tools.

Then try using the PHP code to do it and see what the functional differences are.

Hopefully LDAP uses plain_text to send its data around.

I'm sorry I can't be of any more help.

From the looks of it, you are trying to globally update the email addresses for users whose details are in the csv file.


Ok.

Another daft question.

Your code ALWAYS shows an error. I assume the data has NOT been updated?

if (!ldap_modify($dsTemp, $userDN, $newInfo))
{
    $Ldaperror = ldap_error($dsTemp);
    print($Ldaperror);
}

Daft I know, but you may simply be seeing some spurious error!

Richard.

Author Comment by:bugsuperstar37
ID: 7146714
No, the data on the Directory is never changed.

Expert Comment by:Unifex
ID: 7165985
Should those DNs have spaces in them? That would trip up our OpenLDAP server...

Also, can you please throw this in at line 43 and show us the output.

echo "<pre>"; print_r($newInfo); echo "</pre>";

Regards,
Gold

Author Comment by:bugsuperstar37
ID: 7166074
I have already figured out what this problem is. Thank you all for trying.

Chris

Expert Comment by:Unifex
ID: 7166081
What was the problem?  Just out of interest...

Expert Comment by:RQuadling
ID: 7168906
Yes. What was wrong? Is it something REALLY simple? Are you embarrassed?

Author Comment by:bugsuperstar37
ID: 7169507
No, it was using port 389 rather than port 3268. I guess it is simple, but not embarrassing. I thought I had that in at first, but other applications using that port still do not work correctly. However my applications using port 389 to perform all modifications are working well.

Thank you all for participating.
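The thread's outcome put into a working script, as an added example that is not code from the question or from any reply: it does what the script posted earlier does (match name rows to users and set mail), but it opens the write connection on a domain controller's LDAP port over ldaps:// rather than the Global Catalog port 3268, whose replica is read-only and rejects modifies with "unwilling to perform", checks every bind and modify result, reuses one bound connection, and escapes the row values before they go into a search filter. The host, bind DN, base DN and the LDAP_PASSWORD environment variable are assumed placeholders, and the code targets PHP 7.1 or later rather than the PHP 4 of the thread.

```php
<?php
// Added example, not code from the thread: matches name rows to AD users and sets
// "mail" as the posted script does, but writes through a domain controller's LDAP
// port (ldaps://) rather than the Global Catalog port 3268, whose replica is
// read-only and answers ldap_modify with "unwilling to perform". Names are placeholders.

function adConnectForWrite(string $uri, string $bindDn, string $password)
{
    $ds = ldap_connect($uri);          // ldaps:// keeps the bind password off the wire
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);   // AD requires LDAPv3
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);          // do not chase AD referrals
    if (!@ldap_bind($ds, $bindDn, $password)) {
        throw new RuntimeException('Bind failed: ' . ldap_error($ds));
    }
    return $ds;
}

// Resolve a (givenName, sn) pair to exactly one user DN; null if zero or several match.
function adFindUserDn($ds, string $baseDn, string $given, string $sn): ?string
{
    $filter = sprintf('(&(sAMAccountType=805306368)(givenName=%s)(sn=%s))',
        ldap_escape($given, '', LDAP_ESCAPE_FILTER),   // escape file input used in a filter
        ldap_escape($sn, '', LDAP_ESCAPE_FILTER));
    $sr = ldap_search($ds, $baseDn, $filter, ['cn']);
    if ($sr === false) return null;
    $entries = ldap_get_entries($ds, $sr);
    return ($entries['count'] === 1) ? $entries[0]['dn'] : null;
}

function adSetMail($ds, string $userDn, string $mail): void
{
    // ldap_mod_replace changes only the listed attribute; the rest of the object is untouched.
    if (!ldap_mod_replace($ds, $userDn, ['mail' => [$mail]])) {
        // errno 53 is LDAP_UNWILLING_TO_PERFORM, the answer a GC port gives to any write
        throw new RuntimeException(sprintf('Modify of %s failed (%d): %s',
            $userDn, ldap_errno($ds), ldap_error($ds)));
    }
}

$rows = [['Jane', 'Doe', 'jane.doe@example.com']];   // constructed sample rows (CSV content)
$ds = adConnectForWrite('ldaps://dc01.example.com',
    'CN=svc-mailupdate,OU=Service Accounts,DC=example,DC=com', getenv('LDAP_PASSWORD') ?: '');
foreach ($rows as [$given, $sn, $mail]) {
    $dn = adFindUserDn($ds, 'OU=Staff,DC=example,DC=com', $given, $sn);
    if ($dn === null) { fwrite(STDERR, "No unique match for $given $sn\n"); continue; }
    adSetMail($ds, $dn, $mail);   // one bound connection serves every update
}
ldap_close($ds);
```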

Expert Comment by:RQuadling
ID: 7169521
Ha!

Should have spotted that.

From the PHP Manual ...

ldap_connect
(PHP 3, PHP 4 )

ldap_connect -- Connect to an LDAP server
Description
resource ldap_connect ( [string hostname [, int port]])

Returns a positive LDAP link identifier on success, or FALSE on error.

ldap_connect() establishes a connection to a LDAP server on a specified hostname and port. Both the arguments are optional. If no arguments are specified then the link identifier of the already opened link will be returned. If only hostname is specified, then the port defaults to >>>389<<<.

If you are using OpenLDAP 2.x.x you can specify a URL instead of the hostname. To use LDAP with SSL, compile OpenLDAP 2.x.x with SSL support, configure PHP with SSL, and use ldaps://hostname/ as host parameter. The port parameter is not used when using URLs.

Note: URL and SSL support were added in 4.0.4.

Regards,

Richard Quadling.

Expert Comment by:netwiz562
ID: 9492518
---- CLEAN UP ----

bugsuperstar37,
No comment has been added lately.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: [ PAQ/Refund ]

Please leave any comments here within the next seven days.

¡PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

------------------------------
Rajiv Makhijani
EE Cleanup Volunteer

This question was linked to in a Win2k Question.  I will add this question to that cleanup.

Accepted Solution by:DarthMod (earned 0 total points)
ID: 11688196
Submitted to PAQ with points refunded (100)

DarthMod
Community Support Moderator