Solved

Connecting to LDAP

Posted on 2006-04-28
52
Medium Priority
2,424 Views
Last Modified: 2012-06-21
I'm trying to create a simple PHP page to connect to LDAP.

Active Directory is installed on the server.

What I want to do is:

1) engineer logs into our machine on the network via AD.
2) when the engineer starts FF or IE to browse the web, display my PHP page as their homepage and display all that user's details stored in AD. (so somehow the PHP page will have to know who is viewing the PHP page by connecting to LDAP and finding the current login credentials... i think? )
3) allow the user to write data back into AD if they decide to edit their details..

stages 1 & 2 are what I'm planning to get working for now. stage 3 will be another question in a few days...

needing some code examples for stages 1 & 2 above.
Question by:ellandrd
52 Comments
 
LVL 40

Expert Comment

by:Richard Quadling
ID: 16561589
Hi.

Just to say, I've no idea, but I am asking the same question as I also want the answer to this.

So, whoever answers this could get a LOT of points! Not sure if this is against the EE rules - collaborative questioning!
 
LVL 16

Author Comment

by:ellandrd
ID: 16561689
Hi Richard,

I can't see EE giving them out - since I'm the one who opened the thread and you're just overlooking...

Sean

p.s. hope you have calmed down from the other day... ;-) it's gone crazy right now!!
 
LVL 40

Expert Comment

by:Richard Quadling
ID: 16561823
 
LVL 40

Expert Comment

by:Richard Quadling
ID: 16561830
How crazy? Should I drop in and take a look see?
 
LVL 2

Expert Comment

by:randy_stuart
ID: 16562357
I don't have a clue either.  I don't really think this is possible.  I just wanted to post so that I will receive a reminder if someone answers.  I would like to do this as well.

I have thought about this quite a bit, but the only thing I could come up with was a CSV text query of AD that is then imported into MySQL.  Having that run automated once a day.  But that sure is a lot of extra work.

If no one answers the question you can just post to each others question and accept the other ones answer, that way you will get your points back, if this is not possible :)
 
LVL 16

Author Comment

by:ellandrd
ID: 16562391
if no one answers the question you can just post to each others question and accept the other ones answer, that way you will get your points back, if this is not possible

now that might be against EE rules...!

it can be done! my boss has done it before and he has given me a project to implement it on our company intranet, but he won't tell me - it's to let me figure it out and learn....
 
LVL 16

Author Comment

by:ellandrd
ID: 16562435
has each of us searched EE for a solution?  

I have, but what I have found, I don't really understand... my PHP is average, but Richard is a genius, so I'm a bit confused as to why he has not coded a solution yet...

was kinda hoping Roonaan or WoodyRoundUp would provide some advice but they must be offline at the mo?

well at least there is a lot of interest in this topic... PHP + LDAP
 
LVL 40

Expert Comment

by:Richard Quadling
ID: 16562527
Yes. The big issue for me was working out how to connect with proper credentials for searching. It seems that AD doesn't support readonly mode. You have to be a valid user. Which is a good thing I suppose.

In the end I did give up on ldap entirely and used my own user tables.

 
LVL 16

Author Comment

by:ellandrd
ID: 16562554
well my understanding was, you connect using an admin account or a test user account with admin privileges. but the bit I'm stuck with is finding out which user is actually logged into the machine that is viewing the PHP page?
 
LVL 16

Author Comment

by:ellandrd
ID: 16562601
Richard,

I spoke to rdivilbiss a few months ago about this issue before as i think he has coded something in ASP or along the lines of it...

i will contact him again and give you an update...

 
LVL 40

Expert Comment

by:Richard Quadling
ID: 16562650
AFAIK, all unsecured requests are anonymous to the web. If you are on an AD network, then, the request will come from a specific IP. But getting the user logged on at that IP is not easy. Think about terminal server. 1 machine, 20 users. 1 IP. Hmm.

So IP is no use.

MAYBE IIS has this as part of the server variables it provides.

I don't run IIS, so I've no idea here.
 
LVL 16

Author Comment

by:ellandrd
ID: 16562672
we run IIS - at the moment I'm searching for possible solutions/examples in ASP.  ASP plays a bit fairer with AD... so Rod says...
 
LVL 16

Author Comment

by:ellandrd
ID: 16562890
somebody might know whats going on here:

http://www.experts-exchange.com/Programming/Programming_Platforms/Win_Prog/Q_20788246.html


As I'm pretty handy at Java, my alternative solution is to get it working with Java, and I have an example that displays the currently logged in username...

support i could then continue this further by passing this info to PHP/to query LDAP for user details...

when i mean pass it to PHP, i mean by using JSP...

Richard/Stuart

How are your Java skills? ;-)
 
LVL 16

Author Comment

by:ellandrd
ID: 16562916
suppose not support!
 
LVL 16

Author Comment

by:ellandrd
ID: 16562946
just been doing a bit of testing - logging into other machines across the office and each time I run my Java app, it displays the currently logged in username, which is what I require to query LDAP to get the user's details...

you guys still on track or have i lost you ?

next step is to create an applet or code it in JSP and pass the values to PHP...
 
LVL 3

Accepted Solution

by:
dancablam earned 1000 total points
ID: 16564180
Hey guys,
Accessing LDAP from PHP is pretty easy once you get ahold of all of the concepts behind it. I've written MANY PHP apps that directly read/write to AD, and there's really nothing you can't do to Active Directory through PHP. For starters, make sure you have all the required DLLs (or SOs if you're on Linux) and your php.ini is set up correctly. Look under "Installation" here:
http://us2.php.net/manual/en/ref.ldap.php

Let's start there - let me know what you have so far so I can know where to tweak.

Dan
 
LVL 3

Assisted Solution

by:dancablam
dancablam earned 1000 total points
ID: 16564214
Also, practice logging in from LDAP Browser, because it'll allow you to see exactly what the credentials you need are, and it'll show you the attributes you'll need as well. That can then be copy/pasted into PHP.

http://www.ldapbrowser.com/
 
LVL 16

Author Comment

by:ellandrd
ID: 16565097
dancablam

You've just landed yourself with LOTS of points - from myself, Richard and Steve... we are all needing to do this...

at the moment I've tried coding something in Java, but if I've got help from you, let's get the ball rolling...
 
LVL 3

Expert Comment

by:dancablam
ID: 16565325
I'm glad to help in any way I can. Again, a good way to start is to read through the LDAP section on the PHP website; there are also a lot of comments on there about connecting specifically to Active Directory.
 
LVL 9

Assisted Solution

by:LinuxNubb
LinuxNubb earned 1000 total points
ID: 16565499
As I posted in RQuadling's post:

There are some different ways you can do things.  If the user supplies the username/password, you can try to connect to LDAP with it in the USERNAME and PASSWORD fields below.  Once you connect, you can also search for a username as well.  Just specify the search criteria.

$ldap_server = "server01";  // must be a valid LDAP server!
$ds = ldap_connect($ldap_server);

if ($ds) {

     ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
     ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

     $ldap_user = "USERNAME";  
     $ldap_pass = "PASSWORD";

     // ldap_bind() returns false on bad credentials or an unreachable server;
     // stop here instead of searching on a handle that never bound
     $r = ldap_bind($ds, $ldap_user, $ldap_pass);
     if (!$r) {
          die("Bind failed: " . ldap_error($ds));
     }
 
     $search_string = "(&(objectClass=Person)(cn=*))";
                /// could also be      $search_string = "(&(objectClass=Person)(cn=*$username*))";   /// or something
                /// (if $username comes from user input, run it through ldap_escape() before building the filter)

     $sr = ldap_search($ds, "DC=company,DC=com", $search_string);
                // search the whole container, or go even deeper to sub containers

     $info = ldap_get_entries($ds, $sr);

     for ($i = 0; $i < $info["count"]; $i++) {
          print_r($info[$i]);  // dump one entry per iteration so you can see what was brought back
     }

     ldap_close($ds);

} else {
       echo "<h4>Unable to connect to LDAP server</h4>";
}
 
LVL 16

Author Comment

by:ellandrd
ID: 16569815
Ok, I've coded a Java app to fetch the username of the currently logged in user and then I use Java to send that data to a PHP page.

when an engineer logs into our system/network via AD, and they try viewing the 'personal' page in the intranet I'm building, they get this message:

Hello X !

this is what i want so its good so far.

next step is to display all X's information stored in our AD.

this is where I'm a small bit confused as to how it all works!

>>If the user supplies the username/password, you can try to connect to LDAP with it in the USERNAME and PASSWORD fields below.  Once you connect, you can also search for a username as well.  Just specify the search criteria.

do I require both the username and password?  as I can only get the username!

can I connect to LDAP using an admin account? and query AD for all information on user X and display it that way?

what about writing back to it?
 
LVL 16

Author Comment

by:ellandrd
ID: 16569817
p.s Richard/Steve, if i can get it all working, i'll allow my Java Program to be downloaded so ye can use it too...
 
LVL 16

Author Comment

by:ellandrd
ID: 16579875
dancablam ? LinuxNubb

Waiting for your responses...
 
LVL 9

Expert Comment

by:LinuxNubb
ID: 16579991
It depends on if your LDAP server allows anonymous bind or not.

You can try

 $r=ldap_bind($ds);

But if that fails then you need to provide valid AD credentials to access it.

Yes, you can use some sort of admin account, and just display the user info based on what your javascript found for user.

I really don't have much experience writing to LDAP as of yet.  Most of the stuff I've done is just reading LDAP.
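Putting the pieces discussed so far together, as an added example (not code from this thread or from any of its posters, and written for current PHP): a read-only service account binds to AD, the browsing user's account name is taken from the REMOTE_USER server variable that IIS populates when Integrated Windows Authentication is enabled for the site (this is the "server variable" Richard guessed at; with anonymous access there is no trustworthy identity at all), and that name is escaped before it is placed in the search filter. The host, service account, password and base DN are placeholders; baseDnFromDomain() goes slightly beyond the thread by deriving the DC=... base from a DNS domain name, and ldap_escape() needs PHP 5.6 or later.

```php
<?php
// Added example, not code from the thread. Every AD_* value is a placeholder.
const AD_URI      = 'ldaps://ad.example.internal';    // placeholder host; ldaps keeps the bind password off the wire
const AD_BIND_UPN = 'svc_intranet@example.internal';  // placeholder: a read-only service account, not a Domain Admin
const AD_BIND_PW  = 'replace-me';                     // placeholder; in practice read from config outside the web root
const AD_BASE_DN  = 'DC=example,DC=internal';         // placeholder: example.internal split into domain components

// Turn a DNS domain such as corp.mybiz.com into an LDAP search base: DC=corp,DC=mybiz,DC=com
function baseDnFromDomain(string $domain): string {
    return 'DC=' . implode(',DC=', explode('.', $domain));
}

// With Integrated Windows Authentication enabled in IIS the browser negotiates the desktop
// login transparently and PHP sees DOMAIN\user in REMOTE_USER (AUTH_USER on older IIS).
// Without it the variable is empty and the page must not guess who the visitor is.
function currentWindowsUser(): ?string {
    $raw = $_SERVER['REMOTE_USER'] ?? $_SERVER['AUTH_USER'] ?? '';
    if ($raw === '') {
        return null;
    }
    $user = preg_replace('/^.*\\\\/', '', $raw);   // drop DOMAIN\ prefix
    return preg_replace('/@.*$/', '', $user);      // drop @domain suffix, leaving the sAMAccountName
}

function connectToAd() {
    $ds = ldap_connect(AD_URI);
    if ($ds === false) {
        throw new RuntimeException('LDAP URI is malformed');
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // ldap_bind() returns false on failure; the warnings posted earlier in the thread come from ignoring this
    if (!@ldap_bind($ds, AD_BIND_UPN, AD_BIND_PW)) {
        throw new RuntimeException('Bind failed: ' . ldap_error($ds));
    }
    return $ds;
}

// Look up one account by sAMAccountName. ldap_escape() neutralises *, (, ), \ and NUL in the
// supplied name so it cannot widen or rewrite the filter (LDAP injection).
function findUser($ds, string $samAccountName,
                  array $attributes = ['displayname', 'mail', 'telephonenumber', 'title', 'department']): ?array {
    $filter = sprintf('(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))',
                      ldap_escape($samAccountName, '', LDAP_ESCAPE_FILTER));
    $sr = ldap_search($ds, AD_BASE_DN, $filter, $attributes);
    if ($sr === false) {
        throw new RuntimeException('Search failed: ' . ldap_error($ds));
    }
    $entries = ldap_get_entries($ds, $sr);
    if ($entries === false || $entries['count'] !== 1) {
        return null;   // no match, or (unexpectedly) more than one
    }
    return $entries[0];  // attribute names come back lowercased: $entry['displayname'][0]
}

$user = currentWindowsUser();
if ($user === null) {
    http_response_code(401);
    exit('Windows authentication is not enabled for this page');
}

$ds = connectToAd();
$entry = findUser($ds, $user);
ldap_unbind($ds);

if ($entry === null) {
    exit('No AD account found for ' . htmlspecialchars($user));
}
// directory attribute values are untrusted content as far as the browser is concerned; escape them
printf('<h2>Hello %s!</h2>', htmlspecialchars($entry['displayname'][0] ?? $user));
printf('<p>Mail: %s</p>', htmlspecialchars($entry['mail'][0] ?? ''));
```

The search is scoped to the service account's read rights, so the page can show an engineer only what that account is allowed to see; the terminal-server objection Richard raised earlier does not arise because the identity comes from the authenticated HTTP request rather than from the client IP.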
 
LVL 3

Assisted Solution

by:dancablam
dancablam earned 1000 total points
ID: 16580106
To write to LDAP you'll almost certainly need to login using valid AD credentials. You'll need to know what attributes you wish to write to, for instance telephoneNumber, and all others that will need to be populated by default. For that you'll need to familiarize yourself with the following functions

ldap_add: http://us2.php.net/manual/en/function.ldap-add.php
ldap_modify: http://us2.php.net/manual/en/function.ldap-modify.php
ldap_mod_add: http://us2.php.net/manual/en/function.ldap-mod-add.php

There should be AD-specific examples on those pages as well.

Dan
 
LVL 16

Author Comment

by:ellandrd
ID: 16583694
im getting this:

Connected to LDAP server

Warning: ldap_bind() [function.ldap-bind]: Unable to bind to server: Can't contact LDAP server in c:\Inetpub\wwwroot\admin\Personal\personal.php on line 22

Warning: ldap_search() [function.ldap-search]: Search: Can't contact LDAP server in c:\Inetpub\wwwroot\admin\Personal\personal.php on line 29

Warning: ldap_get_entries(): supplied argument is not a valid ldap result resource in c:\Inetpub\wwwroot\admin\Personal\personal.php on line 32


Code:

<?php
$ldap_server = "???????";
$ds = ldap_connect($ldap_server);

if ($ds)
{
      // ldap_connect() only checks the parameters; no connection is attempted until the bind,
      // which is why "Can't contact LDAP server" first appears on the ldap_bind() line
      echo "<h4>Connected to LDAP server</h4>";

      ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
      ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

      $ldap_user = "administrator";
      $ldap_pass = "????????????";

      $r = ldap_bind($ds, $ldap_user, $ldap_pass);
      if (!$r)
      {
            // stop here: searching on a handle that never bound is what produces the
            // follow-on ldap_search()/ldap_get_entries() warnings
            die("<h4>Bind failed: " . ldap_error($ds) . "</h4>");
      }

      $username = "administrator";

      $search_string = "(&(objectClass=Person)(cn=*))";
      //$search_string = "(&(objectClass=Person)(cn=*$username*))";

      $sr = ldap_search($ds, "DC=company,DC=com", $search_string );
      // search the whole container, or go even deeper to sub containers

      $info = ldap_get_entries($ds, $sr);

      for ($i=0; $i<$info["count"]; $i++)
      {
            print_r($info[$i]);  // one entry per iteration, not the whole array each time
      }

      ldap_close($ds);
}
else
{
      echo "<h4>Unable to connect to LDAP server</h4>";
}
?>

Again this is where I'm a little confused? do I have to specify our company name?
 
LVL 16

Author Comment

by:ellandrd
ID: 16583855
also what is DC?  Domain Controller?

and CN too?
 
LVL 9

Expert Comment

by:LinuxNubb
ID: 16585996
Is that administrator login your domain admin login?  What if you use your domain credentials?

DC= Domain Controller yes

CN=Canonical Name, basically a container in your directory
 
LVL 3

Assisted Solution

by:dancablam
dancablam earned 1000 total points
ID: 16590185
That is probably a part of your confusion DC does NOT mean Domain Controller. It means "Domain Component". It's an entirely different thing. For instance, if your domain name was corp.mybiz.com, it would be broken up into Domain Components in LDAP like: DC=corp,DC=mybiz,DC=com

To login you probably need the distinguished name (DN) of your administrator. This could be something like CN=Administrator,OU=Users,DC=corp,DC=mybiz,DC=com. You can't just use "Administrator". Well I haven't actually tried just using Administrator but since PHP uses LDAP and Windows uses Active Directory which is kind of a LDAP/Domain Controller hybrid, it probably wouldn't know what you are talking about. I recommend using LDAPBrowser to connect in and find the DN of your administrator.

$ldap_user should therefore be something like: CN=Administrator,OU=Users,DC=corp,DC=mybiz,DC=com

Don't give up yet! There's a big learning curve to use LDAP, but once you get it, you can do some really awesome stuff with it.

Also keep looking through those PHP pages I sent because there are some good examples about how to get access to Active Directory.
 
LVL 9

Expert Comment

by:LinuxNubb
ID: 16591948
Dancablam, I use my domain username and password without having to specify my DN.  We have win2k3 domain.
 
LVL 16

Author Comment

by:ellandrd
ID: 16594502
>>Don't give up yet! There's a big learning curve to use LDAP, but once you get it, you can do some really awesome stuff with it.

Im not and wont give up...

Enjoy failure and learn from it - you never learn from success!

ellandrd
 
LVL 16

Author Comment

by:ellandrd
ID: 16594735
OK I've tried using LDAP Browser but still can't connect...

what do i put in as host?  do i use 192.168.0.2 or localhost or www.ellandrd.co.uk

what do i use for BASE?

for user DN im using Administrator...
 
LVL 16

Author Comment

by:ellandrd
ID: 16596879
also for the host, can you have:

www.elland-rd.co.uk like: DC=elland-rd,DC=co.uk
 
LVL 40

Expert Comment

by:Richard Quadling
ID: 16603821
Ah. Am I right in thinking that if the domain is JUST the company name (ish), no .xx.yy.zz stuff, then DC=domainname.

So, if I worked for a company called "Richard Tyre Contracts" and the login domain I see when I login to windows was RTC, then I would only have 1 DC, DC=RTC ?

 
LVL 40

Expert Comment

by:Richard Quadling
ID: 16603826
LDAP Browser? Where would I get one of those then?
 
LVL 16

Author Comment

by:ellandrd
ID: 16603830
http://www.ldapbrowser.com/

but i cant get it to work though...
 
LVL 16

Author Comment

by:ellandrd
ID: 16603985
Ahh... cheers Richard!

So in my case:

company: www.pegasus-international.com
login domain I see when I login to windows: ABZPI

so my details should be:

CN=Administrator,OU=Users,DC=ABZPI

correct?

but I'm still confused over the HOST and BASE values required in LDAP Browser...  what are the exact values required for these..  

example would be very helpful
 
LVL 16

Author Comment

by:ellandrd
ID: 16603995
Richard

look at the pear-package Auth http://pear.php.net/manual/en/package.authentication.auth.php.
 
LVL 16

Author Comment

by:ellandrd
ID: 16604005
sorry wrong thread.. forget my post above
 
LVL 16

Author Comment

by:ellandrd
ID: 16604170
I GOT IT WORKING!!!!!!!!!!!!!!!!!!!!
 
LVL 16

Author Comment

by:ellandrd
ID: 16604204
code that was successful...

<?php

$output = '';

$ad = ldap_connect("abz.pegasus.com") or die("Couldn't connect to AD!");

ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);

$bd = ldap_bind($ad,"administrator@abz.pegasus.com","???????") or die("Couldn't bind to AD!");

$dn = "ou=Users,ou=Engineering,DC=abz,DC=pegasus,DC=com";

$output .= ($dn) ? '<p>DN OK</p>' : '<p>DN failed</p>';

$attributes = array("displayname");

$filter = "(cn=*)";

$result = ldap_search($ad, $dn, $filter, $attributes) or die('Search failed');

$entries = ldap_get_entries($ad, $result);

for ($i=0; $i<$entries["count"]; $i++)
{
    $output .= '<p>'.$entries[$i]["displayname"][0].'</p>';
}

echo $output;

ldap_unbind($ad);
?>
 
LVL 16

Author Comment

by:ellandrd
ID: 16604229
oops mistake:

this line:

$dn = "ou=Pegasus Users,ou=IT,DC=abz,DC=pegasus-,DC=com";

should be:

$dn = "ou=IT,ou=Pegasus Users,DC=abz,DC=pegasus,DC=com";
 
LVL 16

Author Comment

by:ellandrd
ID: 16604239
i found this on the web and from this, i was able to know what values to put where...

http://www.jello.me.uk/images/ldap.bmp
 
LVL 16

Author Comment

by:ellandrd
ID: 16606563
hey guys - having some problems at just pulling out a single users details...

I've tried following the URLs above but I can't get them to work... they are not very clear examples and the parameters they specify are different from what I'm trying to do and I don't understand!

basically what I'm trying to do is query AD and retrieve all information about a user.  I have my username stored in $username...
 
LVL 9

Expert Comment

by:LinuxNubb
ID: 16606921
Instead of:

for ($i=0; $i<$entries["count"]; $i++)
{
    $output .= '<p>'.$entries[$i]["displayname"][0].'</p>';
}



do:

print_r($entries);

This will show all the returned values.
 
LVL 16

Author Comment

by:ellandrd
ID: 16607101
OK I can now pull out a user's details but I not only want to show their values but the field names too:

eg: $output .= '<tr><td>Mail</td><td><p>'.$entries[$i]["mail"][0].'</p></td></tr>';

but instead of typing out each field name (as there are 67 of them), is there a shorter way to just loop through each entry printing out the field name and its value...?
 
LVL 9

Expert Comment

by:LinuxNubb
ID: 16607297
Not really!  :)

Pick out the most useful ones, and build a loop like you had just shown.

You could technically build a function to do this, but you will probably spend as much time building the function as you would just adding the ones you need.
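As an added example (not LinuxNubb's or anyone else's code from the thread) for the question of printing every field name with its value: the array ldap_get_entries() returns lists the attribute names under numeric keys 0..count-1, so one generic loop covers all 67 attributes without naming any of them. The $sample array below is constructed to mirror the shape of a real entry, including a binary attribute, so the block runs without a directory.

```php
<?php
// Added example, not from the thread. $sample is a constructed entry in the layout that
// ldap_get_entries() produces: attribute names lowercased, each value list carrying its own
// "count", and numeric keys 0..count-1 holding the attribute names in order.
$sample = [
    'count' => 4,
    0 => 'displayname', 'displayname' => ['count' => 1, 0 => 'Jane Engineer'],
    1 => 'mail',        'mail'        => ['count' => 1, 0 => 'jane@example.internal'],
    2 => 'memberof',    'memberof'    => ['count' => 2, 0 => 'CN=Engineering,OU=Groups,DC=example,DC=internal',
                                                        1 => 'CN=VPN Users,OU=Groups,DC=example,DC=internal'],
    3 => 'objectsid',   'objectsid'   => ['count' => 1, 0 => "\x01\x05\x00\x00"],  // constructed binary bytes
    'dn' => 'CN=Jane Engineer,OU=Users,DC=example,DC=internal',
];

// Walk the numeric keys so every attribute is visited, multi-valued ones included.
function entryToPairs(array $entry): array {
    $pairs = [];
    for ($i = 0; $i < $entry['count']; $i++) {
        $attr = $entry[$i];
        $values = [];
        for ($j = 0; $j < $entry[$attr]['count']; $j++) {
            $values[] = $entry[$attr][$j];
        }
        $pairs[$attr] = $values;
    }
    return $pairs;
}

// Render as an HTML table. Non-printable attributes (objectSid, objectGUID, thumbnailPhoto, ...)
// are shown as hex instead of being dumped raw, and every cell is HTML-escaped because the
// directory, not the page author, controls what those strings contain.
function renderEntryTable(array $entry): string {
    $html = "<table>\n";
    foreach (entryToPairs($entry) as $attr => $values) {
        $shown = array_map(function (string $v): string {
            $printable = preg_match('/^[\P{C}\s]*$/u', $v) === 1;   // false/0 for control bytes or invalid UTF-8
            return htmlspecialchars($printable ? $v : 'hex:' . bin2hex($v));
        }, $values);
        $html .= sprintf("<tr><td>%s</td><td>%s</td></tr>\n",
                         htmlspecialchars($attr), implode('<br>', $shown));
    }
    return $html . "</table>\n";
}

echo renderEntryTable($sample);
```

In the intranet page, $sample would be replaced by $entries[$i] from the search result; the 'dn' key is deliberately skipped by the numeric loop, so print it separately if it is wanted.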
 
LVL 16

Author Comment

by:ellandrd
ID: 16607332
OK
 
LVL 16

Author Comment

by:ellandrd
ID: 16608162
dancablam / LinuxNubb

How can i change user password?
 
LVL 3

Expert Comment

by:dancablam
ID: 16608248
try the following lines:
$new["userPassword"] = '{md5}' . base64_encode(pack('H*', md5($newpass_in_plaintext)));
ldap_modify($ds, $dn, $new);

--Dan
 
LVL 16

Author Comment

by:ellandrd
ID: 16609298
can you explain it please?
 
LVL 3

Expert Comment

by:dancablam
ID: 16610268
Typically, active directory passwords are hashed with md5 encryption, so you must hash them as well.
Make sure you're connected with write capabilities and you should be able to just copy/paste (and specify the $newpass_in_plaintext value) and run it. Also specify the $dn of the specific user you want to change the password for (ex: CN=bob,OU=Corp,DC=sales,DC=mycorp,DC=com).

Lemme know how/if I can clarify any more :)

Dan
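An added example for the password question (not dancablam's code, and written for current PHP with the mbstring extension): a {md5}-prefixed userPassword value is what generic LDAP servers accept, but Active Directory does not store a userPassword hash at all. It sets passwords through the unicodePwd attribute, whose value is the new password wrapped in double quotes and encoded as UTF-16LE, and it refuses that write unless the connection is encrypted (ldaps:// or StartTLS). Host, binding account and target DN are placeholders.

```php
<?php
// Added example, not code from the thread. Every placeholder below must be replaced.
const AD_URI      = 'ldaps://ad.example.internal';   // placeholder; unicodePwd writes are refused over plain ldap://
const AD_BIND_UPN = 'svc_helpdesk@example.internal'; // placeholder: an account delegated only "Reset password" on the target OU
const AD_BIND_PW  = 'replace-me';                    // placeholder

// AD wire format for unicodePwd: the password in double quotes, as UTF-16LE.
function encodeUnicodePwd(string $plaintext): string {
    return mb_convert_encoding('"' . $plaintext . '"', 'UTF-16LE', 'UTF-8');
}

// Administrative reset: replace the attribute outright. A user changing their own password
// would instead send a delete of the old value plus an add of the new one (ldap_modify_batch()),
// which makes AD verify the old password first.
function resetUserPassword($ds, string $userDn, string $newPassword): void {
    if (stripos(AD_URI, 'ldaps://') !== 0) {
        throw new RuntimeException('Password writes require an encrypted connection');
    }
    if (!ldap_mod_replace($ds, $userDn, ['unicodePwd' => encodeUnicodePwd($newPassword)])) {
        // errno 53 (unwilling to perform) usually means an unencrypted connection or a
        // value rejected by the domain password policy (length, history, complexity)
        throw new RuntimeException('Password reset failed: ' . ldap_error($ds) . ' (' . ldap_errno($ds) . ')');
    }
}

$ds = ldap_connect(AD_URI) or exit('bad LDAP URI');
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
// leave certificate verification at the client library's default; turning it off would let
// anyone on the path read the bind password and the new user password
if (!@ldap_bind($ds, AD_BIND_UPN, AD_BIND_PW)) {
    exit('Bind failed: ' . ldap_error($ds));
}

// constructed target; in the intranet page this is the DN found for the logged-in engineer
$targetDn = 'CN=Jane Engineer,OU=Users,DC=example,DC=internal';
resetUserPassword($ds, $targetDn, 'N3w-Passw0rd-Example');
ldap_unbind($ds);
echo "Password reset for $targetDn\n";
```

The account that performs the reset should hold only the delegated reset right on the OU the intranet serves, so that a bug in the page cannot be turned into a password reset on accounts outside it.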
