PHP and access to raw LDAP responses under Apache

We are working with an LDAP server that returns the standard return code of 49 when something is "wrong" with the user's account. That is, they supplied a bad user-id or a bad password, the password is expired and must be changed, or the account has been revoked/disabled due to too many invalid attempts.

However, this LDAP server also returns an additional message stating why the authentication failed. So if the password has expired it will return the code 49 plus the additional information stating that the password is expired.

Under Apache all the standard LDAP functions return "good" or "bad". Using the ldap_errno function I see 49, which is correct. However, if I use ldap_error I don't see the message the LDAP server returned; I see "Invalid Credentials", the standard message for an error 49.

Is there a way with PHP under Apache I can get access to the additional information the LDAP server is returning? If the user's password is expired I want to redirect them to another web page where they can change their password.
giltjr (Author) Commented:
Success!!!! Found it:

// $ds is the LDAP link; $err receives the server's additional error text
ldap_get_option($ds, LDAP_OPT_ERROR_STRING, $err);
echo $err . "<br />\n";

Results in the following if password is expired:

R000100 The password has expired (srv_authenticate_native_password)
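
Building on the answer above, an added example (not part of the original posts) of turning the diagnostic string into a redirect decision while keeping the raw server text out of the browser. The function names and the `REASON_CODES` map are assumptions made for illustration; only the `R000100` string comes from the thread, and the other sample inputs are constructed.

```php
<?php
// Added example: classify a failed bind from errno plus the server's diagnostic text.

const LDAP_INVALID_CREDENTIALS = 49;   // result code discussed in the question

// Server-specific reason token taken from the output quoted in the thread.
// Other directory servers use different text, so treat this map as configuration.
const REASON_CODES = ['R000100' => 'password_expired'];

/** Pure helper (hypothetical name): map (errno, diagnostic) to an outcome. */
function classify_bind_failure(int $errno, string $diag): string
{
    if ($errno !== LDAP_INVALID_CREDENTIALS) {
        return 'directory_error';       // connection or protocol problem, not the user
    }
    // Match only the leading reason token, not free text elsewhere in the string.
    if (preg_match('/^\s*(R\d{6})\b/', $diag, $m)
        && array_key_exists($m[1], REASON_CODES)) {
        return REASON_CODES[$m[1]];
    }
    return 'invalid_credentials';       // generic outcome for every other code 49
}

/** Bind and return 'ok' or one of the outcomes above (hypothetical name). */
function ldap_login($ds, string $dn, string $password): string
{
    if ($password === '') {
        return 'invalid_credentials';   // a DN with an empty password is an unauthenticated bind
    }
    if (@ldap_bind($ds, $dn, $password)) {
        return 'ok';
    }
    $errno = ldap_errno($ds);
    $diag  = '';
    ldap_get_option($ds, LDAP_OPT_ERROR_STRING, $diag);
    error_log("LDAP bind failed: $errno $diag");   // detail stays in the server log
    return classify_bind_failure($errno, (string) $diag);
}

// Constructed sample inputs; the first diagnostic is the string quoted in the thread.
$samples = [
    [49, 'R000100 The password has expired (srv_authenticate_native_password)'],
    [49, ''],
    [-1, "Can't contact LDAP server"],
];
foreach ($samples as [$errno, $diag]) {
    echo $errno, ' => ', classify_bind_failure($errno, $diag), PHP_EOL;
}
```

The caller would redirect to the change-password page only on `password_expired` and show one generic failure message for everything else. Whether the server reports expiry before or after it has validated the old password is server-specific and worth checking, since it decides how much account state an unauthenticated client can learn.
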
Ray Paseur Commented:
Have you tried this?

<?php // RAY_temp_giltjr.php

// Print the standard message text for each LDAP result code 0..99
for ($i = 0; $i < 100; $i++) {
     echo "Error $i: ";
     echo ldap_err2str($i);
     echo '<br>' . PHP_EOL;
}


giltjr (Author) Commented:
Yes, that returns the "standard" message for the error code returned. So the standard message for code 49 is "Invalid credentials", so that is what it displays.
Ray Paseur Commented:
Rats!  I was hoping for something more illuminating.  I don't have LDAP on my server any more, so I couldn't test.

I will mark this as a "neglected question" and that should get some fresh eyes on the problem.  HTH, ~Ray
giltjr (Author) Commented:
Thanks.  I just opened this so you don't need to mark it neglected yet.
Ray Paseur Commented:
Awesome!  Accept your own answer so it will go into the PAQ!

Thanks for using EE, ~Ray
giltjr (Author) Commented:
Gave me exactly what I needed.

Although Ray_Paseur's suggestion didn't work, it made me go back and review every PHP LDAP function.
Question has a verified solution.
