User authentication using LDAP with PHP only with SamAccountName and password?

How can I authenticate to LDAP from PHP when I only have the SamAccountName and the password? Is there a way to bind with only SamAccountName and password, without a Distinguished Name? The only examples I found assume that you already have a DN:

```php
<?php
// $username and $password are assumed to come from the login form
$server = "XXX.XXX.XXX.XXX";
$dn     = "cn=$username,";
$basedn = "ou=users,ou=accounts,dc=domain,dc=com";
$filter = "(sAMAccountName=$username)"; // the snippet as found left $filter undefined

if (!($connect = ldap_connect($server))) {
    die("Could not connect to LDAP server");
}
if (!($bind = ldap_bind($connect, $dn . $basedn, $password))) {
    die("Could not bind to $dn");
}
$sr       = ldap_search($connect, $basedn, $filter);
$info     = ldap_get_entries($connect, $sr);
$fullname = $info[0]["displayname"][0];
$fqdn     = $info[0]["dn"];
```
+4
5 answers

Actually, the answer is that it depends on how the LDAP administrator has configured things. You do not always need a DN to authenticate with the LDAP server. In my particular case, even with a DN, I still could not authenticate to the LDAP server. The LDAP server I was trying to connect to seems to be a Microsoft domain, and therefore I could only authenticate with `DOMAIN\user015` for user015 in DOMAIN, where user015 is the SamAccountName and DOMAIN is the domain of this user. But I was able to authenticate.

Thanks for all the posts! Even if they were not the right answer, they helped a lot!

+4

This works for me. I spent many days trying to figure it out.

```php
<?php
// We just need six variables here
$baseDN    = 'CN=Users,DC=domain,DC=local';
$adminDN   = "YourAdminDN";   // this is the admin distinguishedName
$adminPswd = "YourAdminPass";
$username  = 'Username';      // this is the user sAMAccountName
$userpass  = 'UserPass';

$ldap_conn = ldap_connect('ldaps://yourADdomain.local'); // I'm using LDAPS here
if (!$ldap_conn) {
    echo ("<p style='color: red;'>Couldn't connect to LDAP service</p>");
    exit; // nothing below can work without a connection
} else {
    echo ("<p style='color: green;'>Connection to LDAP service successful!</p>");
}
// AD needs LDAPv3 for a normal bind
ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, 3);

// The first step is to bind as the administrator so that we can search user info
$ldapBindAdmin = ldap_bind($ldap_conn, $adminDN, $adminPswd);
if ($ldapBindAdmin) {
    echo ("<p style='color: green;'>Admin binding and authentication successful!!!</p>");
    // escape the username so it cannot change the meaning of the filter (LDAP injection)
    $filter     = '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $attributes = array("name", "telephonenumber", "mail", "samaccountname");
    $result     = ldap_search($ldap_conn, $baseDN, $filter, $attributes);
    $entries    = ldap_get_entries($ldap_conn, $result);
    if ($entries["count"] == 0) {
        echo ("<p style='color: red;'>No such user in the directory :(</p>");
    } else {
        // the bind needs the entry's distinguishedName ("dn"), not its "name" attribute
        $userDN = $entries[0]["dn"];
        echo ('<p style="color:green;">I have the user DN: ' . $userDN . '</p>');
        // Okay, we're in! But now we need to bind the user now that we have the user DN.
        // An empty password would make this an anonymous bind that AD accepts, so reject it.
        $ldapBindUser = ($userpass !== '') && ldap_bind($ldap_conn, $userDN, $userpass);
        if ($ldapBindUser) {
            echo ("<p style='color: green;'>User binding and authentication successful!!!</p>");
        } else {
            echo ("<p style='color: red;'>There was a problem binding the user to LDAP :(</p>");
        }
    }
    ldap_unbind($ldap_conn); // Clean up after ourselves.
} else {
    echo ("<p style='color: red;'>There was a problem binding the admin to LDAP :(</p>");
}
?>
```
+10

Try `user@domain` as the DN ... It worked for me!

+2

You always need a DN to authenticate with the LDAP server. After that, you can execute a filter based on a specific attribute, for example SamAccountName, but you need an LDAP user identified by a DN.

0

The LDAP interface for AD requires you to communicate using DNs. In order to authenticate a user, you must first find that user; fortunately, you can find the DN by doing an LDAP search.

If you configured AD to allow anonymous requests (do not do this unless you are sure the reduced security is acceptable), you can do

```php
ldap_bind($connect, "", ""); // anonymous bind
$sr = ldap_search($connect, $base_dn, "(sAMAccountName=$username)");
```

And then retrieve that user's DN and bind with the DN and the user's password.

If you did not enable anonymous binding, use the application's own account for the initial search, for example:

```php
// the RDN type is CN (the original had "DN=", which is not a valid attribute type)
ldap_bind($connect, "CN=LDAP_App,OU=Users,DC=Domain,DC=com", "thePassword");
$sr = ldap_search($connect, $base_dn, "(sAMAccountName=$username)");
```

Then, as above, retrieve the user's DN and proceed with the bind.

0
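The two approaches discussed in this thread, the direct `DOMAIN\user` bind from the first and third answers and the service-account search followed by a user bind from the second and this answer, as one added PHP example that is not code from any of the posts. It assumes a domain controller reachable as `ldaps://dc.example.local`, the NetBIOS name `EXAMPLE` and the base DN `DC=example,DC=local`; those constants, the function names and the credentials in the usage lines are placeholders. It adds the checks the answers leave out: an empty password is refused before binding (AD treats a bind with an empty password as an anonymous bind, which succeeds), the username is escaped with `ldap_escape` before it goes into the search filter, and the lookup must return exactly one entry.

```php
<?php
// Added example, not code from any answer in this thread. Host, NetBIOS
// name and base DN are placeholders for the reader's own domain.
const AD_URI     = 'ldaps://dc.example.local';
const AD_NETBIOS = 'EXAMPLE';
const AD_BASE_DN = 'DC=example,DC=local';

/** Open a connection with the options AD needs (LDAPv3, no referral chasing). */
function ad_connect()
{
    $conn = ldap_connect(AD_URI);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    return $conn;
}

/**
 * Variant 1: bind directly as DOMAIN\sAMAccountName (or user@domain).
 * No DN and no service account are needed; AD resolves the login name itself.
 */
function ad_auth_direct(string $sam, string $password): bool
{
    // An empty password turns ldap_bind into an anonymous bind, which AD
    // accepts by default, so it must be rejected before any bind is attempted.
    if ($sam === '' || $password === '' || !preg_match('/^[A-Za-z0-9._-]+$/', $sam)) {
        return false;
    }
    $conn = ad_connect();
    if ($conn === false) {
        return false;
    }
    // UPN form would be: ldap_bind($conn, $sam . '@example.local', $password)
    $ok = @ldap_bind($conn, AD_NETBIOS . '\\' . $sam, $password);
    ldap_unbind($conn);
    return $ok;
}

/**
 * Variant 2: bind with a service account, look up the user's DN by
 * sAMAccountName, then bind again as that DN. Returns the user's attributes
 * on success and null on any failure.
 */
function ad_auth_search_bind(string $sam, string $password, string $svcDn, string $svcPassword): ?array
{
    if ($sam === '' || $password === '' || $svcPassword === '') {
        return null;
    }
    $conn = ad_connect();
    if ($conn === false) {
        return null;
    }
    if (!@ldap_bind($conn, $svcDn, $svcPassword)) {
        ldap_unbind($conn);
        return null;
    }
    // ldap_escape (PHP >= 5.6) stops a username such as "*)(objectClass=*"
    // from rewriting the filter (LDAP injection).
    $filter = '(&(objectClass=user)(sAMAccountName='
            . ldap_escape($sam, '', LDAP_ESCAPE_FILTER) . '))';
    $res     = @ldap_search($conn, AD_BASE_DN, $filter, ['displayname', 'mail']);
    $entries = $res ? ldap_get_entries($conn, $res) : false;
    // Exactly one match is required: zero means unknown user, more than one
    // is an ambiguous lookup that must not be trusted.
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($conn);
        return null;
    }
    // The bind needs the entry's DN, which ldap_get_entries returns under
    // 'dn' (not the 'name' attribute, which is only the CN without its path).
    $userDn = $entries[0]['dn'];
    $ok = @ldap_bind($conn, $userDn, $password);
    ldap_unbind($conn);
    if (!$ok) {
        return null;
    }
    return [
        'dn'          => $userDn,
        'displayname' => $entries[0]['displayname'][0] ?? null,
        'mail'        => $entries[0]['mail'][0] ?? null,
    ];
}

// Usage with placeholder credentials:
// var_dump(ad_auth_direct('user015', 'user-password'));
// var_dump(ad_auth_search_bind('user015', 'user-password',
//     'CN=LDAP_App,OU=Users,DC=example,DC=local', 'service-password'));
```

Variant 1 is the simplest when the directory is AD, since it needs no service account at all; variant 2 is what you need when the application must also read the user's attributes, or when the directory is not AD and only accepts a DN in the bind. In both cases `@` suppresses the PHP warning that `ldap_bind` emits on bad credentials so that the function's return value is the only signal the caller sees.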

Source: https://habr.com/ru/post/1383848/
