
I know this has sort of been answered before, but it hasn't been able to help me (unless it has, but because of my limited PHP knowledge it hasn't helped). Here is my code below:

<?php
// The PHP block runs before any HTML is sent, so header() can still redirect.
//echo var_dump($_POST);
        $user = "".$_POST["username"]."";
        settype($user, "string");
        $password = $_POST["password"];
        $ldap_host = "ldap.burnside.school.nz";
        $base_dn = "ou=students,o=bhs";
        $ldap_user = "(cn=".$user.")";
        $filter = "($ldap_user)"; // Just results for this user
        $ldap_pass = "".$password."";
        $name = "";               // first name, filled in after a successful search

        $connect = ldap_connect($ldap_host)
                or exit(">>Could not connect to LDAP server<<");
        ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);

        // This next bit is the important step.  Bind, or fail to bind.  This tests the username/password.
        if (ldap_bind($connect, $ldap_user.",".$base_dn, $ldap_pass)) {
            $read = ldap_search($connect, $base_dn, $filter)
                or exit(">>Unable to search ldap server<<");

            // All the next lines do is get the user's first name.  Not required.
            // $info[0]["count"] is the number of attributes; $info[0][$ii] is the attribute name.
            $info = ldap_get_entries($connect, $read);
            $ii = 0;
            for ($i = 0; $ii < $info[$i]["count"]; $ii++) {
                $data = $info[$i][$ii];
                if ($data == "givenname") {
                    $name = $info[$i][$data][0];
                }
            }

            ldap_close($connect);
            header("Location: success.php?name=" . urlencode($name));
            exit;
        }
        else {
            ldap_close($connect);
            //header("Location: failure.php?user=$user");
        }
?>

<html>
<body>
</body>
</html>

I am getting an error on line 21 which is when I bind to the server saying:

Warning: ldap_bind(): Unable to bind to server: Invalid DN syntax in S:\XAMPP\htdocs\PhpProject1\LDAP_main.php on line 21

Would anyone have a solution to this problem? It has only started happening since I implemented my $_POST into the code to receive the username and password, but as you can see with my commented-out // echo var_dump($_POST), I am actually receiving the data I want.

A.L
user3765724

1 Answer

Your DN for binding to the LDAP server is (cn=[username]),ou=students,o=bhs, which is not valid DN syntax. That should read cn=[username],ou=students,o=bhs, without the braces.

You have mixed up an LDAP filter (the stuff inside the braces) with a DN.

I'd do an LDAP authentication in the following way:

  1. Bind anonymously or with a default user whose DN you know.
  2. Use that user to do a search for all users that match a certain filter containing the provided username. You can use a filter like (|(mail=[username])(cn=[username])(uid=[username])) to look for entries that have the username in the mail, cn or uid attribute.
  3. Get the DN from the returned entry (if there is no entry or more than one entry, no appropriate user exists, so we can skip the rest).
  4. Bind to the LDAP server again with that retrieved DN and the provided password.

Have a look at https://gist.github.com/heiglandreas/5689592

heiglandreas
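The four-step search-then-bind flow described in the answer above, written out as an added example (this is not the asker's code, the answerer's gist, or any project's own code). The host, base DN, service account DN, environment variable name and attribute names are assumptions to be adjusted for your directory. It also applies the one check the thread's concatenated filter lacks: the username is passed through ldap_escape() so that input containing characters such as "(", ")", "*" or "\" cannot alter the filter, and an empty password is rejected before binding, because many servers treat a bind with an empty password as an anonymous bind that "succeeds".

```php
<?php
// Added example: search-then-bind LDAP authentication.
// Host, base DN, service account and env-var name are assumptions.

/**
 * Authenticate $username / $password against the directory.
 * Returns the user's DN on success, or null on any failure.
 */
function ldapAuthenticate(string $username, string $password): ?string
{
    $ldapHost  = 'ldap://ldap.example.com';                // assumption
    $baseDn    = 'ou=students,o=example';                  // assumption
    $serviceDn = 'cn=ldap-reader,ou=services,o=example';   // assumption
    $servicePw = getenv('LDAP_SERVICE_PASSWORD') ?: '';    // assumption

    // An empty password must never reach ldap_bind(): it would be an
    // anonymous (unauthenticated) bind, not a failed one.
    if ($username === '' || $password === '') {
        return null;
    }

    $conn = ldap_connect($ldapHost);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Step 1: bind with a known service DN (use ldap_bind($conn) for anonymous).
    if (!@ldap_bind($conn, $serviceDn, $servicePw)) {
        ldap_close($conn);
        return null;
    }

    // Step 2: look the user up. ldap_escape() with LDAP_ESCAPE_FILTER turns
    // filter metacharacters in the input into \XX escapes, so the filter
    // always means "attribute equals this literal string".
    $safe   = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $filter = "(|(mail=$safe)(cn=$safe)(uid=$safe))";
    $search = @ldap_search($conn, $baseDn, $filter, ['cn']);
    if ($search === false) {
        ldap_close($conn);
        return null;
    }

    // Step 3: exactly one entry must match; zero or several means no usable user.
    $entries = ldap_get_entries($conn, $search);
    if ($entries === false || $entries['count'] !== 1) {
        ldap_close($conn);
        return null;
    }
    $userDn = $entries[0]['dn'];   // the DN comes from the directory, not from the form

    // Step 4: re-bind with the retrieved DN and the supplied password.
    // This bind is the actual credential check.
    $ok = @ldap_bind($conn, $userDn, $password);
    ldap_close($conn);

    return $ok ? $userDn : null;
}

// Usage from a login handler (before any HTML output, so header() still works):
// $dn = ldapAuthenticate($_POST['username'] ?? '', $_POST['password'] ?? '');
// if ($dn === null) { /* show a generic "login failed" */ } else { /* start the session */ }
```

The `@` suppressions keep the PHP warnings (such as the "Invalid DN syntax" and "Bad search filter" ones quoted in this thread) out of the HTTP response; log ldap_error($conn) instead if you need the detail. Returning the same null for "user not found", "several matches" and "wrong password" also avoids telling a caller which usernames exist.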
  • I've done this now I'm getting an error for a bad search filter? This was all working before when I used a username and password I pre typed in but since I've used the post method to get the data it has started to not work so I think the problem has got something to do with that? unless you know how to fix the new problem; "Warning: ldap_search(): Search: Bad search filter in S:\XAMPP\htdocs\PhpProject1\LDAP_main.php on line 22 >>Unable to search ldap server<<" – user3765724 Oct 16 '14 at 01:04
  • What exactly is your search filter? – heiglandreas Oct 16 '14 at 03:56
  • Put some debug output statements in and view your constructed variables so you know what your code is doing. Then you will at least know what values you are submitting to the LDAP server. And get a good LDAP browser that will show you what the values need to be. (I use Apache Studio https://directory.apache.org/studio/) – jwilleke Oct 16 '14 at 10:44